The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
Chapter 3 New Features and Notable Changes
This chapter lists the new features and notable changes in each Oracle Cloud Native Environment release.
3.1 Release 1.3.5
This section lists the notable changes in Release 1.3.5 of Oracle Cloud Native Environment.
The following components have been updated:
Istio Updated: Istio is updated to Release 1.12.6.
Prometheus Updated: Prometheus is updated to Release 2.30.1.
Grafana Updated: Grafana is updated to Release 7.5.15.
3.2 Release 1.3.2
This section lists the notable changes in Release 1.3.2 of Oracle Cloud Native Environment.
The following components have been updated:
Kubernetes Updated: Kubernetes is updated to Release 1.20.11.
Istio Updated: Istio is updated to Release 1.10.4.
3.3 Release 1.3.1
This section lists the notable changes in Release 1.3.1 of Oracle Cloud Native Environment.
IP Masquerading: Setting IP masquerading is no longer required on Oracle Linux 7 control plane or worker nodes. IP masquerading is still required for Release 1.3.0 installations on Oracle Linux 7. IP masquerading configuration instructions have been removed from Updates and Upgrades as all upgrades should be made to the latest 1.3 release, which no longer requires this to be set.
The following component has been updated:
Istio Updated: Istio is updated to Release 1.10.2.
3.4 Release 1.3.0
This section lists the notable changes in Release 1.3.0 of Oracle Cloud Native Environment.
Operator Lifecycle Manager: A new Operator Lifecycle Manager module is added. This module can be used to install and manage Kubernetes operators in a Kubernetes cluster.
For information on installing and using the Operator Lifecycle Manager module, see Container Orchestration.
Kubernetes Updated: Kubernetes is updated to Release 1.20.6.
CRI-O Updated: CRI-O is updated to Release 1.20.2.
Kata Containers Updated: Kata Containers is updated to Release 1.12.1.
Helm Updated: Helm is updated to Release 3.5.4.
Istio Updated: Istio is updated to Release 1.8.5.
Prometheus Updated: Prometheus is updated to Release 2.21.0.
Grafana Updated: Grafana is updated to Release 7.2.1.
Installation Change: A new ULN channel (ol7_x86_64_olcne13) and a new Oracle Linux yum server repository (ol7_olcne13) are available for installing the Oracle Cloud Native Environment Release 1.3 packages on Oracle Linux 7. Use this new channel or repository to install or upgrade to Release 1.3 on Oracle Linux 7.
A new ULN channel (ol8_x86_64_olcne13) and a new Oracle Linux yum server repository (ol8_olcne13) are available for installing the Oracle Cloud Native Environment Release 1.3 packages on Oracle Linux 8. Use this new channel or repository to install Release 1.3 on Oracle Linux 8.
For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.
Deprecation Notice: Oracle Linux 7 running Unbreakable Enterprise Kernel Release 5 (UEK R5) is planned to be removed as a supported kernel in Oracle Cloud Native Environment Release 1.4. Oracle Cloud Native Environment Release 1.3 is the last release in which this kernel can be used.
3.5 Release 1.2.5
This section lists the notable changes in Release 1.2.5 of Oracle Cloud Native Environment.
The following components have been updated:
Istio Updated: Istio is updated to Release 1.9.8.
3.6 Release 1.2.4
This section lists the notable changes in Release 1.2.4 of Oracle Cloud Native Environment.
IP Masquerading: Setting IP masquerading is no longer required on Oracle Linux 7 control plane or worker nodes. IP masquerading is still required for Release 1.2.3 or earlier installations on Oracle Linux 7. IP masquerading configuration instructions have been removed from Updates and Upgrades as all upgrades should be made to the latest 1.2 release, which no longer requires this to be set.
The following components have been updated:
Istio Updated: Istio is updated to Release 1.9.6.
Prometheus Updated: Prometheus is updated to Release 2.21.0.
Grafana Updated: Grafana is updated to Release 7.2.1.
3.7 Release 1.2.2
This section lists the notable changes in Release 1.2.2 of Oracle Cloud Native Environment.
externalIPs Validation: The olcnectl module create and olcnectl module update commands are improved by adding options to set access to externalIPs in Kubernetes services. For information on setting access to externalIPs in Kubernetes services, see Container Orchestration.
3.8 Release 1.2.0
This section lists the notable changes in Release 1.2.0 of Oracle Cloud Native Environment.
Oracle Linux 8: Oracle Cloud Native Environment can be installed on hosts running Oracle Linux 8 (x86_64) with the Unbreakable Enterprise Kernel Release 6 (UEK R6). A minimum of Oracle Linux 8.3 is required.
Installation Change: A new ULN channel (ol7_x86_64_olcne12) and a new Oracle Linux yum server repository (ol7_olcne12) are available for installing the Oracle Cloud Native Environment Release 1.2 packages on Oracle Linux 7. Use this new channel or repository to install or upgrade to Release 1.2 on Oracle Linux 7.
A new ULN channel (ol8_x86_64_olcne12) and a new Oracle Linux yum server repository (ol8_olcne12) are available for installing the Oracle Cloud Native Environment Release 1.2 packages on Oracle Linux 8. Use this new channel or repository to install Release 1.2 on Oracle Linux 8.
For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.
Network Interface for Kubernetes Data Plane: The olcnectl module create command is enhanced with a new --pod-network-iface option to optionally set the network interface to use for the Kubernetes data plane. For information about using the olcnectl module create command to create a Kubernetes cluster and setting the network interface for the data plane, see Container Orchestration.
SELinux: The olcnectl module create and olcnectl module update commands are improved by adding a new --selinux option to enable setting the SELinux mode for nodes in a cluster. You can set SELinux to either enforcing (recommended) or permissive mode when you create a Kubernetes module, or change the setting after a Kubernetes module has been installed.
TLS Configuration for Platform Agent and Platform API Server: The olcnectl command is improved by adding new global options to set TLS configuration for the Platform Agent and Platform API Server. The new global options for the olcnectl command are:
- --olcne-tls-cipher-suites
- --olcne-tls-max-version
- --olcne-tls-min-version
For more information on the new global options, see Platform Command-Line Interface.
TLS Configuration for the Kubernetes module: The olcnectl module create command is improved by adding new options to set TLS configuration for the Kubernetes module. The new options for the olcnectl module create command are:
- --kube-tls-cipher-suites
- --kube-tls-min-version
For more information on the new olcnectl module create options, see Platform Command-Line Interface.
Deprecated Platform CLI Option: The apiserver-advertise-address option in the olcnectl module create command is deprecated. This option set the IP address on which to advertise the Kubernetes API server to members of the Kubernetes cluster in a non-HA cluster, with a single control plane node. The --master-nodes option specifies the IP address and this deprecated option is no longer used.
3.9 Release 1.1.10
This section lists the notable changes in Release 1.1.10 of Oracle Cloud Native Environment.
externalIPs Validation: The olcnectl module create and olcnectl module update commands are improved by adding options to set access to externalIPs in Kubernetes services. For information on setting access to externalIPs in Kubernetes services, see Container Orchestration.
3.10 Release 1.1.7
This section lists the notable changes in Release 1.1.7 of Oracle Cloud Native Environment.
Kernel Support: In addition to Unbreakable Enterprise Kernel Release 5, Unbreakable Enterprise Kernel Release 6 is now a supported kernel on Oracle Linux 7.
3.11 Release 1.1.6
This section lists the notable changes in Release 1.1.6 of Oracle Cloud Native Environment.
NGINX Load Balancer Updates: A new option is added to the Platform CLI to update the NGINX load balancer that can optionally be installed by the Platform CLI. A new --nginx-image option is included with the olcnectl module update command. This option is used to specify the location of the NGINX container image used to update NGINX on the control plane nodes.
For information about updating to this errata release, see Updates and Upgrades.
3.12 Release 1.1.5
This section lists the notable changes in Release 1.1.5 of Oracle Cloud Native Environment.
This release resolves CVE-2020-16845. This CVE relates to Go, where ReadUvarint and ReadVarint in encoding/binary can enter an infinite read loop on invalid inputs. The components updated for this are:
- Platform API Server: Updated to Release 1.1.5.
- Platform Agent: Updated to Release 1.1.5.
- Platform CLI: Updated to Release 1.1.5.
- Kata Containers: Security fixes have been backported to Release 1.7.3.
- CRI-O: Security fixes have been backported to Release 1.17.0.
- Kubernetes: Security fixes have been backported to Release 1.17.9.
- Istio: Security fixes have been backported to Release 1.14.10.
- Helm: Security fixes have been backported to Release 3.1.1.
- Prometheus: Security fixes have been backported to Release 2.13.1.
- Grafana: Security fixes have been backported to Release 6.7.4.
The Platform API Server is also updated to include a fix for an issue related to the Kubernetes pod subnet flag (--pod-cidr) not being honored in the flannel configuration.
For information about updating to this errata release, see Updates and Upgrades.
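To make the CVE-2020-16845 failure mode concrete, the following is an added example (not Oracle Cloud Native Environment code and not the Go standard library's implementation): a hypothetical bounded unsigned-varint reader that stops after the maximum byte length a uint64 can need and reports an overflow error instead of consuming a malformed stream forever. The inputs in main are constructed.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
)

// A varint carries 7 payload bits per byte, with the high bit set on every
// byte except the last, so a uint64 never needs more than 10 bytes. Input
// that keeps the continuation bit set past that point is invalid; the loop
// must end with an error rather than keep reading (CVE-2020-16845).
const maxVarintLen64 = 10

var errOverflow = errors.New("varint overflows a 64-bit integer")

// readUvarintBounded is a hypothetical reader added for illustration.
// It decodes one unsigned varint from r and gives up after maxVarintLen64
// bytes, returning errOverflow.
func readUvarintBounded(r io.ByteReader) (uint64, error) {
	var x uint64
	var s uint
	for i := 0; i < maxVarintLen64; i++ {
		b, err := r.ReadByte()
		if err != nil {
			return x, err
		}
		if b < 0x80 {
			// Final byte: the 10th byte may only hold a single payload bit.
			if i == maxVarintLen64-1 && b > 1 {
				return x, errOverflow
			}
			return x | uint64(b)<<s, nil
		}
		x |= uint64(b&0x7f) << s
		s += 7
	}
	return x, errOverflow
}

func main() {
	// Constructed inputs: a valid two-byte encoding of 300, and a run of
	// 0xff bytes whose continuation bit is never cleared.
	v, err := readUvarintBounded(bytes.NewReader([]byte{0xac, 0x02}))
	fmt.Println(v, err)
	_, err = readUvarintBounded(bytes.NewReader(bytes.Repeat([]byte{0xff}, 64)))
	fmt.Println(err)
}
```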
3.13 Release 1.1.4
This section lists the notable changes in Release 1.1.4 of Oracle Cloud Native Environment.
Kata Containers Updated: Kata Containers is updated to resolve an issue where the Kata package had a hard-coded dependency on a specific version of the kernel-uek-container package.
Kubernetes Updated: Kubernetes is updated to set the Kata version in the Kata meta-package.
Platform Agent Updated: The Platform Agent is updated to resolve an issue pulling container images using a proxy server. The Platform Agent now uses crictl pull instead of podman pull to pull container images.
CRI-O Updated: CRI-O is updated to resolve an issue with the default cni-plugins directory. This is now set to /opt/cni/bin instead of /usr/libexec/cni.
For information about updating to this errata release, see Updates and Upgrades.
3.14 Release 1.1.3
This section lists the notable changes in Release 1.1.3 of Oracle Cloud Native Environment.
Kubernetes Updated: Kubernetes is updated to resolve an issue where kubeadm reset does not unmount the root /var/lib/kubelet directory if it is mounted by the user.
For information about updating to this errata release, see Updates and Upgrades.
3.15 Release 1.1.2
This section lists the notable changes in Release 1.1.2 of Oracle Cloud Native Environment.
Kubernetes Updated: Kubernetes is updated to Release 1.17.9 to resolve the following CVEs.
- CVE-2020-8559. This CVE relates to an issue where, if an attacker is able to intercept certain requests to the kubelet, they can send a redirect response that may be followed by a client using the credentials from the original request. This can lead to compromise of other nodes.
- CVE-2020-8557. This CVE relates to an issue where the /etc/hosts file mounted in a pod by kubelet is not included by the kubelet eviction manager when calculating ephemeral storage usage by a pod. If a pod writes a large amount of data to the /etc/hosts file, it could fill the storage space of the node and cause the node to fail.
Istio Updated: Istio is updated to Release 1.4.10 to resolve the following CVEs.
- CVE-2020-1764. This CVE relates to a default signing key used to install Kiali. This can allow an attacker with access to Kiali to bypass authentication and gain administrative privileges over Istio.
- CVE-2020-10739. This CVE relates to an issue where, by sending a specially crafted packet, an attacker could trigger a Null Pointer Exception resulting in a Denial of Service. The packet could be sent to the ingress gateway or a sidecar.
- CVE-2020-11080. This CVE relates to an issue where, by sending a specially crafted packet, an attacker could cause the CPU to spike to 100%. The packet could be sent to the ingress gateway or a sidecar.
- CVE-2020-15104. This CVE relates to an issue when validating TLS certificates, where Envoy incorrectly allows a wildcard in a DNS Subject Alternative Name (SAN) to apply to multiple subdomains.
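The CVE-2020-15104 item above is about how far a wildcard DNS SAN is allowed to reach. The following is an added example (not Envoy, Istio or Oracle Cloud Native Environment code): a hypothetical matcher, matchDNSSAN, that applies the conventional rule that a wildcard may only be the whole leftmost label and stands in for exactly one host label, so *.example.com matches api.example.com but not a.b.example.com. The host names in main are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// matchDNSSAN is a hypothetical check added for illustration. It reports
// whether host is covered by the DNS SAN pattern san, with a wildcard
// confined to one label, which is the behaviour CVE-2020-15104 says Envoy
// got wrong. Comparison is case-insensitive and ignores a trailing dot.
func matchDNSSAN(san, host string) bool {
	san = strings.ToLower(strings.TrimSuffix(san, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.Contains(san, "*") {
		return san == host
	}
	sanLabels := strings.Split(san, ".")
	// The wildcard must be the entire leftmost label and must leave at least
	// two fixed labels: "f*.example.com", "*.*.com" and "*.com" are rejected.
	if sanLabels[0] != "*" || len(sanLabels) < 3 {
		return false
	}
	for _, l := range sanLabels[1:] {
		if l == "" || strings.Contains(l, "*") {
			return false
		}
	}
	hostLabels := strings.Split(host, ".")
	// Exactly one host label may replace the wildcard, so label counts must
	// be equal; a.b.example.com has one label too many for *.example.com.
	if len(hostLabels) != len(sanLabels) || hostLabels[0] == "" {
		return false
	}
	for i := 1; i < len(sanLabels); i++ {
		if hostLabels[i] != sanLabels[i] {
			return false
		}
	}
	return true
}

func main() {
	// Constructed host names checked against the SAN *.example.com.
	for _, h := range []string{"api.example.com", "a.b.example.com", "example.com"} {
		fmt.Printf("%-16s %v\n", h, matchDNSSAN("*.example.com", h))
	}
}
```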
Kata Updated: Kata security fixes have been backported to Release 1.7.3 to resolve the following CVEs.
- CVE-2020-2024. This CVE relates to an improper link resolution vulnerability when tearing down a container. A malicious guest could trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentially resulting in a host Denial of Service.
- CVE-2020-2025. This CVE relates to persistent guest file system changes to the underlying image file on the host. A malicious guest could overwrite the image file to gain control of all subsequent guest virtual machines.
- CVE-2020-2026. This CVE relates to mounting the untrusted container file system on any host path. A malicious guest that is compromised before a container creation can trick the kata-runtime into mounting the untrusted container file system on any host path, potentially allowing for code execution on the host.
For information about updating to this errata release, see Updates and Upgrades.
3.16 Release 1.1.1
This section lists the notable changes in Release 1.1.1 of Oracle Cloud Native Environment.
Kubernetes Updated: Kubernetes is updated to Release 1.17.6 to resolve two CVEs.
- CVE-2020-8555. This CVE relates to a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager.
- CVE-2020-10749. This CVE relates to a man-in-the-middle vulnerability.
Grafana Updated: Grafana is updated to Release 6.7.4 to resolve CVE-2020-13379. This CVE relates to an incorrect access control issue in Grafana.
For information about updating to this errata release, see Updates and Upgrades.
3.17 Release 1.1.0
This section lists the notable changes in Release 1.1.0 of Oracle Cloud Native Environment.
- Kubernetes Updated to 1.17: Kubernetes 1.17 is the default release installed on nodes in a new cluster in Oracle Cloud Native Environment. Existing Kubernetes Release 1.14 deployments can be upgraded to Release 1.17. For information about upgrading to Release 1.1, see Updates and Upgrades.
- Kubernetes Cluster Scaling: The olcnectl module update command is enhanced so that you can now scale a Kubernetes cluster by either adding control plane and worker nodes to it or removing control plane and worker nodes from it. For information about using the olcnectl module update command to scale a Kubernetes cluster, see Container Orchestration.
- Service Mesh: A new module is available to deploy a service mesh to a Kubernetes cluster. The Istio module for Oracle Cloud Native Environment deploys a service mesh in Oracle Cloud Native Environment. Grafana is deployed as part of the service mesh. For information about deploying and using a service mesh, see Service Mesh. For information about using Grafana, see Monitoring and Visualization.
- Firewall Changes: Masquerading no longer needs to be enabled in the firewall on Kubernetes nodes. Instead, the cni0 interface must be added to the trusted zone on nodes. For information on firewall and network requirements for Kubernetes nodes, see Getting Started.
- Installation Change: A new ULN channel (ol7_x86_64_olcne11) and a new Oracle Linux yum server repository (ol7_olcne11) are available for installing the Oracle Cloud Native Environment Release 1.1 packages. Use this new channel or repository to install or upgrade to Release 1.1. For information on setting up the ULN channel or Oracle Linux yum server repository, see Getting Started.