The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.

Chapter 3 New Features and Notable Changes

This chapter lists the new features and notable changes in each Oracle Cloud Native Environment release.

3.1 Release 1.3.5

This section lists the notable changes in Release 1.3.5 of Oracle Cloud Native Environment.

The following components have been updated:

Istio Updated: Istio is updated to Release 1.12.6.

Prometheus Updated: Prometheus is updated to Release 2.30.1.

Grafana Updated: Grafana is updated to Release 7.5.15.

3.2 Release 1.3.2

This section lists the notable changes in Release 1.3.2 of Oracle Cloud Native Environment.

The following components have been updated:

Kubernetes Updated: Kubernetes is updated to Release 1.20.11.

Istio Updated: Istio is updated to Release 1.10.4.

3.3 Release 1.3.1

This section lists the notable changes in Release 1.3.1 of Oracle Cloud Native Environment.

IP Masquerading: Setting IP masquerading is no longer required on Oracle Linux 7 control plane or worker nodes. IP masquerading is still required for Release 1.3.0 installations on Oracle Linux 7. IP masquerading configuration instructions have been removed from Updates and Upgrades as all upgrades should be made to the latest 1.3 release, which no longer requires this to be set.

The following component has been updated:

Istio Updated: Istio is updated to Release 1.10.2.

3.4 Release 1.3.0

This section lists the notable changes in Release 1.3.0 of Oracle Cloud Native Environment.

Operator Lifecycle Manager: A new Operator Lifecycle Manager module is added. This module can be used to install and manage Kubernetes operators in a Kubernetes cluster.

For information on installing and using the Operator Lifecycle Manager module, see Container Orchestration.

Kubernetes Updated: Kubernetes is updated to Release 1.20.6.

CRI-O Updated: CRI-O is updated to Release 1.20.2.

Kata Containers Updated: Kata Containers is updated to Release 1.12.1.

Helm Updated: Helm is updated to Release 3.5.4.

Istio Updated: Istio is updated to Release 1.8.5.

Prometheus Updated: Prometheus is updated to Release 2.21.0.

Grafana Updated: Grafana is updated to Release 7.2.1.

Installation Change: A new ULN channel (ol7_x86_64_olcne13) and a new Oracle Linux yum server repository (ol7_olcne13) are available for installing the Oracle Cloud Native Environment Release 1.3 packages on Oracle Linux 7. Use this new channel or repository to install or upgrade to Release 1.3 on Oracle Linux 7.

A new ULN channel (ol8_x86_64_olcne13) and a new Oracle Linux yum server repository (ol8_olcne13) are available for installing the Oracle Cloud Native Environment Release 1.3 packages on Oracle Linux 8. Use this new channel or repository to install Release 1.3 on Oracle Linux 8.

For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.

Deprecation Notice: Oracle Linux 7 running Unbreakable Enterprise Kernel Release 5 (UEK R5) is planned to be removed as a supported kernel in Oracle Cloud Native Environment Release 1.4. Oracle Cloud Native Environment Release 1.3 is the last release in which this kernel can be used.

3.5 Release 1.2.5

This section lists the notable changes in Release 1.2.5 of Oracle Cloud Native Environment.

The following component has been updated:

Istio Updated: Istio is updated to Release 1.9.8.

3.6 Release 1.2.4

This section lists the notable changes in Release 1.2.4 of Oracle Cloud Native Environment.

IP Masquerading: Setting IP masquerading is no longer required on Oracle Linux 7 control plane or worker nodes. IP masquerading is still required for Release 1.2.3 or earlier installations on Oracle Linux 7. IP masquerading configuration instructions have been removed from Updates and Upgrades as all upgrades should be made to the latest 1.2 release, which no longer requires this to be set.

The following components have been updated:

Istio Updated: Istio is updated to Release 1.9.6.

Prometheus Updated: Prometheus is updated to Release 2.21.0.

Grafana Updated: Grafana is updated to Release 7.2.1.

3.7 Release 1.2.2

This section lists the notable changes in Release 1.2.2 of Oracle Cloud Native Environment.

externalIPs Validation: The olcnectl module create and olcnectl module update commands are improved by adding options to set access to externalIPs in Kubernetes services.

For information on setting access to externalIPs in Kubernetes services, see Container Orchestration.

3.8 Release 1.2.0

This section lists the notable changes in Release 1.2.0 of Oracle Cloud Native Environment.

Oracle Linux 8: Oracle Cloud Native Environment can be installed on hosts running Oracle Linux 8 (x86_64) with the Unbreakable Enterprise Kernel Release 6 (UEK R6). A minimum of Oracle Linux 8.3 is required.

Installation Change: A new ULN channel (ol7_x86_64_olcne12) and a new Oracle Linux yum server repository (ol7_olcne12) are available for installing the Oracle Cloud Native Environment Release 1.2 packages on Oracle Linux 7. Use this new channel or repository to install or upgrade to Release 1.2 on Oracle Linux 7.

A new ULN channel (ol8_x86_64_olcne12) and a new Oracle Linux yum server repository (ol8_olcne12) are available for installing the Oracle Cloud Native Environment Release 1.2 packages on Oracle Linux 8. Use this new channel or repository to install Release 1.2 on Oracle Linux 8.

For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.

Network Interface for Kubernetes Data Plane: The olcnectl module create command is enhanced with a new --pod-network-iface option to optionally set the network interface to use for the Kubernetes data plane. For information about using the olcnectl module create command to create a Kubernetes cluster and setting the network interface for the data plane, see Container Orchestration.

SELinux: The olcnectl module create and olcnectl module update commands are improved by adding a new --selinux option to enable setting the SELinux mode for nodes in a cluster. You can set SELinux to either enforcing (recommended) or permissive mode when you create a Kubernetes module, or change the setting after a Kubernetes module has been installed.

TLS Configuration for Platform Agent and Platform API Server: The olcnectl command is improved by adding new global options to set TLS configuration for the Platform Agent and Platform API Server. The new global options for the olcnectl command are:

  • --olcne-tls-cipher-suites

  • --olcne-tls-max-version

  • --olcne-tls-min-version

For more information on the new global options, see Platform Command-Line Interface.

TLS Configuration for the Kubernetes module: The olcnectl module create command is improved by adding new options to set TLS configuration for the Kubernetes module. The new options for the olcnectl module create command are:

  • --kube-tls-cipher-suites

  • --kube-tls-min-version

For more information on the new olcnectl module create options, see Platform Command-Line Interface.

Deprecated Platform CLI Option: The --apiserver-advertise-address option in the olcnectl module create command is deprecated. This option sets the IP address on which to advertise the Kubernetes API server to members of the Kubernetes cluster in a non-HA cluster with a single control plane node. The --master-nodes option now specifies the IP address, and this deprecated option is no longer used.

3.9 Release 1.1.10

This section lists the notable changes in Release 1.1.10 of Oracle Cloud Native Environment.

externalIPs Validation: The olcnectl module create and olcnectl module update commands are improved by adding options to set access to externalIPs in Kubernetes services.

For information on setting access to externalIPs in Kubernetes services, see Container Orchestration.

3.10 Release 1.1.7

This section lists the notable changes in Release 1.1.7 of Oracle Cloud Native Environment.

Kernel Support: In addition to Unbreakable Enterprise Kernel Release 5, Unbreakable Enterprise Kernel Release 6 is now a supported kernel on Oracle Linux 7.

3.11 Release 1.1.6

This section lists the notable changes in Release 1.1.6 of Oracle Cloud Native Environment.

NGINX Load Balancer Updates: A new option is added to the Platform CLI to update the NGINX load balancer that can optionally be installed by the Platform CLI. A new --nginx-image option is included with the olcnectl module update command. This option is used to specify the location of the NGINX container image used to update NGINX on the control plane nodes.

For information about updating to this errata release, see Updates and Upgrades.

3.12 Release 1.1.5

This section lists the notable changes in Release 1.1.5 of Oracle Cloud Native Environment.

This release resolves CVE-2020-16845. This CVE relates to Go, in which ReadUvarint and ReadVarint in encoding/binary can enter an infinite read loop on invalid input. The components updated for this are:

  • Platform API Server: Updated to Release 1.1.5.

  • Platform Agent: Updated to Release 1.1.5.

  • Platform CLI: Updated to Release 1.1.5.

  • Kata Containers: Security fixes have been backported to Release 1.7.3.

  • CRI-O: Security fixes have been backported to Release 1.17.0.

  • Kubernetes: Security fixes have been backported to Release 1.17.9.

  • Istio: Security fixes have been backported to Release 1.14.10.

  • Helm: Security fixes have been backported to Release 3.1.1.

  • Prometheus: Security fixes have been backported to Release 2.13.1.

  • Grafana: Security fixes have been backported to Release 6.7.4.

The Platform API Server is also updated to include a fix for an issue related to the Kubernetes pod subnet flag (--pod-cidr) not being honored in the flannel configuration.
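As an added illustration, not code from the Oracle documentation or from Go itself, the following Go wrapper shows the defensive shape a varint reader takes against the CVE-2020-16845 input pattern named above: ReadUvarintBounded and boundedByteReader are hypothetical helpers that cap how many bytes the standard decoder may consume, and the sample inputs are constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// ErrVarintTooLong is returned when a varint has not terminated within
// binary.MaxVarintLen64 (10) bytes, the longest valid encoding of a uint64.
var ErrVarintTooLong = errors.New("varint longer than MaxVarintLen64 bytes")

// boundedByteReader hands out at most n bytes from r and then fails, so a
// decoder that only stops on a byte without the continuation bit can never
// read past the longest legal encoding. (Hypothetical helper.)
type boundedByteReader struct {
	r io.ByteReader
	n int
}

func (b *boundedByteReader) ReadByte() (byte, error) {
	if b.n <= 0 {
		return 0, ErrVarintTooLong
	}
	b.n--
	return b.r.ReadByte()
}

// ReadUvarintBounded (hypothetical helper, not part of Go or Oracle Cloud
// Native Environment) decodes with the standard library but caps the bytes
// the decoder may consume. On a Go runtime without the CVE-2020-16845 fix,
// binary.ReadUvarint keeps looping while bytes with the high bit set keep
// arriving; the cap turns that into an error instead of a hang.
func ReadUvarintBounded(r io.ByteReader) (uint64, error) {
	return binary.ReadUvarint(&boundedByteReader{r: r, n: binary.MaxVarintLen64})
}

// endlessContinuation models the CVE-2020-16845 input pattern: an unbounded
// stream of 0x80 bytes, each of which says "more bytes follow".
type endlessContinuation struct{}

func (endlessContinuation) ReadByte() (byte, error) { return 0x80, nil }

func main() {
	// Constructed sample: 300 encoded as the two-byte varint 0xAC 0x02.
	v, err := ReadUvarintBounded(bytes.NewReader([]byte{0xAC, 0x02}))
	fmt.Println(v, err) // 300 <nil>
	_, err = ReadUvarintBounded(endlessContinuation{})
	fmt.Println(err) // non-nil on every Go version; never an infinite loop
}
```

On a patched runtime the error for the endless stream comes from the standard decoder's own overflow check, on an unpatched one from the cap; either way the call returns.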

For information about updating to this errata release, see Updates and Upgrades.

3.13 Release 1.1.4

This section lists the notable changes in Release 1.1.4 of Oracle Cloud Native Environment.

Kata Containers Updated: Kata Containers is updated to resolve an issue where the Kata package had a hard-coded dependency on a specific version of the kernel-uek-container package.

Kubernetes Updated: Kubernetes is updated to set the Kata version in the Kata meta-package.

Platform Agent Updated: The Platform Agent is updated to resolve an issue pulling container images using a proxy server. The Platform Agent now uses crictl pull instead of podman pull to pull container images.

CRI-O Updated: CRI-O is updated to resolve an issue with the default cni-plugins directory. This is now set to /opt/cni/bin instead of /usr/libexec/cni.

For information about updating to this errata release, see Updates and Upgrades.

3.14 Release 1.1.3

This section lists the notable changes in Release 1.1.3 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to resolve an issue where kubeadm reset does not unmount the root /var/lib/kubelet directory if it is mounted by the user.

For information about updating to this errata release, see Updates and Upgrades.

3.15 Release 1.1.2

This section lists the notable changes in Release 1.1.2 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.17.9 to resolve the following CVEs.

  • CVE-2020-8559. This CVE relates to an issue in which an attacker who is able to intercept certain requests to the kubelet can send a redirect response that a client may follow using the credentials from the original request. This can lead to compromise of other nodes.

  • CVE-2020-8557. This CVE relates to an issue where the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.

Istio Updated: Istio is updated to Release 1.4.10 to resolve the following CVEs.

  • CVE-2020-1764. This CVE relates to a default signing key to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.

  • CVE-2020-10739. This CVE relates to an issue in which an attacker, by sending a specially crafted packet, could trigger a Null Pointer Exception resulting in a Denial of Service. The packet could be sent to the ingress gateway or a sidecar.

  • CVE-2020-11080. This CVE relates to an issue in which an attacker, by sending a specially crafted packet, could cause the CPU to spike at 100%. The packet could be sent to the ingress gateway or a sidecar.

  • CVE-2020-15104. This CVE relates to an issue in which, when validating TLS certificates, Envoy incorrectly allows wildcards in DNS Subject Alternative Names (SANs) to apply to multiple subdomains.

Kata Updated: Kata security fixes have been backported to Release 1.7.3 to resolve the following CVEs.

  • CVE-2020-2024. This CVE relates to an improper link resolution vulnerability when tearing down a container. A malicious guest could trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentially resulting in a host Denial of Service.

  • CVE-2020-2025. This CVE relates to persistent guest file system changes to the underlying image file on the host. A malicious guest could overwrite the image file to gain control of all subsequent guest virtual machines.

  • CVE-2020-2026. This CVE relates to mounting the untrusted container file system on any host path. A malicious guest that is compromised before a container creation can trick the kata-runtime into mounting the untrusted container file system on any host path, potentially allowing for code execution on the host.

For information about updating to this errata release, see Updates and Upgrades.

3.16 Release 1.1.1

This section lists the notable changes in Release 1.1.1 of Oracle Cloud Native Environment.

Kubernetes Updated: Kubernetes is updated to Release 1.17.6 to resolve two CVEs.

  • CVE-2020-8555. This CVE relates to a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager.

  • CVE-2020-10749. This CVE relates to a man-in-the-middle vulnerability.

Grafana Updated: Grafana is updated to Release 6.7.4 to resolve CVE-2020-13379. This CVE relates to an incorrect access control issue in Grafana.

For information about updating to this errata release, see Updates and Upgrades.

3.17 Release 1.1.0

This section lists the notable changes in Release 1.1.0 of Oracle Cloud Native Environment.

  • Kubernetes Updated to 1.17: Kubernetes 1.17 is the default release installed on nodes in a new cluster in Oracle Cloud Native Environment. Existing Kubernetes Release 1.14 deployments can be upgraded to Release 1.17. For information about upgrading to Release 1.1, see Updates and Upgrades.

  • Kubernetes Cluster Scaling: The olcnectl module update command is enhanced so that you can now scale a Kubernetes cluster by either adding control plane and worker nodes to it or removing control plane and worker nodes from it. For information about using the olcnectl module update command to scale a Kubernetes cluster, see Container Orchestration.

  • Service Mesh: A new module is available to deploy a service mesh to a Kubernetes cluster. The Istio module for Oracle Cloud Native Environment deploys a service mesh in Oracle Cloud Native Environment. Grafana is deployed as part of the service mesh. For information about deploying and using a service mesh, see Service Mesh. For information about using Grafana, see Monitoring and Visualization.

  • Firewall Changes: Masquerading no longer needs to be enabled in the firewall on Kubernetes nodes. Instead, the cni0 interface must be added to the trusted zone on nodes. For information on firewall and network requirements for Kubernetes nodes, see Getting Started.

  • Installation Change: A new ULN channel (ol7_x86_64_olcne11) and a new Oracle Linux yum server repository (ol7_olcne11) are available for installing the Oracle Cloud Native Environment Release 1.1 packages. Use this new channel or repository to install or upgrade to Release 1.1. For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.