From 200612db49e4dd2b72e900c674aa043bdac9b895 Mon Sep 17 00:00:00 2001 From: Dawn W Docker Date: Wed, 10 Jul 2019 13:34:28 -0700 Subject: [PATCH 1/7] adding admission controlers bare bones topic --- _data/toc.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_data/toc.yaml b/_data/toc.yaml index b5c544b6dc..0c8eb7b74d 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml @@ -1363,6 +1363,8 @@ manuals: title: Add labels to cluster nodes - path: /ee/ucp/admin/configure/add-sans-to-cluster/ title: Add SANs to cluster certificates + - path: /ee/ucp/admin/configure/admission-controllers + title: Admission Controllers - path: /ee/ucp/admin/configure/collect-cluster-metrics/ title: Collect UCP cluster metrics with Prometheus - path: /ee/ucp/admin/configure/metrics-descriptions/ From 1ebdf7ad417c20643f3a49d4cbc636db0cc9c8db Mon Sep 17 00:00:00 2001 From: Dawn W Docker Date: Wed, 10 Jul 2019 13:38:02 -0700 Subject: [PATCH 2/7] adding file --- .../admin/configure/admission-controllers.md | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 ee/ucp/admin/configure/admission-controllers.md diff --git a/ee/ucp/admin/configure/admission-controllers.md b/ee/ucp/admin/configure/admission-controllers.md new file mode 100644 index 0000000000..74b36606ea --- /dev/null +++ b/ee/ucp/admin/configure/admission-controllers.md 
@@ -0,0 +1,29 @@ +--- +title: Admission controllers +description: Learn about how admission controllers are used in docker. +keywords: cluster, psp, security +--- + +# Admission controllers + +This is the current list of admission controllers used by Docker: + ### Default +- [NamespaceLifecycle](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle) +- [LimitRanger](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#limitranger) +- [ServiceAccount](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount) +- [PersistentVolumeLabel](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#persistentvolumelabel) +- [DefaultStorageClass](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#defaultstorageclass) +- [DefaultTolerationSeconds](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#defaulttolerationseconds) +- [NodeRestriction](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#noderestriction) +- [ResourceQuota](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#resourcequota) +- [PodNodeSelector](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podnodeselector) +- [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) + +### Custom +- UCPAuthorization +- CheckImageSigning +- UCPNodeSelector + +**Note:** you cannot enable or disable your own admission controllers. For more information about why, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane) + +For more information about pod security policies in Docker, see [Pod security policies](/ee/ucp/kubernetes/pod-security-policies.md). 
\ No newline at end of file From f5394e9e7c1bde9c8126729af7abda59eca9437d Mon Sep 17 00:00:00 2001 From: Dawn W Docker Date: Wed, 10 Jul 2019 14:07:44 -0700 Subject: [PATCH 3/7] fixing heading formatting --- ee/ucp/admin/configure/admission-controllers.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ee/ucp/admin/configure/admission-controllers.md b/ee/ucp/admin/configure/admission-controllers.md index 74b36606ea..247d5313a5 100644 --- a/ee/ucp/admin/configure/admission-controllers.md +++ b/ee/ucp/admin/configure/admission-controllers.md @@ -4,10 +4,10 @@ description: Learn about how admission controllers are used in docker. keywords: cluster, psp, security --- -# Admission controllers This is the current list of admission controllers used by Docker: - ### Default + +### Default - [NamespaceLifecycle](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#namespacelifecycle) - [LimitRanger](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#limitranger) - [ServiceAccount](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount) From cac9b55b18cfea3127de87aa8921bd840a556d73 Mon Sep 17 00:00:00 2001 From: paigehargrave Date: Mon, 15 Jul 2019 13:16:00 -0400 Subject: [PATCH 4/7] Relnotes Landing page What's New/Known Issues updates (#1183) Adding the rel notes landing page --- _data/toc.yaml | 58 ++------------- ee/release-notes.md | 70 +++++------------- ee/ucp/release-notes.md | 155 ++++++++++++++++++++-------------------- release-notes/index.md | 20 +++--- 4 files changed, 108 insertions(+), 195 deletions(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index 0c8eb7b74d..3eb24a840d 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
@@ -1290,22 +1290,8 @@ manuals: section: - path: /ee/ title: Overview - - sectiontitle: Release notes - section: - - path: /ee/release-notes/ - title: Platform - - path: /engine/release-notes/ - title: Docker Engine - Enterprise and Engine - Community - nosync: true - - path: /ee/ucp/release-notes/ - title: Docker Universal Control Plane - nosync: true - - path: /ee/dtr/release-notes/ - title: Docker Trusted Registry - nosync: true - - path: /ee/desktop/release-notes/ - title: Docker Desktop Enterprise - nosync: true + - path: /ee/release-notes/ + title: Release notes - sectiontitle: Docker Cluster section: - path: /cluster/ @@ -3694,44 +3680,8 @@ manuals: title: Token scope documentation - path: /registry/spec/auth/token/ title: Token authentication specification -- sectiontitle: Release notes - section: - - path: /release-notes/ - title: Overview - - sectiontitle: Docker Enterprise Platform - section: - - path: /ee/release-notes/ - title: Platform - - path: /engine/release-notes/ - title: Docker Engine - Enterprise and Engine - Community - nosync: true - - path: /ee/ucp/release-notes/ - title: Docker Universal Control Plane - nosync: true - - path: /ee/dtr/release-notes/ - title: Docker Trusted Registry - nosync: true - - path: /ee/desktop/release-notes/ - title: Docker Desktop Enterprise - nosync: true - - path: /docker-for-mac/release-notes/ - title: Docker Desktop for Mac - nosync: true - - path: /docker-for-windows/release-notes/ - title: Docker Desktop for Windows - nosync: true - - path: /release-notes/docker-compose/ - title: Docker Compose - nosync: true - - path: /docker-for-aws/release-notes/ - title: Docker for AWS - nosync: true - - path: /docker-for-azure/release-notes/ - title: Docker for Azure - nosync: true - - path: /release-notes/docker-swarm/ - title: Docker Swarm release notes - nosync: true +- path: /release-notes/ + title: Release notes - sectiontitle: Superseded products and tools section: - path: /cs-engine/1.13/release-notes/ 
diff --git a/ee/release-notes.md b/ee/release-notes.md index ac8fdf19b4..2bd52e5d46 100644 --- a/ee/release-notes.md +++ b/ee/release-notes.md 
@@ -1,22 +1,26 @@ --- -title: Docker Enterprise Platform release notes -description: Learn about the new features, bug fixes, and breaking changes for Docker Enterprise Platform. +title: Docker Enterprise release notes +description: Learn about the new features, bug fixes, and breaking changes for Docker Enterprise. keywords: engine enterprise, ucp, dtr, desktop enterprise, whats new, release notes --- +This page provides information about Docker Enterprise 3.0. For +detailed information about for each enterprise component, refer to the individual component release notes +pages listed in the following **Docker Enterprise components install and upgrade** section. + ## What’s New? | Feature | Component | Component version | |---------|-----------|-------------------| -| [Group Managed Service Accounts (gMSA)](#) | UCP | 3.2.0 | -| [Open Security Controls Assessment Language (OSCAL)](#) | UCP | 3.2.0 | -| [Container storage interface (CSI)](#) | UCP | 3.2.0 | -| [Internet Small Computer System Interface (iSCSI)](#) | UCP | 3.2.0 | -| [System for Cross-domain Identity Management (SCIM)](#) | UCP | 3.2.0 | -| [Registry CLI](#) | DTR | 2.7.0 | -| [App Distribution](#) | DTR | 2.7.0 | -| [Client certificate-based Authentication](#) | DTR | 2.7.0 | -| [Application Designer](/ee/desktop/app-designer/) | Docker Desktop Enterprise | 0.1.4 | +| [Group Managed Service Accounts (gMSA)](/engine/swarm/services/) | UCP | 3.2.0 | +| [Open Security Controls Assessment Language (OSCAL)](/compliance/oscal/) | UCP | 3.2.0 | +| [Container storage interface (CSI)](/ee/ucp/kubernetes/storage/use-csi/) | UCP | 3.2.0 | +| [Internet Small Computer System Interface (iSCSI)](/ee/ucp/kubernetes/storage/use-iscsi/) | UCP | 3.2.0 | +| [System for Cross-domain Identity Management (SCIM)](/ee/ucp/admin/configure/integrate-scim/) | UCP | 3.2.0 | +| [Docker Registry CLI (Experimental)](/engine/reference/commandline/registry/) | DTR | 2.7.0 | +| [App Distribution](/ee/dtr/user/manage-applications/) | 
DTR | 2.7.0 | +| [Client certificate-based Authentication](/ee/enable-client-certificate-authentication/) | DTR and UCP|2.7.0 (DTR) and 3.2.0 (UCP)| +| [Application Designer](/ee/desktop/app-designer/) | Docker Desktop Enterprise | 0.1.4 | | [Docker App (Experimental)](/app/working-with-app/) |CLI | 0.8.0 | | [Docker Assemble (Experimental)](/assemble/install/) | CLI | 0.36.0 | | [Docker Buildx (Experimental)](/buildx/working-with-buildx/)| CLI | 0.2.2 | @@ -24,7 +28,7 @@ keywords: engine enterprise, ucp, dtr, desktop enterprise, whats new, release no | [Docker Template CLI (Experimental)](/app-template/working-with-template/) | CLI | 0.1.4 | -## Product install and upgrade +## Docker Enterprise components install and upgrade | Component Release Notes | Version | Install | Upgrade | |---------|-----------|-------------------|-------------- | @@ -34,49 +38,7 @@ keywords: engine enterprise, ucp, dtr, desktop enterprise, whats new, release no | [Docker Desktop Enterprise](/ee/desktop/release-notes/) | 2.1.0 |Install Docker Desktop Enterprise [Mac](/ee/desktop/admin/install/mac/), [Windows](/ee/desktop/admin/install/windows/) | Upgrade Docker Desktop Enterprise [Mac](/ee/desktop/admin/install/mac/), [Windows](/ee/desktop/admin/install/windows/) | Refer to the [Compatibility Matrix](https://success.docker.com/article/compatibility-matrix) and the [Maintenance Lifecycle](https://success.docker.com/article/maintenance-lifecycle) for compatibility and software maintenance details. - -## Known Issues - -This is not an exhaustive list. For complete known issues information, refer to the individual component release notes page. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Issue DescriptionIssue NumberComponentAffected VersionsFixed?Version Fix - Pull Request
docker registry info authentication error (for example purposes)ENG-DTR #912DTR2.7.0-beta2Yes2.7.0
Error when installing UCP with "selinux-enabled": true???UCPUCP with Enterprise Engine 18.09 or 19.03NoN/A
diff --git a/ee/ucp/release-notes.md b/ee/ucp/release-notes.md index a03c9faf16..a92b28aa6d 100644 --- a/ee/ucp/release-notes.md +++ b/ee/ucp/release-notes.md 
@@ -25,54 +25,52 @@ upgrade your installation to the latest release. # Version 3.2 (2019-7-10) -## New features +### New features -### Group Managed Service Accounts (gMSA) +- Group Managed Service Accounts (gMSA) On Windows, you can create or update a service using --credential-spec with the config:// format. This passes the gMSA credentials file directly to nodes before a container starts. - -### Open Security Controls Assessment Language (OSCAL) +- Open Security Controls Assessment Language (OSCAL) OSCAL API endpoints have been added in Engine and UCP. These endpoints are enabled by default. - -### Container storage interface (CSI) +- Container storage interface (CSI) Version 1.0 of the CSI specification is now supported for container orchestrators to manage storage plugins. Note: As of May 2019, none of the (available CSI drivers)[https://kubernetes-csi.github.io/docs/drivers.html] are production quality and are considered pre-GA. - -### Internet Small Computer System Interface (iSCSI) +- Internet Small Computer System Interface (iSCSI) Using iSCSI, a storage admin can now provision a UCP cluster with persistent storage from which UCP end users can request storage resources without needing underlying infrastructure knowledge. - -### System for Cross-domain Identity Management (SCIM) +- System for Cross-domain Identity Management (SCIM) SCIM implementation allows proactive synchronization with UCP and eliminates manual intervention for changing user status and group membership. - -### Support for Pod Security Policies (PSPs) within Kubernetes +- Support for Pod Security Policies (PSPs) within Kubernetes Pod Security Policies are enabled by default in UCP 3.2 allowing platform operators to enforce security controls on what can run on top of Kubernetes. For more information see [Using Pod Security](/ee/ucp/kubernetes/pod-security-policies/) +- Client Cert-based Authentication + - Users can now use UCP client bundles for DTR authentication. 
+ - Users can now add their client certificate and key to their local Engine for performing pushes and pulls without logging in. + - Users can now use client certificates to make API requests to DTR instead of providing their credentials. -## Enhancements +### Enhancements -### Backup/restore +#### Backup/restore - Backups no longer halt UCP containers. - Backup contents can now be redirected to a file instead of stdout/err. -- You can now view information for all backups performed, including the date, status, and contents filenames. -Error log information can be accessed for troubleshooting. +- You can now view information for all backups performed, including the date, status, and contents filenames. Error log information can be accessed for troubleshooting. -### Upgrade +#### Upgrade - Improved progress information for install and upgrade. - You can now manually control worker node upgrades. - User workloads no longer experience downtime during an upgrade. -### Buildkit +#### Buildkit - You can now use a UCP client bundle with buildkit. -## Deprecations +### Deprecations The following features are deprecated in UCP 3.2: - Collections 
@@ -102,56 +100,51 @@ Refer to [UCP backup information](/ee/admin/backup/back-up-ucp/) for detailed UC If your cluster has lost quorum and you cannot recover it on your own, please contact Docker Support. -## Browser support +- Browser support In order to optimize user experience and security, support for Internet Explorer (IE) version 11 is not provided for Windows 7 with UCP version 3.2. Docker recommends updating to a newer browser version if you plan to use UCP 3.2, or remaining on UCP 3.1.x or older until EOL of IE11 in January 2020. -## Kubernetes +- Kubernetes -- Integrated Kubernetes Ingress - - You can now dynamiclly deploy L7 routes for applications, scale out multi-tenant ingress for shared clusters, + - Integrated Kubernetes Ingress + - You can now dynamiclly deploy L7 routes for applications, scale out multi-tenant ingress for shared clusters, and give applications TLS termination, path-based routing, and high-performance L7 load-balancing in a centralized and controlled manner. -- Updated Kubernetes to version 1.14. + - Updated Kubernetes to version 1.14. - - Enhancements: - - PodShareProcessNamespace - - - The PodShareProcessNamespace feature, available by default, configures PID namespace sharing within a pod. - See [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) for more information. - - https://github.com/kubernetes/kubernetes/pull/66507 - - Volume Dynamic Provisioning - - - Combined `VolumeScheduling` and `DynamicProvisioningScheduling`. - - Added allowedTopologies description in kubectl. - - ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. 
- The VolumeScheduling beta feature gate is still required for this feature) -https://github.com/kubernetes/kubernetes/pull/67432 - - TokenRequest and TokenRequestProjection + - Enhancements: + - PodShareProcessNamespace + - The PodShareProcessNamespace feature, available by default, configures PID namespace sharing within a pod. See [Share Process Namespace between Containers in a Pod](https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/) for more information. + - https://github.com/kubernetes/kubernetes/pull/66507 + - Volume Dynamic Provisioning + - Combined `VolumeScheduling` and `DynamicProvisioningScheduling`. + - Added allowedTopologies description in kubectl. + - ACTION REQUIRED: The DynamicProvisioningScheduling alpha feature gate has been removed. The VolumeScheduling beta feature gate is still required for this feature. - https://github.com/kubernetes/kubernetes/pull/67432 + - TokenRequest and TokenRequestProjection - Enable these features by starting the API server with the following flags: * --service-account-issuer * --service-account-signing-key-file * --service-account-api-audiences - - https://github.com/kubernetes/kubernetes/pull/67349 + - https://github.com/kubernetes/kubernetes/pull/67349 - Removed `--cadvisor-port flag` from kubelet - ACTION REQUIRED: The cAdvisor web UI that the kubelet started using `--cadvisor-port` was removed in 1.12. If cAdvisor is needed, run it via a DaemonSet. - https://github.com/kubernetes/kubernetes/pull/65707 - - Support for Out-of-tree CSI Volume Plugins (stable) with API + - Support for Out-of-tree CSI Volume Plugins (stable) with API - - Allows volume plugins to be developed out-of-tree. - - Not require building volume plugins (or their dependencies) into Kubernetes binaries. - - Not requiring direct machine access to deploy new volume plugins (drivers). 
- - https://github.com/kubernetes/enhancements/issues/178 - - Server-side Apply leveraged by the UCP GUI for the yaml create page + - Allows volume plugins to be developed out-of-tree. + - Not require building volume plugins (or their dependencies) into Kubernetes binaries. + - Not requiring direct machine access to deploy new volume plugins (drivers). + - https://github.com/kubernetes/enhancements/issues/178 + - Server-side Apply leveraged by the UCP GUI for the yaml create page - - Moved "apply" and declarative object management from kubectl to the apiserver. Added "field ownership". - - https://github.com/kubernetes/enhancements/issues/555 - - The PodPriority admission plugin + - Moved "apply" and declarative object management from kubectl to the apiserver. Added "field ownership". + - https://github.com/kubernetes/enhancements/issues/555 + - The PodPriority admission plugin - - For `kube-apiserver`, the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11. + - For `kube-apiserver`, the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11. - The priority admission plugin: - Allows pod creation to include an explicit priority field if it matches the computed priority (allows export/import cases to continue to work on the same cluster, between 
@@ -161,35 +154,33 @@ https://github.com/kubernetes/kubernetes/pull/67432 pod did (allows POST, PUT, PUT, PUT workflows to continue to work, with the admission-set value on create being preserved by the admission plugin on update) - https://github.com/kubernetes/kubernetes/pull/65739 - - Volume Topology + - Volume Topology - - Made the scheduler aware of a Pod's volume's topology constraints, such as zone or node. - - https://github.com/kubernetes/enhancements/issues/490, Docs pr here: kubernetes/website#10736 - - Admin RBAC role and edit RBAC roles - - The admin RBAC role is aggregated from edit and view. The edit RBAC role is aggregated from a + - Made the scheduler aware of a Pod's volume's topology constraints, such as zone or node. + - https://github.com/kubernetes/enhancements/issues/490 + - Docs pr here: kubernetes/website#10736 + - Admin RBAC role and edit RBAC roles + - The admin RBAC role is aggregated from edit and view. The edit RBAC role is aggregated from a separate edit and view. - - https://github.com/kubernetes/kubernetes/pull/66684 - - API - - `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods + - https://github.com/kubernetes/kubernetes/pull/66684 + - API + - `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods metrics, as well as allow AverageValue targets on Objects, similar to External metrics. - - https://github.com/kubernetes/kubernetes/pull/64097 - - Version updates - - Client-go libraries bump - - ACTION REQUIRED: the API server and client-go libraries support additional non-alpha-numeric + - https://github.com/kubernetes/kubernetes/pull/64097 + - Version updates + - Client-go libraries bump + - ACTION REQUIRED: the API server and client-go libraries support additional non-alpha-numeric characters in UserInfo "extra" data keys. Both support extra data containing "/" characters or other characters disallowed in HTTP headers. 
- - Old clients sending keys that were %-escaped by the user have their values unescaped by new API servers. + - Old clients sending keys that were %-escaped by the user have their values unescaped by new API servers. New clients sending keys containing illegal characters (or "%") to old API servers do not have their values unescaped. - - https://github.com/kubernetes/kubernetes/pull/65799 - - audit.k8s.io API group bump + - https://github.com/kubernetes/kubernetes/pull/65799 + - audit.k8s.io API group bump - The audit.k8s.io API group has been bumped to v1. - Deprecated element metav1.ObjectMeta and Timestamp are removed from audit Events in v1 version. - - Default value of option --audit-webhook-version and --audit-log-version are changed from `audit.k8s.io/v1beta1` - to `audit.k8s.io/v1`. + - Default value of option --audit-webhook-version and --audit-log-version are changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1`. - https://github.com/kubernetes/kubernetes/pull/65891 - - Known issues - - Backwards-incompatible changes in the Kube API that might affect user workloads will require warnings/documentation in the UCP release notes for Amberjack (list of deprecated features and APIs TBD). - - Does anything need to be noted for Kube 1.12 (deprecations, etc. that is not covered for 1.13?) + ### Known issues 
@@ -224,29 +215,28 @@ https://github.com/kubernetes/kubernetes/pull/67432 ``` - Using iSCSI on a SLES 15 Kubernetes cluster results in failures - - Using Kubernetes iSCSI on SLES 15 hosts results in failures. Kubelet logs might have errors similar to the following, when there's an attempt to attach the iSCSI based persistent volume: ``` {kubelet ip-172-31-13-214.us-west-2.compute.internal} FailedMount: MountVolume.WaitForAttach failed for volume "iscsi-4mpvj" : exit status 127" ``` - Reason: The failure is because the containerized kubelet in UCP does not contain the library dependency (libopeniscsiusr) for iscsiadm version 2.0.876 on SLES15. - Workaround: use a swarm service to deploy this change across the cluster as follows: - 1. Install UCP and have nodes configured as swarm workers. - 2. Perform iSCSI initiator related configuration on the nodes. - - Install packages: + 1. Install UCP and have nodes configured as swarm workers. + 2. Perform iSCSI initiator related configuration on the nodes. + - Install packages: ``` zypper -n install open-iscsi ``` - - Modprobe the relevant kernel modules + - Modprobe the relevant kernel modules ``` modprobe iscsi_tcp ``` - - Start the iscsi daemon + - Start the iscsi daemon ``` service start iscsid ``` - 3. Create a global docker service that updates the dynamic library configuration path of the ucp-kubelet with relevant host paths. For this, use the UCP client bundle to point to the UCP cluster and run the following swarm commands: + 3. Create a global docker service that updates the dynamic library configuration path of the ucp-kubelet with relevant host paths. 
For this, use the UCP client bundle to point to the UCP cluster and run the following swarm commands: ``` docker service create --mode=global --restart-condition none --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock mavenugo/swarm-exec:17.03.0-ce docker exec ucp-kubelet "/bin/bash" "-c" "echo /rootfs/usr/lib64 >> /etc/ld.so.conf.d/libc.conf && ldconfig" 4b1qxigqht0vf5y4rtplhygj8 @@ -270,8 +260,19 @@ https://github.com/kubernetes/kubernetes/pull/67432 nwnur7r1mq77 hopeful_margulis.2gzhtgazyt3hyjmffq8f2vro4 mavenugo/swarm-exec:17.03.0-ce user-testkit-4DA6F6-sles-0 Shutdown Complete 7 minutes ago uxd7uxde21gx hopeful_margulis.ugb24g32knzvvjq9d82jbuba1 mavenugo/swarm-exec:17.03.0-ce user -testkit-4DA6F6-sles-2 Shutdown Complete 7 minutes ago + ``` - 4. Switch cluster to run kubernetes workloads. Your cluster is now set to run iSCSI workloads. + 4. Switch cluster to run kubernetes workloads. Your cluster is now set to run iSCSI workloads. + +### Components + +| Component | Version | +| ----------- | ----------- | +| UCP | 3.2.0 | +| Kubernetes | 1.14.3 | +| Calico | 3.5.7 | +| Interlock | 2.4.0 | +| Interlock NGINX proxy | 1.14.2 | # Version 3.1 diff --git a/release-notes/index.md b/release-notes/index.md index 1d9192fef7..4a6e6362c9 100644 --- a/release-notes/index.md +++ b/release-notes/index.md 
@@ -1,18 +1,18 @@ --- description: Release notes for Docker keywords: docker, documentation, about, technology, understanding, release -title: Docker Release Notes +title: Docker release notes --- -Find out what's new in Docker products! -- [Docker Enterprise Platform](/ee/release-notes/) - - [Docker Engine - Enterprise and Engine - Community](/engine/release-notes) - - [Docker Trusted Registry](/ee/dtr/release-notes/) - - [Docker Universal Control Plane](/ee/ucp/release-notes/) - - [Docker Desktop Enterprise](/ee/desktop/release-notes/) -- [Docker Desktop for Mac](/docker-for-mac/release-notes.md) ([Edge Releases](/docker-for-mac/edge-release-notes.md)) -- [Docker Desktop for Windows](/docker-for-windows/release-notes.md) ([Edge Releases](/docker-for-windows/edge-release-notes.md)) -- [Docker for Azure](/docker-for-azure/release-notes.md) or [Docker for AWS](/docker-for-aws/release-notes.md) +Find out what's new in Docker! Release notes also contain detailed information about known issues and fixes for each component. + +- [Docker Engine](/engine/release-notes) +- [Docker Desktop Enterprise](/ee/desktop/release-notes/) +- [Docker Desktop for Mac](/docker-for-mac/release-notes.md) +- [Docker Desktop for Mac Edge Releases](/docker-for-mac/edge-release-notes.md) +- [Docker Desktop for Windows](/docker-for-windows/release-notes.md) +- [Docker Desktop for Windows Edge Releases](/docker-for-windows/edge-release-notes.md) +- [Docker for AWS](/docker-for-aws/release-notes.md) - [Docker Compose](docker-compose.md) - [Docker Machine](docker-machine.md) - [Docker Swarm (standalone)](docker-swarm.md) From a7ba2284532f004936f3ffdc8686ef8d236cdab9 Mon Sep 17 00:00:00 2001 From: ollypom Date: Sat, 13 Jul 2019 11:50:31 +0000 Subject: [PATCH 5/7] Fix Oscal TOC --- _data/toc.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_data/toc.yaml b/_data/toc.yaml index 3eb24a840d..f39e5ed680 100644 --- a/_data/toc.yaml +++ b/_data/toc.yaml 
@@ -469,7 +469,7 @@ guides: title: NIST ITL Bulletin October 2017 - sectiontitle: OSCAL section: - - path: /compliance/oscal + - path: /compliance/oscal/ title: OSCAL compliance guidance - sectiontitle: CIS Benchmarks section: From 08f75af4fa8f94edcf366b02c93e09b38bd8bcf4 Mon Sep 17 00:00:00 2001 From: Dawn W Docker Date: Mon, 15 Jul 2019 12:50:17 -0700 Subject: [PATCH 6/7] updating topic with details from jlhawn --- .../admin/configure/admission-controllers.md | 32 +++++++++++++++++-- 1 file changed, 29 insertions(+), 3 deletions(-) diff --git a/ee/ucp/admin/configure/admission-controllers.md b/ee/ucp/admin/configure/admission-controllers.md index 247d5313a5..bc78412334 100644 --- a/ee/ucp/admin/configure/admission-controllers.md +++ b/ee/ucp/admin/configure/admission-controllers.md 
@@ -20,9 +20,35 @@ This is the current list of admission controllers used by Docker: - [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) ### Custom -- UCPAuthorization -- CheckImageSigning -- UCPNodeSelector +- **UCPAuthorization** +This custom admission controller does several things: + - Annotates Docker Compose-on-Kubernetes `Stack` resources with the identity +of the user performing the request so that the Docker Compose-on-Kubernetes +resource controller can manage `Stacks` with correct user authorization. + - Detects when `ServiceAccount` resources are deleted so that they can be +correctly removed from UCP's Node scheduling authorization backend. + - Simplifies creation of `RoleBindings` and `ClusterRoleBindings` resources by +automatically converting user, organization, and team Subject names into +their corresponding unique identifiers. + - Prevents users from deleting the builtin `cluster-admin` `ClusterRole` or +`ClusterRoleBinding` resources. + - Prevents under-privileged users from creating or updating `PersistintVolume` +resources with host paths. + - Works in conjunction with the builtin `PodSecurityPolicies` admission +controller to prevent under-privileged users from creating `Pods` with +privileged options. +- **CheckImageSigning** +Enforces UCP's Docker Content Trust policy which, if enabled, requires that all +Pods use container images which have been digitally signed by trusted and +authorized users which are members of one or more teams in UCP. +- **UCPNodeSelector** +Adds a `com.docker.ucp.orchestrator.kubernetes:*` toleration to pods in the +kube-system namespace and removes `com.docker.ucp.orchestrator.kubernetes` +tolerations from pods in other namespaces. This ensures that user workloads do +not run on swarm-only nodes, which UCP taints with +`com.docker.ucp.orchestrator.kubernetes:NoExecute`. 
It also adds a node +affinity to prevent pods from running on manager nodes depending on UCP's +settings. **Note:** you cannot enable or disable your own admission controllers. For more information about why, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane) From 52b85594a5b8146b46feffd75625d67245e46cff Mon Sep 17 00:00:00 2001 From: Dawn W <51414965+DawnWood-Docker@users.noreply.github.com> Date: Tue, 16 Jul 2019 08:42:59 -0700 Subject: [PATCH 7/7] Update admission-controllers.md --- ee/ucp/admin/configure/admission-controllers.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ee/ucp/admin/configure/admission-controllers.md b/ee/ucp/admin/configure/admission-controllers.md index bc78412334..3d4ab0a076 100644 --- a/ee/ucp/admin/configure/admission-controllers.md +++ b/ee/ucp/admin/configure/admission-controllers.md 
@@ -30,16 +30,16 @@ correctly removed from UCP's Node scheduling authorization backend. - Simplifies creation of `RoleBindings` and `ClusterRoleBindings` resources by automatically converting user, organization, and team Subject names into their corresponding unique identifiers. - - Prevents users from deleting the builtin `cluster-admin` `ClusterRole` or + - Prevents users from deleting the built-in `cluster-admin` `ClusterRole` or `ClusterRoleBinding` resources. - Prevents under-privileged users from creating or updating `PersistintVolume` resources with host paths. - - Works in conjunction with the builtin `PodSecurityPolicies` admission + - Works in conjunction with the built-in `PodSecurityPolicies` admission controller to prevent under-privileged users from creating `Pods` with privileged options. - **CheckImageSigning** Enforces UCP's Docker Content Trust policy which, if enabled, requires that all -Pods use container images which have been digitally signed by trusted and +pods use container images which have been digitally signed by trusted and authorized users which are members of one or more teams in UCP. - **UCPNodeSelector** Adds a `com.docker.ucp.orchestrator.kubernetes:*` toleration to pods in the 
@@ -50,6 +50,6 @@ not run on swarm-only nodes, which UCP taints with affinity to prevent pods from running on manager nodes depending on UCP's settings. -**Note:** you cannot enable or disable your own admission controllers. For more information about why, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane) +**Note:** you cannot enable or disable your own admission controllers. For more information, see [Supportability of custom kubernetes flags in universal control plane](https://success.docker.com/article/supportability-of-custom-kubernetes-flags-in-universal-control-plane) -For more information about pod security policies in Docker, see [Pod security policies](/ee/ucp/kubernetes/pod-security-policies.md). \ No newline at end of file +For more information about pod security policies in Docker, see [Pod security policies](/ee/ucp/kubernetes/pod-security-policies.md).
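Review bot: the new TOC entry in PATCH 1/7 (`_data/toc.yaml`, hunk at -1363) is missing the trailing slash that every neighbouring path has: `+ - path: /ee/ucp/admin/configure/admission-controllers` sits between `/ee/ucp/admin/configure/add-sans-to-cluster/` and `/ee/ucp/admin/configure/collect-cluster-metrics/`. PATCH 5/7 fixes exactly this inconsistency for `/compliance/oscal/`, so apply the same fix here in the same series. The title `Admission Controllers` should also be sentence case (`Admission controllers`) to match the adjacent titles and the page's own front-matter `title`.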
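Review bot: the new `admission-controllers.md` in PATCH 2/7 never says where these admission controllers run; "This is the current list of admission controllers used by Docker:" would be clearer as the list of admission plugins enabled on the Kubernetes API server that UCP manages, which is the fact a cluster admin needs when reading the `PodSecurityPolicy` and `NodeRestriction` entries. The front-matter `description` also spells the product as "docker" ("used in docker"). The duplicated `# Admission controllers` H1, the indented ` ### Default`, and the missing trailing newline are fixed later in PATCH 3/7 and PATCH 7/7, so those three commits could be squashed into this one.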
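Review bot: the rewritten list in `release-notes/index.md` (PATCH 4/7) drops the links to the Docker Enterprise platform notes (`/ee/release-notes/`), UCP (`/ee/ucp/release-notes/`), DTR (`/ee/dtr/release-notes/`) and Docker for Azure (`/docker-for-azure/release-notes.md`), while the same patch's two `_data/toc.yaml` hunks collapse both release-notes sections to single `/ee/release-notes/` and `/release-notes/` entries. After this change the only navigation path to the UCP and DTR release notes is the component table on `/ee/release-notes/`. If that is intended, the new intro sentence ("Release notes also contain detailed information about known issues and fixes for each component") should link to that page, and the removal of the Docker for Azure entry should be mentioned in the commit message since nothing in the diff explains it.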
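Review bot: typo in the new intro paragraph of `ee/release-notes.md` (PATCH 4/7, hunk at -1,22): "For detailed information about for each enterprise component" has a stray "for" ("about each enterprise component"). In the What's New table the new row `| DTR and UCP|2.7.0 (DTR) and 3.2.0 (UCP)|` is the only one listing two components; splitting it into a DTR row and a UCP row keeps the Component and Component version columns single-valued and sortable. The gMSA row now points at the generic `/engine/swarm/services/` page while every other row links to a feature-specific page; anchor it to the `--credential-spec` section if one exists.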
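Review bot: deleting the Known Issues section of `ee/release-notes.md` (PATCH 4/7, hunk at -34,49) is the right call given its placeholder rows ("docker registry info authentication error (for example purposes)", issue number "???"), but one of the removed rows records a real unfixed item: "Error when installing UCP with "selinux-enabled": true", affecting UCP with Enterprise Engine 18.09 or 19.03, marked not fixed. Confirm that this issue is listed under Known issues in `ee/ucp/release-notes.md` before the landing-page copy is dropped, otherwise the series silently loses the only published record of it.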
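Review bot: converting the `### ` feature headings to `- ` bullets in `ee/ucp/release-notes.md` (PATCH 4/7, hunk at -25,54) leaves each description paragraph unindented directly under its bullet, for example `+- Group Managed Service Accounts (gMSA)` followed by `On Windows, you can create or update a service using --credential-spec ...`, so Markdown treats the description as a lazy continuation and renders the feature name and its paragraph as one run-on list item. Either indent the descriptions under the bullet or bold the feature names, as PATCH 6/7 does for the custom admission controllers. While these lines are being rewritten, the CSI note's link has its brackets and parentheses swapped: `(available CSI drivers)[https://kubernetes-csi.github.io/docs/drivers.html]` should be `[available CSI drivers](https://kubernetes-csi.github.io/docs/drivers.html)`.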
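Review bot: "dynamiclly" is carried over unchanged into the re-indented line `+ - You can now dynamiclly deploy L7 routes for applications` (`ee/ucp/release-notes.md`, hunk at -102,56); fix it to "dynamically" since the line is already being rewritten. The same hunk keeps the TokenRequest item "Enable these features by starting the API server with the following flags: * --service-account-issuer * --service-account-signing-key-file * --service-account-api-audiences", which reads as an instruction to UCP operators, while the admission-controllers page added in this series states that custom Kubernetes flags are not supported in UCP. State whether UCP already enables TokenRequest on its API server or drop the flag list, so that readers do not attempt an unsupported API server change to get it.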
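Review bot: the iSCSI workaround in `ee/ucp/release-notes.md` (PATCH 4/7, hunk at -224,29) has two problems in the lines being re-indented. The command `service start iscsid` has its arguments in the wrong order (`service iscsid start`; on SLES 15 `systemctl start iscsid` is the native form). More importantly, step 3 instructs admins to run `docker service create --mode=global --restart-condition none --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock mavenugo/swarm-exec:17.03.0-ce docker exec ucp-kubelet ...`, which hands the Docker socket, root-equivalent on every node in the cluster, to a third-party image from an individual's Docker Hub namespace so that it can modify `/etc/ld.so.conf.d` inside `ucp-kubelet`. A documented workaround for a security product should use a Docker-maintained image pinned by digest, or simply tell the admin to run the `docker exec ucp-kubelet ...` command on each SLES node, and should add a step to remove the global service once the library path has been updated.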
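Review bot: `PersistintVolume` in `+ - Prevents under-privileged users from creating or updating `PersistintVolume`` (PATCH 6/7, `admission-controllers.md` hunk at -20,9) is a misspelling of the `PersistentVolume` resource kind and is still present as a context line in PATCH 7/7; fix it, since readers search the page for the kind name. Two clarity points on the same hunk: "This custom admission controller does several things:" is better as "performs the following functions:", and the `UCPNodeSelector` entry should say explicitly that it is a mutating controller, so a `com.docker.ucp.orchestrator.kubernetes` toleration added in a user's own manifest is stripped server-side rather than rejected; that is what the text describes ("removes `com.docker.ucp.orchestrator.kubernetes` tolerations from pods in other namespaces") and it explains to users why the toleration they wrote disappears from the stored object.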
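Review bot: the reworded note in PATCH 7/7 (`admission-controllers.md`, hunk at -50,6), `+**Note:** you cannot enable or disable your own admission controllers.`, is still ambiguous: "your own" reads as "custom controllers you wrote", while the linked article is about custom Kubernetes flags in UCP. State whether the restriction also covers the Default list above (that is, whether `PodSecurityPolicy`, `NodeRestriction` and the rest are always on and cannot be turned off), because that is the security-relevant fact a cluster admin reading this page needs, and spell "kubernetes" and "universal control plane" with their usual capitals in the link text.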