[release-announce] magnum 6.1.1 (queens)

no-reply at openstack.org
Tue May 15 17:14:06 UTC 2018


We are glad to announce the release of:

magnum 6.1.1: Container Management project for OpenStack

This release is part of the queens stable release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/magnum

Download the package from:

    https://tarballs.openstack.org/magnum/

Please report issues through launchpad:

    http://bugs.launchpad.net/magnum

For more details, please see below.

6.1.1
^^^^^


New Features
************

* k8s_fedora_atomic clusters are deployed with RBAC support. Along
  with RBAC Node authorization is added so the appropriate
  certificates are generated.


Known Issues
************

* Currently, the replica count of the coreDNS pod is hardcoded to 1,
  which is not a reasonable number for such a critical service. Without
  DNS, probably all workloads running on the k8s cluster will be broken.
  Magnum now autoscales the coreDNS pod based on the number of nodes
  and cores in the cluster.


Upgrade Notes
*************

* With the queens (>=2.9.0) python-magnumclient, when a user executes
  "openstack coe cluster config", the client certificate is generated
  with admin as Common Name (CN) and system:masters as Organization (O),
  which are required for authorization against RBAC-enabled clusters.
  This change in the client is backwards compatible, so old clusters
  (without RBAC enabled) can still be reached with certificates
  generated by the new client. However, old magnum clients will
  generate certificates that cannot contact RBAC-enabled clusters. This
  issue affects only k8s_fedora_atomic clusters and clients <=2.8.0;
  note that 2.8.0 is still a queens release, but only 2.9.0 includes
  the relevant patch. Finally, users can always generate and sign the
  certificates using the procedure in [0], even with old clients,
  since only the cluster config command is affected.

  [0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster


Security Issues
***************

* k8s_fedora: Remove the cluster role from the kubernetes-dashboard
  service account. When accessing the dashboard and choosing to skip
  authentication, users are logged in as the kubernetes-dashboard
  service account; if that service account holds the cluster role,
  users get admin access without authentication. A separate admin
  service account is created for this use case and others.
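As an added example (not part of this announcement and not Magnum's own code), the following Python audits the output of "kubectl get clusterrolebindings -o json" for service accounts bound to the cluster-admin ClusterRole, which is the condition the note above describes for the kubernetes-dashboard account. The sample bindings are constructed; the name of the separate admin service account ("admin" in kube-system) is an assumption, not taken from the page.

```python
"""Audit ClusterRoleBindings for service accounts that hold cluster-admin.

Input is the JSON produced by `kubectl get clusterrolebindings -o json`
(a List whose `items` are ClusterRoleBinding objects). The sample below is
constructed to mirror the situation in the release note: the
kubernetes-dashboard service account bound to cluster-admin.
"""
import json

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json`.
SAMPLE_BINDINGS = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # The situation the release note fixes: dashboard SA is cluster-admin.
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "kubernetes-dashboard"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount",
                          "name": "kubernetes-dashboard",
                          "namespace": "kube-system"}],
        },
        {   # A dedicated admin account for operators; the name is an assumption.
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "admin-user"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "admin",
                          "namespace": "kube-system"}],
        },
        {   # A scoped binding that must not be flagged.
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": "system:kube-dns"},
            "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                        "kind": "ClusterRole", "name": "system:kube-dns"},
            "subjects": [{"kind": "ServiceAccount", "name": "kube-dns",
                          "namespace": "kube-system"}],
        },
    ],
})


def cluster_admin_service_accounts(bindings_json):
    """Return {(namespace, sa_name): [binding names]} for every ServiceAccount
    subject bound to the cluster-admin ClusterRole."""
    doc = json.loads(bindings_json)
    items = doc.get("items", [doc])  # accept a single binding object too
    result = {}
    for crb in items:
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in crb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace", ""), subj.get("name", ""))
            result.setdefault(key, []).append(crb["metadata"]["name"])
    return result


def dashboard_has_cluster_admin(bindings_json, namespace="kube-system",
                                sa_name="kubernetes-dashboard"):
    """True when the dashboard's own service account is cluster-admin, i.e. the
    'skip' login on the dashboard hands full admin to whoever reaches it."""
    return (namespace, sa_name) in cluster_admin_service_accounts(bindings_json)


if __name__ == "__main__":
    found = cluster_admin_service_accounts(SAMPLE_BINDINGS)
    for (ns, sa), names in sorted(found.items()):
        print(f"cluster-admin: {ns}/{sa} via {', '.join(names)}")
    print("dashboard SA is cluster-admin:", dashboard_has_cluster_admin(SAMPLE_BINDINGS))
```

Run against a live cluster by piping "kubectl get clusterrolebindings -o json" into cluster_admin_service_accounts; a dedicated admin account showing up is expected, the dashboard's own account showing up is the finding the note describes.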


Bug Fixes
*********

* Fix the etcd configuration in the k8s_fedora_atomic driver.
  Explicitly enable client and peer certificate authentication and set
  the trusted CA (ETCD_TRUSTED_CA_FILE, ETCD_PEER_TRUSTED_CA_FILE,
  ETCD_CLIENT_CERT_AUTH, ETCD_PEER_CLIENT_CERT_AUTH). Only new
  clusters will benefit from the fix.

* Fix bug #1758672 [1] to protect the kubelet in the k8s_fedora_atomic
  driver. Before this patch the kubelet was listening on 0.0.0.0, so on
  clusters with floating IPs the kubelet was exposed externally; even
  on clusters without floating IPs it was exposed inside the cluster.
  This patch allows access to the kubelet only over https and only
  with the appropriate roles; the apiserver and heapster are granted
  the roles needed to reach it. Finally, all read-only ports have been
  closed so that no cluster data is exposed. The only remaining ports
  open without authentication are for healthz.

  [1] https://bugs.launchpad.net/magnum/+bug/1758672
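As an added example covering both bug fixes above (not Magnum's code and not part of the announcement), the following Python checks the two shell-style sysconfig files on a k8s_fedora_atomic node for the settings the notes name: the four ETCD_* variables, and the kubelet flags carried in KUBELET_ARGS. The file contents are constructed "before" and "after" pairs. The etcd variable names come from the note; the kubelet flags used here (--read-only-port, --anonymous-auth, --authorization-mode, --client-ca-file) are the kubelet's standard flags, and it is an assumption that the fix is expressed through them. The file paths in the docstring are likewise assumptions.

```python
"""Audit the etcd and kubelet settings named in the 6.1.1 bug fixes.

Both files on a k8s_fedora_atomic node are shell-style KEY="value" files
(assumed here to be /etc/etcd/etcd.conf and the kubelet sysconfig file).
The parser below handles that format; the samples are constructed to show
a 'before' and an 'after' for each fix.
"""
import re
import shlex

# Constructed: etcd.conf before the fix (TLS files, but no client/peer auth).
ETCD_BEFORE = '''
ETCD_NAME="master-0"
ETCD_CERT_FILE="/etc/etcd/certs/server.crt"
ETCD_KEY_FILE="/etc/etcd/certs/server.key"
ETCD_PEER_CERT_FILE="/etc/etcd/certs/server.crt"
ETCD_PEER_KEY_FILE="/etc/etcd/certs/server.key"
'''
# Constructed: the same file with the four settings the release note adds.
ETCD_AFTER = ETCD_BEFORE + '''
ETCD_TRUSTED_CA_FILE="/etc/etcd/certs/ca.crt"
ETCD_PEER_TRUSTED_CA_FILE="/etc/etcd/certs/ca.crt"
ETCD_CLIENT_CERT_AUTH="true"
ETCD_PEER_CLIENT_CERT_AUTH="true"
'''

# Constructed: kubelet sysconfig before and after. Flag names are the
# kubelet's standard ones; which exact flags Magnum's patch set is an assumption.
KUBELET_BEFORE = ('KUBELET_ARGS="--address=0.0.0.0 --read-only-port=10255 '
                  '--cluster-dns=10.254.0.10"\n')
KUBELET_AFTER = ('KUBELET_ARGS="--address=0.0.0.0 --read-only-port=0 '
                 '--anonymous-auth=false --authorization-mode=Webhook '
                 '--client-ca-file=/etc/kubernetes/certs/ca.crt"\n')

# None means "must be set to some path"; a string means "must equal this".
ETCD_REQUIRED = {
    "ETCD_TRUSTED_CA_FILE": None,
    "ETCD_PEER_TRUSTED_CA_FILE": None,
    "ETCD_CLIENT_CERT_AUTH": "true",
    "ETCD_PEER_CLIENT_CERT_AUTH": "true",
}

_LINE = re.compile(r'^\s*(?:export\s+)?([A-Z_][A-Z0-9_]*)=(.*)$')


def parse_sysconfig(text):
    """Parse KEY=value lines, stripping shell quoting; the last assignment wins."""
    conf = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            conf[m.group(1)] = " ".join(shlex.split(m.group(2), comments=True))
    return conf


def etcd_auth_findings(text):
    """Return a list of human-readable findings; empty means the fix is in place."""
    conf = parse_sysconfig(text)
    findings = []
    for key, want in ETCD_REQUIRED.items():
        have = conf.get(key, "")
        if want is None and not have:
            findings.append(f"{key} is not set")
        elif want is not None and have.lower() != want:
            findings.append(f"{key} should be {want!r}, found {have!r}")
    return findings


def kubelet_args(text):
    """Return the --flag=value pairs in KUBELET_ARGS as {flag: value}."""
    args = {}
    for tok in shlex.split(parse_sysconfig(text).get("KUBELET_ARGS", "")):
        if tok.startswith("--"):
            flag, _, value = tok[2:].partition("=")
            args[flag] = value
    return args


def kubelet_findings(text):
    """Flag the exposures the note describes; the defaults used when a flag is
    absent are the kubelet's own defaults at the time (10255, true, AlwaysAllow)."""
    a = kubelet_args(text)
    findings = []
    if a.get("read-only-port", "10255") != "0":
        findings.append("read-only port is open: unauthenticated cluster data")
    if a.get("anonymous-auth", "true") != "false":
        findings.append("anonymous requests to the kubelet are allowed")
    if a.get("authorization-mode", "AlwaysAllow") == "AlwaysAllow":
        findings.append("authorization-mode is AlwaysAllow: no role check")
    if not a.get("client-ca-file"):
        findings.append("no client-ca-file: client certificates cannot be verified")
    return findings


if __name__ == "__main__":
    for label, text in (("etcd before", ETCD_BEFORE), ("etcd after", ETCD_AFTER)):
        print(label, etcd_auth_findings(text) or "OK")
    for label, text in (("kubelet before", KUBELET_BEFORE), ("kubelet after", KUBELET_AFTER)):
        print(label, kubelet_findings(text) or "OK")
```

On a real node, read the two files and pass their contents to etcd_auth_findings and kubelet_findings; a non-empty list on an existing cluster is consistent with the note's remark that only new clusters pick up the etcd fix.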

Changes in magnum 6.1.0..6.1.1
------------------------------

b8f6261 k8s_fedora: Add admin user
2fc72e9 Make DNS pod autoscale
1e2774f Add calico-node on k8s master node
363095b Stop using slave_scripts/install-distro-packages.sh
1382e6f k8s_fedora: Add flannel to master nodes
fca7f0c Add missing RBAC config for Prometheus
beb124e k8s_fedora: Explicitly set etcd authentication
dba9203 k8s_fedora: Add kubelet authentication/authorization
f735c8a Add service account to daemonset in traefik
23bc667 Add reno for RBAC and client incompatibility
058d982 Check CERT_MANAGER_API if True or False
0b31332 Change swarm ClusterTemplate coe to swarm-mode


Diffstat (except docs and test files)
-------------------------------------

.../kubernetes/fragments/calico-service.sh         | 12 ++-
.../kubernetes/fragments/configure-etcd.sh         |  4 +
.../fragments/configure-kubernetes-master.sh       | 77 ++++++++++++++++-
.../fragments/configure-kubernetes-minion.sh       | 19 ++++-
.../kubernetes/fragments/core-dns-service.sh       | 96 +++++++++++++++++++++-
.../kubernetes/fragments/enable-ingress-traefik    |  1 +
.../fragments/enable-prometheus-monitoring         | 67 ++++++++++++---
.../kubernetes/fragments/enable-services-master.sh |  6 ++
.../fragments/kube-apiserver-to-kubelet-role.sh    | 28 +++++++
.../kubernetes/fragments/kube-dashboard-service.sh | 53 ++++++++----
.../kubernetes/fragments/make-cert-client.sh       |  8 +-
.../templates/kubernetes/fragments/make-cert.sh    | 94 +++++++++++++--------
.../kubernetes/fragments/network-config-service.sh |  4 +
.../fragments/write-heat-params-master.yaml        |  1 +
.../templates/kubecluster.yaml                     |  4 +
.../k8s_fedora_atomic_v1/templates/kubemaster.yaml |  5 ++
playbooks/pre/prepare-workspace-images.yaml        |  8 +-
...nd-client-incompatibility-fdfeab326dfda3bf.yaml | 20 +++++
...284-k8s-fedora-admin-user-e760f9b0edf49391.yaml |  8 ++
...ure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml |  7 ++
.../notes/dns-autoscale-90b63e3d71d7794e.yaml      |  8 ++
...8s_fedora_protect_kubelet-8468ddcb92c2a624.yaml | 12 +++
24 files changed, 485 insertions(+), 80 deletions(-)
