
OpenShift 3.6 Release Notes Tracker #4021

Closed
liggitt opened this issue Mar 24, 2017 · 23 comments

@liggitt

liggitt commented Mar 24, 2017

All notes related to the Origin / OCP 3.6 release

@liggitt
Author

liggitt commented Mar 24, 2017

Custom roles that reference OpenShift resources should be updated to include the appropriate API groups

openshift/origin#12986

@danwinship
Contributor

OpenShift will now reject EgressNetworkPolicy, ClusterNetwork, HostSubnet, and NetNamespace objects with ambiguous CIDR values. Before, an EgressNetworkPolicyRule such as

type: Allow
to:
  cidrSelector: 192.168.1.15/24

would have been interpreted as meaning "allow to 192.168.1.0/24". But the user most likely meant "allow to 192.168.1.15/32". In 3.6, trying to create such a rule (or to modify an existing such rule without fixing it) will result in an error.

(The same validation is also now performed on CIDR-valued fields in ClusterNetwork, HostSubnet, and NetNamespace objects, but these are normally only created/modified by OpenShift itself.)

openshift/origin#13508
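The check described above (a CIDR whose address part has host bits set is ambiguous and is rejected), as an added example in Go that is not code from the origin repository; the EgressRule type, its field names and the sample rules are this example's own constructions:

```go
package main

import (
	"fmt"
	"net"
)

// EgressRule is a minimal model of an EgressNetworkPolicyRule for this example:
// Type is "Allow" or "Deny"; CIDRSelector is the to.cidrSelector value.
type EgressRule struct {
	Type         string
	CIDRSelector string
}

// CheckCIDR returns nil when cidr has no host bits set, otherwise an error
// naming the two things the author may have meant (network or single host).
func CheckCIDR(cidr string) error {
	ip, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return err
	}
	if ip.Equal(ipnet.IP) {
		return nil // address equals the network address: unambiguous
	}
	_, bits := ipnet.Mask.Size()
	return fmt.Errorf("ambiguous CIDR %q: use %s (the network) or %s/%d (the host)", cidr, ipnet, ip, bits)
}

// ValidateEgressRules applies the 3.6 rule described above: any rule whose
// cidrSelector has host bits set makes the whole EgressNetworkPolicy invalid.
func ValidateEgressRules(rules []EgressRule) []error {
	var errs []error
	for i, r := range rules {
		if err := CheckCIDR(r.CIDRSelector); err != nil {
			errs = append(errs, fmt.Errorf("rule %d (%s): %v", i, r.Type, err))
		}
	}
	return errs
}

func main() {
	rules := []EgressRule{ // constructed sample rules
		{Type: "Allow", CIDRSelector: "192.168.1.15/24"}, // rejected in 3.6
		{Type: "Allow", CIDRSelector: "192.168.1.15/32"}, // what was probably meant
		{Type: "Deny", CIDRSelector: "0.0.0.0/0"},
	}
	for _, err := range ValidateEgressRules(rules) {
		fmt.Println(err)
	}
}
```

The same comparison works for IPv6 prefixes, since net.ParseCIDR masks both families the same way.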

@mburke5678
Contributor

mburke5678 commented May 17, 2017

In prior versions, pod volumes remained attached until the pod resource was deleted from the master. This prevented local disk and memory resources from being reclaimed as a result of pod eviction.

Trello

@mburke5678
Contributor

mburke5678 commented May 17, 2017

Init Containers
Pod authors can now use init containers to share volumes, perform network operations, and perform computation prior to the start of the remaining containers. An init container is a container in a pod that is started before the pod’s app containers are started. Init containers can also block or delay the startup of application containers until some precondition is met.
Trello

@mburke5678
Contributor

Pod tolerations and node taints have moved from annotations to API fields in pod specifications (PodSpec) and node specification (NodeSpec) files, respectively. Pod tolerations and node taints that are defined in the annotations will be ignored. The annotation keys: scheduler.alpha.kubernetes.io/tolerations and scheduler.alpha.kubernetes.io/taints have been removed.
Trello

@ahardin-rh
Contributor

Limited resources in quota is in Tech Preview for 3.6: #4531

@gaurav-nelson
Contributor

Mount Options in Additional Concepts > Storage is in Technology Preview #4499

@ahardin-rh
Contributor

In OCP 3.6, Daemon pods do respect taints and tolerations, but they are created with NoExecute tolerations for the node.alpha.kubernetes.io/notReady and node.alpha.kubernetes.io/unreachable taints with no tolerationSeconds. This ensures that when the TaintBasedEvictions alpha feature is enabled, they will not be evicted when there are node problems such as a network partition. (When the TaintBasedEvictions feature is not enabled, they are also not evicted in these scenarios, but due to hard-coded behavior of the NodeController rather than due to tolerations). https://trello.com/c/5Ui6Ankz/463-document-tolerations-daemonsets-should-respect-taints-and-tolerations

@knobunc
Contributor

knobunc commented Jun 8, 2017

The OpenShift router will no longer allow SSLv3 (to prevent the POODLE attack). No modern web browser should require this. openshift/origin#7638

@pecameron

pecameron commented Jun 12, 2017

The router cipher list has changed to reflect the current "intermediate" cipher suite recommendations from Mozilla. We have also made it possible to set the cipher suite explicitly, or choose from a list of named preset security levels: openshift/origin#14505.

@enj

enj commented Jun 14, 2017

The ClusterPolicy, Policy, ClusterPolicyBinding and PolicyBinding API types are deprecated. Users will need to switch any interactions with these types to instead use ClusterRole, Role, ClusterRoleBinding or RoleBinding as appropriate. The following oadm policy commands can be used to help with this process:

add-cluster-role-to-group
add-cluster-role-to-user
add-role-to-group
add-role-to-user
remove-cluster-role-from-group
remove-cluster-role-from-user
remove-role-from-group
remove-role-from-user

as well as the following oc create commands:

clusterrole
clusterrolebinding
role
rolebinding

The use of oc create policybinding is also deprecated and no longer a prerequisite for creating a RoleBinding to a Role.

cc @adellape

@danwinship
Contributor

When using the redhat/openshift-ovs-networkpolicy plugin (which is still in Tech Preview), NetworkPolicy objects now have the "NetworkPolicy v1" semantics from Kubernetes 1.7 (although they are still in the extensions/v1beta1 API group; the new networking.k8s.io/v1 API group is not yet available).

In particular, the net.beta.kubernetes.io/network-policy annotation on Namespaces to opt in to isolation has been removed. Instead, isolation is now determined at a per-pod level, with pods being isolated if there is any NetworkPolicy whose spec.podSelector targets them. Pods that are targeted by NetworkPolicies accept traffic that is accepted by any of the NetworkPolicies (and nothing else), and pods that are not targeted by any NetworkPolicy accept all traffic by default.

To preserve compatibility when upgrading:

  1. In Namespaces that previously had the "DefaultDeny" annotation, you can create equivalent v1 semantics by creating a NetworkPolicy that matches all pods but does not allow any traffic:

     kind: NetworkPolicy
     apiVersion: extensions/v1beta1
     metadata:
       name: default-deny
     spec:
       podSelector:

    This will ensure that pods that aren't matched by any other NetworkPolicy will continue to be fully-isolated, as they were before.

  2. In Namespaces that previously did not have the "DefaultDeny" annotation, you should delete any existing NetworkPolicy objects. These would have had no effect before, but with v1 semantics they might cause some traffic to be blocked that you didn't intend to be blocked.

openshift/origin#14466
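The per-pod isolation semantics described above, as an added Go example that is not code from the origin repository: Labels, Policy and Allowed are this example's own reduced model (a podSelector plus a list of "from" pod selectors, no namespace selectors or ports), and the policies in main are constructed samples. It also shows why step 2 matters: a leftover policy that previously had no effect now isolates the pods it targets.

```go
package main

import "fmt"

// Labels is a pod's label set. Policy is this example's reduced NetworkPolicy,
// not the API type: PodSelector picks target pods (an empty selector matches
// every pod, like the default-deny object above) and Ingress lists the "from"
// pod selectors whose traffic is accepted; no Ingress entries means accept nothing.
type Labels map[string]string

type Policy struct {
	Name        string
	PodSelector Labels
	Ingress     []Labels
}

// selects reports whether every key/value in sel is present in labels.
func selects(sel, labels Labels) bool {
	for k, v := range sel {
		if got, ok := labels[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// Allowed applies the v1 rule: an untargeted pod accepts all traffic; a targeted
// pod accepts traffic only if some policy targeting it has a matching "from".
func Allowed(src, dst Labels, policies []Policy) bool {
	targeted := false
	for _, p := range policies {
		if !selects(p.PodSelector, dst) {
			continue
		}
		targeted = true
		for _, from := range p.Ingress {
			if selects(from, src) {
				return true
			}
		}
	}
	return !targeted
}

func main() { // constructed policies: a default-deny plus one allow rule
	deny := Policy{Name: "default-deny", PodSelector: Labels{}}
	web := Policy{Name: "frontend-to-web", PodSelector: Labels{"app": "web"}, Ingress: []Labels{{"role": "frontend"}}}
	fmt.Println(Allowed(Labels{"role": "frontend"}, Labels{"app": "web"}, []Policy{deny, web})) // true
	fmt.Println(Allowed(Labels{"app": "db"}, Labels{"app": "web"}, []Policy{web}))              // false: web is now isolated by the leftover policy
}
```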

@deads2k
Contributor

deads2k commented Jun 15, 2017

The metadata volumesource https://github.com/openshift/origin/blob/master/vendor/k8s.io/kubernetes/pkg/api/v1/types.go#L338-L341 has been deprecated for multiple releases and will be removed in 3.7.

openshift/origin#14677

@liggitt
Author

liggitt commented Jun 19, 2017

Breaking API change: Unless explicitly documented otherwise, API fields containing lists of items no longer distinguish between null and [], and may return either null or [] regardless of the original value submitted.

@ashcrow
Member

ashcrow commented Jun 19, 2017

When using system containers with OpenShift, the atomic command on hosts must be >= 1.17.2.

@adellape
Contributor

Tech Preview: Deploying basic CFME as an OpenShift App https://trello.com/c/Zvrc7Qu4

@bparees
Contributor

bparees commented Jun 22, 2017

Containers launched by the build pod (e.g. the s2i assemble container or the "docker build" process) now run under the build pod's parent cgroup.

Previously the containers had their own cgroup and the memory/cpu limits were mirrored from the pod's cgroup limits. With this change, the secondary containers will now be sharing the memory limit that is consumed by the build pod, meaning the secondary containers will have slightly less memory available to them.

@deads2k
Contributor

deads2k commented Jun 27, 2017

SecurityContextConstraints are now also available via a groupified API at /apis/security.openshift.io/v1/securitycontextconstraints. They are still available at /api/v1/securitycontextconstraints, but using the groupified API will provide better integration with tooling.

@childsb

childsb commented Jul 6, 2017

Openshift Volume Recycler is being deprecated. Anyone using recycler should use dynamic provision and volume deletion instead.

@adellape
Contributor

adellape commented Jul 7, 2017

https://bugzilla.redhat.com/show_bug.cgi?id=1464025 should be listed as a Known Issue per @sdodson.

@adellape
Contributor

@ahardin-rh FYI https://bugzilla.redhat.com/show_bug.cgi?id=1476012

@sdodson
Member

sdodson commented Aug 7, 2017

DNS changes for 3.6

Prior to 3.6 cluster dns was provided by the API server running on the master and the use of dnsmasq could be disabled by setting openshift_use_dnsmasq=false. Starting with 3.6 the use of dnsmasq is now mandatory and upgrades will be blocked if this variable is set to false. Also, when upgrading to 3.6 the playbooks will configure the node service to serve dns requests on 127.0.0.1:53 and dnsmasq will be reconfigured to route queries for cluster.local and in-addr.arpa to 127.0.0.1:53 rather than to the kubernetes service ip. Your node must not run other services on port 53. Firewall rules exposing port 53 are not necessary as all queries will originate from the local network.

FYI @rjhowe, how's this sound?

@sdodson
Member

sdodson commented Aug 7, 2017

Known issue for 3.6 https://bugzilla.redhat.com/show_bug.cgi?id=1463393

When upgrading from a release of OCP less than 3.5.5.18, the upgrade process may remove data on persistent volumes that fail to unmount correctly. If you're running a version less than 3.5.5.18, then please perform the following steps prior to performing the normal upgrade process.

atomic-openshift-excluder unexclude
yum upgrade atomic-openshift-node
systemctl restart atomic-openshift-node

@adellape adellape added this to the OCP 3.6 GA milestone Aug 11, 2017