OpenShift 1.5/3.5 Release Notes Tracker

[0xmichalis]

All notes related to the Origin 1.5 / OCP 3.5 release

[0xmichalis]

activeDeadlineSeconds is now configurable for deployer pods via the deployment config api

openshift/origin#12276

[marun]

The default value for ingressIPNetworkCIDR was previously a non-private range (172.46.0.0/16) and has been changed to a private range (172.29.0.0/16). Clusters configured with the non-private range run the risk of routing issues, and updating to a private range is advised. Warning: when ingressIPNetworkCIDR changes, any external ip's allocated from the previous range will be reallocated from the new range.

openshift/origin#12379

[benjaminapetersen]

@eng role reconciliation? openshift/origin#11328

[enj]

Sorry @eng @benjaminapetersen meant to say @enj

[enj]

openshift/origin#11328 will need the cluster admin to run oadm policy reconcile-cluster-roles (with the latest version of oc) to reconcile the following cluster roles (assuming those roles do not have the openshift.io/reconcile-protect annotation):

clusterrole/cluster-admin
clusterrole/sudoer
clusterrole/cluster-reader
clusterrole/system:build-strategy-docker
clusterrole/system:build-strategy-custom
clusterrole/system:build-strategy-source
clusterrole/system:build-strategy-jenkinspipeline
clusterrole/admin
clusterrole/edit
clusterrole/view
clusterrole/basic-user
clusterrole/self-access-reviewer
clusterrole/self-provisioner
clusterrole/cluster-status
clusterrole/system:image-auditor
clusterrole/system:image-puller
clusterrole/system:image-pusher
clusterrole/system:image-builder
clusterrole/system:image-pruner
clusterrole/system:image-signer
clusterrole/system:deployer
clusterrole/system:master
clusterrole/system:oauth-token-deleter
clusterrole/system:router
clusterrole/system:registry
clusterrole/system:node-proxier
clusterrole/system:node-admin
clusterrole/system:node-reader
clusterrole/system:node
clusterrole/system:sdn-reader
clusterrole/system:sdn-manager
clusterrole/system:webhook
clusterrole/registry-admin
clusterrole/registry-editor
clusterrole/registry-viewer

[enj]

UPDATE: The will probably not make it for 3.5.

---

openshift/origin#11909 will need the cluster admin to cleanup legacy oauthclientauthorization data by running:

oc get oauthclientauthorization -o jsonpath="{range .items[*]}{.metadata.name}{\"\\n\"}{end}" | grep -v '::' | xargs -n 1 echo oc delete oauthclientauthorization

This will output values such as (but will not delete anything):

oc delete oauthclientauthorization developer1:system:serviceaccount:myproject:jenkins
oc delete oauthclientauthorization developer:system:serviceaccount:myproject:jenkins

All values should be in the format <username>:system:serviceaccount:<projectname>:<serviceaccountname> (the new format is <username>::system:serviceaccount:<projectname>:<serviceaccountname> - note the :: instead of : after <username>). Upon confirming this, the cluster admin can pipe the previous script to BASH to actually delete the legacy data.

[enj]

cc @sdodson

[enj]

@sdodson This will probably not make it for 3.5.

[soltysh]

Add this type of notice for CronJobs for 3.5:

In version 3.5 ScheduledJob is renamed to CronJob. If you want to keep your ScheduledJob-s you need to export them from the 3.4 cluster (using oc export or oc get -o yaml) and create them again after the upgrade, on the 3.5 cluster. This is because the storage prefix has changed, along with the name, and newly created clusters don't know where to look for ScheduledJob-s.
Cluster version 3.5 operates on CronJobs, but it also understand ScheduledJob submitted to it, and performs on-the-fly conversion saving your newly created object as a CronJob, resulting in all subsequent read operations returning CronJob, instead.

[liggitt]

The groups field in the User object is deprecated (openshift/origin#12870).

Instead, create Group API objects containing the names of the users that are members of the group.

[liggitt]

oc whoami --token was deprecated in 1.4 in favor of oc whoami -t, and oc whoami --context is deprecated in favor of oc whoami -c. The --token and --context options now behave consistently with all other oc commands, indicating the specified token/context should be used.

[soltysh]

extensions/v1beta1.Job is deprecated in favor of using batch/v1.Job. The storage should be updated (see <put here link to manual upgrades 1.5/3.5> - the PR for that is #3709) to keep the Jobs readable in future versions of the cluster.

[sdodson]

OCP 3.5 requires that the rhel-7-fast-datapath repo be enabled. #3686 for that

[bparees]

template instantiation now respects namespaces defined in the template objects (meaning it will create the object in specified namespace) if and only if the namespace definition uses a parameter reference. (previously it never respected the namespace defined in the object).

[liggitt]

Clusters using the RequestHeaderIdentityProvider should ensure the configured loginURL ends with .../authorize?${query} (with no trailing slash after /authorize), and that subpaths of that URL proxy to subpaths of https://<master>/oauth/authorize. This ensures that OAuth grant approval flows work properly when authentication via an auth proxy.

See #4079

[ahardin-rh]

@soltysh Is CronJob (formerly ScheduledJob) still considered Tech Preview for 3.5?

[soltysh]

@soltysh Is CronJob (formerly ScheduledJob) still considered Tech Preview for 3.5?

To my knowledge - yes, but I'll ask @pweil- to confirm that.

[pweil-]

Still alpha upstream so yes to Tech Preview.

[liggitt]

the project names openshift, kube, and kubernetes, and the project prefixes openshift-, kube-, and kubernetes- are reserved and cannot be requested via the projectrequests API:

openshift/origin#13673

[sdodson]

the project names openshift, kube, and kubernetes, and the project prefixes openshift-, kube-, and kubernetes- are reserved and cannot be requested via the projectrequests API:

And should be removed before upgrading to 3.5, there's a check in the upgrade that blocks the upgrade if they exist.