[release-announce] magnum 6.1.1 (queens)
no-reply at openstack.org
Tue May 15 17:14:06 UTC 2018
We are glad to announce the release of:
magnum 6.1.1: Container Management project for OpenStack
This release is part of the queens stable release series.
The source is available from:
** http://git.openstack.org/cgit/openstack/magnum
Download the package from:
https://tarballs.openstack.org/magnum/
Please report issues through launchpad:
** http://bugs.launchpad.net/magnum
For more details, please see below.
6.1.1
^^^^^
New Features
************
* k8s_fedora_atomic clusters are deployed with RBAC support. Along
with RBAC Node authorization is added so the appropriate
certificates are generated.
Known Issues
************
* Currently, the number of coreDNS pod replicas is hardcoded to 1,
which is not a reasonable value for such a critical service. Without
DNS, probably all workloads running on the k8s cluster will be
broken. Magnum now autoscales the coreDNS pod based on the number of
nodes and cores.
Upgrade Notes
*************
* Using the queens (>=2.9.0) python-magnumclient, when a user
executes openstack coe cluster config, the client certificate has
admin as Common Name (CN) and system:masters as Organization (O),
which are required for authorization with RBAC enabled clusters. This
change in the client is backwards compatible, so old clusters
(without RBAC enabled) can be reached with certificates generated by
the new client. However, old magnum clients will generate
certificates that will not be able to contact RBAC enabled clusters.
This issue affects only k8s_fedora_atomic clusters and clients
<=2.8.0; note that 2.8.0 is still a queens release but only 2.9.0
includes the relevant patch. Finally, users can always generate and
sign the certificates using the procedure in [0] even with old
clients, since only the cluster config command is affected.

[0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster
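As an added example (not part of the release notes or of python-magnumclient), the shell functions below generate a client key and CSR with the subject an RBAC enabled cluster expects, CN=admin and O=system:masters, sign it, and check the result against a certificate that lacks the organization. The CA is a throwaway one constructed locally to stand in for the cluster CA; against a real cluster the CSR would be signed with openstack coe ca sign as in the documented procedure [0].

```shell
# Added example: build a client certificate whose subject satisfies RBAC on a
# k8s_fedora_atomic cluster (CN=admin, O=system:masters). The CA below is
# constructed locally as a stand-in for the cluster CA.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Client key and CSR with the subject the >=2.9.0 client produces.
make_client_csr() {
    openssl genrsa -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/client.key" \
        -subj "/CN=admin/O=system:masters" -out "$WORK/client.csr"
}

# Throwaway CA; on a real cluster this step is "openstack coe ca sign".
make_stand_in_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=stand-in-cluster-ca" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

sign_client_csr() {
    openssl x509 -req -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/client.crt" 2>/dev/null
}

# Subject line of a certificate, e.g. "subject=CN = admin, O = system:masters".
cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# Returns 0 only if the certificate carries both RBAC-relevant fields;
# a certificate without them will be rejected by an RBAC enabled cluster.
check_rbac_subject() {
    subj=$(cert_subject "$1")
    echo "$subj" | grep -q 'CN *= *admin' || return 1
    echo "$subj" | grep -q 'O *= *system:masters' || return 1
}

# Constructed for comparison: a self-signed certificate with no
# system:masters organization (the CN value here is made up).
make_cert_without_org() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=magnum-user" \
        -keyout "$WORK/noorg.key" -out "$WORK/noorg.crt" 2>/dev/null
}
```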
Security Issues
***************
* k8s_fedora: Remove the cluster role from the kubernetes-dashboard
service account. When accessing the dashboard and skipping
authentication, users log in with the kubernetes-dashboard service
account; if that service account has the cluster role, users have
admin access without authentication. An admin service account is
created for this use case and others.
Bug Fixes
*********
* Fix etcd configuration in k8s_fedora_atomic driver. Explicitly
enable client and peer authentication and set trusted CA
(ETCD_TRUSTED_CA_FILE, ETCD_PEER_TRUSTED_CA_FILE,
ETCD_CLIENT_CERT_AUTH, ETCD_PEER_CLIENT_CERT_AUTH). Only new
clusters will benefit from the fix.
* Fix bug #1758672 [1] to protect kubelet in the k8s_fedora_atomic
driver. Before this patch kubelet was listening on 0.0.0.0, and for
clusters with floating IPs the kubelet was exposed. Also, even on
clusters without floating IPs the kubelet was exposed inside the
cluster. This patch allows access to the kubelet only over https and
with the appropriate roles. The apiserver and heapster have the
appropriate roles to access it. Finally, all read-only ports have
been closed to not expose any cluster data. The only remaining open
ports without authentication are for healthz.

[1] https://bugs.launchpad.net/magnum/+bug/1758672
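As an added example (not part of the release notes or of the k8s_fedora_atomic driver), the shell functions below audit an etcd environment-style config file for the four settings the etcd bug fix above sets explicitly. Both sample files are constructed here, and the certificate paths in them are assumptions.

```shell
# Added example: audit an etcd.conf (env-file format) for the settings the
# 6.1.1 etcd fix sets explicitly. Both sample files below are constructed.
REQUIRED_ETCD_KEYS="ETCD_TRUSTED_CA_FILE ETCD_PEER_TRUSTED_CA_FILE \
ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH"

# Print the value of key $2 from env-style file $1, without quotes.
etcd_conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Print one line per problem; exit 0 only when every setting is present
# and both *_CERT_AUTH flags are true.
audit_etcd_conf() {
    rc=0
    for key in $REQUIRED_ETCD_KEYS; do
        val=$(etcd_conf_get "$1" "$key")
        case "$key" in
            *_CERT_AUTH)
                if [ "$val" != "true" ]; then
                    echo "$key is not true (got '${val:-unset}')"; rc=1
                fi ;;
            *)
                if [ -z "$val" ]; then
                    echo "$key is unset: no CA to verify peers/clients"; rc=1
                fi ;;
        esac
    done
    return $rc
}

# Constructed: a file that relies on etcd defaults for authentication.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
ETCD_CERT_FILE="/etc/etcd/certs/server.crt"
ETCD_KEY_FILE="/etc/etcd/certs/server.key"
EOF

# Constructed: the same file with the fix applied (paths are assumptions).
FIXED_CONF=$(mktemp)
cat > "$FIXED_CONF" <<'EOF'
ETCD_CERT_FILE="/etc/etcd/certs/server.crt"
ETCD_KEY_FILE="/etc/etcd/certs/server.key"
ETCD_TRUSTED_CA_FILE="/etc/etcd/certs/ca.crt"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/certs/ca.crt"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
EOF
```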
Changes in magnum 6.1.0..6.1.1
------------------------------
b8f6261 k8s_fedora: Add admin user
2fc72e9 Make DNS pod autoscale
1e2774f Add calico-node on k8s master node
363095b Stop using slave_scripts/install-distro-packages.sh
1382e6f k8s_fedora: Add flannel to master nodes
fca7f0c Add missing RBAC config for Prometheus
beb124e k8s_fedora: Explicitly set etcd authentication
dba9203 k8s_fedora: Add kubelet authentication/authorization
f735c8a Add service account to daemonset in traefik
23bc667 Add reno for RBAC and client incompatibility
058d982 Check CERT_MANAGER_API if True or False
0b31332 Change swarm ClusterTemplate coe to swarm-mode
Diffstat (except docs and test files)
-------------------------------------
.../kubernetes/fragments/calico-service.sh | 12 ++-
.../kubernetes/fragments/configure-etcd.sh | 4 +
.../fragments/configure-kubernetes-master.sh | 77 ++++++++++++++++-
.../fragments/configure-kubernetes-minion.sh | 19 ++++-
.../kubernetes/fragments/core-dns-service.sh | 96 +++++++++++++++++++++-
.../kubernetes/fragments/enable-ingress-traefik | 1 +
.../fragments/enable-prometheus-monitoring | 67 ++++++++++++---
.../kubernetes/fragments/enable-services-master.sh | 6 ++
.../fragments/kube-apiserver-to-kubelet-role.sh | 28 +++++++
.../kubernetes/fragments/kube-dashboard-service.sh | 53 ++++++++----
.../kubernetes/fragments/make-cert-client.sh | 8 +-
.../templates/kubernetes/fragments/make-cert.sh | 94 +++++++++++++--------
.../kubernetes/fragments/network-config-service.sh | 4 +
.../fragments/write-heat-params-master.yaml | 1 +
.../templates/kubecluster.yaml | 4 +
.../k8s_fedora_atomic_v1/templates/kubemaster.yaml | 5 ++
playbooks/pre/prepare-workspace-images.yaml | 8 +-
...nd-client-incompatibility-fdfeab326dfda3bf.yaml | 20 +++++
...284-k8s-fedora-admin-user-e760f9b0edf49391.yaml | 8 ++
...ure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml | 7 ++
.../notes/dns-autoscale-90b63e3d71d7794e.yaml | 8 ++
...8s_fedora_protect_kubelet-8468ddcb92c2a624.yaml | 12 +++
24 files changed, 485 insertions(+), 80 deletions(-)