Object:
-
Some ObjectBucketClaim options were added in Rook v1.16 that allowed more control over buckets. These controls allow users to self-serve their own S3 policies, which many administrators might consider a risk, depending on their environment. Rook has taken steps to ensure potentially risky configurations are disabled by default to ensure the safest off-the-shelf configurations. Administrators who wish to allow users to use the full range of OBC configurations must use the new
ROOK_OBC_ALLOW_ADDITIONAL_CONFIG_FIELDSto enable users to set potentially risky options. See rook#15376 for more information. -
Add first-class credential management to CephObjectStoreUser. Existing S3 users provisioned via CephObjectStoreUser resources no longer allow multiple credentials to exist on underlying S3 users, unless explicitly managed by Rook. Rook will purge all but one of the undeclared credentials. This could be a user observable regression for administrators who manually edited/rotated S3 user credentials for CephObjectStoreUsers. Affected users should make use of the new credential management feature instead. For more details, see #15359.