The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

Chapter 3 New Features and Notable Changes

This chapter lists the new features and notable changes in each Oracle Cloud Native Environment release, including the major components delivered with Oracle Cloud Native Environment, such as Kubernetes.

3.1 Oracle Cloud Native Environment Changes

• 3.1.1 Release 1.2.5
• 3.1.2 Release 1.2.4
• 3.1.3 Release 1.2.2
• 3.1.4 Release 1.2.0
• 3.1.5 Release 1.1.10
• 3.1.6 Release 1.1.7
• 3.1.7 Release 1.1.6
• 3.1.8 Release 1.1.5
• 3.1.9 Release 1.1.4
• 3.1.10 Release 1.1.3
• 3.1.11 Release 1.1.2
• 3.1.12 Release 1.1.1
• 3.1.13 Release 1.1.0
• 3.1.14 Release 1.0.9
• 3.1.15 Release 1.0.8
• 3.1.16 Release 1.0.7
• 3.1.17 Release 1.0.6
• 3.1.18 Release 1.0.5
• 3.1.19 Release 1.0.4
• 3.1.20 Release 1.0.3
• 3.1.21 Release 1.0.2
• 3.1.22 Release 1.0.1

This section lists the changes made in each release of Oracle Cloud Native Environment.

3.1.1 Release 1.2.5

This section lists the notable changes in Release 1.2.5 of Oracle Cloud Native Environment.

The following components have been updated:

Istio Updated: Istio is updated to Release 1.9.8.

3.1.2 Release 1.2.4

This section lists the notable changes in Release 1.2.4 of Oracle Cloud Native Environment.

IP Masquerading: Setting IP masquerading is no longer required on Oracle Linux 7 control plane or worker nodes. IP masquerading is still required for Release 1.2.3 or earlier installations on Oracle Linux 7. IP masquerading configuration instructions have been removed from Updates and Upgrades as all upgrades should be made to the latest 1.2 release, which no longer requires this to be set.

The following components have been updated:

Istio Updated: Istio is updated to Release 1.9.6.

Prometheus Updated: Prometheus is updated to Release 2.21.0.

Grafana Updated: Grafana is updated to Release 7.2.1.

3.1.3 Release 1.2.2

This section lists the notable changes in Release 1.2.2 of Oracle Cloud Native Environment.

externalIPs Validation: The olcnectl module create and olcnectl module update commands are improved by adding options to set access to externalIPs in Kubernetes services.

For information on setting access to externalIPs in Kubernetes services, see Container Orchestration.

3.1.4 Release 1.2.0

This section lists the notable changes in Release 1.2.0 of Oracle Cloud Native Environment.

Oracle Linux 8: Oracle Cloud Native Environment can be installed on hosts running Oracle Linux 8 (x86_64) with the Unbreakable Enterprise Kernel Release 6 (UEK R6). A minimum of Oracle Linux 8.3 is required.

Installation Change: A new ULN channel (ol7_x86_64_olcne12) and a new Oracle Linux yum server repository (ol7_olcne12) are available for installing the Oracle Cloud Native Environment Release 1.2 packages on Oracle Linux 7. Use this new channel or repository to install or upgrade to Release 1.2 on Oracle Linux 7.

A new ULN channel (ol8_x86_64_olcne12) and a new Oracle Linux yum server repository (ol8_olcne12) are available for installing the Oracle Cloud Native Environment Release 1.2 packages on Oracle Linux 8. Use this new channel or repository to install Release 1.2 on Oracle Linux 8.

For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.

Network Interface for Kubernetes Data Plane: The olcnectl module create command is enhanced with a new --pod-network-iface option to optionally set the network interface to use for the Kubernetes data plane. For information about using the olcnectl module create command to create a Kubernetes cluster and setting the network interface for the data plane, see Container Orchestration.

SELinux: The olcnectl module create and olcnectl module update commands are improved by adding a new --selinux option to enable setting the SELinux mode for nodes in a cluster. You can set SELinux to either enforcing or permissive mode when you create a Kubernetes module, or change the setting after a Kubernetes module has been installed. For more information on setting up SELinux, see Getting Started.

TLS Configuration for Platform Agent and Platform API Server: The olcnectl command is improved by adding new global options to set TLS configuration for the Platform Agent and Platform API Server. The new global options for the olcnectl command are:

• --olcne-tls-cipher-suites

• --olcne-tls-max-version

• --olcne-tls-min-version

For more information on the new global options, see Platform Command-Line Interface.

TLS Configuration for the Kubernetes module: The olcnectl module create command is improved by adding new options to set TLS configuration for the Kubernetes module. The new options for the olcnectl module create command are:

• --kube-tls-cipher-suites

• --kube-tls-min-version

For more information on the new olcnectl module create options, see Platform Command-Line Interface.

Deprecated Platform CLI Option: The apiserver-advertise-address option in the olcnectl module create command is deprecated. This option set the IP address on which to advertise the Kubernetes API server to members of the Kubernetes cluster in a non-HA cluster, with a single control plane node. The --master-node option specifies the IP address and this deprecated option is no longer used.

3.1.5 Release 1.1.10

This section lists the notable changes in Release 1.1.10 of Oracle Cloud Native Environment.

externalIPs Validation: The olcnectl module create and olcnectl module update commands are improved by adding options to set access to externalIPs in Kubernetes services.

For information on setting access to externalIPs in Kubernetes services, see Container Orchestration.

3.1.6 Release 1.1.7

This section lists the notable changes in Release 1.1.7 of Oracle Cloud Native Environment.

Kernel Support: In addition to Unbreakable Enterprise Kernel Release 5, Unbreakable Enterprise Kernel Release 6 is now a supported kernel on Oracle Linux 7.

3.1.7 Release 1.1.6

This section lists the notable changes in Release 1.1.6 of Oracle Cloud Native Environment.

NGINX Load Balancer Updates: A new option is added to the Platform CLI to update the NGINX load balancer that can optionally be installed by the Platform CLI. A new --nginx-image option is included with the olcnectl module update command. This option is used to specify the location of the NGINX container image used to update NGINX on the control plane nodes.

For information about updating to this errata release, see Updates and Upgrades.

3.1.8 Release 1.1.5

This section lists the notable changes in Release 1.1.5 of Oracle Cloud Native Environment.

This release resolves CVE-2020-16845. This CVE relates to Go where it can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. The components updated for this are:

• Platform API Server: Updated to Release 1.1.5.

• Platform Agent: Updated to Release 1.1.5.

• Platform CLI: Updated to Release 1.1.5.

• Kata Containers: Security fixes have been back ported to Release 1.7.3.

• CRI-O: Security fixes have been back ported to Release 1.17.0.

• Kubernetes: Security fixes have been back ported to Release 1.17.9.

• Istio: Security fixes have been back ported to Release 1.14.10.

• Helm: Security fixes have been back ported to Release 3.1.1.

• Prometheus: Security fixes have been back ported to Release 2.13.1.

• Grafana: Security fixes have been back ported to Release 6.7.4.

The Platform API Server is also updated to include a fix for an issue related to the Kubernetes pod subnet flag (--pod-cidr) not being honored in the flannel configuration.

For information about updating to this errata release, see Updates and Upgrades.

3.1.9 Release 1.1.4

This section lists the notable changes in Release 1.1.4 of Oracle Cloud Native Environment.

Kata Containers Updated: Kata Containers is updated to resolve an issue where the Kata package had a hard coded dependency of a specific version of the kernel-uek-container package.

Kubernetes Updated: Kubernetes is updated to set the Kata version in the Kata meta-package.

Platform Agent Updated: The Platform Agent is updated to resolve an issue pulling container images using a proxy server. The Platform Agent now uses crictl pull instead of podman pull to pull container images.

CRI-O Updated: CRI-O is updated to resolve an issue with the default cni-plugins directory. This is now set to /opt/cni/bin instead of /usr/libexec/cni.

For information about updating to this errata release, see Updates and Upgrades.

3.1.10 Release 1.1.3

This section lists the notable changes in Release 1.1.3 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to resolve an issue where kubeadm reset does not unmount the root /var/lib/kubelet directory if it is mounted by the user.

For information about updating to this errata release, see Updates and Upgrades.

3.1.11 Release 1.1.2

This section lists the notable changes in Release 1.1.2 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.17.9 to resolve the following CVEs.

• CVE-2020-8559. This CVE relates to an issue where if an attacker is able to intercept certain requests to the kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.

• CVE-2020-8557. This CVE relates to an issue where the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Istio Updated: Istio is updated to Release 1.4.10 to resolve the following CVEs.

• CVE-2020-1764. This CVE relates to a default signing key to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.

• CVE-2020-10739. This CVE relates to an issue when sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. This could be sent to the ingress gateway or a sidecar.

• CVE-2020-11080. This CVE relates to an issue when sending a specially crafted packet, an attacker could cause the CPU to spike at 100%. This could be sent to the ingress gateway or a sidecar.

• CVE-2020-15104. This CVE relates to an issue when validating TLS certificates, Envoy incorrectly allows wildcards in DNS Subject Alternative Name (SAN) to apply to multiple subdomains.

Kata Updated: Kata security fixes have been back ported to Release 1.7.3 to resolve the following CVEs.

• CVE-2020-2024. This CVE relates to an improper link resolution vulnerability when tearing down a container. A malicious guest could trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentiality resulting in a host Denial of Service.

• CVE-2020-2025. This CVE relates to persistent guest file system changes to the underlying image file on the host. A malicious guest could overwrite the image file to gain control of all subsequent guest virtual machines.

• CVE-2020-2026. This CVE relates to mounting the untrusted container file system on any host path. A malicious guest that is compromised before a container creation can trick the kata-runtime into mounting the untrusted container file system on any host path, potentially allowing for code execution on the host.

For information about updating to this errata release, see Updates and Upgrades.

3.1.12 Release 1.1.1

This section lists the notable changes in Release 1.1.1 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.17.6 to resolve two CVEs.

• CVE-2020-8555. This CVE relates to a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager.

• CVE-2020-10749. This CVE relates to a man-in-the-middle vulnerability.

Grafana Updated: Grafana is updated to Release 6.7.4 to resolve CVE-2020-13379. This CVE relates to an incorrect access control issue in Grafana.

For information about updating to this errata release, see Updates and Upgrades.

3.1.13 Release 1.1.0

This section lists the notable changes in Release 1.1.0 of Oracle Cloud Native Environment.

• Kubernetes Updated to 1.17: Kubernetes 1.17 is the default release installed on nodes in a new cluster in Oracle Cloud Native Environment. Existing Kubernetes Release 1.14 deployments can be upgraded to Release 1.17. For information about upgrading to Release 1.1, see Updates and Upgrades.

• Kubernetes Cluster Scaling: The olcnectl module update command is enhanced so that you can now scale a Kubernetes cluster by either adding control plane and worker nodes to it or removing control plane and worker nodes from it. For information about using the olcnectl module update command to scale a Kubernetes cluster, see Container Orchestration.

• Service Mesh: A new module is available to deploy a service mesh to a Kubernetes cluster. The Istio module for Oracle Cloud Native Environment deploys a service mesh in Oracle Cloud Native Environment. Grafana is deployed as part of the service mesh. For information about deploying and using a service mesh, see Service Mesh. For information about using Grafana, see Monitoring and Visualization.

• Firewall Changes: Masquerading no longer needs to be enabled in the firewall on Kubernetes nodes. Instead, the cni0 interface must be added to the trusted zone on nodes. For information on firewall and network requirements for Kubernetes nodes, see Getting Started.

• Installation Change: A new ULN channel (ol7_x86_64_olcne11) and a new Oracle Linux yum server repository (ol7_olcne11) are available for installing the Oracle Cloud Native Environment Release 1.1 packages. Use this new channel or repository to install or upgrade to Release 1.1. For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.

3.1.14 Release 1.0.9

This section lists the notable changes in Release 1.0.9 of Oracle Cloud Native Environment.

Kernel Support: In addition to Unbreakable Enterprise Kernel Release 5, Unbreakable Enterprise Kernel Release 6 is now a supported kernel on Oracle Linux 7.

3.1.15 Release 1.0.8

This section lists the notable changes in Release 1.0.8 of Oracle Cloud Native Environment.

NGINX Load Balancer Updates: A new option is added to the Platform CLI to update or upgrade the NGINX load balancer that can optionally be installed by the Platform CLI. A new --nginx-image option is included with the olcnectl module update command. This option is used to specify the location of the NGINX container image used to update or upgrade NGINX on the control plane nodes.

For information about updating to this errata release, see Updates and Upgrades.

3.1.16 Release 1.0.7

This section lists the notable changes in Release 1.0.7 of Oracle Cloud Native Environment.

This release resolves CVE-2020-16845. This CVE relates to Go where it can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs. The components updated for this are:

• Platform API Server: Updated to Release 1.0.7.

• Platform Agent: Updated to Release 1.0.7.

• Platform CLI: Updated to Release 1.0.7.

• Kata Containers: Security fixes have been back ported to Release 1.7.3.

• CRI-O: Security fixes have been back ported to Release 1.14.7.

• Kubernetes: Security fixes have been back ported to Release 1.14.9.

The Platform API Server is also updated to include a fix for an issue related to the Kubernetes pod subnet flag (--pod-cidr) not being honored in the flannel configuration.

For information about updating to this errata release, see Updates and Upgrades.

3.1.17 Release 1.0.6

This section lists the notable changes in Release 1.0.6 of Oracle Cloud Native Environment.

Kata Containers Updated: Kata Containers is updated to resolve an issue where the Kata package had a hard coded dependency of a specific version of the kernel-uek-container package.

Kubernetes Updated: Kubernetes is updated to set the Kata version in the Kata meta-package.

For information about updating to this errata release, see Updates and Upgrades.

3.1.18 Release 1.0.5

This section lists the notable changes in Release 1.0.5 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes security fixes have been pack ported to Release 1.14.9 to resolve the following CVEs.

• CVE-2020-8559. This CVE relates to an issue where if an attacker is able to intercept certain requests to the kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.

• CVE-2020-8557. This CVE relates to an issue where the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Kata Updated: Kata security fixes have been back ported to Release 1.7.3 to resolve the following CVEs.

• CVE-2020-2024. This CVE relates to an improper link resolution vulnerability when tearing down a container. A malicious guest could trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentiality resulting in a host Denial of Service.

• CVE-2020-2025. This CVE relates to persistent guest file system changes to the underlying image file on the host. A malicious guest could overwrite the image file to gain control of all subsequent guest virtual machines.

• CVE-2020-2026. This CVE relates to mounting the untrusted container file system on any host path. A malicious guest that is compromised before a container creation can trick the kata-runtime into mounting the untrusted container file system on any host path, potentially allowing for code execution on the host.

For information about updating to this errata release, see Updates and Upgrades.

3.1.19 Release 1.0.4

This section lists the notable changes in Release 1.0.4 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.14.9 to resolve two CVEs.

• CVE-2020-8555. This CVE relates to a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager.

• CVE-2020-10749. This CVE relates to a man-in-the-middle vulnerability.

For information about updating to this errata release, see Updates and Upgrades.

3.1.20 Release 1.0.3

This section lists the notable changes in Release 1.0.3 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.14.9 to resolve CVE-2019-11254. This CVE relates to a denial of service vulnerability in the kube-apiserver. For information about updating to this errata release, see Updates and Upgrades.

3.1.21 Release 1.0.2

This section lists the notable changes in Release 1.0.2 of Oracle Cloud Native Environment.

Kubernetes Updates: The olcnectl module update command failed to update the Kubernetes module for Oracle Cloud Native Environment. Running this command caused the Kubernetes cluster to become unstable. This issue is fixed in this release. If there are no Kubernetes module updates available, the cluster is not updated.

3.1.22 Release 1.0.1

This section lists the notable changes in Release 1.0.1 of Oracle Cloud Native Environment.

• Oracle Cloud Native Environment Updates: A procedure is added to the documentation to show how to update the Oracle Cloud Native Environment packages on each node. For information on updating the packages, see Updates and Upgrades.

• Kubernetes Updates: The olcnectl module update command is added to enable updates to the Kubernetes module. This command updates the Kubernetes release on each node in an environment.

  Important

  Make sure you update the Oracle Cloud Native Environment packages to Release 1.0.1 on each node before you update the Kubernetes module.

  For information on using the olcnectl module update command to update the Kubernetes release, see Updates and Upgrades.

• Kubernetes Installation: The olcnectl module install command is changed to automatically install the Kubernetes packages, and enable and start the crio and kubelet services. You no longer need to manually install the Kubernetes packages or enable and start these services before installing the Kubernetes module. For information on using the olcnectl module install command to install a Kubernetes module, see Container Orchestration.

• Load Balancer Installation: The olcnectl module install command used with the --virtual-ip option is changed to automatically deploy the load balancer that comes with Oracle Cloud Native Environment. As part of deploying the load balancer, NGINX and keepalived are installed on the control plane nodes, and the olcne-nginx and keepalived services are enabled and started. For information on creating a highly available Kubernetes cluster using the load balancer deployed by the Oracle Cloud Native Environment Platform Command-Line Interface, see Container Orchestration.

3.2 Kubernetes Changes

• 3.2.1 Release 1.18
• 3.2.2 Release 1.17
• 3.2.3 Release 1.14

This section lists the notable changes delivered as updates to the Kubernetes module for Oracle Cloud Native Environment.

3.2.1 Release 1.18

Kubernetes Release 1.18 is based on the upstream Release 1.18. A cumulative list of the major changes in this release includes:

Features

• The Container Storage Interface Driver API is now generally available and is now available under storage.k8s.io/v1.

• BlockVolume and CSIBlockVolume have reached general availability. This feature allows a block volume to be presented to a pod directly as a block volume, not a file-system.

Administrator Changes

• The kubectl run command no longer supports deprecated generators of ReplicationController, Deployment, Job and CronJob and now only creates Pods. If you need to create these objects use kubectl create.

• The kubectl flag of --server-dry-run that specifies server side dry runs is deprecated. The --dry-run= flag which had been used to specify only client side dry runs, now also specifies server side dry runs. Valid options are server, client or none.

API Changes

• The following APIs were made read only, in 1.2. The APIs are now removed:

  • extensions/v1beta1: Use the policy/v1beta1 API for Pod security policy resources instead.

  • extensions/v1beta1: Use the networking.k8s.io/v1 API Network policy resources instead.

  • extensions/v1beta1, apps/v1beta1, and apps/v1beta2 APIs : Use the apps/v1 API for the daemon set, deployment, and replica set resources instead.

  • scheduling.k8s.io/v1beta1 and scheduling.k8s.io/v1alpha1 APIs: Use the scheduling.k8s.io/v1 API for the priority class resources instead.

3.2.2 Release 1.17

Kubernetes Release 1.17 is based on the upstream Release 1.17. A cumulative list of the major changes in Kubernetes Release 1.15 through to Release 1.17 includes:

Administrator Changes

• Custom resource definitions are now available and have been improved with pruning, defaulting, and OpenAPI publishing.

• As an extensibility mechanism, admission plugins can be developed as extensions and can now be run as webhooks configured at runtime.

• A global metrics registry has been implemented to register metrics to be exposed in a more transparent means.

• The Container Storage Interface (CSI) has been further improved to help migrate in-tree volume plugins to the CSI.

• Certificate management is more robust with kubeadm seamlessly rotating all certificates (on upgrades) before they expire.

• There are now improvements for scheduling nodes by using items such as schedule daemon set pods, taint nodes by condition, and node lease.

• The kubectl get and kubectl describe commands now work with Kubernetes API extensions.

• The kubectl convert command has been removed.

API Changes

• Pod security policy resources have been changed from the extensions/v1beta1 API to the policy/v1beta1 API. Existing persisted data can be retrieved via the policy/v1beta1 API.

• Network policy resources have been changed from the extensions/v1beta1 API to the networking.k8s.io/v1 API. Existing persisted data can be retrieved via the networking.k8s.io/v1 API.

• The daemon set, deployment, and replica set resources have been changed from the extensions/v1beta1, apps/v1beta1, or apps/v1beta2 APIs to the apps/v1 API. Existing persisted data can be retrieved via the apps/v1 API.

• Priority class resources have been changed from the scheduling.k8s.io/v1beta1 and scheduling.k8s.io/v1alpha1 APIs to the scheduling.k8s.io/v1 API. Existing persisted data can be retrieved via the scheduling.k8s.io/v1 API.

3.2.3 Release 1.14

Kubernetes Release 1.14 is based on the upstream Release 1.14. Major changes in Kubernetes Release 1.14 include:

• Kubernetes Updated: The upstream Kubernetes Release 1.14 software is packaged as a Certified Kubernetes distribution for Oracle Linux.

• Oracle Cloud Native Environment Module: Kubernetes is now a component of the Oracle Cloud Native Environment (known as the Kubernetes module for Oracle Cloud Native Environment). This provides a new set up, configuration, and deployment utility provided by the Oracle Cloud Native Environment Platform Command-Line Interface (the Platform CLI). For information on using Oracle Cloud Native Environment to deploy and manage the Kubernetes module, see Getting Started and Container Orchestration.

• Deprecated Set up Scripts: The kubeadm-setup.sh and kubeadm-ha-setup utilities are deprecated. The deployment of the Kubernetes module is now performed using the Platform CLI. For information on using the Platform CLI, see Platform Command-Line Interface.

• Back up and Restore: Backing up and restoring a Kubernetes control plane node is now performed using the Platform CLI. For information on backing up and restoring a control plane node, see Container Orchestration.

• Runtime Engines: Oracle Container Runtime for Docker is no longer the container runtime engine. CRI-O is now used to delegate container runtimes. CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using Open Container Initiative (OCI) compatible runtimes. The new runtime engines are runC and Kata Containers. The Kata Containers runtime engine uses lightweight virtual machines for improved container isolation. For information on the runtime engines, see Container Runtimes.

• High Availability: A load balancer is provided for high availability Kubernetes clusters. You can also use your own load balancer. For information on setting up the load balancer deployed by the Platform CLI, see Getting Started.

Copyright © 2020, 2021, Oracle and/or its affiliates.