Issued:

2020-10-22

Updated:

2020-10-22

RHBA-2020:4170 - OpenShift Container Platform 3.11.306 bug fix and enhancement update

Synopsis

OpenShift Container Platform 3.11.306 bug fix and enhancement update

Type/Severity

Bug Fix Advisory None

Topic

Red Hat OpenShift Container Platform release 3.11.306 is now available with updates to packages and images that fix several bugs and add enhancements.

Description

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 3.11.306. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHBA-2020:4171

This release fixes the following bugs:

• Previously, the master/admin.kubeconfig was updated during master certificate redeployment, but the node/bootstrap.kubeconfig was not. When master was rebootstrapped, the node could not connect to the API due to the outdated kubeconfig. With this release, the node/bootstrap.kubeconfig on masters is updated when recreating the master/admin.kubeconfig and the node service on masters can bootstrap and access the API when rebootstrapping. (BZ#1772580)

• Previously, during SDN restart, the network policy cache was not initialized if a project had a previously created deny all rule in it, and rules created after the SDN pod was restarted were not detected. With this release, the issue is resolved by setting the networkPolicy initialization to npNameSpace.inUse=true. (BZ#1790407)

• When redeploying master certificates, the master/admin.kubeconfig is updated. The master node requires the updated node.kubeconfig to prevent issues with pods using the node.kubeconfig, such as the sync pod, from failing to authenticate to the API. The issue is resolved in this release. (BZ#1791160)

• Previously, the way that Elasticsearch checked for system call support at startup was only supported on x86_64 architectures. As a result, Cluster Logging failed to deploy on IBM Power with the following error message: unable to install syscall filter: java.lang.UnsupportedOperationException: seccomp unavailable: 'ppc64le' architecture unsupported Now, the OpenShift Ansible playbook, which handles deployment of Elasticsearch, sets an option to override the startup test on applicable architectures and Cluster Logging successfully deploys on IBM Power systems. (BZ#1807201)

• This release adds a check of the master-config.yaml file to determine if the client.CA has been reverted. If not, the play will fail and indicate that openshift_redeploy_openshift_ca=true must be set in the inventory. This check prevents inadvertent certificate redeploy when the OpenShift CA has been updated and not rolled out. (BZ#1837123)

• Previously, a missing check for the matching number of Elasticsearch DCs, PVCs and indices caused Ansible pads missing elements with Nones and lead to cryptic Cluster Logging playbook failure. This release adds the missing check so that the Cluster Logging playbook issues a diagnostic if the number of Elasticsearch DCs, PVCs and indices do not match. (BZ#1848454)

• The 3.10 version of oc does not have the --field-selector flag that the 3.11 version includes. As a result, upgrades from 3.10 could fail. The issue has been resolved in this release. (BZ#1852753)

• With this release, the base image is updated to use the Ansible 2.9 repo. (BZ#1855743)

• Previously, the hashes of locally cached compressed layers were not deleted when deleting images. As a result, images could not be downloaded again if another image with the same layer but a different compression was pulled. Hashes are now cleared from the cache when deleting corresponding layers. (BZ#1867463)

• Previously, internal changes to Ansible 2.11 caused compatibility issues with how OpenShift Ansible uses the execute_module Ansible call. Now, the call is switched to the public module call which is more reliable and safe. (BZ#1870123)

• Previously, the only way to update a named certificate was to redeploy the master certificate. This release adds a playbook for updating named certificates so that they can be updated independently without additional risk. (BZ#1882203)

All OpenShift Container Platform 3.11 users are advised to upgrade to these updated packages and images.

Solution

Before applying this update, ensure all previously released errata relevant to your system is applied.

See the following documentation, which will be updated shortly for release 3.11.306, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update:

This page is not included, but the link has been rewritten to point to the nearest parent document.https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/articles/11258.

Affected Products

Updated Packages

• atomic-enterprise-service-catalog-3.11.306-1.git.1.6e60885.el7.ppc64le.rpm
• atomic-enterprise-service-catalog-svcat-3.11.306-1.git.1.6e60885.el7.ppc64le.rpm
• atomic-openshift-clients-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• atomic-openshift-template-service-broker-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• atomic-openshift-cluster-autoscaler-3.11.306-1.git.1.c22ef3e.el7.src.rpm
• openshift-ansible-roles-3.11.306-3.git.1.22c55e7.el7.noarch.rpm
• atomic-openshift-3.11.306-1.git.0.af6f5d6.el7.src.rpm
• openshift-enterprise-cluster-capacity-3.11.306-1.git.1.f59be92.el7.ppc64le.rpm
• golang-github-prometheus-alertmanager-3.11.306-1.git.1.703ba24.el7.src.rpm
• prometheus-node-exporter-3.11.306-1.git.1.9749d04.el7.ppc64le.rpm
• cri-o-1.11.16-0.13.rhaos3.11.git5218c73.el7.ppc64le.rpm
• atomic-openshift-metrics-server-3.11.306-1.git.1.b9efe71.el7.ppc64le.rpm
• atomic-openshift-clients-redistributable-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• atomic-openshift-hyperkube-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• openshift-kuryr-controller-3.11.306-1.git.1.46b1b0b.el7.noarch.rpm
• atomic-openshift-metrics-server-3.11.306-1.git.1.b9efe71.el7.x86_64.rpm
• atomic-openshift-sdn-ovs-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• atomic-openshift-node-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• openshift-ansible-3.11.306-3.git.1.22c55e7.el7.src.rpm
• prometheus-alertmanager-3.11.306-1.git.1.703ba24.el7.ppc64le.rpm
• openshift-ansible-test-3.11.306-3.git.1.22c55e7.el7.noarch.rpm
• openshift-enterprise-autoheal-3.11.306-1.git.1.1df47b8.el7.src.rpm
• golang-github-openshift-oauth-proxy-3.11.306-1.git.1.2866dff.el7.x86_64.rpm
• atomic-openshift-descheduler-3.11.306-1.git.1.3844ca1.el7.ppc64le.rpm
• openshift-enterprise-autoheal-3.11.306-1.git.1.1df47b8.el7.x86_64.rpm
• atomic-openshift-tests-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• atomic-openshift-tests-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• prometheus-node-exporter-3.11.306-1.git.1.9749d04.el7.x86_64.rpm
• golang-github-openshift-oauth-proxy-3.11.306-1.git.1.2866dff.el7.src.rpm
• golang-github-openshift-oauth-proxy-3.11.306-1.git.1.2866dff.el7.ppc64le.rpm
• atomic-openshift-web-console-3.11.306-1.git.1.cabb8d0.el7.x86_64.rpm
• atomic-openshift-node-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• atomic-openshift-web-console-3.11.306-1.git.1.cabb8d0.el7.ppc64le.rpm
• atomic-openshift-descheduler-3.11.306-1.git.1.3844ca1.el7.src.rpm
• cri-o-1.11.16-0.13.rhaos3.11.git5218c73.el7.x86_64.rpm
• atomic-openshift-service-idler-3.11.306-1.git.1.02dbe7e.el7.src.rpm
• atomic-openshift-pod-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• atomic-openshift-web-console-3.11.306-1.git.1.cabb8d0.el7.src.rpm
• openshift-ansible-3.11.306-3.git.1.22c55e7.el7.noarch.rpm
• openshift-enterprise-autoheal-3.11.306-1.git.1.1df47b8.el7.ppc64le.rpm
• atomic-openshift-master-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• openshift-ansible-playbooks-3.11.306-3.git.1.22c55e7.el7.noarch.rpm
• atomic-openshift-service-idler-3.11.306-1.git.1.02dbe7e.el7.x86_64.rpm
• atomic-openshift-node-problem-detector-3.11.306-1.git.1.944e9eb.el7.ppc64le.rpm
• prometheus-3.11.306-1.git.1.579c6d9.el7.x86_64.rpm
• prometheus-alertmanager-3.11.306-1.git.1.703ba24.el7.x86_64.rpm
• atomic-openshift-cluster-autoscaler-3.11.306-1.git.1.c22ef3e.el7.x86_64.rpm
• atomic-openshift-dockerregistry-3.11.306-1.git.1.ea8774d.el7.src.rpm
• atomic-openshift-master-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• cri-o-debuginfo-1.11.16-0.13.rhaos3.11.git5218c73.el7.x86_64.rpm
• golang-github-prometheus-prometheus-3.11.306-1.git.1.579c6d9.el7.src.rpm
• atomic-openshift-cluster-autoscaler-3.11.306-1.git.1.c22ef3e.el7.ppc64le.rpm
• atomic-openshift-node-problem-detector-3.11.306-1.git.1.944e9eb.el7.x86_64.rpm
• prometheus-3.11.306-1.git.1.579c6d9.el7.ppc64le.rpm
• atomic-openshift-excluder-3.11.306-1.git.0.af6f5d6.el7.noarch.rpm
• atomic-openshift-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• openshift-enterprise-cluster-capacity-3.11.306-1.git.1.f59be92.el7.src.rpm
• openshift-kuryr-3.11.306-1.git.1.46b1b0b.el7.src.rpm
• atomic-openshift-descheduler-3.11.306-1.git.1.3844ca1.el7.x86_64.rpm
• atomic-enterprise-service-catalog-3.11.306-1.git.1.6e60885.el7.x86_64.rpm
• cri-o-1.11.16-0.13.rhaos3.11.git5218c73.el7.src.rpm
• golang-github-prometheus-node_exporter-3.11.306-1.git.1.9749d04.el7.src.rpm
• atomic-openshift-pod-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• openshift-kuryr-cni-3.11.306-1.git.1.46b1b0b.el7.noarch.rpm
• openshift-kuryr-common-3.11.306-1.git.1.46b1b0b.el7.noarch.rpm
• atomic-openshift-hypershift-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• atomic-openshift-dockerregistry-3.11.306-1.git.1.ea8774d.el7.x86_64.rpm
• atomic-enterprise-service-catalog-svcat-3.11.306-1.git.1.6e60885.el7.x86_64.rpm
• atomic-openshift-hypershift-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• atomic-openshift-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• atomic-openshift-service-idler-3.11.306-1.git.1.02dbe7e.el7.ppc64le.rpm
• atomic-openshift-docker-excluder-3.11.306-1.git.0.af6f5d6.el7.noarch.rpm
• openshift-enterprise-cluster-capacity-3.11.306-1.git.1.f59be92.el7.x86_64.rpm
• atomic-openshift-clients-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• cri-o-debuginfo-1.11.16-0.13.rhaos3.11.git5218c73.el7.ppc64le.rpm
• atomic-openshift-node-problem-detector-3.11.306-1.git.1.944e9eb.el7.src.rpm
• atomic-openshift-sdn-ovs-3.11.306-1.git.0.af6f5d6.el7.x86_64.rpm
• atomic-enterprise-service-catalog-3.11.306-1.git.1.6e60885.el7.src.rpm
• atomic-openshift-template-service-broker-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm
• atomic-openshift-metrics-server-3.11.306-1.git.1.b9efe71.el7.src.rpm
• openshift-ansible-docs-3.11.306-3.git.1.22c55e7.el7.noarch.rpm
• python2-kuryr-kubernetes-3.11.306-1.git.1.46b1b0b.el7.noarch.rpm
• atomic-openshift-hyperkube-3.11.306-1.git.0.af6f5d6.el7.ppc64le.rpm

Fixes

• This content is not included.BZ - 1772580
• This content is not included.BZ - 1790407
• This content is not included.BZ - 1791160
• This content is not included.BZ - 1807201
• This content is not included.BZ - 1837123
• This content is not included.BZ - 1848454
• This content is not included.BZ - 1852753
• This content is not included.BZ - 1855743
• This content is not included.BZ - 1857824
• This content is not included.BZ - 1867463
• This content is not included.BZ - 1870123
• This content is not included.BZ - 1878796
• This content is not included.BZ - 1879855
• This content is not included.BZ - 1881529
• This content is not included.BZ - 1882203

CVEs

(none)

References

(none)

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.