
UNRELEASED

1.20.4 (22.02.2021)

1.19.8 (21.02.2021)

1.19.7 (17.02.2021)

1.19.3 (26.10.2020)

1.19.1 (10.09.2020)

Changelog from 1.18

  • Kubernetes: 1.19.1
  • Docker: 19.03.12
  • FeatureGates: add GenericEphemeralVolume
  • FeatureGates: add CSIStorageCapacity
  • FeatureGates: add EphemeralContainers
  • ControllerManager: add --cluster-signing-duration flag
  • Cgroups: default cgroup driver set to systemd
  • Logging: add logging_format to all components
  • ControllerManager: use separate flags for different CSR signers
  • ControllerManager: garbagecollector controller flags
  • ControllerManager: horizontalpodautoscaling controller flags
  • Kubelet: set the maximum number of images to report in Node.Status.Images
  • Kubelet: integrate with the kernel memcg notification to determine if memory eviction thresholds are crossed rather than polling
  • Kubelet: check the underlying node for required components (binaries, etc.) before performing the mount
  • KubeProxy: add --bind-address-hard-fail flag to treat failure to bind to a port as fatal
  • KubeletConfig: Add support for disabling /logs endpoint in kubelet.
  • Node Problem Detector: 0.8.4
  • CNI/plugins: 0.8.7
  • etcd: 3.4.13

1.18.8 (20.08.2020)

  • Kubernetes: 1.18.8
  • kubelet: added systemReserved and kubeReserved configuration options (only for cpu and memory now)
  • Weave Net: 2.7.0
  • etcd: 3.4.12
  • Weave: include weave-npc by default 🤷
  • BUG: Fix etcd initial_cluster_string
  • Weave: don't include weave-npc by default
  • Weave: define weave metrics port in DaemonSet to use it in Pod/ServiceMonitors
  • Weave: define npd metrics port in DaemonSet to use it in Pod/ServiceMonitors

1.18.6 (17.07.2020)

1.18.5 (08.07.2020)

1.18.4 (08.07.2020)

1.18.3 (28.05.2020)

1.18.2 (06.05.2020)

1.18.1 (16.04.2020)

1.17.4 (20.03.2020)

1.17.3 (14.02.2020)

1.17.2 (30.01.2020)

  • Kubernetes: 1.17.2
  • SSL: fix subject generation
  • SSL: rebuild profiles section to be more universal
  • Controller manager: use service account credentials
  • Controller manager: add bootstrapsigner and tokencleaner controllers
  • Controller manager: add requestheader client ca file
  • Apiserver: no more insecure ports
  • SSL: etcd client keypair
  • SSL: keypair generator should log cfssl command before apply
  • SSL: each keypair has its own profile by default
  • SSL: Certification authorities should have their own csr profile
  • Recipes::Master: configuration files for scheduler and controller-manager
  • SSL: scheduler and controller_manager should have their own keypairs
  • CNI/plugins: 0.8.5
  • CoreDNS: 1.6.7

1.17.0 (25.12.2019)

Urgent Upgrade Notes

BEFORE upgrade

Keypairs

  • bring your lib/tasks/ssl/config.yaml up to date with lib/tasks/ssl/config_example.yaml

  • add list of dns names and/or ip addresses to .accounts.etcd_peer and .accounts.etcd_server sections

  • set necessary environment variables, like:

      export CHEF_SECRET_FILE=../../.chef/secret.pem
      export CHEF_DIR=../../.chef
    
  • regenerate all the things with $ rake encrypt_all

  • move databag items to databags directory

      $ mv ssl/{ca-cluster_signing,ca-requestheader,ca-etcd_server,ca-etcd_peer,admin,proxy,front_proxy_client,kubelet_client,service_account,etcd_server,etcd_peer,apiserver}_ssl.json \
      ../../data_bags/kubernetes
    
  • upload new items to the chef server

      $ for i in ca-cluster_signing ca-requestheader ca-etcd_server \
      ca-etcd_peer admin proxy front_proxy_client kubelet_client \
      service_account etcd_server etcd_peer apiserver
      do knife data bag from file kubernetes ${i}_ssl.json
      done
    

Etcd

  • log in to any node that runs an etcd peer

  • set ETCDCTL_API environment variable equal to 3

  • get the list of all members with $ etcdctl member list; we will use the following list as an example:

      8f3ebeda27935ffc, started, 10.135.130.52, http://10.135.130.52:2380, http://10.135.130.52:2379
      9d2e8736041a9a71, started, 10.135.128.188, http://10.135.128.188:2380, http://10.135.128.188:2379
    

    in this example we are on the host with peer 8f3ebeda27935ffc, so it will be updated last

  • update all members one by one, leaving the member on the host you are logged in to for last

      $ etcdctl member update 9d2e8736041a9a71 --peer-urls="https://10.135.128.188:2380" --insecure-skip-tls-verify
      $ etcdctl member update 8f3ebeda27935ffc --peer-urls="https://10.135.130.52:2380" --insecure-skip-tls-verify
    

    BE AWARE! Your apiservers will be unresponsive from this point until the upgrade finishes
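
The member update step above, as an added example that is not part of the cookbook: a shell helper that reads `etcdctl member list` output in the format shown, prints the `member update` commands with the local member last, and counts members still advertising a plain-http peer URL. The function names are hypothetical; the sample input is the member list from this page.

```shell
#!/bin/sh
# Added example, not cookbook code. Function names are hypothetical.

# Member list from the text above (fields: ID, status, name, peer URLs, client URLs).
sample_member_list() {
    cat <<'EOF'
8f3ebeda27935ffc, started, 10.135.130.52, http://10.135.130.52:2380, http://10.135.130.52:2379
9d2e8736041a9a71, started, 10.135.128.188, http://10.135.128.188:2380, http://10.135.128.188:2379
EOF
}

# Print one `etcdctl member update` per member whose peer URL is still http://.
# $1 = ID of the member on the host you are logged in to; it is printed last.
plan_peer_tls_migration() {
    awk -F', ' -v local_id="$1" '
        NF < 4 { next }                          # skip blank or malformed lines
        {
            id = $1; peers = $4
            sub(/^[ \t]+/, "", id)               # tolerate indented input
            if (peers !~ /http:\/\//) next       # already https, nothing to do
            gsub(/http:\/\//, "https://", peers) # a member may list several URLs
            cmd = sprintf("etcdctl member update %s --peer-urls=\"%s\" --insecure-skip-tls-verify", id, peers)
            if (id == local_id) last = cmd; else print cmd
        }
        END { if (last != "") print last }
    '
}

# Count members that still advertise a plain-http peer URL (0 after the migration).
count_plaintext_peers() {
    awk -F', ' 'NF >= 4 && $4 ~ /http:\/\// { n++ } END { print n + 0 }'
}

# Stand-alone run: print the plan for the sample list, local member 8f3ebeda27935ffc.
sample_member_list | plan_peer_tls_migration 8f3ebeda27935ffc
```

Piping a fresh `etcdctl member list` into `count_plaintext_peers` after the updates gives a quick check that no peer is left on http.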

Workers

  • remove all keypairs retrieved by kubelets

      $ knife ssh "roles:kubernetes_node" "sudo unlink /etc/kubernetes/ssl/kubelet-client-current.pem"
      $ knife ssh "roles:kubernetes_node" "sudo unlink /etc/kubernetes/ssl/kubelet-server-current.pem"
    

Upgrade procedure

  • Etcd upgrade and restart all instances

      $ knife ssh "roles:etcd" "sudo chef-client"
      $ knife ssh "roles:etcd" "sudo systemctl restart etcd"
    
  • Api servers upgrade and restart all instances

      $ knife ssh "roles:kubernetes_master" "sudo chef-client"
      $ knife ssh "roles:kubernetes_master" "sudo systemctl restart kube-apiserver"
    
  • Workers upgrade and restart all instances

      $ knife ssh "roles:kubernetes_node" "sudo chef-client"
      $ knife ssh "roles:kubernetes_node" "sudo systemctl restart kubelet"
    

  • Kubernetes: 1.17.0
  • FeatureGates: added ServiceTopology
  • etcd: 3.4.3
  • SSL: etcd CAs and keypairs
  • SSL: separate cluster signing CA instead of one CA to rule them all
  • SSL: kubelet_client keypair
  • SSL: service account keypair
  • SSL: requestheader CA and keypair
  • SSL: keypair generation procedure should get CN and profile from keypair properties
  • SSL: ability to generate and use multiple CAs
  • SSL: added profile for long living keypairs
  • CVE-2019-16782
  • Remove deis from cookbook

1.16.4 (12.12.2019)

1.16.3 (10.12.2019)

1.16.2 (19.10.2019)

  • Kubernetes: 1.16.2
  • FeatureGates: VolumeSubpathEnvExpansion is beta now and enabled by default
  • Kubelet: --cni-cache-dir option, which defaults to /var/lib/cni/cache
  • podman: 1.6.2

1.15.5 (17.10.2019)

1.15.4 (24.09.2019)

1.15.3 (19.08.2019)

1.15.2 (06.08.2019)

1.15.1 (29.07.2019)

1.15.0 (26.06.2019)

1.14.3 (07.06.2019)

1.14.2 (20.05.2019)

1.14.1 (17.04.2019)

1.14.0

1.13.5 (25.03.2019)

  • podman: 1.1.1
  • CoreDNS: 1.4.0
  • CoreDNS: change deprecated proxy plugin to forward
  • ApiServer <=> Kubelet communications: --kubelet-preferred-address-types apiserver key now explicitly points to InternalIP,ExternalIP,InternalDNS,ExternalDNS,Hostname; this way you are free to use hostname (or any other name) for your kubelets, just make sure your kubelet has proper NodeAddressType: InternalIP or ExternalIP and so on. You can check it like this: $ kubectl get no <node> -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}'
  • CNI/plugins: 0.7.5
  • Kubernetes: 1.13.5

1.13.4 (01.03.2019)

1.13.3 (02.02.2019)

1.13.2 (11.01.2019)

1.13.1 (13.12.2018)

  • fix file modes arguments and some more minor syntax issues
  • kubelet: fixed warning "failed to get imageFs info: no imagefs label for configured runtime"
  • docker version set to 18.06 according to external dependencies
  • Kubernetes: 1.13.1

1.13.0 (07.12.2018)

  • Apiserver: encryption provider config is no longer experimental
  • Scheduler: listen on secure port cluster-wide
  • Controller manager: listen on secure port cluster-wide
  • Apiserver: etcd2 support removed, so no more remark about application/json media type
  • Kubernetes: 1.13.0
  • CoreDNS: security context
  • CoreDNS: added plugins: loop, reload, loadbalance
  • FeatureGates: added NodeLease
  • Controller manager: remove deprecated args
  • podman: 0.12.1
  • cri-o: 1.13.0
  • FeatureGates: added TTLAfterFinished

1.12.4 (27.11.2018)

1.12.3 (20.11.2018)

1.12.2 (28.10.2018)

1.12.1 (05.10.2018)

1.12.0 (28.09.2018)

1.11.10 (25.09.2018)

1.11.9 (17.09.2018)

1.11.8 (10.09.2018)

1.11.7 (19.08.2018)

1.11.6 (26.07.2018)

  • Etcd: 3.3.9
  • Weave: 2.4.0

1.11.5 (19.07.2018)

  • podman upgraded to 0.7.2
  • Kubernetes: 1.11.1
  • Etcd systemd unit default name set to etcd instead of etcd-#{node['name']}

1.11.4 (13.07.2018)

  • CoreDNS: 1.2.0
  • kube-proxy: explicitly set cluster-cidr
  • kube-proxy: simplify proxy-mode configuration
  • Make kubernetes services network route ipvs compatible
  • Packages: install ipvsadm and ipset for IPVS proxy mode
  • kube-proxy: split attributes to global and ipvs-related
  • sdn canal: calico updated to 3.1

1.11.3 (11.07.2018)

  • CNI plugins: bump to 0.7.1
  • podman: 0.7.1
  • cri-o: 1.11.1

1.11.2 (07.07.2018)

  • Kubelet: add ability to use custom runtimes
  • kubeletconfig: check for RotateKubeletServerCertificate feature gate before enabling server certificates autorotation
  • Docker moved to separate recipe
  • install CRIO and corresponding binaries
  • Buildah installation recipe
  • Explicitly install aufs-tools if cri-o uses aufs as storage
  • kubeletconfig: explicitly set cgroup driver

1.11.1 (28.06.2018)

  • Kubernetes: 1.11.0
  • Feature gates: remove MountPropagation and VolumeScheduling, which are already enabled by default
  • recipes/proxy: typo fix in LimitNOFILE systemd-unit instruction
  • kubeletconfig: fix unexpected camelcase in keys
  • kubeletconfig: explicitly add TLS-settings

1.11.0 (27.06.2018)

  • Delete kubernetes dashboard from cookbook
  • Kubernetes: 1.11.0-rc.3
  • KubeDNS: 1.14.10
  • Get rid of upstart (and ubuntu-trusty) support

1.10.6 (21.06.2018)

  • Return create action for etcd recipe
  • Add checksum validation for etcd tarball

1.10.5 (21.06.2018)

  • Kubernetes updated to 1.10.5

1.10.4 (21.06.2018)

  • [breaking] Upgrade docker from docker-engine-1.12 to docker-ce-17.03
  • Etcd updated to 3.3.8

1.10.3 (20.06.2018)

  • CoreDNS update to 1.1.4

1.10.2 (13.06.2018)

  • Add ReadOnlyPort for kubelet. Needed for heapster auth.

1.10.1 (06.06.2018)

1.10.0 (31.05.2018)

  • Update versioning procedure. From now on the major and minor parts coincide with the Kubernetes major and minor, and the patch version reflects the current release number
  • Kubernetes updated to 1.10.3
  • CoreDNS updated to 1.1.3
  • Etcd updated to 3.3.5

0.1.3 (15.04.2018)

  • Upgrade etcd cookbook dependency from 4.1 to 5.5
  • Add chef-client 14 support

0.1.2 (14.04.2018)

  • Weave: 2.3.0
  • Weave: split --status-addr into separate --status-addr and --metrics-addr args
  • Weave: make status port and metrics port as attributes
  • Etcd: 3.3.3

0.1.1 (14.04.2018)

  • Kubernetes 1.10.1

0.1.0 (05.04.2018)

  • Use --config for kubelet
  • Change featureGates struct from string to hash
  • Update helpers.rb for backward compatibility with service options
  • Reanimate inspec with testkitchen.
  • Fix docker built-in variables into recipe
  • Move kube-proxy config args from recipe to k8s_proxy.rb
  • Add sort for master nodes in haproxy config
  • Bump cniVersion from 0.3.0 to 0.3.1
  • Add haproxy reload by default

0.0.4 (03.04.2018)

  • Bump to 1.10.0 kubernetes version
  • Change packages array to hash
  • Move cni plugins symlinks to attributes for enable/disable actions
  • Move kubelet args to attributes/kubelet.rb from recipe
  • Move apiserver args to attributes/k8s_apiserver.rb from recipe
  • Move scheduler args to attributes/scheduler.rb from recipe
  • Move controller_manager args to attributes/k8s_controller.rb from recipe

0.0.3 (11.03.2018)

  • Add custom docker installation, enabled by default. If you have another docker installation you can skip the built-in one.
  • Move packages array from packages.rb to default attrs file
  • Update README.md for new users.

0.0.2 (29.06.2016)

0.0.1

Initial release of kubernetes