From f18f9e342013b45e9e79029b9c07305d55419d2d Mon Sep 17 00:00:00 2001 From: Cody Hoag Date: Tue, 10 Dec 2019 13:52:36 -0500 Subject: [PATCH] Add etcd data encryption info to release notes --- release_notes/ocp-4-3-release-notes.adoc | 40 ++++++++++++++++++------ 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/release_notes/ocp-4-3-release-notes.adoc b/release_notes/ocp-4-3-release-notes.adoc index 8beb4393f7..64d53f6b20 100644 --- a/release_notes/ocp-4-3-release-notes.adoc +++ b/release_notes/ocp-4-3-release-notes.adoc @@ -77,6 +77,35 @@ to customers based on data from the Red Hat Service Reliability Engineering (SRE) team, you might not immediately see notification in the web console that updates from version 4.2.z to 4.3 are available at initial release. +[id="ocp-4-3-security"] +=== Security + +[id="ocp-4-3-cert-rotation"] +==== Automatic rotation of certificates + +Automated CA rotation will be available in this release in a future z-stream +update. This is to allow time for administrators to plan accordingly for their environments. + +[id="ocp-4-3-encrypt-data-stored-in-etcd"] +==== Encrypt data stored in etcd + +You can now xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[encrypt data stored in etcd]. +Enabling etcd encryption for your cluster provides an additional layer of data +security. + +When you enable etcd encryption, the following OpenShift API server and +Kubernetes API server resources are encrypted: + +* Secrets + +* ConfigMaps + +* Routes + +* OAuth access tokens + +* OAuth authorize tokens + [id="ocp-4-3-cluster-monitoring"] === Cluster monitoring 
@@ -161,15 +190,6 @@ Preview, are now fully supported in {product-title} 4.3. Using the Container Storage Interface (CSI) to expand storage volumes after they have already been created is now enabled by default in Technology Preview. -[id="ocp-4-3-certificates"] -=== Certificates - -[id="ocp-4-3-cert-rotation"] -==== Automatic rotation of certificates - -Automated CA rotation will be available in this release in a future z-stream -update. This is to allow time for administrators to plan accordingly for their environments. - [id="ocp-4-3-operators"] === Operators @@ -523,7 +543,7 @@ indicate that the feature is removed from the release or deprecated. |TP |TP -|SR-IOV network Operator +|SR-IOV Network Operator | |TP |GA
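Review bot: in the first hunk (@@ -77,6 +77,35 @@), the new "Encrypt data stored in etcd" paragraph says enabling encryption "provides an additional layer of data security" but never states what that layer protects; a reader deciding whether to turn it on needs to know this is encryption at rest of the listed resource types in the etcd database (and hence in etcd backups), not encryption of API traffic and not a restriction on what an authorized API client can read. Suggest one sentence after "...provides an additional layer of data security." saying so. In the same hunk, the moved text "Automated CA rotation will be available in this release in a future z-stream update" reads as a contradiction ("in this release" versus "future update"); "Automated CA rotation is planned for a future 4.3 z-stream update" says the same thing without it.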
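Review bot: the second hunk (@@ -161,15 +190,6 @@) deletes the anchor `[id="ocp-4-3-certificates"]` together with the "=== Certificates" heading while only `[id="ocp-4-3-cert-rotation"]` survives under the new Security section; any existing xref to `ocp-4-3-certificates`, in this file or elsewhere in the docs repository, becomes a broken cross-reference at build time. Grep for that id before merging and repoint any hits to `ocp-4-3-security` or `ocp-4-3-cert-rotation`.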
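Review bot: the third hunk (@@ -523,7 +543,7 @@) changes `SR-IOV network Operator` to `SR-IOV Network Operator` in the feature table, which is unrelated to the commit subject "Add etcd data encryption info to release notes"; either mention the capitalization fix in the commit message or split it into its own commit so the etcd change stays reviewable on its own.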