v1.14 offers support for Kubernetes secrets, a CSI v1.0.0 Cinder driver plus improvements to authentication, load balancing and networking.


The OpenStack Special Interest Group (SIG-OpenStack) is excited to announce the v1.14 release of Cloud-Provider-OpenStack (CPO). CPO provides an interface between a Kubernetes cluster and a host OpenStack cloud, allowing for advanced management and introspection of OpenStack resources. This release is matched to the recent Kubernetes v1.14 release. The K8s-SIG-OpenStack team has been hard at work on adding new features, including extended support for Kubernetes secrets with Barbican integration, ingress controllers with Octavia integration, CSI-conformant volumes through Cinder, and Keystone based authentication. The release is available for immediate download as source code, compiled binaries, and Docker images.

If you’d like to learn more or get involved with OpenStack and Kubernetes integrations:

For a deeper dive on OpenStack and container integrations, check out the white paper  “Leveraging OpenStack and Containers: A Comprehensive Review,” written by the SIG-K8s community.

1.14 release notes

In-tree support for the OpenStack cloud provider is deprecated and scheduled for removal by the end of the year. If you depend on the in-tree provider that ships with Kubernetes core, now’s the time to start on your migration strategy to the external cloud-provider-openstack.

As part of that deprecation, the in-tree volume provider code is being removed in favor of proxying to the out-of-tree Cinder CSI provider. This will not impact the in-tree Cinder APIs, but will require the Cinder CSI provider to be present on deployment nodes.

The v1.14 release of OpenStack cloud provider for Kubernetes includes the following features and bug fixes:

  • Keystone Authentication
    • Improved argument handling for keystone client auth.
    • Added support for clouds.yaml.
    • Added multi-cloud selection support in clouds.yaml.
    • Added Support for client certificates in keystone auth.
    • Fixed keystone client auth error.
    • Fixed mountpoint for cloud.conf.
    • Improved failure logging.
  • Cinder Volume/CSI Storage
    • Reduced size of Cinder CSI images.
    • Improved CSI status reporting.
    • Added Certificate of Authority (CA) support in CSI.
    • Updated Cinder driver to CSI 1.0.0 spec
    • Added snapshot support for CSI.
    • Added volume stage and unstage capabilities.
    • Added support for topology-aware dynamic volume provisioning.
    • Fixed volume snapshot and restore.
  • Neutron networking
    • Added internal-network-name option.
    • Improved ingress naming to improve resource management and cleanup.
    • Fixed floating ip descriptions.
  • Load balancer
    • The name of load balancer created by Service has been changed, now the name is more meaningful, including cluster name, Service namespace and Service name. The existing Services are not affected.
    • Introduced a new Service annotation ‘loadbalancer.openstack.org/x-forwarded-for’, if set to “true”, the backend HTTP service is able to get the real source IP address of the request from the HTTP headers(X-Forwarded-For).
    • Introduced a new Service annotation ‘loadbalancer.openstack.org/port-id’ for Service of LoadBalancer type to specify a particular Neutron port as the Octavia load balancer VIP, which is useful for automation.
  • Octavia ingress controller
    • Standardized use of ‘kebab case’ for the setting configuration options of Octavia ingress controller.
    • Improved floating IP and security group management in octavia-ingress-controller.
    • Added support for creating internal or external ingress by setting the annotation ‘octavia.ingress.kubernetes.io/internal’, if it’s true, the load balancer created in Octavia won’t have floating IP associated. The default value is true.
  • Secret management
    • Added support for Kubernetes secrets.
    • Added support for cloud configuration as Kubernetes secret.
    • Simplified cloud configuration secret generation.
    • Additional support for Barbican secrets.
  • Manilla file storage
    • Added support for Manilla RBAC Permissions for endpoints
    • Improved Manilla options validation.