From 852e3b924e42176b71e16d630e7d76ba792fbcf5 Mon Sep 17 00:00:00 2001 From: Alex Dellapenta Date: Wed, 11 Oct 2023 15:01:11 -0600 Subject: [PATCH] Add 4.14 relnotes for token auth via CCO / AWS STS --- release_notes/ocp-4-14-release-notes.adoc | 32 ++++++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/release_notes/ocp-4-14-release-notes.adoc b/release_notes/ocp-4-14-release-notes.adoc index 023d43c40463..8df127e3bd39 100644 --- a/release_notes/ocp-4-14-release-notes.adoc +++ b/release_notes/ocp-4-14-release-notes.adoc @@ -145,7 +145,7 @@ Before you set a path value for the `template` parameter, ensure that the defaul === Post-installation configuration [id="ocp-4-14-OCP-on-multi-arch-clusters"] -==== {product-title} cluster with multi-architecture compute machines +==== {product-title} cluster with multi-architecture compute machines {product-title} {product-version} clusters with multi-architecture compute machines are now supported on Google Cloud Platform (GCP) as a Day 2 operation. {product-title} clusters with multi-architecture compute machines on bare metal installations are now generally available. For more information on clusters with multi-architecture compute machines and supported platforms, see xref:../post_installation_configuration/configuring-multi-arch-compute-machines/multi-architecture-configuration.adoc#multi-architecture-configuration[About clusters with multi-architecture compute machines]. [id="ocp-4-14-web-console"] 
@@ -156,14 +156,14 @@ Before you set a path value for the `template` parameter, ensure that the defaul With this release, there are several updates to the *Administrator* perspective of the web console. You can now perform the following actions: -* Narrow down the list of resources in a list view or search page with exact search capabilities. This will help when you have similarly named resources and fuzzy search doesn't narrow down your search. +* Narrow down the list of resources in a list view or search page with exact search capabilities. This will help when you have similarly named resources and fuzzy search does not narrow down your search. * Provide direct feedback about features and report a bug by clicking the *Help* button on the toolbar and clicking *Share Feedback* from the drop-down list. * Display and hide tooltips in the YAML editor. The tooltips will persist so you don't have to change it every time you navigate to the page. [id="supported-os-types-cluster"] -===== Operating system based filtering in Operator Hub +===== Operating system based filtering in OperatorHub -With this update, Operators in the Operator Hub are now filtered based on the nodes operating system since cluster can contain heterogenous nodes. +With this update, Operators in OperatorHub are now filtered based on the nodes operating system because clusters can contain heterogenous nodes. [id="console-supports-installing-specific-operator-versions"] ===== Support for installing specific Operator versions in the web console 
@@ -172,6 +172,14 @@ With this update, you can now choose from a list of available versions for an Op //link to content in Operator book TBD +[id="console-supports-aws-sts-detection"] +===== OperatorHub support for AWS STS + +With this release, OperatorHub detects when an Amazon Web Services (AWS) cluster is using the Security Token Service (STS). When detected, a "Cluster in STS Mode" notification displays with additional instructions before installing an Operator to ensure it runs correctly. The *Operator Installation* page is also modified to add the required *role ARN* field. + +For more information, see _Token authentication for Operators on cloud providers_. +//xref:../operators/operator_sdk/osdk-token-auth.adoc#osdk-token-auth[Token authentication for Operators on cloud providers]. + [id="ocp-4-14-developer-perspective"] ==== Developer Perspective @@ -242,6 +250,14 @@ With this release, if a user manually modifies a pod security admission label fr For more information, see xref:../authentication/understanding-and-managing-pod-security-admission.adoc#security-context-constraints-psa-sync-exclusions_understanding-and-managing-pod-security-admission[Pod security admission synchronization namespace exclusions]. +[id="ocp-4-14-auth-cco-sts"] +==== OLM-based Operator support for AWS STS + +With this release, some Operators managed by Operator Lifecycle Manager (OLM) on Amazon Web Services (AWS) clusters can use the Cloud Credential Operator (CCO) in manual mode with the Security Token Service (STS). These Operators authenticate with limited-privilege, short-term credentials that are managed outside the cluster. + +For more information, see _Token authentication for Operators on cloud providers_. +//xref:../operators/operator_sdk/osdk-token-auth.adoc#osdk-token-auth[Token authentication for Operators on cloud providers]. + [id="ocp-4-14-networking"] === Networking 
@@ -374,6 +390,14 @@ For more information about disabling the Image Registry Operator, see xref:../in [id="ocp-4-14-osdk"] === Operator development +[id="ocp-4-14-osdk-cco-sts"] +==== Token authentication for Operators on cloud providers: AWS STS + +With this release, Operators managed by Operator Lifecycle Manager (OLM) can support token authentication when running on Amazon Web Services (AWS) clusters that use the Security Token Service (STS). The Cloud Credential Operator (CCO) is updated to semi-automate provisioning certain limited-privilege, short-term credentials, provided that the Operator author has enabled their Operator to support AWS STS. + +For more information about enabling OLM-based Operators to support CCO-based workflows with AWS STS, see _Token authentication for Operators on cloud providers_. +//xref:../operators/operator_sdk/osdk-token-auth.adoc#osdk-token-auth[Token authentication for Operators on cloud providers]. + [id="ocp-4-14-machine-config-operator"] === Machine Config Operator
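Review bot: In the `@@ -156,14 +156,14` hunk, the rewritten OperatorHub sentence still carries two errors on a line that is being touched anyway: "heterogenous" should be "heterogeneous", and "the nodes operating system" is missing its possessive. Suggest "filtered based on the operating system of the nodes because clusters can contain heterogeneous nodes". The same hunk expands "doesn't" to "does not" in the first bullet but leaves "don't" in the YAML editor tooltip bullet, so the contraction cleanup is only half applied. These wording fixes, together with the heading-only change in the `@@ -145,7 +145,7` hunk where the removed and added lines read the same as shown, are unrelated to the commit subject and would be easier to review as a separate cleanup commit.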
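Review bot: In the `@@ -172,6 +172,14` hunk, the "For more information" line names _Token authentication for Operators on cloud providers_ in italics while the actual xref to `osdk-token-auth.adoc` is commented out on the next line, and the two later hunks repeat the same pattern. As written, the published notes would point readers to a title with no link. Suggest a comment beside each commented xref saying what blocks it, in the style of the existing `//link to content in Operator book TBD` line, so all three are restored together before the notes ship. Separately, the paragraph says the *Operator Installation* page adds a required *role ARN* field but does not say what that role is for; one clause on what the role lets the Operator do would help the administrator who has to supply it.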
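Review bot: "some Operators managed by Operator Lifecycle Manager (OLM)" in the `@@ -242,6 +250,14` hunk does not tell a cluster administrator how to find out which Operators qualify. The `@@ -374,6 +390,14` hunk states the actual condition, that the Operator author has enabled the Operator to support AWS STS; suggest repeating that condition here so the authentication section stands on its own. "credentials that are managed outside the cluster" is also passive about who manages them; naming the responsible party would make the security model clearer to the reader.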
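Review bot: "semi-automate provisioning certain limited-privilege, short-term credentials" in the `@@ -374,6 +390,14` hunk leaves open which steps the Cloud Credential Operator performs and which remain manual, which is the detail an Operator author needs from this section. Suggest one sentence splitting the two, or dropping "semi-automate" and "certain" in favour of a concrete statement once the linked procedure is available. This paragraph also largely restates the "OLM-based Operator support for AWS STS" entry added earlier in the patch; consider keeping the administrator view there and limiting this entry to what changes for Operator authors.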