Releases: kubernetes/kops
v1.25.0
Significant changes
- GCE cloud provider support has been promoted to stable.
- Hetzner cloud provider support has been promoted to beta.
- Karpenter support has been promoted to stable on Kubernetes versions 1.22, 1.23 and 1.24. Karpenter does not yet support Kubernetes above 1.25.
- IAM roles on AWS used for ServiceAccounts are now tagged with the name and namespace of the ServiceAccount.
- Cert Manager may now solve dns-01 challenges. See the cert manager documentation.
- Add support for --cordon-node-before-terminating on the cluster autoscaler addon (CordonNodeBeforeTerminating)
- EBS CSI driver can now be self-managed. See the addon docs.
Breaking changes
Cinder CSI snapshot controller changes
The CSI Cinder plugin for OpenStack will now only use the CSI snapshotter when the CSI snapshot controller is enabled in the cluster spec. This changes the default behavior, where the CSI snapshotter container was always present but spammed the log with error messages (see #13890). If you manually deployed the CRDs to make the snapshotter work, it is now necessary to enable the snapshot controller.
Other breaking changes
- Support for Kubernetes version 1.19 has been removed.
Deprecations
- Support for Kubernetes version 1.20 is deprecated and will be removed in kOps 1.26.
- Support for Kubernetes version 1.21 is deprecated and will be removed in kOps 1.27.
What's Changed
- Release notes for 1.24.0-beta.1 by @hakman in #13732
- Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #13698
- Add GHA workflow for updating dependabot PRs by @rifelpet in #13735
- Bump github.com/hashicorp/vault/api from 1.5.0 to 1.6.0 by @dependabot in #13734
- Bump github.com/google/go-containerregistry from 0.8.0 to 0.9.0 by @dependabot in #13720
- Bump helm.sh/helm/v3 from 3.8.2 to 3.9.0 by @dependabot in #13733
- Only rewrite to k8s.gcr.io until k8s 1.25 by @rifelpet in #13739
- Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #13738
- Update containerd and Docker versions by @hakman in #13741
- Remove support for K8s 1.19 by @olemarkus in #13742
- [DigitalOcean] Restart journald service on node startup by @srikiz in #13717
- Drop older cilium versions and add support for k8s 1.25 by @olemarkus in #13747
- Update AWS CCM images for k8s 1.20-1.22 by @hakman in #13748
- Channels to have exit status 1 on apply failure by @olemarkus in #13749
- Add support for setting mode field on file assets by @yurrriq in #13715
- Revert "Use kubectl replace instead of apply when updating addons" by @hakman in #13761
- Don't try to manage the kube-system namespace by @hakman in #13764
- Run channels on upgrade e2e tests to verify addons are being applied by @olemarkus in #13757
- Fix API group name for ingresses in DNS Controller by @julienperignon in #13750
- Remove some unused legacy addons by @hakman in #13765
- Bump nvidia device plugin to 0.12.0 by @ddelange in #13745
- Update runc to v1.1.3 by @hakman in #13763
- Fix namespace for cert manager webhook config by @olemarkus in #13773
- Avoid spurious changes with ed25519 keys by @hakman in #13774
- Make the cert-manager breaking change more visible. by @olemarkus in #13780
- Bump go.uber.org/multierr from 1.6.0 to 1.8.0 by @dependabot in #13782
- Bump github.com/aws/aws-sdk-go from 1.44.6 to 1.44.32 by @dependabot in #13783
- Bump github.com/hashicorp/vault/api from 1.6.0 to 1.7.2 by @dependabot in #13785
- Add back the metrics-server 443 port with a new name by @olemarkus in #13779
- Fix broken node selector for node termination handler by @olemarkus in #13781
- Bump google.golang.org/api from 0.81.0 to 0.83.0 by @dependabot in #13784
- Release notes for 1.24.0-beta.2 by @olemarkus in #13790
- Fix PDB api version for a set of addons by @olemarkus in #13791
- Remove replaces from go.mod by @olemarkus in #13789
- Remove core addons from addons by @hakman in #13768
- Use exported interface to detect SSH key type by @AaronFriel in #13805
- Use node.k8s.io/v1 API in the nvidia addon by @olemarkus in #13806
- Merge the cilium templates by @olemarkus in #13807
- fix tenv linter by @remyleone in #13802
- Replace flexdriver with busybox by @zetaab in #13809
- add support for varcheck linter by @remyleone in #13801
- Depend on external cloud providers rather than cloud-providers-legacy by @olemarkus in #13808
- bump k8s versions and ubuntu ami (aws) in alpha channel by @MoShitrit in #13822
- chore(deps): Included dependency review by @naveensrinivasan in #13651
- add metric port to nth deployment by @raffis in #13811
- Recommend the latest kOps version in alpha & stable channels and add 1.24 to alpha by @MoShitrit in #13823
- Ensure clusters with internal load balancers have a private subnet by @olemarkus in #13793
- Update etcd-manager to v3.0.20220617 by @hakman in #13824
- Use legacy-cloud-providers repo for the gcp provider dep by @olemarkus in #13840
- Bump actions/dependency-review-action from 1 to 2 by @dependabot in #13829
- Remove the removable replaces in kubetest2 by @olemarkus in #13841
- Add kubetest2 scenario for testing many addons by @olemarkus in #13828
- Skip known failing cilium e2e test by @olemarkus in #13842
- Add manual job for updating dependencies by @hakman in #13827
- Update dependencies by @github-actions in #13843
- Do not run cluster autoscaler on spot instances by @olemarkus in #13846
- Fix GCE resource tracking by @hakman in #13857
- Adding GuestAccelerators to InstanceTemplate by @jonasasx in #13707
- Align website and readme file by @sxt90128 in #13862
- Limit GCE tag for role to 63 chars by @hakman in #13866
- Promote alpha to stable by @MoShitrit in #13868
- Clean-up firewall rules that contain targets with the cluster name hash by @hakman in #13869
- Replace manifests after apply by @olemarkus in #13819
- Bump kubetest2 to test rundir by @olemarkus in #13870
- Release notes for 1.24.0-beta.3 by @olemarkus in #13881
- Generate cli docs after updating dependencies by @hakman in #13885
- Fix unexpected symbol error in update-deps workflow by @hakman in #13886
- Update troubleshoot.md by @Deepak1100 in #13891
- Update dependencies by @github-actions in #13889
- Replace Dependabot with regular update-deps run by @hakman in #13894
- Log errors from detachInstance by @olemarkus in #13896
- increase backoff time when updating loadbalancer pool member by @zetaab in #13854
- gce: Move out of beta, drop feature flag by @justinsb in #13903
- Update CoreDNS to v1.9.3 by @hakman in #13895
- gce: set ProvisioningModel on InstanceTemplate by @justinsb in #13902
- Set Makefile GITSHA to the git sha instead of ...
v1.24.3
General release notes for kOps 1.24
What's Changed
- Automated cherry pick of #14244: aws-node-termination-handler: Add option to fetch node name by @olemarkus in #14246
- Automated cherry pick of #14255: AWS LBC needs ec2:DescribeVpcPeeringConnections for IPv6 by @olemarkus in #14257
- Automated cherry pick of #13914: Ignore the _rundir that kubetest2 now creates by @olemarkus in #14258
- Automated cherry pick of #13853: Fix openstack tag limitation by @hakman in #14264
- Automated cherry pick of #14251: Warm pool-enabled ASGs scaled to zero will no longer panic by @hakman in #14267
- Automated cherry pick of #14107: bump aws cni to 1.11.13 #14265: bump aws-cni to version 1.11.4 by @hakman in #14271
- Release 1.24.3 by @olemarkus in #14279
Full Changelog: v1.24.2...v1.24.3
v1.24.2
What's Changed
- Automated cherry pick of #13845: Add config drive as a source for OpenStack instance metadata by @ederst in #13950
- Automated cherry pick of #14017: Allow configuring OpenStack CCM networking options by @ederst in #14079
- Automated cherry pick of #14081: aws-ebs-csi-driver: remove preStop hook by @hakman in #14085
- Automated cherry pick of #14090: Add option to configure runc version for containerd by @hakman in #14091
- Automated cherry pick of #13745: Bump nvidia device plugin to 0.12.0 by @olemarkus in #14104
- Automated cherry pick of #14093: Add hashes for containerd v1.6.7 #14106: Update containerd to v1.6.8 by @hakman in #14108
- Automated cherry pick of #14113: Add deployment-specific selectors to nth pdb by @olemarkus in #14123
- Automated cherry pick of #14115: Disable some flags in kube-controller-manager and by @hakman in #14119
- Automated cherry pick of #14134: Limit GCE network names to 63 chars by @hakman in #14136
- Automated cherry pick of #14130: Bump the CCM images by @olemarkus in #14131
- Automated cherry pick of #14188: Update runc to v1.1.4 by @hakman in #14189
- Automated cherry pick of #14175: OIDC: Tolerate extra service-account key set items by @hakman in #14192
- Automated cherry pick of #14137: Always disable rp_filter when using cilium by @olemarkus in #14196
- Bump cert-manager to 1.8.2 by @olemarkus in #14212
- Automated cherry pick of #14205: Calico: Work around host port/conntrack problem by @hakman in #14209
- Release 1.24.2 by @justinsb in #14219
Full Changelog: v1.24.1...v1.24.2
v1.23.4
What's Changed
- Automated cherry pick of #14081: aws-ebs-csi-driver: remove preStop hook by @hakman in #14086
- cilium: fix wrong pod annotations templating #1.23 by @sterchelen in #14105
- Automated cherry pick of #14115: Disable some flags in kube-controller-manager and by @hakman in #14120
- Automated cherry pick of #14188: Update runc to v1.1.4 by @hakman in #14197
- Release 1.23.4 by @justinsb in #14220
Full Changelog: v1.23.3...v1.23.4
v1.25.0-beta.1
What's Changed
- Release notes for 1.24.1 by @hakman in #14073
- Use SSA for updating addon channel objects by @olemarkus in #14074
- Merge cmd factories by @olemarkus in #14075
- Remove passing cluster name as positional argument by @olemarkus in #14076
- Allow configuring OpenStack CCM networking options by @ederst in #14017
- Upgrade kubetest2 by @rifelpet in #14061
- Fix Karpenter IAM permissions and make karpenter respect IG subnets by @olemarkus in #14077
- Remove --files flag from channels and make single arg mandatory by @olemarkus in #14082
- Fix typo in channels error message by @rifelpet in #14083
- Set higher verbosity when logging the endpoint of non-AWS S3 backend by @hakman in #14084
- aws-ebs-csi-driver: remove preStop hook by @sterchelen in #14081
- Hide klog flags from --help output by @justinsb in #14088
- Positional deprecation warning should go to stderr by @justinsb in #14089
- Add back conversion struct to cert-manager CRDs by @olemarkus in #14087
- Support kube-scheduler config by @justinsb in #13618
- Add option to configure runc version for containerd by @hakman in #14090
- Add template for e2e test with cpuManagerPolicy: static by @olemarkus in #14092
- Update dependencies by @github-actions in #14094
- Add support for ci and stable builds in upgrade-ab script by @olemarkus in #14095
- Add hashes for containerd v1.6.7 by @hakman in #14093
- Test the aws ebs csi driver in e2e if installed by @olemarkus in #14098
- Specify the full url for CI versions in upgrade-ab tests by @olemarkus in #14099
- Bump AWS CNI to 1.11.3 by @MoShitrit in #14107
- Update containerd to v1.6.8 by @hakman in #14106
- Don't add previous-gen instances to Karpenter provisioners by @olemarkus in #14109
- Skip testing the in-tree aws-ebs driver if CSI driver is enabled by @olemarkus in #14110
- cilium: fix wrong pod annotations templating by @sterchelen in #14111
- Add deployment-specific selectors to nth pdb by @olemarkus in #14113
- Disable some flags in kube-controller-manager and kube-scheduler when logging-format is not text by @h3poteto in #14115
- Use semver for skipregex ifs instead of strings.Contains by @olemarkus in #14112
- Update dependencies by @github-actions in #14116
- Fix more e2e skips by @olemarkus in #14124
- Create etcd-manager config for each instance group by @hakman in #14080
- Revert back to using kubectl in channels by @olemarkus in #14125
- Limit GCE network names to 63 chars by @hakman in #14134
- Bump the CCM images by @olemarkus in #14130
- Update Go to v1.19.0 by @hakman in #14135
- Bump cilium to 1.11.8 by @olemarkus in #14137
- Revert "Remove passing cluster name as positional argument" by @olemarkus in #14138
- Remove life cycle hooks when warmpool is disabled by @olemarkus in #14141
- Update dependencies by @github-actions in #14144
- Bump Karpenter to 0.15 and enable consolidation by @olemarkus in #14142
- Add more create_cluster integration tests by @olemarkus in #14147
- Add more cluster_update tests by @olemarkus in #14148
- Plug the IAM role leak by @olemarkus in #14151
- Write the user provided IG spec to state store instead of the full spec by @olemarkus in #14127
- Add default image for CAS that exists by @olemarkus in #14150
- Introduce library for applying objects by @justinsb in #14030
- Bump k8s releases and Ubuntu AMI version in Alpha by @MoShitrit in #14152
- Ignore entities not found when deleting IAM roles and profiles by @olemarkus in #14153
- Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #14156
- Bump peter-evans/create-pull-request from 4.0.4 to 4.1.1 by @dependabot in #14157
- Fix no such entity check for iam profiles and roles by @olemarkus in #14155
- Update and clean up etcdcli and etcd backup documentation by @olemarkus in #14158
- Fix bugs and typo in iam resource deletion logic by @olemarkus in #14159
- Fix test package location when using k8s ci versions in the upgrade AB scenario by @olemarkus in #14161
- Don't set unused test package flags to empty string by @olemarkus in #14163
- Fix the non-ci markers by @olemarkus in #14166
- Trim space around SSH public key by @hakman in #14168
- Bump K8s libs to 0.25.0 by @olemarkus in #14167
- Tag IAM Roles with service account info by @rifelpet in #13052
- Fix policy API version for LBC and NTH by @olemarkus in #14169
- Skip tests related to metadata concealment on GCE k8s <= 1.23 by @olemarkus in #14170
- Bump karpenter to 0.16 by @olemarkus in #14173
- Allow self-managed aws-ebs-csi-driver by @torredil in #14164
- Bump node termination handler to 1.17.0 by @olemarkus in #14177
- Bump AWS Load Balancer Controller to v2.4.3 by @olemarkus in #14178
- Merge kubeletConfigs earlier by @olemarkus in #14114
- Add Terraform target support for Hetzner by @hakman in #14179
- Bump Cert Manager to 1.9.1 by @olemarkus in #14180
- Bump snapshot-controller to 6.0.1 by @olemarkus in #14184
- Bump the nvidia addon by @olemarkus in #14185
- Update runc to v1.1.4 by @hakman in #14188
- Bump node local dns cache to 1.22.8 by @olemarkus in #14187
- Update cloud.google.com/go/storage to v1.25.0 by @hakman in #14191
- Update dependencies by @github-actions in #14190
- OIDC: Tolerate extra service-account key set items by @seh in #14175
- Bump external-dns to 0.12.2 by @olemarkus in #14193
- Update CSI driver to latest for Hetzner by @hakman in #14186
- Map up kubelet config to karpenter provisioners and add CCM startup taint by @olemarkus in #14183
- Fix karpenter update test by @olemarkus in #14199
- Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #14200
- Use runpath for kubectl binary by @olemarkus in #14198
- Promote alpha to stable by @MoShitrit in #14202
- Run etcd-manager with instance group name as volume name tag for Hetzner by @hakman in #14181
- Show the reason for which an AWS image is invalid by @hakman in #14206
- Calico: Work around host port/conntrack problem by @seh in #14205
- Update etcd-manager to v3.0.20220831 by @hakman in #14208
- Bumping AWS CCM to 1.25 by @olemarkus in #14207
- Release 1.25.0-beta.1 by @hakman in #14210
New Contributors
Full Changelog: v1.25.0-alpha.2...v1.25.0-beta.1
v1.25.0-alpha.2
What's Changed
- Ignore the _rundir that kubetest2 now creates by @olemarkus in #13914
- Remove obsolete protokube test for mirrored assets by @hakman in #13916
- Use Calico v3.23 for Kubernetes 1.22+ by @hakman in #13901
- gce: Refactor ClusterPrefixedName and ClusterSuffixedName to not return error by @hakman in #13920
- Mount /etc/hosts from host for CoreDNS by @hakman in #13922
- Wait longer after update in the e2e upgrade scenario by @olemarkus in #13925
- Limit GCE names to 63 chars for various resources by @hakman in #13873
- Make IRSA webhook configure apps to use regional STS and set the default region on them by @olemarkus in #13926
- Use csi-snapshotter for OS only when the controller is enabled by @ederst in #13890
- Make it possible to enable the shield addon for LBC by @olemarkus in #13929
- Update Cilium to 1.11.6 by @ReillyBrogan in #13917
- Limit GCE router name to 63 chars by @hakman in #13932
- fix typos by @yojay11717 in #13851
- Fix unsetting ASG max price by @olemarkus in #13852
- Bump EBS CSI driver to 1.8.0 by @hakman in #13939
- Revert "Add back the metrics-server 443 port with a new name" by @olemarkus in #13940
- Add config drive as a source for OpenStack instance metadata by @ederst in #13845
- Be more specific when filtering OS instance ports by @ederst in #13861
- aws: introduce maximum instance lifetime in cluster by @sterchelen in #13892
- Upgrade karpenter to 0.13.1 by @rifelpet in #13918
- Fix broken links by @Ladicle in #13942
- Set SpecOverrideFlag to true by default by @hakman in #13955
- Release notes for 1.24.0 by @hakman in #13959
- Fix release notes for 1.24.0 by @hakman in #13960
- Use dynamic client for applying channels manifest rather than calling kubectl by @olemarkus in #13753
- Add release 1.24.0 to channels by @hakman in #13961
- Fix AWS IAM Authenticator nodeSelector in k8s 1.24 by @rifelpet in #13965
- Remove non-functional scheduler annotations from addons by @rifelpet in #13969
- Skip deregistering the instance during rolling update for Spotinst by @hakman in #13970
- bump alpha channel k8s releases by @MoShitrit in #13977
- Upgrade aws-iam-authenticator to v0.5.9 by @rifelpet in #13979
- Update dependencies by @github-actions in #13981
- Use only IPv4 for Hetzner servers by @hakman in #13982
- Add option to set etcd-manager backup interval by @hakman in #13975
- Add option to set number of replicas for pod-identity-webhook by @hakman in #13986
- Adding GCE SPOT support by @jonasasx in #13946
- Update etcd-manager to v3.0.20220717 by @hakman in #13990
- Update Go to v1.18.4 by @hakman in #13994
- Add S3_REGION to Hetzner docs by @tom-dudley in #13987
- Update GitHub workflows by @hakman in #13995
- Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #14002
- Add missing namespace to external-dns Service by @rifelpet in #14001
- Upgrade DO CSI controller to 4.2.0 by @rifelpet in #14005
- Applier should be more tolerant of errors by @justinsb in #13963
- Switch to latest MacOS version for CI by @hakman in #14015
- delete t.FailNow after t.Fatalf by @Abirdcfly in #14014
- fix hyperlinks in calico docs by @mostafahussein in #14016
- Update dependencies by @github-actions in #14022
- Revert to using instance private DNS name to lookup hostname by @hakman in #14024
- Add server group management for Hetzner by @hakman in #14018
- promote alpha k8s versions to stable by @MoShitrit in #14029
- Update Calico and Canal to v3.23.3 by @hakman in #14009
- Update etcd-manager to v3.0.20220727 by @hakman in #14038
- Update continuous_integration.md by @yurrriq in #14032
- Check keyset existence before attempting to distrust by @yurrriq in #14041
- Make control plane size configurable in kops-up by @olemarkus in #14036
- Do not allow PodSecurityPolicy using K8s 1.25 by @olemarkus in #14045
- Fix SIGSEGV when deleting a Hetzner instance by @hakman in #14046
- Use cabundle for etcd CA files to fix key rotation in HA clusters by @olemarkus in #14054
- Use stable kops release for kops 1.21 by @olemarkus in #14056
- Remove namespaces from cluster-scoped resources in CNI manifests by @rifelpet in #14053
- Update dependencies by @github-actions in #14055
- Enable rolling updates for Hetzner by @hakman in #14034
- Release notes for 1.22.6 by @justinsb in #14062
- Release notes for 1.23.3 by @justinsb in #14063
- Wait for load balancer to be ready for Hetzner by @hakman in #14057
- Add multiple SSH keys support for Hetzner by @hakman in #14058
- Release 1.25.0-alpha.2 by @hakman in #14070
New Contributors
- @Ladicle made their first contribution in #13942
- @tom-dudley made their first contribution in #13987
- @Abirdcfly made their first contribution in #14014
- @mostafahussein made their first contribution in #14016
Full Changelog: v1.25.0-alpha.1...v1.25.0-alpha.2
v1.24.1
What's Changed
- Automated cherry pick of #13901: Use Calico v3.23 for Kubernetes 1.22+ by @hakman in #13968
- Automated cherry pick of #13965: Use control-plane node role for AWS IAM Authenticator by @rifelpet in #13967
- Automated cherry pick of #13970: Skip deregistering the instance during rolling update for by @hakman in #13971
- Automated cherry pick of #13979: Upgrade aws-iam-authenticator to v0.5.9 by @rifelpet in #13980
- Automated cherry pick of #13982: Use only IPv4 for Hetzner servers by @hakman in #13984
- Automated cherry pick of #13975: Add option to set etcd-manager backup interval by @hakman in #13983
- Automated cherry pick of #13990: Update etcd-manager to v3.0.20220717 by @hakman in #13991
- Automated cherry pick of #13994: Update Go to v1.18.4 by @hakman in #13996
- Automated cherry pick of #13986: Add option to set number of replicas for pod-identity-webhook by @hakman in #13988
- Automated cherry pick of #14005: Upgrade DO CSI driver to 4.2.0 by @hakman in #14006
- Update k8s.io/client-go to match k8s.io/api by @hakman in #14003
- Automated cherry pick of #14015: Switch to latest MacOS version for CI by @hakman in #14019
- Automated cherry pick of #14024: Revert to using instance private DNS name to lookup hostname by @hakman in #14025
- Automated cherry pick of #14018: Add server group management for Hetzner by @hakman in #14028
- Update dependencies for kOps 1.24 by @hakman in #13989
- Automated cherry pick of #13908: Update Calico to v3.23.2 #14009: Update Calico to v3.23.3 by @hakman in #14010
- Automated cherry pick of #14038: Update etcd-manager to v3.0.20220727 by @hakman in #14039
- Automated cherry pick of #14041: Check keyset existence before attempting to distrust by @hakman in #14042
- Automated cherry pick of #14046: Fix SIGSEGV when deleting a Hetzner instance by @hakman in #14047
- Automated cherry pick of #14053: Remove namespaces from cluster-scoped resources in CNI by @hakman in #14059
- Automated cherry pick of #14034: Enable rolling updates for Hetzner #14057: Wait for load balancer to be ready for Hetzner #14058: Add multiple SSH keys support for Hetzner by @hakman in #14067
- Automated cherry pick of #14054: Use cabundle for etcd CA files by @olemarkus in #14069
- Release 1.24.1 by @hakman in #14071
Full Changelog: v1.24.0...v1.24.1
v1.23.3
Release notes for kOps 1.23 series
Significant changes
- If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name, and managed subnets will be configured to launch instances with Resource Based Names.
- Support for ShutdownGracePeriod and ShutdownGracePeriodCriticalPods. By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.
- By enabling the pod identity webhook, you no longer need to modify your Pod specs to assume IAM roles.
Breaking changes
- Support for Kubernetes version 1.17 has been removed.
- Support for the Lyft CNI has been removed.
- The Weave CNI is not supported for Kubernetes 1.23 or later.
- Support for CentOS 7 has been removed.
- Support for CentOS 8 has been removed (replaced by Rocky Linux 8).
- Support for Debian 9 has been removed.
- Support for RHEL 7 has been removed.
- Support for Ubuntu 16.04 (Xenial) has been removed.
- Cilium now has disable-cnp-status-updates: true by default. Set this to false if you rely on the CiliumNetworkPolicy status fields.
Required actions
Deprecations
- Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.
- Support for Kubernetes version 1.19 is deprecated and will be removed in kOps 1.25.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The node-role.kubernetes.io/master and kubernetes.io/role labels are deprecated and might be removed from control plane nodes in future versions of kOps.
- Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated and will be removed in kOps 1.24.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
Other changes of note
- The kops create cluster command has a new --discovery-store flag for specifying a public store for the OIDC-compatible discovery documents. If this flag is used in AWS, it will enable IRSA.
- If externalDns.provider is external-dns, then externalDns.watchIngress will now default to true.
- This release introduces a v1alpha3 API version. This API version is a work in progress and is likely to be replaced in kOps 1.24. It is recommended to keep using the v1alpha2 API version.
- IPv6 pod subnets are in a working state using public IPv6 addresses for the Pod network. This works with both Cilium and Calico. IPv6 is still behind a feature flag until service controllers and addons implement support for IPv6. See the IPv6 documentation.
- The kops rolling-update cluster command has a new --drain-timeout flag for specifying the maximum amount of time to wait when attempting to drain a node. Previously, rolling updates would attempt to drain a node for an indefinite amount of time. If --drain-timeout is not specified, a default of 15 minutes is applied.
- Fix inconsistent output of kops get clusters -ojson. This will now always return a list (irrespective of a single or multiple clusters) to keep the format consistent. However, note that kops get cluster dev.example.com -ojson will continue to work as previously, and will return a single object.
- Digital Ocean kops now has VPC support. You can specify a network-cidr range while creating the kops cluster; kops resources will be created in the new VPC range. Shared VPCs are also supported: you can specify the VPC UUID while creating the kops cluster.
1.23.2 to 1.23.3
- Increase timeout for pushing binaries to staging @hakman #13633
- Update runc to v1.1.2 @hakman #13638
- Add a nameservers parameter for cert-manager. @jim-barber-he #13567
- Remove unused DNS logic from Protokube @hakman #13689
- Fix Protokube gossip flag @hakman #13692
- Add support for setting mode field on file assets @yurrriq #13715
- Update containerd and Docker versions @hakman #13741
- Fix API group name for ingresses in DNS Controller @julienperignon #13750
- Update runc to v1.1.3 @hakman #13763
- Update AWS CCM images for k8s 1.20-1.22 @hakman #13748
- Avoid spurious changes with ed25519 keys @hakman #13774
- Update etcd-manager to v3.0.20220617 @hakman #13824
- Mount /etc/hosts from host for CoreDNS @hakman #13922
- Update etcd-manager to v3.0.20220717 @hakman #13990
- Update Go to v1.17.12 for kOps 1.23 @hakman #13997
- Switch to latest MacOS version for CI @hakman #14015
- Revert to using instance private DNS name to lookup hostname @hakman #14024
- Check keyset existence before attempting to distrust @yurrriq #14041
- Fix SIGSEGV when deleting a Hetzner instance @hakman #14046
v1.22.6
Release notes for kOps 1.22 series
Significant changes
Instance metadata service version 2
On AWS, kOps will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes 1.22. In addition, the following max hop limits will be set by default:
- worker and API server Nodes, and bastions, will have a limit of 1 hop.
- control plane nodes will have a limit of 3 hops to accommodate controller Pods without host networking that need to assume roles.
This will increase security by default, but may break some types of workloads. In order to revert to the old behavior, add the following to the InstanceGroup:
  spec:
    instanceMetadata:
      httpTokens: optional
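The opt-out above is a per-InstanceGroup setting, so it is easy for one group to quietly fall back to IMDSv1 or to a wider hop limit than its role needs. The following script is an added example (not kOps project code) that audits the JSON printed by kops get instancegroups -o json against the 1.22 defaults described above: tokens required everywhere, 1 hop for worker, API-server and bastion groups, 3 hops for the control plane. The field names httpTokens and httpPutResponseHopLimit are the ones used in the kOps InstanceGroup spec; the sample document and its group names are constructed for the example.

```python
"""Audit kOps InstanceGroup specs for IMDSv2 settings.

Added example, not kOps project code. Reads the JSON printed by
`kops get instancegroups -o json` and reports groups that opt out of the
kOps 1.22 defaults (token-required IMDS, 1 hop for worker, API-server and
bastion groups, 3 hops for the control plane).
"""
import json
import sys

# Expected hop limits per InstanceGroup role, taken from the release note.
# "ControlPlane" is the newer spelling of the "Master" role; both expect 3.
EXPECTED_HOP_LIMIT = {"Master": 3, "ControlPlane": 3, "APIServer": 1, "Node": 1, "Bastion": 1}


def audit_instance_group(ig):
    """Return a list of finding strings for one InstanceGroup object."""
    name = ig.get("metadata", {}).get("name", "<unnamed>")
    spec = ig.get("spec", {})
    role = spec.get("role", "Node")
    imds = spec.get("instanceMetadata") or {}
    expected_hops = EXPECTED_HOP_LIMIT.get(role, 1)
    findings = []

    # An absent field means kOps applies its default (required tokens), so only
    # an explicit value other than "required" re-enables IMDSv1 on the group.
    tokens = imds.get("httpTokens", "required")
    if tokens != "required":
        findings.append(f"{name}: httpTokens is '{tokens}'; IMDSv1 is reachable from this group")

    # A hop limit above the role default widens which network namespaces on the
    # instance can reach the metadata service and the instance role credentials.
    hops = imds.get("httpPutResponseHopLimit", expected_hops)
    if hops > expected_hops:
        findings.append(f"{name}: hop limit {hops} exceeds the {expected_hops} expected for role {role}")
    return findings


def audit_instance_groups(doc):
    """Audit a JSON document: a List with `items`, a bare list, or a single object."""
    if isinstance(doc, dict):
        items = doc.get("items", [doc])
    else:
        items = doc
    findings = []
    for ig in items:
        findings.extend(audit_instance_group(ig))
    return findings


# Constructed sample in the `kops get instancegroups -o json` shape (not real output).
SAMPLE_IGS = {
    "kind": "List",
    "items": [
        {"kind": "InstanceGroup", "metadata": {"name": "control-plane-us-east-1a"},
         "spec": {"role": "Master",
                  "instanceMetadata": {"httpTokens": "required", "httpPutResponseHopLimit": 3}}},
        {"kind": "InstanceGroup", "metadata": {"name": "nodes-us-east-1a"},
         "spec": {"role": "Node", "instanceMetadata": {"httpTokens": "optional"}}},
        {"kind": "InstanceGroup", "metadata": {"name": "bastions"},
         "spec": {"role": "Bastion",
                  "instanceMetadata": {"httpTokens": "required", "httpPutResponseHopLimit": 2}}},
    ],
}


if __name__ == "__main__":
    # Real input: kops get instancegroups -o json | python3 audit_imds.py -
    doc = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_IGS
    for line in audit_instance_groups(doc):
        print(line)
```

On the constructed sample the control-plane group passes, the worker group is flagged for httpTokens: optional, and the bastion group is flagged for a hop limit of 2 where its role expects 1. Groups that omit instanceMetadata entirely are treated as using the kOps defaults and produce no finding.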
External ServiceAccountPermissions
Many kOps addons can now make direct use of external permissions.
This can be enabled by adding the following to the Cluster spec:
  spec:
    iam:
      useServiceAccountExternalPermissions: true
Currently this is only available using the AWS cloud provider.
Managed nvidia instances
kOps can now provision instances with nvidia GPUs and configure them for container workloads without the need for hooks and operators. See GPU support.
Breaking change in NodeLocalDNS
Since 1.22.0, the default for the Cluster spec field spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS changes from true to false.
Other significant changes
- New clusters on AWS will no longer provision an SSH public key by default. To provision an SSH public key on a new cluster, use the --ssh-public-key flag to kops create cluster.
- The kOps Terraform support now renders managed files through the Terraform configuration instead of writing them to S3 directly. This defers changes to these files until the time of terraform apply. This feature may be temporarily disabled by turning off the TerraformManagedFiles feature flag using export KOPS_FEATURE_FLAGS="-TerraformManagedFiles".
- kOps now implements graceful rotation of its Certificate Authorities and the service account signing key. See the documentation on How to rotate all secrets / credentials.
- New clusters running Kubernetes 1.22 will have the AWS EBS CSI driver enabled by default.
- kOps now supports Debian 11 (Bullseye).
- kOps can now use external-dns as a drop-in replacement for dns-controller.
Breaking changes
Control plane pods no longer mount /srv/kubernetes
For security reasons, /srv/kubernetes is no longer mounted in the kube-apiserver and kube-controller-manager Pods. This also means the files in the default file assets path will be unavailable. If you have file assets or other files needed by kube-apiserver, you must put these into /srv/kubernetes/kube-apiserver/ or /srv/kubernetes/kube-controller-manager, respectively.
For file assets, it means adding an explicit path as shown below:
  fileAssets:
    - name: audit-policy-config
      path: /srv/kubernetes/kube-apiserver/audit-policy-config.yaml # make sure you add the path
      roles:
        - Master
      content: |
        apiVersion: audit.k8s.io/v1
        kind: Policy
        rules:
          - level: Metadata
Other breaking changes
- Support for Kubernetes versions 1.15 and 1.16 has been removed.
- The legacy addons from https://github.com/kubernetes/kops/tree/master/addons have been deprecated and will not be available in Kubernetes 1.23+. Use managed addons instead.
- The legacy location for downloads s3://https://kubeupv2.s3.amazonaws.com/kops/ has been deprecated and will not be used for new releases. The new canonical downloads location is https://artifacts.k8s.io/binaries/kops/.
- The assets phase of kops update cluster has been removed. It is replaced by the new kops get assets --copy command.
- Support for importing and converting kubeup clusters has been removed.
- Support for Cilium and RHEL 8 has been removed. Cilium users will need to migrate to a distribution with a newer Linux kernel.
Required actions
- Amazon Linux 2 users are encouraged to use the AMIs based on the 5.10 Linux kernel. See the documentation for more information.
- Terraform support now requires Terraform >=0.15.0. Users on older versions must follow Terraform's recommended upgrade path of applying one minor version at a time prior to running kops update cluster --target terraform.
- The kOps Terraform support now renders managed files through the Terraform configuration instead of writing them to S3 directly. If, after upgrading kOps and applying a new Terraform plan, you subsequently downgrade to an earlier version of kOps, the generated plan will delete these files, breaking the cluster. Prior to applying the plan, you will need to orphan all the aws_s3_bucket_object objects the plan wants to destroy. Use terraform state rm on each of them. Then re-run terraform plan until there are no such objects in the plan. If you applied the plan without first orphaning all of these objects, fix the cluster by re-running kops update cluster --target terraform.
- Terraform users of clusters with names beginning with digits will need to move resources prior to upgrading to kOps 1.22. Some of the following commands will need to be run depending on the particular cluster configuration. Confirm the Terraform plan doesn't destroy any of these resources before running terraform apply.
  # View the existing terraform resource names for the exact value to use
  HYPHENATED_CLUSTER_NAME=123-cluster-example-com
  terraform state mv "aws_iam_openid_connect_provider.${HYPHENATED_CLUSTER_NAME}" "aws_iam_openid_connect_provider.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_internet_gateway.${HYPHENATED_CLUSTER_NAME}" "aws_internet_gateway.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_route_table.${HYPHENATED_CLUSTER_NAME}" "aws_route_table.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_vpc.${HYPHENATED_CLUSTER_NAME}" "aws_vpc.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_vpc_dhcp_options.${HYPHENATED_CLUSTER_NAME}" "aws_vpc_dhcp_options.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_vpc_dhcp_options_association.${HYPHENATED_CLUSTER_NAME}" "aws_vpc_dhcp_options_association.prefix_${HYPHENATED_CLUSTER_NAME}"
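Added example for the aws_s3_bucket_object downgrade note above (not kOps project code): a POSIX shell helper that reads the text of a terraform plan -no-color run, picks out every aws_s3_bucket_object the plan would destroy, and prints the matching terraform state rm commands for review instead of running them. The plan text and resource names below are a constructed sample, not real kOps output.

```shell
#!/bin/sh
# Added example, not kOps project code: find the aws_s3_bucket_object
# resources a Terraform plan would destroy and emit the matching
# "terraform state rm" commands, so they can be orphaned before "terraform apply".
# Input is the text of "terraform plan -no-color"; the sample below is constructed.

SAMPLE_PLAN='Terraform will perform the following actions:

  # aws_s3_bucket_object.cluster-completed_spec will be destroyed
  - resource "aws_s3_bucket_object" "cluster-completed_spec" {
      - bucket = "example-kops-state-store" -> null
    }

  # aws_s3_bucket_object.nodeupconfig-nodes will be destroyed
  - resource "aws_s3_bucket_object" "nodeupconfig-nodes" {
    }

  # aws_autoscaling_group.nodes will be updated in-place
  ~ resource "aws_autoscaling_group" "nodes" {
    }

  # aws_s3_bucket_object.kops-version_txt will be created
  + resource "aws_s3_bucket_object" "kops-version_txt" {
    }

Plan: 1 to add, 1 to change, 2 to destroy.'

# Print the address of every aws_s3_bucket_object marked "will be destroyed",
# one per line; creates and in-place updates are left alone.
doomed_s3_objects() {
  printf '%s\n' "$1" |
    sed -n 's/^ *# \(aws_s3_bucket_object\.[^ ]*\) will be destroyed *$/\1/p'
}

# Turn each doomed address into a single-quoted "terraform state rm" command.
# Nothing is executed here: review the output, then pipe it to sh to run it.
orphan_commands() {
  doomed_s3_objects "$1" | while IFS= read -r addr; do
    printf "terraform state rm '%s'\n" "$addr"
  done
}

orphan_commands "$SAMPLE_PLAN"
```

After running the emitted commands, re-run terraform plan and feed the new output through the helper again until it prints nothing, which is the "no such objects in the plan" condition the note above asks for.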
Deprecations
- Support for Kubernetes version 1.17 is deprecated and will be removed in kOps 1.23.
- Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.
- Support for the Lyft CNI is deprecated and will be removed in kOps 1.23.
- Support for CentOS 7 is deprecated and will be removed in future versions of kOps.
- Support for CentOS 8 is deprecated and will be removed in future versions of kOps.
- Support for Debian 9 (Stretch) is deprecated and will be removed in future versions of kOps.
- Support for RHEL 7 is deprecated and will be removed in future versions of kOps.
- Support for Ubuntu 18.04 (Bionic) is deprecated and will be removed in future versions of kOps.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The node-role.kubernetes.io/master and kubernetes.io/role labels are deprecated and might be removed from control plane nodes in kOps 1.23.
- The TerraformJSON feature flag is deprecated and will be removed in kOps 1.23. Only native HCL2 Terraform output will be supported.
- Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this cloud provider.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
Other changes of note
- Support for shell completion has been substantially improved. kOps has added support for shell completion in fish and PowerShell.
- It is no longer necessary to set AWS_SDK_LOAD_CONFIG=1 in the environment when using AWS assumed roles with the kops CLI.
- There is a new command kops get assets for listing image and file assets used by a cluster. It also includes a --copy flag to copy the assets to local repositories. See the documentation on Using local asset repositories for more information.
- kOps now provisions TLS server certificates signed by the Kubernetes general CA to kube-controller-manager and kube-scheduler. The previous behavior of using self-signed certs may be restored by setting kubeControllerManager.tlsCertFile and/or kubeScheduler.tlsCertFile to "" in the cluster spec.
- Cilium now supports the wireguard protocol for transparent encryption.
1.22.5 to 1.22.6
- Add hashes for containerd and Docker in order to fix CVE-2022-23648 @drequena #13606
- Avoid "/etc/resolv.conf" file loopback for Flatcar Container Linux distribution @seh #13617
- Update etcd-manager to v3...
v1.24.0
Release Notes
https://kops.sigs.k8s.io/releases/1.24-notes/
What's Changed
- Release 1.24.0-alpha.1 by @hakman in #12928
- Update release notes and minimum k8s version by @hakman in #12929
- kops auth-plugin: need to clear any existing password / key by @justinsb in #12921
- Add integration test for k8s 1.24 by @olemarkus in #12930
- Only shellcheck files by @olemarkus in #12931
- Do not set insecure-port as of k8s 1.20 by @olemarkus in #12926
- tests: Improve logging on test failure by @justinsb in #12933
- nodeup: store the CloudProvider in the context by @justinsb in #12923
- bazel: always build with pure (CGO_ENABLED=0) by @justinsb in #12934
- nodeup: print more info on hash mismatches by @justinsb in #12935
- PKI library: Add initial support for EC keys by @justinsb in #12936
- Recognize debian bullseye as having "broken" resolv.conf by @justinsb in #12937
- Remove code for now-unsupported Kubernetes 1.18 by @johngmyers in #12939
- Add missing k8s 1.18 relnote by @johngmyers in #12938
- Remove obsolete, redundant secrets.md by @johngmyers in #12942
- Drop support for Weave as of k8s 1.23 by @johngmyers in #12941
- Remove support for Aliyun/Alibaba Cloud by @johngmyers in #12944
- Document CoreDNS configuration settings by @recollir in #12914
- Update name of kubernetes-ca keypair in documentation by @johngmyers in #12943
- Revert "Recognize debian bullseye as having "broken" resolv.conf" by @olemarkus in #12947
- Set the default LT version to the new LT version by @olemarkus in #12932
- Make service topology for cilium configurable by @olemarkus in #12918
- gce: ServiceAccount task by @justinsb in #12950
- Update Calico and Canal to v3.21.2 by @hakman in #12951
- Update Go to v1.17.5 by @hakman in #12954
- Skip IPv6 LB test in the k/s e2e by @hakman in #12953
- GCE: Task for StorageBucket IAM by @justinsb in #12958
- GCE: Project IAM Binding task by @justinsb in #12959
- add verify-golangci-lint.sh script by @rlankfo in #12892
- Hubble relay should not tolerate anything by @olemarkus in #12963
- Do not explicitly skip Dashboard tests by @hakman in #12962
- Do not skip NodePort tests for Calico by @hakman in #12960
- Remove verify-staticcheck by @rifelpet in #12965
- wait for instances to drain from classic LB by @heybronson in #12902
- Support Karpenter by @olemarkus in #12906
- Update containerd to v1.6.0-beta.4 by @hakman in #12968
- Update controller-runtime to v0.11.0 by @hakman in #12967
- Add missing permissions by @olemarkus in #12977
- Do not skip HPA tests by @hakman in #12972
- Do not skip RuntimeClass tests by @hakman in #12974
- gce: Use ServiceAccount task when building model by @justinsb in #12978
- Quote values and remove limits in karpenter provisioners by @olemarkus in #12979
- Promote alpha with December releases by @olemarkus in #12984
- gce: map multiple serviceaccounts by @justinsb in #12982
- Defend against nil containerd by @justinsb in #12990
- Remove unused TemplateResource interface by @justinsb in #12989
- Avoid double-encoding templates by @justinsb in #12991
- Refactor nodeup script to avoid action-at-a-distance by @justinsb in #12993
- gce: use per InstanceGroup serviceaccounts by @justinsb in #12988
- dep: update github.com/pkg/sftp by @justinsb in #12996
- Create helper functions for parsing public keys by @justinsb in #12999
- Use terraform literals in GCP service account references by @rifelpet in #12995
- kops-controller: use controller-runtime manager by @justinsb in #12997
- gce: clean up networking objects by reference by @justinsb in #12987
- componentconfig: expose advertise-address flag for kube-apiserver by @justinsb in #12998
- Do not allow docker on k8s 1.24+ by @olemarkus in #12927
- Ignore images hosted in private ECR repositories as containerd cannot pull these by @olemarkus in #13000
- Skip RuntimeClass tests for older Kubernetes versions by @hakman in #13003
- Various nill pointer fixes for karpenter by @olemarkus in #12973
- Set Resource Based Naming on managed subnets by @johngmyers in #12864
- Add kubetest2-kops flags for overriding instance group fields by @rifelpet in #13005
- Support creating dualstack internal NLBs by @johngmyers in #13006
- Skip SCTP check for all versions of k8s 1.23/1.24 by @olemarkus in #13008
- Use spread constraints rather than affinity to spread pods by @olemarkus in #12961
- Bump karpenter to 0.5.3 and RBN support by @olemarkus in #13002
- Validate IGs more strictly after defaults have applied by @olemarkus in #12660
- Karpenter template fix by @olemarkus in #13009
- staticcheck cleanup: fixup nodeup/pkg/model by @justinsb in #13013
- nodeup bash script: use explicit return code by @justinsb in #13012
- Prevent creation of unsupported etcd clusters by @olemarkus in #13011
- Create cgroups for kube and runtime if configured by @olemarkus in #12917
- Do not install ClusterRole and binding used by in-tree volume provider if CSI is used by @olemarkus in #13010
- kubetest2 - Use the same binary path and env when fetching IGs by @rifelpet in #13018
- Use fi.Keyset instead of passing tasks around by @justinsb in #12992
- add instance connection draining for NLBs by @heybronson in #12966
- Use kubelet --non-masquerade-cidr only for Docker with kubenet by @hakman in #13007
- Fix dangling ENIs from AWS VPC CNI by @olemarkus in #13021
- Update k8s dependencies to v1.23.1 by @hakman in #13022
- Improve HA for various addons by @olemarkus in #13027
- Add a CLI flag for creating one karpenter-managed IG for worker nodes instead of ASG-managed ones by @olemarkus in #12975
- Allow IPv6-only subnets by @johngmyers in #13026
- Support specifying instance requirements per IG by @olemarkus in #13019
- Remove TerraformJSON feature flag by @rifelpet in #13029
- LBC has to run on the control plane, so set replicas accordingly by @olemarkus in #13033
- Fix various typos related to karpenter by @olemarkus in #13035
- Kube components log to stdout by @olemarkus in #13038
- Identify pending instances by @olemarkus in #13040
- Add managed-by label to static kube-proxy pods by @olemarkus in #13039
- Prefix karpenter logging-config name by @olemarkus in #13037
- gce: don't set per-IG permissions when using shared account by @justinsb in #13043
- Add documentation on karpenter by @olemarkus in #13036
- external CCM for GCE by @jiahuif in https://github.com/kubernetes/kop...