Update for 2019-10-07 patch release

2019-10-02 17:16:28 -04:00 · 2019-10-02 17:16:28 -04:00 · 04239cc55b
parent 2f5d850941
commit 04239cc55b
1 changed files with 234 additions and 192 deletions
--- a/ee/ucp/release-notes.md
+++ b/ee/ucp/release-notes.md
@ -20,15 +20,43 @@ upgrade your installation to the latest release.
 * [Version 3.0](#version-30)
 * [Version 2.2](#version-22)
-**Note**: For archived versions of UCP documentation, refer to [View the docs archives](https://docs.docker.com/docsarchive/).
+**Note:** For archived versions of UCP documentation, [view the docs archives](https://docs.docker.com/docsarchive/).
 # Version 3.2
 ## 3.2.2
 2019-10-07
 ### UI
 * Fixes a UI issue that caused incorrect line breaks at pre-logon banner notification (ENGORC-2678)
 * Users have an option to store sessionToken per window tab session. (ENGORC-2597)
 ### Kubernetes
 * Kubernetes has been upgraded to version 1.14.7.
 * Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652)
 ### Networking
 * Interlock has been upgraded to version 3.0.0. (ENGCORE-792)
 ### Bug fixes
 * Upgraded RethinkDB Go Client to v5. (ENGORC-2704)
 * Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638)
 ### Components
 | Component             | Version |
 | --------------------- | ------- |
 | UCP                   | 3.2.2   |
 | Kubernetes            | 1.14.7  |
 | Calico                | 3.8.2   |
 | Interlock             | 3.0.0   |
 | Interlock NGINX proxy | 1.14.2  |
 ## 3.2.1
 2019-09-03
 ### Bug fixes
-* Fixed an issue where UCP did not install on GCP due to missing metadata.google.internal in /etc/hosts
+* Fixes an issue where UCP did not install on GCP due to missing metadata.google.internal in /etc/hosts
 ### Kubernetes
 * Kubernetes has been upgraded to version 1.14.6.
@ -36,22 +64,24 @@ upgrade your installation to the latest release.
  than 1 replica by default.
 ### Networking
-* Calico has been upgraded to version 3.8.2. For more information see the [Calico Release
+* Calico has been upgraded to version 3.8.2. For more information, see the [Calico Release
  Notes](https://docs.projectcalico.org/v3.8/release-notes/).
 * Interlock has been upgraded to version 2.6.1.
 * The `azure-ip-count` variable is now exposed at install time, allowing a User
  to customize the number of IP addresses UCP provisions for each node.
  Additional information can be found
-  [here](/ee/ucp/admin/install/cloudproviders/install-on-azure/#adjust-the-ip-count-value)
+  [here](/ee/ucp/admin/install/cloudproviders/install-on-azure/#adjust-the-ip-count-value).
 ### Security
 * Upgraded Golang to 1.12.9.
 * Added CSP header to prevent cross-site scripting attacks (XSS)
 ### Bootstrap
-* Fixed various issues in install, uninstall, backup and restore when UCP
+* Fixes various issues in install, uninstall, backup, and restore when UCP
  Telemetry data had been disabled. (ENGORC-2593)
 ### Components
 | Component             | Version |
 | --------------------- | ------- |
 | UCP                   | 3.2.1   |
@ -112,21 +142,15 @@ more information see
 ### Deprecations
 The following features are deprecated in UCP 3.2:
- Collections
+#### Collections
-    - The ability to create a nested collection of more than 2 layers deep within the root /Swarm/collection is
+
-    now deprecated and will not be included in future versions of the product. However, current nested collections
+- The ability to create a nested collection of more than 2 layers deep within the root /Swarm/collection is now deprecated and will not be included in future versions of the product. However, current nested collections with more than 2 layers are still retained.
-    with more than 2 layers are still retained.
+- Docker recommends a maximum of two layers when creating collections within UCP under the shared cluster collection designated as /Swarm/. For example, if a production collection called /Swarm/production is created under the shared cluster collection /Swarm/, only one level of nesting should be created, for example, /Swarm/production/app/. See Nested collections for more details.
-    - Docker recommends a maximum of two layers when creating collections within UCP under the shared cluster
+- UCP `stop` and `restart`. Additional upgrade functionality has been included which eliminates the need for these commands.
-    collection designated as /Swarm/. For example, if a production collection called /Swarm/production is created
+- `ucp-agent-pause` is no longer supported. To pause UCP reconciliation on a specific node, for example, when repairing unhealthy `etcd` or `rethinkdb` replicas, you can use swarm node labels as shown in the following example:
-    under the shared cluster collection /Swarm/, only one level of nesting should be created, for
+```
-    example, /Swarm/production/app/. See Nested collections for more details.
+docker node update --label-add com.docker.ucp.agent-pause=true <NODE>
- UCP `stop` and `restart`
+```
    - Additional upgrade functionality has been included which eliminates the need for these commands.
 - `ucp-agent-pause`
    - `ucp-agent-pause` is no longer supported. To pause UCP reconciliation on a specific node, for example, when repairing unhealthy `etcd` or `rethinkdb` replicas, you can use swarm node labels as shown in the following example:
    ```
    docker node update --label-add com.docker.ucp.agent-pause=true <NODE>
    ```
 - Windows 2016 is formally deprecated from Docker Enterprise 3.0. EOL of Windows Server 2016 support will occur in Docker
 Enterprise 3.1. Upgrade to Windows Server 2019 for continued support on Docker Enterprise.
 - Support for updating the UCP config with `docker service update ucp-manager-agent --config-add <Docker config> ...`
@ -138,87 +162,54 @@ Refer to [UCP backup information](/ee/admin/backup/back-up-ucp/) for detailed UC
 If your cluster has lost quorum and you cannot recover it on your own, please contact Docker Support.
- Browser support
+#### Browser support
 In order to optimize user experience and security, support for Internet Explorer (IE) version 11 is not provided for Windows 7 with UCP version 3.2. Docker recommends updating to a newer browser version if you plan to use UCP 3.2, or remaining on UCP 3.1.x or older until EOL of IE11 in January 2020.
- Kubernetes
+### Kubernetes
-    -  Integrated Kubernetes Ingress
+- Integrated Kubernetes Ingress
-        - You can now dynamiclly deploy L7 routes for applications, scale out multi-tenant ingress for shared clusters,
+- You can now dynamiclly deploy L7 routes for applications, scale out multi-tenant ingress for shared clusters, and give applications TLS termination, path-based routing, and high-performance L7 load-balancing in a centralized and controlled manner.
-    and give applications TLS termination, path-based routing, and high-performance L7 load-balancing in a
+- Updated Kubernetes to version 1.14.
    centralized and controlled manner.
-    - Updated Kubernetes to version 1.14.
+#### Enhancements
-        - Enhancements:
+- PodShareProcessNamespace
-            - PodShareProcessNamespace
+  - The PodShareProcessNamespace feature, available by default, configures PID namespace sharing within a pod. See [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) for more information. [kubernetes #66507](https://github.com/kubernetes/kubernetes/pull/66507)
-
+- Volume Dynamic Provisioning
                - The PodShareProcessNamespace feature, available by default, configures PID namespace sharing within a pod. See [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) for more information.
                - https://github.com/kubernetes/kubernetes/pull/66507
            - Volume Dynamic Provisioning
  - Combined `VolumeScheduling` and `DynamicProvisioningScheduling`.
  - Added allowedTopologies description in kubectl.
-                - ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. The VolumeScheduling beta feature gate is still required for this feature. - https://github.com/kubernetes/kubernetes/pull/67432
+  - ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. The VolumeScheduling beta feature gate is still required for this feature. [kubernetes #67432](https://github.com/kubernetes/kubernetes/pull/67432)
-            - TokenRequest and TokenRequestProjection
+- TokenRequest and TokenRequestProjection [kubernetes #67349](https://github.com/kubernetes/kubernetes/pull/67349)
  - Enable these features by starting the API server with the following flags:
-                * --service-account-issuer
+    - `--service-account-issuer`
-                * --service-account-signing-key-file
+    - `--service-account-signing-key-file`
-                * --service-account-api-audiences
+    - `--service-account-api-audiences`
-                - https://github.com/kubernetes/kubernetes/pull/67349
+- Removed `--cadvisor-port flag` from kubelet
-        - Removed `--cadvisor-port flag` from kubelet
+  - ACTION REQUIRED: The cAdvisor web UI that the kubelet started using `--cadvisor-port` was removed in 1.12. If cAdvisor is needed, run it via a DaemonSet. [kubernetes #65707](https://github.com/kubernetes/kubernetes/pull/65707)
-
+- Support for Out-of-tree CSI Volume Plugins (stable) with API
            - ACTION REQUIRED: The cAdvisor web UI that the kubelet started using `--cadvisor-port` was removed
        in 1.12. If cAdvisor is needed, run it via a DaemonSet.
            - https://github.com/kubernetes/kubernetes/pull/65707
            - Support for Out-of-tree CSI Volume Plugins (stable) with API
  - Allows volume plugins to be developed out-of-tree.
  - Not require building volume plugins (or their dependencies) into Kubernetes binaries.
-                - Not requiring direct machine access to deploy new volume plugins (drivers).
+  - Not requiring direct machine access to deploy new volume plugins (drivers). [kubernetes #178](https://github.com/kubernetes/enhancements/issues/178)
-                - https://github.com/kubernetes/enhancements/issues/178
+- Server-side Apply leveraged by the UCP GUI for the yaml create page
-            - Server-side Apply leveraged by the UCP GUI for the yaml create page
+  - Moved "apply" and declarative object management from kubectl to the apiserver. Added "field ownership". [kubernetes #555](https://github.com/kubernetes/enhancements/issues/555)
-
+- The PodPriority admission plugin
                - Moved "apply" and declarative object management from kubectl to the apiserver. Added "field ownership".
                - https://github.com/kubernetes/enhancements/issues/555
            - The PodPriority admission plugin
  - For `kube-apiserver`, the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11.
-            - The priority admission plugin:
+  - Allows pod creation to include an explicit priority field if it matches the computed priority (allows export/import cases to continue to work on the same cluster, between clusters that match priorityClass values, and between clusters where priority is unused and all pods get priority:0)
-                - Allows pod creation to include an explicit priority field if it matches the computed
+  - Preserves existing priority if a pod update does not include a priority value and the old pod did (allows POST, PUT, PUT, PUT workflows to continue to work, with the admission-set value on create being preserved by the admission plugin on update). [kubernetes #65739](https://github.com/kubernetes/kubernetes/pull/65739)
-            priority (allows export/import cases to continue to work on the same cluster, between
+- Volume Topology
-            clusters that match priorityClass values, and between clusters where priority is unused
+  - Made the scheduler aware of a Pod's volume's topology constraints, such as zone or node. [kubernetes #490](https://github.com/kubernetes/enhancements/issues/490)
            and all pods get priority:0)
                - Preserves existing priority if a pod update does not include a priority value and the old
            pod did (allows POST, PUT, PUT, PUT workflows to continue to work, with the admission-set value
            on create being preserved by the admission plugin on update)
                - https://github.com/kubernetes/kubernetes/pull/65739
            - Volume Topology
                - Made the scheduler aware of a Pod's volume's topology constraints, such as zone or node.
                - https://github.com/kubernetes/enhancements/issues/490
                - Docs pr here: kubernetes/website#10736
  - Admin RBAC role and edit RBAC roles
-                - The admin RBAC role is aggregated from edit and view.  The edit RBAC role is aggregated from a
+   - The admin RBAC role is aggregated from edit and view.  The edit RBAC role is aggregated from a separate edit and view. [kubernetes #66684](https://github.com/kubernetes/kubernetes/pull/66684)
-        separate edit and view.
+- API
-                - https://github.com/kubernetes/kubernetes/pull/66684
+  - `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods metrics, as well as allow AverageValue targets on Objects, similar to External metrics. [kubernetes #64097](https://github.com/kubernetes/kubernetes/pull/64097)
            - API
                - `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods
        metrics, as well as allow AverageValue targets on Objects, similar to External metrics.
                - https://github.com/kubernetes/kubernetes/pull/64097
  - Version updates
   - Client-go libraries bump
-                - ACTION REQUIRED: the API server and client-go libraries support additional non-alpha-numeric
+    - ACTION REQUIRED: the API server and client-go libraries support additional non-alpha-numeric characters in UserInfo "extra" data keys. Both support extra data containing "/" characters or other characters disallowed in HTTP headers.
-    characters in UserInfo "extra" data keys. Both support extra data containing "/" characters or
+   - Old clients sending keys that were %-escaped by the user have their values unescaped by new API servers. New clients sending keys containing illegal characters (or "%") to old API servers do not have their values unescaped. [kubernetes #65799](https://github.com/kubernetes/kubernetes/pull/65799)
-    other characters disallowed in HTTP headers.
+  - audit.k8s.io API group bump. The audit.k8s.io API group has been bumped to v1.
                - Old clients sending keys that were %-escaped by the user have their values unescaped by new API servers.
    New clients sending keys containing illegal characters (or "%") to old API servers do not have their values unescaped.
                - https://github.com/kubernetes/kubernetes/pull/65799
            - audit.k8s.io API group bump
            - The audit.k8s.io API group has been bumped to v1.
  - Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version.
-            - Default value of option --audit-webhook-version and --audit-log-version are changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1`.
+  - Default value of option --audit-webhook-version and --audit-log-version are changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1`. [kubernetes #65891](https://github.com/kubernetes/kubernetes/pull/65891)
            - https://github.com/kubernetes/kubernetes/pull/65891
 ### Known issues
@ -361,7 +352,7 @@ In order to optimize user experience and security, support for Internet Explorer
        -testkit-4DA6F6-sles-2   Shutdown            Complete 7 minutes ago
        ```
-    4. Switch cluster to run kubernetes workloads. Your cluster is now set to run iSCSI workloads.
+    4. Switch cluster to run Kubernetes workloads. Your cluster is now set to run iSCSI workloads.
 ### Components
@ -375,6 +366,29 @@ In order to optimize user experience and security, support for Internet Explorer
 # Version 3.1
 ## 3.1.11
 2019-10-07
 ### Bug fixes
 * Upgraded RethinkDB Go Client to v5. (ENGORC-2704)
 * Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638)
 ### Kubernetes
 * Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652)
 ### Networking
 * Interlock has been upgraded to version 3.0.0. (ENGCORE-792)
 ### Components
 | Component             | Version |
 | --------------------- | ------- |
 | UCP                   | 3.1.11  |
 | Kubernetes            | 1.11.10 |
 | Calico                | 3.8.2   |
 | Interlock             | 3.0.0   |
 | Interlock NGINX proxy | 1.14.2  |
 ## 3.1.10
 2019-09-03
@ -412,7 +426,7 @@ In order to optimize user experience and security, support for Internet Explorer
 ### Bug fixes
 * Added toleration to calico-node DaemonSet so it can run on all nodes in the cluster
-* Fixed an issue where sensitive command line arguments provided to the UCP installer command were also printed in the debug logs.
+* Fixes an issue where sensitive command line arguments provided to the UCP installer command were also printed in the debug logs.
 * Added a restrictive `robots.txt` to the root of the UCP API server.
 ### Known issues
@ -470,7 +484,7 @@ In order to optimize user experience and security, support for Internet Explorer
 ### Bug fixes
 * Added a migration logic to remove all actions on `pods/exec` and `pods/attach` Kubernetes subresource from the migrated UCP View-Only role. (ENGORC-2434)
-* Fixed an issue that allows unauthenticated user to list directories. (ENGORC-2175)
+* Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175)
 ### Deprecated platforms
@ -588,7 +602,7 @@ In order to optimize user experience and security, support for Internet Explorer
 ### Bug fixes
 * Changed Interlock proxy service default `update-action-failure` to rollback. (ENGCORE-117)
 * Added validation for service configuration label values. (ENGCORE-114)
-* Fixed an issue with continuous interlock reconciliation if `ucp-interlock` service image does not match expected version. (ENGORC-2081)
+* Fixes an issue with continuous interlock reconciliation if `ucp-interlock` service image does not match expected version. (ENGORC-2081)
 ### Known issues
@ -628,11 +642,11 @@ In order to optimize user experience and security, support for Internet Explorer
 ### Bug fixes
 * Bump the Golang version that is used to build UCP to version 1.10.8. (docker/orca#16068)
-* Fixed an issue that caused UCP upgrade failure to upgrade with Interlock deployment. (docker/orca#16009)
+* Fixes an issue that caused UCP upgrade failure to upgrade with Interlock deployment. (docker/orca#16009)
-* Fixed an issue that caused ucp-agent(s) on worker nodes to constantly reboot when audit logging is enabled. (docker/orca#16122)
+* Fixes an issue that caused ucp-agent(s) on worker nodes to constantly reboot when audit logging is enabled. (docker/orca#16122)
-* Fixed an issue to ensure that non-admin user actions (with the RestrictedControl role) against RBAC resources are read-only. (docker/orca#16121)
+* Fixes an issue to ensure that non-admin user actions (with the RestrictedControl role) against RBAC resources are read-only. (docker/orca#16121)
-* Fixed an issue to prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855)
+* Fixes an issue to prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855)
-* Fixed an issue to validate Calico certs expiration dates and update accordingly. (escalation#981)
+* Fixes an issue to validate Calico certs expiration dates and update accordingly. (escalation#981)
 * Kubelet no longer deletes images, starting with the oldest unused images, after exceeding 85% disk space utilization. This was an issue in air-gapped environments. (docker/orca#16082)
 ### Enhancements
@ -676,14 +690,14 @@ In order to optimize user experience and security, support for Internet Explorer
 * Upgraded Calico to version 3.5. (#15884)
 ### Bug fixes
- * Fixed system hang following UCP backup and docker daemon shutdown. (docker/escalation#841)
+ * Fixes system hang following UCP backup and docker daemon shutdown. (docker/escalation#841)
 * Non-admin users can no longer create `PersistentVolumes` using the `Local`
   Storage Class, as this allowed non-admins to by pass security controls and
   mount host directories. (docker/orca#15936)
 * Added support for the limit arg in `docker ps`. (docker/orca#15812)
- * Fixed an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811)
+ * Fixes an issue with ucp-proxy health check. (docker/orca#15814, docker/orca#15813, docker/orca#16021, docker/orca#15811)
- * Fixed an issue with manual creation of a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects requiring the ID of the user, organization, or team. (docker/orca#14935)
+ * Fixes an issue with manual creation of a **ClusterRoleBinding** or **RoleBinding** for `User` or `Group` subjects requiring the ID of the user, organization, or team. (docker/orca#14935)
- * Fixed an issue in which Kube Rolebindings only worked on UCP User ID and not UCP username. (docker/orca#14935)
+ * Fixes an issue in which Kube Rolebindings only worked on UCP User ID and not UCP username. (docker/orca#14935)
 ### Known issue
 * By default, Kubelet begins deleting images, starting with the oldest unused images, after exceeding 85% disk space utilization. This causes an issue in an air-gapped environment. (docker/orca#16082)
@ -764,35 +778,35 @@ now configurable within the UCP web interface. (#15466)
 ### New features
-### Kubernetes
+#### Kubernetes
 * Kubernetes is updated to version 1.11.2.
 * Kubernetes native RBAC feature manages access control for Kubernetes resources. Users can now create roles for Kubernetes APIs using Kubernetes `Role` and `ClusterRole` objects in the Kubernetes API. They can also grant permissions to users and service accounts with the `RoleBinding` and `ClusterRoleBinding` objects. The web interface for Kubernetes RBAC reflects these changes. Your old Kubernetes grants and roles will be automatically migrated during the UCP upgrade.
-### Logging
+#### Logging
 Admins can now enable audit logging in the UCP config. This logs all incoming user-initiated requests in the `ucp-controller` logs. Admins can choose whether to log only metadata for incoming requests or the full request body as well. For more information, see [Create UCP audit logs](https://docs.docker.com/ee/ucp/admin/configure/create-audit-logs/).
-### Authentication
+#### Authentication
 Admins can configure UCP to use a SAML-enabled identity provider for user authentication. If enabled, users who log into the UCP web interface are redirected to the identity provider's website to log in. Upon login, users are redirected back to the UCP web interface, authenticated as the user chosen. For more information, see [Enable SAML authentication](https://docs.docker.com/ee/ucp/admin/configure/enable-saml-authentication/).
-### Metrics
+#### Metrics
 * The `ucp-metrics` Prometheus server (used to render charts in the UCP interface) was engineered from a container on manager nodes to a Kubernetes daemonset. This lets admins change the daemonset's scheduling rules so that it runs on a set of worker nodes instead of manager nodes. Admins can designate certain UCP nodes to be metrics server nodes, freeing up resources on manager nodes. For more information, see [Collect UCP cluster metrics with Prometheus](https://docs.docker.com/ee/ucp/admin/configure/collect-cluster-metrics/).
 * The UCP controller has a `/metricsdiscovery` endpoint so users can connect their own Prometheus instances to scrape UCP metrics data.
-### UCP web interface
+#### UCP web interface
 * If you enable single sign-on for a DTR instance with UCP, the UCP web interface shows image vulnerability data for images in that DTR instance. Containers and services that use images from that DTR instance show any vulnerabilities DTR detects.
 * The UCP web interface is redesigned to offer larger views for viewing individual resources, with more information for Kubernetes resources.
-### Configs
+#### Configs
 * UCP now stores its configurations in its internal key-value store instead of in a Swarm configuration so changes can propagate across the cluster more quickly.
 * You can now use the `custom_api_server_headers` field in the UCP configuration to set arbitrary headers that are included with every UCP response.
-### API updates
+#### API updates
 There are several backward-incompatible changes in the Kubernetes API that may affect user workloads. They are:
@ -847,6 +861,27 @@ The following features are deprecated in UCP 3.1.
 # Version 3.0
 ## 3.0.15
 2019-10-07
 ### Bug fixes
 * Upgraded RethinkDB Go Client to v5. (ENGORC-2704)
 * Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638)
 ### Kubernetes
 * Enabled Kubernetes Node Authorizer Plugin. (ENGORC-2652)
 * Kube-dns is now deployed with 2 replicas. (ENGORC-1816)
 ### Components
 | Component             | Version |
 | --------------------- | ------- |
 | UCP                   | 3.0.15  |
 | Kubernetes            | 1.8.15  |
 | Calico                | 3.8.2   |
 | Interlock             | 2.6.1   |
 | Interlock NGINX proxy | 1.14.2  |
 ## 3.0.14
 2019-09-03
@ -882,7 +917,7 @@ The following features are deprecated in UCP 3.1.
 ### Bug fixes
-* Fixed an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs.
+* Fixes an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs.
 * Added a restrictive robots.txt  to the root of the UCP API server.
 ### Components
@ -901,7 +936,7 @@ The following features are deprecated in UCP 3.1.
 ### Bug fixes
 * Added migration logic to remove all actions on `pods/exec` and `pods/attach` Kubernetes subresource from the migrated UCP View-Only role. (ENGORC-2434)
-* Fixed an issue that allows unauthenticated user to list directories. (ENGORC-2175)
+* Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175)
 ### Deprecated platforms
@ -939,7 +974,7 @@ The following features are deprecated in UCP 3.1.
 ### Bug fixes
 * Bump the Golang version that is used to build UCP to version 1.10.8.
 * Prevent UCP users from updating services with a port that conflicts with the UCP controller port. (escalation#855)
-* Fixed an issue that causes UCP fail to upgrade with Interlock deployment. (docker/orca/#16009)
+* Fixes an issue that caused UCP fail to upgrade with Interlock deployment. (docker/orca/#16009)
 * Validate Calico certs expiration date and update accordingly. (escalation#981)
 ### Components
@ -990,7 +1025,7 @@ The following features are deprecated in UCP 3.1.
  * UCP backend will now complain when a service is created/updated if the
   `com.docker.lb.network` label is not correctly specified. (docker/orca#15015)
  * LDAP group member attribute is now case insensitive. (docker/escalation#917)
-  * Fixed an issue that caused a system hang after UCP backup and the attempted shutdown of the Docker daemon to perform a swarm backup. /dev/shm is now unmounted when starting the kubelet container. (docker/orca#15672, docker/escalation#841)
+  * Fixes an issue that caused a system hang after UCP backup and the attempted shutdown of the Docker daemon to perform a swarm backup. /dev/shm is now unmounted when starting the kubelet container. (docker/orca#15672, docker/escalation#841)
 * Interlock
  * Interlock headers can now be hidden. (docker/escalation#833)
@ -1033,18 +1068,18 @@ The following features are deprecated in UCP 3.1.
 * Core
  * Updated Kubernetes to version 1.8.15.
  * Resolved an issue where LDAP sync jobs terminated when processing an org admin search result that did not correspond to an existing user. (docker/escalation#784 #docker/escalation#888)
-  * Fixed an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906)
+  * Fixes an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906)
-  * Fixed an issue that caused Azure IPAM to not release addresses. (docker/escalation#815)
+  * Fixes an issue that caused Azure IPAM to not release addresses. (docker/escalation#815)
-  * Fixed an issue that caused unsuccessful installation of UCP on Azure. (docker/escalation#863)
+  * Fixes an issue that caused unsuccessful installation of UCP on Azure. (docker/escalation#863)
-  * Fixed an issue that caused the Interlock proxy service to keep restarting. (docker/escalation#814)
+  * Fixes an issue that caused the Interlock proxy service to keep restarting. (docker/escalation#814)
-  * Fixed an issue that caused Kubernetes DNS to not work. (#14064, #11981)
+  * Fixes an issue that caused Kubernetes DNS to not work. (#14064, #11981)
-  * Fixed an issue that caused "Missing swarm placement constraints" warning banner to appear unnecessarily. (docker/orca#14539)
+  * Fixes an issue that caused "Missing swarm placement constraints" warning banner to appear unnecessarily. (docker/orca#14539)
 * Security
-  * Fixed `libcurl` vulnerability in RethinkDB image. (docker/orca#15169)
+  * Fixes `libcurl` vulnerability in RethinkDB image. (docker/orca#15169)
 * UI
-  * Fixed an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639)
+  * Fixes an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639)
 ### Components
@ -1062,7 +1097,7 @@ The following features are deprecated in UCP 3.1.
 ### Bug fixes
 * Security
-  * Fixed a critical security issue to prevent UCP from accepting certificates from
+  * Fixes a critical security issue to prevent UCP from accepting certificates from
    the system pool when adding client CAs to the server that requires mutual authentication.
 ### Known Issue
@ -1081,7 +1116,7 @@ The following features are deprecated in UCP 3.1.
 | UCP      | 3.0.5 |
 | Kubernetes   | 1.8.11 |
 | Calico      | 3.0.8 |
-| Interlock (nginx)   | 1.13.12 |
+| Interlock (NGINX)   | 1.13.12 |
 ## 3.0.4
@ -1090,7 +1125,7 @@ The following features are deprecated in UCP 3.1.
 ### Bug fixes
 * Security
-  * Fixed a critical security issue where the LDAP bind username and password were stored in cleartext on UCP hosts. Please refer to [this KB article](https://success.docker.com/article/upgrading-to-ucp-2-2-12-ucp-3-0-4/) for proper implementation of this fix.
+  * Fixes a critical security issue where the LDAP bind user name and password were stored in clear text on UCP hosts. Please refer to [this KB article](https://success.docker.com/article/upgrading-to-ucp-2-2-12-ucp-3-0-4/) for proper implementation of this fix.
 ### Known Issue
@ -1119,14 +1154,14 @@ The following features are deprecated in UCP 3.1.
 ### Bug fixes
 * Core
-   * Optimize swarm service read api calls through UCP
+   * Optimize swarm service read API calls through UCP
   * Fixes an issue where some UCP Controller API calls may hang indefinitely.
   * Default Calico MTU set to 1480
   * Calico is upgraded to 3.0.8
   * Compose for Kubernetes logging improvements
   * Fixes an issue where backups would fail if UCP was not licensed.
   * Fixes an issue where DTR admins are missing the Full Control Grant against /Shared Collection even though they have logged in at least once to the web interface.
-   * Add support for bind mount volumes to kubernetes stacks and fixes sporadic errors in kubernetes stack validator that would incorrectly reject stacks.
+   * Add support for bind mount volumes to Kubernetes stacks and fixes sporadic errors in Kubernetes stack validator that would incorrectly reject stacks.
 ### Components
@ -1135,7 +1170,7 @@ The following features are deprecated in UCP 3.1.
 | UCP      | 3.0.3 |
 | Kubernetes   | 1.8.11 |
 | Calico      | 3.0.8 |
-| Interlock (nginx)   | 1.13.12 |
+| Interlock (NGINX)   | 1.13.12 |
 ## 3.0.2
@ -1154,10 +1189,10 @@ Azure Disk when installing UCP with the `--cloud-provider` option.
 ### Bug fixes
 * Core
-   * Fixed an issue for anonymous volumes in Compose for Kubernetes.
+   * Fixes an issue for anonymous volumes in Compose for Kubernetes.
-   * Fixed an issue where a fresh install would have an initial per-user session
+   * Fixes an issue where a fresh install would have an initial per-user session
   limit of unlimited rather than the expected limit of 10 minutes.
-   * Added separate resource types for Kubernetes subresources (e.g. pod/log)
+   * Added separate resource types for Kubernetes subresources (for example, pod/log)
   so that users can get separate permissions for those resources, as with the
   built-in Kubernetes RBAC authorizer. If you had a custom role with
   (for instance) Pod Get permissions, you may need to create a new custom
@ -1170,7 +1205,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option.
     behavior) instead of a 404.
 * UI/UX
-   * Fixed an issue that causes LDAP configuration UI to not work properly.
+   * Fixes an issue that caused LDAP configuration UI to not work properly.
 ### Components
@ -1179,7 +1214,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option.
 | UCP      | 3.0.2 |
 | Kubernetes   | 1.8.11 |
 | Calico      | 3.0.1 |
-| Interlock (nginx)   | 1.13.8 |
+| Interlock (NGINX)   | 1.13.8 |
 ## 3.0.1
@ -1192,19 +1227,19 @@ Azure Disk when installing UCP with the `--cloud-provider` option.
  This port must be in the `NodePort` range.
  * Kubernetes API server port is now configurable via `--kube-apiserver-port`
  flag at install or `cluster_config.kube_apiserver_port` in UCP config.
-  * Fixed an issue where upgrade fails due to missing `ucp-kv` snapshots.
+  * Fixes an issue where upgrade fails due to missing `ucp-kv` snapshots.
-  * Fixed an issue where upgrade fails due to layer 7 routing issues.
+  * Fixes an issue where upgrade fails due to layer 7 routing issues.
  * `ucp-interlock-proxy` no longer tries to schedule components on Windows nodes.
-  * Fixed an issue where a Kubernetes networking failure would not stop UCP from
+  * Fixes an issue where a Kubernetes networking failure would not stop UCP from
  installing successfully.
-  * Fixed an issue where encrypted overlay networks could not communicate on
+  * Fixes an issue where encrypted overlay networks could not communicate on
  firewalled hosts.
-  * Fixed an issue where Pod CIDR and Node IP values could conflict at install
+  * Fixes an issue where Pod CIDR and Node IP values could conflict at install
  Installation no longer fails if an empty `PodCIDR` value is set in the UCP
  config at install time. Instead, it falls back to default CIDR.
 *  UI/UX
-  * Fixed an issue where UCP banners redirected to older UCP 2.2 documentation.
+  * Fixes an issue where UCP banners redirected to older UCP 2.2 documentation.
 ### Known issues
@ -1221,7 +1256,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option.
  networking disruption for pods on each node during the upgrade process,
  depending on how quickly `calico-node` gets upgraded on those nodes.
  * `ucp-interlock-proxy` may fail to start when two or more services are
- configured with two or more backend hosts.  [You can use this workaround](https://success.docker.com/article/how-do-i-ensure-the-ucp-routing-mesh-ucp-interlock-proxy-continues-running-in-the-event-of-a-failed-update).
+ configured with two or more back-end hosts.  [You can use this workaround](https://success.docker.com/article/how-do-i-ensure-the-ucp-routing-mesh-ucp-interlock-proxy-continues-running-in-the-event-of-a-failed-update).
 ### Components
@ -1230,7 +1265,7 @@ Azure Disk when installing UCP with the `--cloud-provider` option.
 | UCP      | 3.0.1 |
 | Kubernetes   | 1.8.11 |
 | Calico      | 3.0.1 |
-| Interlock (nginx)   | 1.13.8 |
+| Interlock (NGINX)   | 1.13.8 |
 ## 3.0.0
 2018-04-17
@ -1293,7 +1328,7 @@ will be available in future releases.
  * You can now create custom roles with Kubernetes API permissions. Default
  roles include Kubernetes API permissions based on their access type.
  As an example, View-Only contains Swarm and Kubernetes read-only API permissions.
-  * In addition to collections, grants can now use Kubernetes Namespaces as
+  * In addition to collections, grants can now use Kubernetes namespaces as
  a resource set type.
  * Admins can now link a Kubernetes namespace to a collection of nodes in order
  to isolate users and workloads between different nodes.
@ -1391,6 +1426,14 @@ deprecated. Deploy your applications as Swarm services or Kubernetes workloads.
 # Version 2.2
 ## Version 2.2.22
 2019-10-07
 ### Bug fixes
 * Upgraded RethinkDB Go Client to v5. (ENGORC-2704)
 * Now UI timeout is obeyed with browser tab open or closed. (ENGORC-2576)
 * Fixes an issue that caused slow response with increasing number of collections. (ENGORC-2638)
 ## Version 2.2.21
 2019-09-03
@ -1402,8 +1445,7 @@ deprecated. Deploy your applications as Swarm services or Kubernetes workloads.
 2019-07-17
 ### Bug fixes
-
+* Fixes an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs.
 * Fixed an issue that caused sensitive command line arguments provided to the UCP installer command to also print in debug logs.
 * Added a restrictive robots.txt  to the root of the UCP API server.
 ### Known issues
@ -1428,7 +1470,7 @@ instead of the correct image for the worker architecture.
 ### Bug fixes
-* Fixed an issue that allows unauthenticated user to list directories. (ENGORC-2175)
+* Fixes an issue that allows unauthenticated user to list directories. (ENGORC-2175)
 ### Known issues
@ -1528,7 +1570,7 @@ instead of the correct image for the worker architecture.
  * Significantly reduced database load in environments with a lot of concurrent and repeated API requests by the same user.
  * Added the ability to set custom HTTP response headers to be returned by the UCP Controller API Server.
 * Web interface
-  * Fixed stack creation for non admin user when UCP uses a custom controller port.
+  * Fixes stack creation for non-admin user when UCP uses a custom controller port.
 ### Known issues
@ -1555,10 +1597,10 @@ instead of the correct image for the worker architecture.
 * Core
  * Resolved an issue where LDAP sync jobs terminated when processing an org admin search result that did not correspond to an existing user. (docker/escalation#784 #docker/escalation#888)
-  * Fixed an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906)
+  * Fixes an issue that caused RethinkDB client lock contention. (docker/escalation#902 and docker/escalation#906)
 * Web Interface
-  * Fixed an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639)
+  * Fixes an issue that prevented "Per User Limit" on Admin Settings from working. (docker/escalation#639)
 ### Known issues
@ -1584,7 +1626,7 @@ instead of the correct image for the worker architecture.
 ### Bug fixes
 * Security
-  * Fixed a critical security issue to prevent UCP from accepting certificates from
+  * Fixes a critical security issue to prevent UCP from accepting certificates from
    the system pool when adding client CAs to the server that requires mutual authentication.
 ### Known issues
@ -1611,7 +1653,7 @@ instead of the correct image for the worker architecture.
 ### Bug fixes
 * Security
-  * Fixed a critical security issue where the LDAP bind username and password
+  * Fixes a critical security issue where the LDAP bind user name and password
    were stored in cleartext on UCP hosts. Please refer to the following KB article
    https://success.docker.com/article/upgrading-to-ucp-2-2-12-ucp-3-0-4/
    for proper implementation of this fix.
@ -1643,19 +1685,19 @@ instead of the correct image for the worker architecture.
 ### Bug fixes
 * Security
-  * Fixed an issue that causes some security headers to not be added to all API responses.
+  * Fixes an issue that caused some security headers to not be added to all API responses.
 * Core
  * Optimized swarm service read API calls through UCP.
  * Upgraded `RethinkDB` image to address potential security vulnerabilities.
-  * Fixee an issue where removing a worker node from the cluster would cause an etcd member to be removed on a manager node.
+  * Fixes an issue where removing a worker node from the cluster would cause an etcd member to be removed on a manager node.
  * Upgraded `etcd` version to 2.3.8.
-  * Fixed an issue that causes classic Swarm to provide outdated data.
+  * Fixes an issue that caused classic Swarm to provide outdated data.
-  * Fixed an issue that raises `ucp-kv` collection error with unnamed volumes.
+  * Fixes an issue that raises `ucp-kv` collection error with unnamed volumes.
 * UI
-  * Fixed an issue that causes the web interface to not parse volume options correctly.
+  * Fixes an issue that caused the web interface to not parse volume options correctly.
-  * Fixed an issue that prevents the user from deploying stacks through the web interface.
+  * Fixes an issue that prevents the user from deploying stacks through the web interface.
 ### Known issues
@ -1686,9 +1728,9 @@ instead of the correct image for the worker architecture.
 * UI
  * Users can now set log driver name and options on both create and update
   service screens.
-  * Fixed an issue that causes legacy collections on services to break the web interface. Now
+  * Fixes an issue that caused legacy collections on services to break the web interface. Now
   legacy collections are properly prepended with "/Shared/Legacy/".
-  * Fixed an issue that causes service counts in status summary to be shown
+  * Fixes an issue that caused service counts in status summary to be shown
   incorrectly.
 * Authentication/Authorization
@ -1696,14 +1738,14 @@ instead of the correct image for the worker architecture.
   previously logged in.
  * The logic which reconciles collection labels is now skipped if the
   node already has an access label.
-  * Fixed an issue where LDAP syncs would always search against the last server
+  * Fixes an issue where LDAP syncs would always search against the last server
   in the list of additional domains if the search base DN matched any of those
   domains.
 * Core
  * UCP can now be displayed in an iframe for pages hosted on the same domain.
-  * Fixed an issue that prevents non-admin users to do `docker build` on UCP.
+  * Fixes an issue that prevents non-admin users to do `docker build` on UCP.
-  * Fixed an issue where a node's status may be reported incorrectly in node
+  * Fixes an issue where a node's status may be reported incorrectly in node
   listings.
  * UCP can now be installed on a system with more than 127 logical CPU cores.
  * Improved the performance of UCP's local and global health checks.
@ -1734,12 +1776,12 @@ instead of the correct image for the worker architecture.
 ### Bug fixes
 * Security
-  * Fixed an issue that allows users to incorrectly interact with local volumes.
+  * Fixes an issue that allows users to incorrectly interact with local volumes.
-  * Fixed an issue where setting minimum TLS version causes `ucp-agent` to
+  * Fixes an issue where setting minimum TLS version caused `ucp-agent` to
   keep restarting on worker nodes.
 * Core
-  * Fixed an issue that causes container fail to start with `container ID not found`
+  * Fixes an issue that caused container fail to start with `container ID not found`
   during high concurrent API calls to create and start containers.
 ### Known issues
@ -1769,7 +1811,7 @@ is always used, regardless of which one is actually the best match.
 ### Bug fixes
-* Fixed an issue where the minimum TLS version setting is not correctly handled,
+* Fixes an issue where the minimum TLS version setting is not correctly handled,
  leading to non-default values causing `ucp-controller` and `ucp-agent` to keep
  restarting.
@ -1814,14 +1856,14 @@ is always used, regardless of which one is actually the best match.
 * Core
  * The HRM service is no longer deployed with constraints that might prevent
  the service from ever getting scheduled.
-  * Fixed a problem causing the HRM service to be restarted multiple times.
+  * Fixes an issue that caused the HRM service to restart multiple times.
  * The `ucp-agent` service is now deployed without adding extra collection labels.
  This doesn't change the behavior of the service.
-  * Fixed problem causing a healthy `ucp-auth-store` component to be reported as
+  * Fixes an issue that caused a healthy `ucp-auth-store` component to be reported as
  unhealthy.
-  * Fixed a race condition causing the labels for the UCP controller container
+  * Fixes a race condition causing the labels for the UCP controller container
  to be reset.
-  * Fixed an issue causing the `ucp-agent` service to be deployed with the wrong
+  * Fixes an issue causing the `ucp-agent` service to be deployed with the wrong
  architecture on Windows nodes.
 * RBAC
  * Role-based access control can now be enforced for third-party volume plugins,
@ -1831,16 +1873,16 @@ is always used, regardless of which one is actually the best match.
  to go onto each node and clean up those resources directly.
  * When upgrading from UCP 2.1, inactive user accounts are no longer migrated
  to the new RBAC model.
-  * Fixed an issue preventing users from seeing a collection when they have
+  * Fixes an issue preventing users from seeing a collection when they have
  permissions to deploy services on a child collection.
  * Grants are now deleted when deleting an organization whose teams have grants.
 * UI
-  * Fixed a problem in the Settings page that would cause Docker to stop when
+  * Fixes a issue in the Settings page that caused Docker to stop when
  you made changes to UCP settings and a new manager node is promoted to leader.
-  * Fixed bug causing the Grants list page not to render after deleting an
+  * Fixes a bug causing the Grants list page not to render after deleting an
  organization mentioned used on a grant.
-  * Fixed a problem that would intermittently cause settings not to be persisted.
+  * Fixes an issue that intermittently caused settings not to be persisted.
-  * Fixed an issue that prevented users from being able to change LDAP settings.
+  * Fixes an issue that prevented users from being able to change LDAP settings.
 ### Known issues
@ -1924,7 +1966,7 @@ for volumes.
  * Additional translations added for internationalization.
  * UI for adding users to teams simplified.
  * The grant list can now sorted and pagination in the grants view has been improved. The grants view previously had glitches on systems with many grants.
-  * Fixed problem where the web interface would hang when pulling images.
+  * Fixes an issue where the web interface would hang when pulling images.
  * "Max failure ratio" and "Failure action" re-introduced in service definitions. These settings were not available in UCP 2.2, but were available in previous UCP versions.
  * Collection labels are no longer applied to UCP system services. UCP previously auto-applied labels, which was confusing.
@ -1966,7 +2008,7 @@ for volumes.
  * Windows nodes are no longer displayed in the DTR install UI.
  * DTR settings state in UCP is now preserved when switching tabs. Previously,
  un-saved state was lost when switching tabs.
-  * Fixed problem where first manager node may have IP address `0.0.0.0`,
+  * Fixes an issue where the first manager node may have IP address `0.0.0.0`,
  causing dashboard to not update.
  * UI for adding Windows nodes improved to include full join instructions.
  * Node Task UI fixed. Displaying tasks for a node previously did not work.
@ -2005,24 +2047,24 @@ for volumes.
 ### Bug fixes
 * Core
-  * Fixed an issue that caused timeouts during install, preventing UCP 2.2.1 from
+  * Fixes an issue that caused timeouts during install, preventing UCP 2.2.1 from
  being released.
-  * Fixed a number of issues in which access control labels and roles could not
+  * Fixes a number of issues in which access control labels and roles could not
  be upgraded to their new format, when upgrading UCP.
  [Learn more](https://success.docker.com/KBase/Auth_system_migration_errors).
-  * Fixed an issue that caused an upgrade with multiple manager nodes to fail
+  * Fixes an issue that caused an upgrade with multiple manager nodes to fail
  with RethinkDB startup errors.
-  * Fixed an issue that caused upgrades to fail due to UCP being unable to
+  * Fixes an issue that caused upgrades to fail due to UCP being unable to
  remove and replace older UCP containers.
-  * Fixed an issue in which upgrade timed out due to lack of available disk space.
+  * Fixes an issue in which upgrade timed out due to lack of available disk space.
-  * Fixed an issue in which rescheduling of containers not belonging in services
+  * Fixes an issue in which rescheduling of containers not belonging in services
  could fail due to a request for a duplicate IP address.
  * DTR containers are no longer omitted from `docker ps` commands.
 * UI/UX
-  * Fixed known issue from 2.2.0 where config changes (including LDAP/AD) take
+  * Fixes known issue from 2.2.0 where config changes (including LDAP/AD) take
  an extended period to update after making changes in the UI settings.
-  * Fixed an issue where the `/apidocs` url redirected to the login page.
+  * Fixes an issue where the `/apidocs` url redirected to the login page.
-  * Fixed an issue in which the UI does not redirect to a bad URL immediately
+  * Fixes an issue in which the UI does not redirect to a bad URL immediately
  after an upgrade.
  * Config and API docs now show the correct LDAP sync cron schedule format.
 * docker/ucp image
@ -2103,7 +2145,7 @@ and the API is fully interactive within the UCP web interface.
  * Redesigned dashboard with time-series historical graphs for usage metrics.
  * Compact layout to more easily view resource information at a glance.
  * Detail panels for resources no longer slide out and cover the main panel.
-  * Filtering mechanism to display related items (e.g. resources in a collection or stack).
+  * Filtering mechanism to display related items (for example, resources in a collection or stack).
 ### Known issues