Ussuri Series Release Notes

2.0.0

New Features

  • Added support for Octavia VIP access control lists. This new Octavia API allows users to limit incoming traffic to a set of allowed CIDRs. Kuryr uses it to enforce Network Policies on services, changing the security group associated with the load balancer through this new API instead of directly. As a result, Kuryr no longer needs admin privileges to restrict access to the load balancers' VIPs.

Upgrade Notes

  • Python 2.7 support has been dropped. The last release of Kuryr-Kubernetes to support py2.7 is OpenStack Train. The minimum version of Python now supported by Kuryr-Kubernetes is Python 3.6.

  • In order to prioritize running kuryr-kubernetes services as pods on the Kubernetes cluster they are supposed to serve, the default values of [kubernetes]ssl_ca_crt_file and [kubernetes]token_file are now set to the locations where Kubernetes mounts those files in pods (/var/run/secrets/kubernetes.io/serviceaccount/ca.crt and /var/run/secrets/kubernetes.io/serviceaccount/token). This means that if you want to run Kuryr services standalone against an unauthenticated K8s endpoint, you need to set both of them to "" in kuryr.conf.

  • Since kuryr-kubernetes works with the pod-resource-service provided by kubelet and can now obtain the particular virtual function chosen by sriov-device-plugin, there is no need to keep the config option mapping physnets to physical devices.
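
The check below is an added example, not code from Kuryr-Kubernetes: it audits a kuryr.conf text for the two [kubernetes] options named in the upgrade note above and reports whether the file relies on the new in-pod defaults, clears both options for a standalone unauthenticated endpoint, or clears only one. The function name, the mode labels and the sample files are assumptions made for illustration, as is the handling of a quoted "" as an empty value.

```python
import configparser

# Defaults named in the upgrade note: where Kubernetes mounts the service
# account CA bundle and token inside a pod.
DEFAULTS = {
    "ssl_ca_crt_file": "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
    "token_file": "/var/run/secrets/kubernetes.io/serviceaccount/token",
}


def audit_k8s_auth(conf_text):
    """Return per-option state and an overall mode for a kuryr.conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    options = {}
    for name, default in DEFAULTS.items():
        raw = parser.get("kubernetes", name, fallback=None)
        if raw is None:
            options[name] = ("default", default)  # absent: new default applies
            continue
        # Assumption: surrounding quotes are dropped on load, so "" is empty.
        value = raw.strip().strip("\"'")
        if value == "":
            options[name] = ("disabled", "")
        elif value == default:
            options[name] = ("default", value)
        else:
            options[name] = ("custom", value)
    disabled = [n for n, (state, _) in options.items() if state == "disabled"]
    if len(disabled) == 2:
        mode = "standalone-unauthenticated"  # both cleared, as the note describes
    elif len(disabled) == 1:
        mode = "inconsistent"  # the note says to clear both, not one
    else:
        mode = "credentials-configured"
    return {"options": options, "mode": mode, "disabled": disabled}


# Constructed sample files, not taken from a real deployment.
SAMPLE_STANDALONE = '[kubernetes]\nssl_ca_crt_file = ""\ntoken_file = ""\n'
SAMPLE_PARTIAL = "[kubernetes]\ntoken_file =\n"
SAMPLE_IN_POD = "[kubernetes]\napi_root = https://k8s.example.test:6443\n"

if __name__ == "__main__":
    for label, text in [("standalone", SAMPLE_STANDALONE),
                        ("partial", SAMPLE_PARTIAL), ("in-pod", SAMPLE_IN_POD)]:
        print(label, audit_k8s_auth(text)["mode"])
```

A file that upgrades without touching these options lands in the "credentials-configured" mode with both options in the "default" state, which is the case to review for hosts that run the services outside a pod.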

Deprecation Notes

  • Configuration sections [namespace_handler_caching], [np_handler_caching] and [vif_handler_caching] have been deprecated due to simplifying quota usage calculation for readiness checks. Instead of counting Neutron objects (ports, sg, subnets, and networks), the quota_details extension is used, which includes used, limit and reserved counts per resource. In this way, caching becomes unnecessary.

  • Support for OpenShift’s Routes (Ingress) is removed, as it is neither maintained nor tested; OpenShift route pods can be used instead.

  • Support for namespace isolation is now deprecated and will be removed on the first occasion as the same effect can now be achieved using Network Policies support.