我的书签
添加书签
移除书签Release notes for Service Binding Operator
The Service Binding Operator consists of a controller and an accompanying custom resource definition (CRD) for service binding. It manages the data plane for workloads and backing services. The Service Binding Controller reads the data made available by the control plane of backing services. Then, it projects this data to workloads according to the rules specified through the ServiceBinding resource.
With Service Binding Operator, you can:
Bind your workloads together with Operator-managed backing services.
Automate configuration of binding data.
Provide service operators a low-touch administrative experience to provision and manage access to services.
Enrich development lifecycle with a consistent and declarative service binding method that eliminates discrepancies in cluster environments.
The custom resource definition (CRD) of the Service Binding Operator supports the following APIs:
Service Binding with the
binding.operators.coreos.comAPI group.Service Binding (Spec API Tech Preview) with the
servicebinding.ioAPI group.Service Binding (Spec API Tech Preview) with the
servicebinding.ioAPI group is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
Support matrix
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
In the table, features are marked with the following statuses:
TP: Technology Preview
GA: General Availability
Note the following scope of support on the Red Hat Customer Portal for these features:
| Service Binding Operator | API Group and Support Status | OpenShift Versions | |
|---|---|---|---|
Version |
|
| |
1.1.1 | GA | TP | 4.7-4.10 |
1.1 | GA | TP | 4.7-4.10 |
1.0.1 | GA | TP | 4.7-4.9 |
1.0 | GA | TP | 4.7-4.9 |
Making open source more inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see Red Hat CTO Chris Wright’s message.
Release notes for Service Binding Operator 1.1.1
Service Binding Operator 1.1.1 is now available on OKD 4.7, 4.8, 4.9, and 4.10.
Fixed issues
Before this update, a security vulnerability
CVE-2021-38561was noted for Service Binding Operator Helm chart. This update fixes theCVE-2021-38561error and updates thegolang.org/x/textpackage from v0.3.6 to v0.3.7. APPSVC-1124Before this update, users of the Developer Sandbox did not have sufficient permissions to read
ClusterWorkloadResourceMappingresources. As a result, Service Binding Operator prevented all service bindings from being successful. With this update, the Service Binding Operator now includes the appropriate role-based access control (RBAC) rules for any authenticated subject including the Developer Sandbox users. These RBAC rules allow the Service Binding Operator toget,list, andwatchtheClusterWorkloadResourceMappingresources for the Developer Sandbox users and to process service bindings successfully. APPSVC-1135
Known issues
There is currently a known issue with installing Service Binding Operator in a single namespace installation mode. The absence of an appropriate namespace-scoped role-based access control (RBAC) rule prevents the successful binding of an application to a few known Operator-backed services that the Service Binding Operator can automatically detect and bind to. When this happens, it generates an error message similar to the following example:
Example error message
`postgresclusters.postgres-operator.crunchydata.com "hippo" is forbidden:User "system:serviceaccount:my-petclinic:service-binding-operator" cannotget resource "postgresclusters" in API group "postgres-operator.crunchydata.com"in the namespace "my-petclinic"`
Workaround 1: Install the Service Binding Operator in the
all namespacesinstallation mode. As a result, the appropriate cluster-scoped RBAC rule now exists and the binding succeeds.Workaround 2: If you cannot install the Service Binding Operator in the
all namespacesinstallation mode, install the following role binding into the namespace where the Service Binding Operator is installed:Example: Role binding for Crunchy Postgres Operator
kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:name: service-binding-crunchy-postgres-viewersubjects:- kind: ServiceAccountname: service-binding-operatorroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: service-binding-crunchy-postgres-viewer-role
Currently, when you modify the
ClusterWorkloadResourceMappingresources, the Service Binding Operator does not implement correct behavior. As a workaround, perform the following steps:Delete any
ServiceBindingresources that use the correspondingClusterWorkloadResourceMappingresource.Modify the
ClusterWorkloadResourceMappingresource.Re-apply the
ServiceBindingresources that you previously removed in step 1.
Release notes for Service Binding Operator 1.1
Service Binding Operator is now available on OKD 4.7, 4.8, 4.9, and 4.10.
New features
This section highlights what is new in Service Binding Operator 1.1:
Service Binding Options
Workload resource mapping: Define exactly where binding data needs to be projected for the secondary workloads.
Bind new workloads using a label selector.
Fixed issues
- Before this update, service bindings that used label selectors to pick up workloads did not project service binding data into the new workloads that matched the given label selectors. As a result, the Service Binding Operator could not periodically bind such new workloads. With this update, service bindings now project service binding data into the new workloads that match the given label selector. The Service Binding Operator now periodically attempts to find and bind such new workloads. APPSVC-1083
Known issues
There is currently a known issue with installing Service Binding Operator in a single namespace installation mode. The absence of an appropriate namespace-scoped role-based access control (RBAC) rule prevents the successful binding of an application to a few known Operator-backed services that the Service Binding Operator can automatically detect and bind to. When this happens, it generates an error message similar to the following example:
Example error message
`postgresclusters.postgres-operator.crunchydata.com "hippo" is forbidden:User "system:serviceaccount:my-petclinic:service-binding-operator" cannotget resource "postgresclusters" in API group "postgres-operator.crunchydata.com"in the namespace "my-petclinic"`
Workaround 1: Install the Service Binding Operator in the
all namespacesinstallation mode. As a result, the appropriate cluster-scoped RBAC rule now exists and the binding succeeds.Workaround 2: If you cannot install the Service Binding Operator in the
all namespacesinstallation mode, install the following role binding into the namespace where the Service Binding Operator is installed:Example: Role binding for Crunchy Postgres Operator
kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:name: service-binding-crunchy-postgres-viewersubjects:- kind: ServiceAccountname: service-binding-operatorroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: service-binding-crunchy-postgres-viewer-role
Currently, when you modify the
ClusterWorkloadResourceMappingresources, the Service Binding Operator does not implement correct behavior. As a workaround, perform the following steps:Delete any
ServiceBindingresources that use the correspondingClusterWorkloadResourceMappingresource.Modify the
ClusterWorkloadResourceMappingresource.Re-apply the
ServiceBindingresources that you previously removed in step 1.
Release notes for Service Binding Operator 1.0.1
Service Binding Operator is now available on OKD 4.7, 4.8 and 4.9.
Service Binding Operator 1.0.1 supports OpenShift Container Platform 4.9 and later running on:
IBM Power Systems
IBM Z and LinuxONE
The custom resource definition (CRD) of the Service Binding Operator 1.0.1 supports the following APIs:
Service Binding with the
binding.operators.coreos.comAPI group.Service Binding (Spec API Tech Preview) with the
servicebinding.ioAPI group.Service Binding (Spec API Tech Preview) with the
servicebinding.ioAPI group is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
Support matrix
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
Technology Preview Features Support Scope
In the table below, features are marked with the following statuses:
TP: Technology Preview
GA: General Availability
Note the following scope of support on the Red Hat Customer Portal for these features:
| Feature | Service Binding Operator 1.0.1 |
|---|---|
| GA |
| TP |
Fixed issues
Before this update, binding the data values from a
Clustercustom resource (CR) of thepostgresql.k8s.enterpriesedb.io/v1API collected thehostbinding value from the.metadata.namefield of the CR. The collected binding value is an incorrect hostname and the correct hostname is available at the.status.writeServicefield. With this update, the annotations that the Service Binding Operator uses to expose the binding data values from the backing service CR are now modified to collect thehostbinding value from the.status.writeServicefield. The Service Binding Operator uses these modified annotations to project the correct hostname in thehostandproviderbindings. APPSVC-1040Before this update, when you would bind a
PostgresClusterCR of thepostgres-operator.crunchydata.com/v1beta1API, the binding data values did not include the values for the database certificates. As a result, the application failed to connect to the database. With this update, modifications to the annotations that the Service Binding Operator uses to expose the binding data from the backing service CR now include the database certificates. The Service Binding Operator uses these modified annotations to project the correctca.crt,tls.crt, andtls.keycertificate files. APPSVC-1045Before this update, when you would bind a
PerconaXtraDBClustercustom resource (CR) of thepxc.percona.comAPI, the binding data values did not include theportanddatabasevalues. These binding values along with the others already projected are necessary for an application to successfully connect to the database service. With this update, the annotations that the Service Binding Operator uses to expose the binding data values from the backing service CR are now modified to project the additionalportanddatabasebinding values. The Service Binding Operator uses these modified annotations to project the complete set of binding values that the application can use to successfully connect to the database service. APPSVC-1073
Known issues
Currently, when you install the Service Binding Operator in the single namespace installation mode, the absence of an appropriate namespace-scoped role-based access control (RBAC) rule prevents the successful binding of an application to a few known Operator-backed services that the Service Binding Operator can automatically detect and bind to. In addition, the following error message is generated:
Example error message
`postgresclusters.postgres-operator.crunchydata.com "hippo" is forbidden:User "system:serviceaccount:my-petclinic:service-binding-operator" cannotget resource "postgresclusters" in API group "postgres-operator.crunchydata.com"in the namespace "my-petclinic"`
Workaround 1: Install the Service Binding Operator in the
all namespacesinstallation mode. As a result, the appropriate cluster-scoped RBAC rule now exists and the binding succeeds.Workaround 2: If you cannot install the Service Binding Operator in the
all namespacesinstallation mode, install the following role binding into the namespace where the Service Binding Operator is installed:Example: Role binding for Crunchy Postgres Operator
kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:name: service-binding-crunchy-postgres-viewersubjects:- kind: ServiceAccountname: service-binding-operatorroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: service-binding-crunchy-postgres-viewer-role
Release notes for Service Binding Operator 1.0
Service Binding Operator is now available on OKD 4.7, 4.8 and 4.9.
The custom resource definition (CRD) of the Service Binding Operator 1.0 supports the following APIs:
Service Binding with the
binding.operators.coreos.comAPI group.Service Binding (Spec API Tech Preview) with the
servicebinding.ioAPI group.Service Binding (Spec API Tech Preview) with the
servicebinding.ioAPI group is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.For more information about the support scope of Red Hat Technology Preview features, see https://access.redhat.com/support/offerings/techpreview/.
Support matrix
Some features in this release are currently in Technology Preview. These experimental features are not intended for production use.
Technology Preview Features Support Scope
In the table below, features are marked with the following statuses:
TP: Technology Preview
GA: General Availability
Note the following scope of support on the Red Hat Customer Portal for these features:
| Feature | Service Binding Operator 1.0 |
|---|---|
| GA |
| TP |
New features
Service Binding Operator 1.0 supports OpenShift Container Platform 4.9 and later running on:
IBM Power Systems
IBM Z and LinuxONE
This section highlights what is new in Service Binding Operator 1.0:
Exposal of binding data from services
Based on annotations present in CRD, custom resources (CRs), or resources.
Based on descriptors present in Operator Lifecycle Manager (OLM) descriptors.
Support for provisioned services
Workload projection
Projection of binding data as files, with volume mounts.
Projection of binding data as environment variables.
Service Binding Options
Bind backing services in a namespace that is different from the workload namespace.
Project binding data into the specific container workloads.
Auto-detection of the binding data from resources owned by the backing service CR.
Compose custom binding data from the exposed binding data.
Support for non-
PodSpeccompliant workload resources.
Security
- Support for role-based access control (RBAC).
