0.18.0

Lots of good stuff in this release. Highlights include:

• Logging for c2c iptables can be enabled through a BOSH property
• Container networking scales to 20K application instances with 3 policies per application.
• Initial support for logging ASG iptables through a BOSH property. ASG logs will be prefixed with OK_ or DENY_.
• If you are running Diego release v1.10.1 you must upgrade to this release

We do not recommend using cf-networking-release in production yet, but give it a try and give us your feedback in the #container-networking channel on cloudfoundry.slack.com.

Take a look at known issues for current limitations and known issues.

Verified with the following:

• CF deployment

New Manifest Properties

• cf_networking.rep_listen_addr_admin enables our drain scripts to wait for the Diego rep to exit.
  It should always be the same value as diego.rep.listen_addr_admin. It defaults to 127.0.0.1:1800.
• cf_networking.garden_external_networker.iptables_asg_logging globally enables iptables logging for
  all ASGs, including logging of denied packets. Defaults to false.
• cf_networking.vxlan_policy_agent.iptables_c2c_logging enables iptables logging for
  container-to-container traffic. It defaults to false. Note: this is already
  configurable at runtime.
• cf_networking.plugin.health_check_port allows BOSH to better health-check the flanneld process
  required for connectivity.

Removed Manifest Properties

• cf_networking.policy_server.database.connection_string was deprecated in v0.10.0 and is now removed.

Significant Changes

Scalability

• container networking is reliable with 20k app instances across 100 diego cells
• Scalability test for popular server
• Our docs include recommendations on scaling policy server instances and DB
• The policy server can handle our scalability target of 20K AIs

Upgrades

• As an operator I can upgrade from kawasaki to cf-networking

Manifest Changes

• Remove deprecated BOSH property policy_server.database.connection_string

Security

• Policy server can communicate with UAA over TLS

Chores

• Investigate and fix "Ginkgo timed out waiting for parallel nodes to report back"
• Improve stop behavior of monit ctl scripts

Stability

• Flannel has a healthcheck endpoint for monit
• A cell with a subnet mismatch can be recovered by a BOSH restart of the cell
• Policy server monit script checks a healthcheck endpoint

Logging

• Logging for c2c iptables is configurable through a BOSH property
• Logging for denied outbound non-c2c packets

Internal integration

• Garden External Networker handles NetIn/NetOut fields during Up