We are glad to announce the release of:

magnum 6.1.1: Container Management project for OpenStack

This release is part of the queens stable release series.

The source is available from:

    http://git.openstack.org/cgit/openstack/magnum

Download the package from:

    https://tarballs.openstack.org/magnum/

Please report issues through launchpad:

    http://bugs.launchpad.net/magnum

For more details, please see below.

6.1.1
^^^^^

New Features
************

* k8s_fedora_atomic clusters are deployed with RBAC support. Along with
  RBAC, Node authorization is added so the appropriate certificates are
  generated.

Known Issues
************

* Currently, the replica count of the coreDNS pod is hardcoded to 1. That
  is not a reasonable number for such a critical service: without DNS,
  probably all workloads running on the k8s cluster will be broken. Magnum
  now autoscales the coreDNS pod based on the number of nodes and cores.

Upgrade Notes
*************

* Using the queens (>=2.9.0) python-magnumclient, when a user executes
  ``openstack coe cluster config``, the client certificate has ``admin`` as
  Common Name (CN) and ``system:masters`` as Organization (O), which are
  required for authorization on RBAC-enabled clusters. This change in the
  client is backwards compatible, so old clusters (without RBAC enabled)
  can be reached with certificates generated by the new client. However,
  old magnum clients will generate certificates that will not be able to
  contact RBAC-enabled clusters. This issue affects only k8s_fedora_atomic
  clusters and clients <=2.8.0; note that 2.8.0 is still a queens release
  but only 2.9.0 includes the relevant patch. Finally, users can always
  generate and sign the certificates using the procedure in [0] even with
  old clients, since only the ``cluster config`` command is affected.

  [0] https://docs.openstack.org/magnum/latest/user/index.html#interfacing-with-a-secure-cluster

Security Issues
***************

* k8s_fedora: Remove the cluster role from the kubernetes-dashboard
  account. When accessing the dashboard and skipping authentication, users
  log in as the kubernetes-dashboard service account; if that service
  account holds the cluster role, users get admin access without
  authentication. An admin service account is created for this use case
  and others.

Bug Fixes
*********

* Fix etcd configuration in the k8s_fedora_atomic driver. Explicitly enable
  client and peer authentication and set the trusted CA
  (ETCD_TRUSTED_CA_FILE, ETCD_PEER_TRUSTED_CA_FILE, ETCD_CLIENT_CERT_AUTH,
  ETCD_PEER_CLIENT_CERT_AUTH). Only new clusters will benefit from the fix.

* Fix bug #1758672 [1] to protect the kubelet in the k8s_fedora_atomic
  driver. Before this patch the kubelet was listening on 0.0.0.0, and for
  clusters with floating IPs the kubelet was exposed. Also, even on
  clusters without floating IPs the kubelet was exposed inside the
  cluster. This patch allows access to the kubelet only over https and
  with the appropriate roles. The apiserver and heapster have the
  appropriate roles to access it. Finally, all read-only ports have been
  closed so as not to expose any cluster data. The only remaining open
  ports without authentication are for healthz.
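The upgrade note above says an RBAC-enabled cluster only accepts client certificates with CN ``admin`` and O ``system:masters``, which clients before 2.9.0 do not produce. The script below is an added example, not code from Magnum or python-magnumclient: it mints a client certificate with that subject against a throwaway CA (a stand-in for the cluster CA) and classifies an existing certificate so an operator can tell whether it came from a new or an old client before pointing it at an RBAC cluster. It assumes the ``openssl`` command-line tool is installed; the CA name and the ``rbac``/``legacy`` labels are this example's own.

```shell
#!/bin/sh
# Added example (not Magnum's or python-magnumclient's code). Assumes the
# openssl CLI is available. Files are written under the directory given.

# make_client_cert DIR SUBJECT: create DIR/ca.crt (a throwaway CA standing in
# for the cluster CA) if absent, then DIR/client.key and DIR/client.crt
# signed by it. SUBJECT uses openssl's /KEY=VALUE form.
make_client_cert() {
  dir="$1"; subject="$2"
  mkdir -p "$dir"
  if [ ! -f "$dir/ca.crt" ]; then
    # Self-signed CA, constructed for the example only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=example-cluster-ca" \
      -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  fi
  # Client key plus CSR with the requested subject, then sign with the CA.
  openssl req -newkey rsa:2048 -nodes \
    -subj "$subject" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.crt" 2>/dev/null
}

# classify_client_cert CERT: print "rbac" when the subject carries both
# CN=admin and O=system:masters (what the >=2.9.0 client generates), and
# "legacy" when either field is missing, which is the case the release note
# warns about for certificates from <=2.8.0 clients.
classify_client_cert() {
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
  case "$subject" in
    *CN=admin*O=system:masters*|*O=system:masters*CN=admin*) echo rbac ;;
    *) echo legacy ;;
  esac
}
```

Typical use is ``classify_client_cert ~/.kube/cert.pem`` (or whatever path ``openstack coe cluster config`` wrote); a ``legacy`` answer means the certificate was produced by an old client and should be regenerated with the 2.9.0 client or via the documented manual signing procedure.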
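The two bug fixes above only apply to newly created clusters, so an operator with existing k8s_fedora_atomic clusters has to check them by hand. The following is an added example, not a script from the Magnum repository: it audits an etcd environment file for the four variables named in the etcd fix and checks a kubelet argument string for an unauthenticated or read-only listener. The etcd variable names come from the release note; the kubelet flag names (``--anonymous-auth``, ``--authorization-mode``, ``--read-only-port``) are standard kubelet flags and are an assumption here, not copied from Magnum's ``configure-kubernetes-minion.sh``. The sample files and argument strings are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of Magnum. Audits etcd and kubelet settings that
# the 6.1.1 fixes change; only new clusters get them automatically.

# audit_etcd_env FILE: return 0 when every etcd setting the fix relies on is
# present and enabled; otherwise list the missing ones on stderr, return 1.
audit_etcd_env() {
  file="$1"; missing=""
  # Trusted CA paths must be set to a non-empty value.
  for var in ETCD_TRUSTED_CA_FILE ETCD_PEER_TRUSTED_CA_FILE; do
    grep -q "^${var}=." "$file" || missing="$missing $var"
  done
  # Client and peer certificate authentication must be explicitly on.
  for var in ETCD_CLIENT_CERT_AUTH ETCD_PEER_CLIENT_CERT_AUTH; do
    grep -q "^${var}=true$" "$file" || missing="$missing $var"
  done
  [ -z "$missing" ] && return 0
  echo "etcd: missing or disabled:$missing" >&2
  return 1
}

# audit_kubelet_args "ARGS": return 0 when anonymous access is off, requests
# are authorized via the apiserver (Webhook mode, which is what makes the
# apiserver/heapster roles meaningful) and the read-only port is disabled.
# Flag names are standard kubelet flags (assumed, not Magnum's exact set).
audit_kubelet_args() {
  args=" $1 "; problems=""
  case "$args" in *" --anonymous-auth=false "*) ;; *) problems="$problems anonymous-auth" ;; esac
  case "$args" in *" --authorization-mode=Webhook "*) ;; *) problems="$problems authorization-mode" ;; esac
  case "$args" in *" --read-only-port=0 "*) ;; *) problems="$problems read-only-port" ;; esac
  [ -z "$problems" ] && return 0
  echo "kubelet: insecure or missing flags:$problems" >&2
  return 1
}

# write_samples DIR: constructed before/after etcd files to exercise the
# audit. Paths are placeholders, not Magnum's real cert locations.
write_samples() {
  mkdir -p "$1"
  # Before the fix: server certs configured, but authentication never enabled.
  cat > "$1/etcd-before.env" <<'EOF'
ETCD_CERT_FILE=/etc/etcd/certs/server.crt
ETCD_KEY_FILE=/etc/etcd/certs/server.key
ETCD_PEER_CERT_FILE=/etc/etcd/certs/server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/certs/server.key
EOF
  # After the fix: trusted CAs set, client and peer cert auth explicitly on.
  cat > "$1/etcd-after.env" <<'EOF'
ETCD_CERT_FILE=/etc/etcd/certs/server.crt
ETCD_KEY_FILE=/etc/etcd/certs/server.key
ETCD_TRUSTED_CA_FILE=/etc/etcd/certs/ca.crt
ETCD_CLIENT_CERT_AUTH=true
ETCD_PEER_CERT_FILE=/etc/etcd/certs/server.crt
ETCD_PEER_KEY_FILE=/etc/etcd/certs/server.key
ETCD_PEER_TRUSTED_CA_FILE=/etc/etcd/certs/ca.crt
ETCD_PEER_CLIENT_CERT_AUTH=true
EOF
}

# Constructed kubelet argument strings: the pre-fix shape the release note
# describes (listening on 0.0.0.0 with nothing else) and a hardened one.
KUBELET_BEFORE="--address=0.0.0.0 --hostname-override=node-1"
KUBELET_AFTER="--anonymous-auth=false --authorization-mode=Webhook --read-only-port=0 --client-ca-file=/etc/kubernetes/certs/ca.crt"
```

On a real node the inputs would be the etcd environment file the driver writes and the kubelet's command line from ``ps`` or its systemd unit; a non-zero return from either function means the cluster predates the fix and needs rebuilding or manual reconfiguration, since the note says existing clusters are not updated.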
  [1] https://bugs.launchpad.net/magnum/+bug/1758672

Changes in magnum 6.1.0..6.1.1
------------------------------

b8f6261 k8s_fedora: Add admin user
2fc72e9 Make DNS pod autoscale
1e2774f Add calico-node on k8s master node
363095b Stop using slave_scripts/install-distro-packages.sh
1382e6f k8s_fedora: Add flannel to master nodes
fca7f0c Add missing RBAC config for Prometheus
beb124e k8s_fedora: Explicitly set etcd authentication
dba9203 k8s_fedora: Add kubelet authentication/authorization
f735c8a Add service account to daemonset in traefik
23bc667 Add reno for RBAC and client incompatibility
058d982 Check CERT_MANAGER_API if True or False
0b31332 Change swarm ClusterTemplate coe to swarm-mode

Diffstat (except docs and test files)
-------------------------------------

.../kubernetes/fragments/calico-service.sh         | 12 ++-
.../kubernetes/fragments/configure-etcd.sh         |  4 +
.../fragments/configure-kubernetes-master.sh       | 77 ++++++++++++++++-
.../fragments/configure-kubernetes-minion.sh       | 19 ++++-
.../kubernetes/fragments/core-dns-service.sh       | 96 +++++++++++++++++++++-
.../kubernetes/fragments/enable-ingress-traefik    |  1 +
.../fragments/enable-prometheus-monitoring         | 67 ++++++++++++---
.../kubernetes/fragments/enable-services-master.sh |  6 ++
.../fragments/kube-apiserver-to-kubelet-role.sh    | 28 +++++++
.../kubernetes/fragments/kube-dashboard-service.sh | 53 ++++++++----
.../kubernetes/fragments/make-cert-client.sh       |  8 +-
.../templates/kubernetes/fragments/make-cert.sh    | 94 +++++++++++++--------
.../kubernetes/fragments/network-config-service.sh |  4 +
.../fragments/write-heat-params-master.yaml        |  1 +
.../templates/kubecluster.yaml                     |  4 +
.../k8s_fedora_atomic_v1/templates/kubemaster.yaml |  5 ++
playbooks/pre/prepare-workspace-images.yaml        |  8 +-
...nd-client-incompatibility-fdfeab326dfda3bf.yaml | 20 +++++
...284-k8s-fedora-admin-user-e760f9b0edf49391.yaml |  8 ++
...ure-etcd-auth-bug-1759813-baac5e0fe8a2e97f.yaml |  7 ++
.../notes/dns-autoscale-90b63e3d71d7794e.yaml      |  8 ++
...8s_fedora_protect_kubelet-8468ddcb92c2a624.yaml | 12 +++
24 files changed, 485 insertions(+), 80 deletions(-)