Release Notes
Release notes summarize user-visible changes, breaking changes, and migration requirements for each MaaS version.
v0.1.2
Release Date: TBD
Breaking Changes
Gateway-level AuthPolicy (RHOAIENG-62571)
- The maas-controller now creates a single AuthPolicy/maas-gateway-auth in the gateway namespace (openshift-ingress) instead of one per-model AuthPolicy in each model namespace.
- Per-model AuthPolicy objects managed by the controller are deleted on the first reconcile after upgrade.
- status.authPolicies now references maas-gateway-auth / openshift-ingress instead of per-model policy names.
- New admission webhooks (failurePolicy=Ignore) validate that MaaSAuthPolicy and MaaSSubscription are created in namespaces that contain a Tenant CR.
- AITenant created outside the configured --aitenant-namespace are now rejected at admission instead of being accepted and later marked Failed/InvalidPlacement by the controller.
- Minimum Kuadrant version: v1.4.2 or later required for spec.defaults.rules support.
- End-user auth behavior is unchanged — valid API key + active subscription + allowed group still returns 200.
New Features
Singleton gateway AuthPolicy
- All per-model allowlists aggregated into one CEL expression in maas-gateway-auth
- Dynamic model identity extracted from X-Gateway-Model-Name header with request.path fallback
- Model-aware cache keys prevent subscription result pollution across models
- Response header injection: X-MaaS-Subscription, userId, username, groups
Admission webhooks
- Validating webhooks for MaaSAuthPolicy and MaaSSubscription enforce namespace tenancy requirements
Known Limitations
tenant-gateway-isolationrule is a stub. The gateway policy includes an always-allow placeholder for multi-gateway tenant isolation. This will be replaced with a real hostname check in a future release.
v0.1.1
Release Date: 2026-05-01
Breaking Changes
Required spec field for MaaS CRs
- MaaSAuthPolicy, MaaSSubscription, and MaaSModelRef now require the spec field
- CRs without spec are marked as Invalid and new CRs without spec are blocked
- Tenant.Spec remains optional
- Migration: Add a spec field to existing MaaSAuthPolicy, MaaSSubscription, and MaaSModelRef CRs that lack one (e.g., add spec: {} if needed)
New Features
Tenant CR
- Platform-level configuration centralized in the Tenant CR (maas.opendatahub.io/v1alpha1)
- Auto-bootstrapped as default-tenant in models-as-a-service namespace
- Configurable gateway, API key lifetime, telemetry, and external OIDC via spec fields
- See Tenant CR Configuration
Observability - Perses dashboards for model usage visualization - Admin usage dashboard for token consumption tracking - ServiceMonitor for maas-controller metrics
OIDC Enhancements
- OIDC token support for /v1/models endpoint
- Configurable cluster audience via --cluster-audience flag
External Models
- External models (introduced in v0.1.0) now included in /v1/models listings
- Namespace prefix added to HTTPRoute paths for LLMInferenceService parity
Key Improvements
- Fail-close logic when Limitador is unavailable prevents rate limit bypass
- Degraded/failed subscriptions rejected at auth layer
- Token rate limit validation aligned with Kuadrant TokenRateLimitPolicy windows
- Terminating namespace handling during RHOAI upgrades
- Local Kind deployment support for development
Known Limitations
- Shared HTTPRoute token rate limits: Multiple
MaaSModelRefresources on the sameHTTPRoutecreate multipleTokenRateLimitPolicyobjects, but only one may be enforced at the gateway. See Quota and Access Configuration for workarounds.
v0.1.0
Release Date: 2026-04-01
Breaking Changes
Subscription-based access model
- Legacy tier-based access control (ConfigMap tier-to-group-mapping) fully removed
- All deployments must use subscription CRDs: MaaSModelRef, MaaSAuthPolicy, MaaSSubscription
- Migration: See Migration Guide: Tier-Based to Subscription Model
CRD Changes
- MaaSModel renamed to MaaSModelRef
- New required CRDs: MaaSSubscription, MaaSAuthPolicy, ExternalModel
- Namespace scoping: MaaS API watches a configurable namespace for subscriptions
Required tokenRateLimits field
- All MaaSSubscription resources must include inline tokenRateLimits specification
- The tokenRateLimitRef field has been removed
- Migration: See Migration Guide: Tier-Based to Subscription Model for subscription examples with inline rate limits
New Features
Authentication & Authorization - API key management: create, revoke, set expiration - Ephemeral API keys with cleanup CronJob - Salt-based encryption for API key hashing - OIDC authentication integration with maas-api AuthPolicy - RBAC aggregation for namespace users
Model Management
- New ExternalModel CRD for external model support with Istio-based egress routing
- /v1/models endpoint returns available models with subscription info
- /v1/subscriptions endpoint for subscription management
- Support for Vertex AI (Gemini) API translation
Rate Limiting & Quotas
- Token-based rate limiting via tokenRateLimits specification
- Integration with Kuadrant TokenRateLimitPolicy
- Configurable Authorino caching for AuthPolicy evaluators
Operations
- FIPS compliance enabled
- Auto-create models-as-a-service namespace on controller startup
- Multi-arch image builds
- Subscription flow E2E tests with group support
v0.0.2
Release Date: 2026-01-22
New Features
Security - End-to-end TLS for external API traffic - NetworkPolicy to allow Authorino access to MaaS components
Deployment - Updated deploy script for new RHOAI Operator flow - Centralized maas-api image substitution - Flexible CSV version checking and dynamic deployment discovery
API - Fixed model listing authorization to target actual API endpoint - Corrected authorization checks for proper JWT validation
Operations - GitHub Release Action automation - Installation documentation for ODH-based deployments - Kustomize component handling in manifest validation
0.0.1
Release Date: 2025-11-24
Initial release