You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Update dnsmasq to the latest version. (#53149, @bowei)
On GCP platforms, e2e testing now logs which OS images the cluster was found to have. (#48310, @abgworrall)
Update cluster-proportional-autoscaler, etcd-empty-dir-cleanup, fluentd-gcp, and kube-addon-manager addons with refreshed base images containing fixes for CVE-2015-8271, CVE-2016-7543, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000366, CVE-2017-2616, and CVE-2017-7507. (#48011, @ixdy)
kube-up (with gce/gci and gce/coreos providers) now ensures the authentication token file contains correct tokens for the control plane components, even if the file already exists (ensures upgrades and downgrades work successfully) (#43676, @liggitt)
PodSecurityPolicy authorization is correctly enforced by the PodSecurityPolicy admission plugin. (#43489, @liggitt)
Bump gcr.io/google_containers/glbc from 0.9.1 to 0.9.2. Release notes: 0.9.2 (#43097, @timstclair)
Update gcr.io/google-containers/rescheduler to v0.2.2, which uses busybox as a base image instead of ubuntu. (#41911, @ixdy)
restored normalization of custom --etcd-prefix when --storage-backend is set to etcd3 (#42506, @liggitt)
v1.5.5
This release contains a fix for a PodSecurityPolicy vulnerability which allows users to make use of any existing PodSecurityPolicy object, even ones they are not authorized to use.
Other then that, this release contains no other changes from 1.5.4.
Enable the PodSecurityPolicy admission plugin (which is not enabled by default):
--admission-control=...,PodSecurityPolicy,...
Use authorization to limit users' ability to use specific PodSecurityPolicy objects
What is the impact?
A user that is authorized to create pods can make use of any existing PodSecurityPolicy, even ones they are not authorized to use.
How can I mitigate this prior to installing 1.5.5?
Export existing PodSecurityPolicy objects:
kubectl get podsecuritypolicies -o yaml > psp.yaml
Review and delete any PodSecurityPolicy objects you do not want all pod-creating users to be able to use (NOTE: Privileged users that were making use of those policies will also lose access to those policies). For example:
Fix AWS device allocator to only use valid device names (#41455, @gnufied)
The kube-apiserver basic audit log can be enabled in GCE by exporting the environment variable ENABLE_APISERVER_BASIC_AUDIT=true before running cluster/kube-up.sh. This will log to /var/log/kube-apiserver-audit.log and use the same logrotate settings as /var/log/kube-apiserver.log. (#41211, @enisoc)
list-resources: don't fail if the grep fails to match any resources (#41933, @ixdy)
Bump GCE ContainerVM to container-vm-v20170214 to address CVE-2016-9962. (#41449, @zmerlynn)
We change the default attach_detach_controller sync period to 1 minute to reduce the query frequency through cloud provider to check whether volumes are attached or not. (#41363, @jingxu97)
Added configurable etcd initial-cluster-state to kube-up script (#41320, @jszczepkowski)
If ExperimentalCriticalPodAnnotation=True flag gate is set, kubelet will ensure that pods with scheduler.alpha.kubernetes.io/critical-pod annotation will be admitted even under resource pressure, will not be evicted, and are reasonably protected from system OOMs. (#41052, @vishh)
Reverts to looking up the current VM in vSphere using the machine's UUID, either obtained via sysfs or via the vm-uuid parameter in the cloud configuration file. (#40892, @robdaemon)
Fix for detach volume when node is not present/ powered off (#40118, @BaluDontu)
Move b.gcr.io/k8s_authenticated_test to gcr.io/k8s-authenticated-test (#40335, @zmerlynn)
Enable lazy inode table and journal initialization for ext3 and ext4 (#38865, @codablock)
Kubelet will no longer set hairpin mode on every interface on the machine when an error occurs in setting up hairpin for a specific interface. (#36990, @bboreham)
The SubjectAccessReview API passes subresource and resource name information to the authorizer to answer authorization queries. (#40935, @liggitt)
Bump GCE ContainerVM to container-vm-v20170201 to address CVE-2016-9962. (#40828, @zmerlynn)
Fixes request header authenticator by presenting the request header client CA so that the front proxy will authenticate using its client certificate. (#40301, @deads2k)
Add a KUBERNETES_NODE_* section to build kubelet/kube-proxy for windows (#38919, @brendandburns)
Update GCE ContainerVM deployment to container-vm-v20170117 to pick up CVE fixes in base image. (#40094, @zmerlynn)
Adding vmdk file extension for vmDiskPath in vsphere DeleteVolume (#40538, @divyenpatel)
AWS: Remove duplicate calls to DescribeInstance during volume operations (#39842, @gnufied)
Caching added to the OIDC client auth plugin to fix races and reduce the time kubectl commands using this plugin take by several seconds. (#38167, @ericchiang)
Actually fix local-cluster-up on 1.5 branch (#40501, @lavalamp)
Prevent hotloops on error conditions, which could fill up the disk faster than log rotation can free space. (#40497, @lavalamp)
Fix issue with PodDisruptionBudgets in which minAvailable specified as a percentage did not work with StatefulSet Pods. (#39454, @foxish)
Update fluentd-gcp addon to 1.28.1 (#39706, @ixdy)
Provide kubernetes-controller-manager flags to control volume attach/detach reconciler sync. The duration of the syncs can be controlled, and the syncs can be shut off as well. (#39551, @chrislovecnm)
Fix an issue where AWS tear-down leaks an DHCP Option Set. (#38645, @zmerlynn)
Give apply the versioned struct that generated from the type defined in the restmapping. (#38982, @ymqytw)
Add support for Azure Container Registry, update Azure dependencies (#37783, @brendandburns)
Fixes an issue where hack/local-up-cluster.sh would fail on the API server start with (#38898, @deads2k)
!!! [1215 15:42:56] Timed out waiting for apiserver: to answer at https://localhost:6443/version; tried 10 waiting 1 between each
Since kubernetes.tar.gz no longer includes client or server binaries, cluster/kube-{up,down,push}.sh now automatically download released binaries if they are missing. (#38730, @ixdy)
Fixes issue where if the audit log is enabled and anonymous authentication is disabled, then an unauthenticated user request will cause a panic and crash the kube-apiserver. (#38717, @deads2k)
Known Issues for v1.5.1
hack/local-up-cluster.sh script times out waiting for apiserver to answer, see #38847.
To workaround this, modify the script to pass --anonymous-auth=true to sudo -E "${GO_OUT}/hyperkube" apiserver ... when starting kube-apiserver.
StatefulSets are beta now (fixes and stabilization)
Improved Federation Support
New command: kubefed
DaemonSets
Deployments
ConfigMaps
Simplified Cluster Deployment
Improvements to kubeadm
HA Setup for Master
Node Robustness and Extensibility
Windows Server Container support
CRI for pluggable container runtimes
kubelet API supports authentication and authorization
Features
Features for this release were tracked via the use of the kubernetes/features issues repo. Each Feature issue is owned by a Special Interest Group from kubernetes/community
API Machinery
[beta] kube-apiserver support for the OpenAPI spec is moving from alpha to beta. The first non-go client is based on it (kubernetes/features#53)
Apps
[stable] When replica sets cannot create pods, they will now report detail via the API about the underlying reason (kubernetes/features#120)
[stable] kubectl apply is now able to delete resources you no longer need with --prune (kubernetes/features#128)
[beta] Deployments that cannot make progress in rolling out the newest version will now indicate via the API they are blocked (docs) (kubernetes/features#122)
[beta] StatefulSets allow workloads that require persistent identity or per-instance storage to be created and managed on Kubernetes. (docs) (kubernetes/features#137)
[beta] In order to preserve safety guarantees the cluster no longer force deletes pods on un-responsive nodes and users are now warned if they try to force delete pods via the CLI. (docs) (kubernetes/features#119)
Auth
[alpha] Further polishing of the Role-based access control alpha API including a default set of cluster roles. (docs) (kubernetes/features#2)
[beta] Added ability to authenticate/authorize access to the Kubelet API (docs) (kubernetes/features#89)
[alpha] Improved UX and usability for the kubeadm binary that makes it easy to get a new cluster running. (docs) (changelog) (kubernetes/features#11)
Cluster Ops
[alpha] Added ability to create/remove clusters w/highly available (replicated) masters on GCE using kube-up/kube-down scripts. (docs) (kubernetes/features#48)
[alpha] Cluster federation: Added support for DeleteOptions.OrphanDependents for federation resources. (docs) (kubernetes/features#99)
[alpha] Introducing kubefed, a new command line tool to simplify federation control plane. (docs) (kubernetes/features#97)
Network
[stable] Services can reference another service by DNS name, rather than being hosted in pods (kubernetes/features#33)
[beta] Opt in source ip preservation for Services with Type NodePort or LoadBalancer (docs) (kubernetes/features#27)
[stable] Enable DNS Horizontal Autoscaling with beta ConfigMap parameters support (docs)
Node
[alpha] Added ability to preserve access to host userns when userns remapping is enabled in container runtime (kubernetes/features#127)
[alpha] Introducing the v1alpha1 CRI API to allow pluggable container runtimes; an experimental docker-CRI integration is ready for testing and feedback. (docs) (kubernetes/features#54)
[alpha] Kubelet launches container in a per pod cgroup hierarchy based on quality of service tier (kubernetes/features#126)
[beta] Kubelet integrates with memcg notification API to detect when a hard eviction threshold is crossed (kubernetes/features#125)
[beta] Introducing the beta version containerized node conformance test gcr.io/google_containers/node-test:0.2 for users to verify node setup. (docs) (kubernetes/features#84)
[beta] PodDisruptionBudget has been promoted to beta, can be used to safely drain nodes while respecting application SLO's (docs) (kubernetes/features#85)
UI
[stable] Dashboard UI now shows all user facing objects and their resource usage. (docs) (kubernetes/features#136)
Windows
[alpha] Added support for Windows Server 2016 nodes and scheduling Windows Server Containers (docs) (kubernetes/features#116)
getDeviceNameFromMount() function doesn't return the volume path correctly when the volume path contains spaces #37712
Federation alpha features do not have feature gates defined and
are hence enabled by default. This will be fixed in a future release.
#38593
Federation control plane can be upgraded by updating the image
fields in the Deployment specs of the control plane components.
However, federation control plane upgrades were not tested in this
release 38537
Notable Changes to Existing Behavior
Node controller no longer force-deletes pods from the api-server. (#35235, @foxish)
For StatefulSet (previously PetSet), this change means creation of
replacement pods is blocked until old pods are definitely not running
(indicated either by the kubelet returning from partitioned state,
deletion of the Node object, deletion of the instance in the cloud provider,
or force deletion of the pod from the api-server).
This helps prevent "split brain" scenarios in clustered applications by
ensuring that unreachable pods will not be presumed dead unless some
"fencing" operation has provided one of the above indications.
For all other existing controllers except StatefulSet, this has no effect on
the ability of the controller to replace pods because the controllers do not
reuse pod names (they use generate-name).
User-written controllers that reuse names of pod objects should evaluate this change.
When deleting an object with kubectl delete ... --grace-period=0, the client will
begin a graceful deletion and wait until the resource is fully deleted. To force
deletion immediately, use the --force flag. This prevents users from accidentally
allowing two Stateful Set pods to share the same persistent volume which could lead to data
corruption #37263
Allow anonymous API server access, decorate authenticated users with system:authenticated group (#32386, @liggitt)
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'.
Authenticated users are decorated with a 'system:authenticated' group.
IMPORTANT: See Action Required for important actions related to this change.
kubectl get -o jsonpath=... will now throw an error if the path is to a field not present in the json, even if the path is for a field valid for the type. This is a change from the pre-1.5 behavior, which would return the default value for some fields even if they were not present in the json. (#37991, @pwittrock)
The strategicmerge patchMergeKey for VolumeMounts was changed from "name" to "mountPath". This was necessary because the name field refers to the name of the Volume, and is not a unique key for the VolumeMount. Multiple VolumeMounts will have the same Volume name if mounting the same volume more than once. The "mountPath" is verified to be unique and can act as the mergekey. (#35071, @pwittrock)
Deprecations
extensions/v1beta1.Jobs is deprecated, use batch/v1.Job instead (#36355, @soltysh)
The kubelet --reconcile-cdir flag is deprecated because it has no function anymore. (#35523, @luxas)
The init-container (pod.beta.kubernetes.io/init-containers) annotations used to accept capitalized field names that could be accidentally generated by the k8s.io/kubernetes/pkg/api package. Using an upper case field name will now return an error and all users should use the versioned API types from pkg/api/v1 when serializing from Golang.
Action Required Before Upgrading
**Important Security-related changes before upgrading
You MUST set --anonymous-auth=false flag on your kube-apiserver unless you are a developer testing this feature and understand it.
If you do not, you risk allowing unauthorized users to access your apiserver.
You MUST set --anonymous-auth=false flag on your federation apiserver unless you are a developer testing this feature and understand it.
If you do not, you risk allowing unauthorized users to access your federation apiserver.
You do not need to adjust this flag on Kubelet: there was no authorization for the Kubelet APIs in 1.4.
batch/v2alpha1.ScheduledJob has been renamed, use batch/v2alpha1.CronJob instead (#36021, @soltysh)
PetSet has been renamed to StatefulSet.
If you have existing PetSets, you must perform extra migration steps both
before and after upgrading to convert them to StatefulSets. (docs) (#35663, @janetkuo)
If you are upgrading your Cluster Federation components from v1.4.x, please update your federation-apiserver and federation-controller-manager manifests to the new version (#30601, @madhusudancs)
The deprecated kubelet --configure-cbr0 flag has been removed, and with that the "classic" networking mode as well. If you depend on this mode, please investigate whether the other network plugins kubenet or cni meet your needs. (#34906, @luxas)
New client-go structure, refer to kubernetes/client-go for versioning policy (#34989, @caesarxuchao)
The deprecated kube-scheduler --bind-pods-qps and --bind-pods burst flags have been removed, use --kube-api-qps and --kube-api-burst instead (#34471, @timothysc)
If you used the PodDisruptionBudget feature in 1.4 (i.e. created PodDisruptionBudget objects), then BEFORE upgrading from 1.4 to 1.5, you must delete all PodDisruptionBudget objects (policy/v1alpha1/PodDisruptionBudget) that you have created. It is not possible to delete these objects after you upgrade, and their presence will prevent you from using the beta PodDisruptionBudget feature in 1.5 (which uses policy/v1beta1/PodDisruptionBudget). If you have already upgraded, you will need to downgrade the master to 1.4 to delete the policy/v1alpha1/PodDisruptionBudget objects.
External Dependency Version Information
Continuous integration builds have used the following versions of external dependencies, however, this is not a strong recommendation and users should consult an appropriate installation or upgrade guide before deciding what versions of etcd, docker or rkt to use.
Docker versions 1.10.3 - 1.12.3
Docker version 1.11.2 known issues
Kernel crash with Aufs storage driver on Debian Jessie (#27885
which can be identified by the node problem detector
kubelet: don't reject pods without adding them to the pod manager (#37661, @yujuhong)
Fix photon controller plugin to construct with correct PdID (#37167, @luomiao)
Fix the equality checks for numeric values in cluster/gce/util.sh. (#37638, @roberthbailey)
federation service controller: stop deleting services from underlying clusters when federated service is deleted. (#37353, @nikhiljindal)
Set Dashboard UI version to v1.5.0 (#37684, @rf232)
When deleting an object with --grace-period=0, the client will begin a graceful deletion and wait until the resource is fully deleted. To force deletion, use the --force flag. (#37263, @smarterclayton)
Removes shorthand flag -w from kubectl apply (#37345, @MrHohn)
Fix issue in converting AWS volume ID from mount paths (#36840, @jingxu97)
fix leaking memory backed volumes of terminated pods (#36779, @sjenning)
Default logging subsystem's resiliency was greatly improved, fluentd memory consumption and OOM error probability was reduced. (#37021, @Crassirostris)
Federation: allow specification of dns zone by ID (#36336, @justinsb)
K8s 1.5 keeps container-vm as the default node image on GCE for backwards compatibility reasons. Please beware that container-vm is officially deprecated (supported with security patches only) and you should replace it with GCI if at all possible. You can review the migration guide here for more detail: https://cloud.google.com/container-engine/docs/node-image-migration (#36822, @mtaufen)
Add a flag allowing contention profiling of the API server (#36756, @gmarek)
Rename --cgroups-per-qos to --experimental-cgroups-per-qos in Kubelet (#36767, @vishh)
Implement CanMount() for gfsMounter for linux (#36686, @rkouj)
Default host user namespace via experimental flag (#31169, @pweil-)
Use generous limits in the resource usage tracking tests (#36623, @yujuhong)
Update Dashboard UI version to 1.4.2 (#35895, @rf232)
Add support for service load balancer source ranges to Azure load balancers. (#36696, @brendandburns)
Fix fetching pids running in a cgroup, which caused problems with OOM score adjustments & setting the /system cgroup ("misc" in the summary API). (#36551, @timstclair)
federation: Adding support for DeleteOptions.OrphanDependents for federated replicasets and deployments. Setting it to false while deleting a federated replicaset or deployment also deletes the corresponding resource from all registered clusters. (#36476, @nikhiljindal)
Migrates addons from RCs to Deployments (#36008, @MrHohn)
Avoid setting S_ISGID on files in volumes (#36386, @sjenning)
federation: Adding support for DeleteOptions.OrphanDependents for federated daemonsets and ingresses. Setting it to false while deleting a federated daemonset or ingress also deletes the corresponding resource from all registered clusters. (#36330, @nikhiljindal)
Node Conformance Test: Containerize the node e2e test (#31093, @Random-Liu)
federation: Adding support for DeleteOptions.OrphanDependents for federated secrets. Setting it to false while deleting a federated secret also deletes the corresponding secrets from all registered clusters. (#36296, @nikhiljindal)
Deploy kube-dns with cluster-proportional-autoscaler (#33239, @MrHohn)
Adds support for StatefulSets in kubectl drain. (#35483, @ymqytw)
Switches to use the eviction sub-resource instead of deletion in kubectl drain, if server supports.
azure: load balancer preserves destination ip address (#36256, @colemickens)
[AppArmor] Hold bad AppArmor pods in pending rather than rejecting (#35342, @timstclair)
Federation: separate notion of zone-name & dns-suffix (#35372, @justinsb)
In order to bypass graceful deletion of pods (to immediately remove the pod from the API) the user must now provide the --force flag in addition to --grace-period=0. This prevents users from accidentally force deleting pods without being aware of the consequences of force deletion. Force deleting pods for resources like StatefulSets can result in multiple pods with the same name having running processes in the cluster, which may lead to data corruption or data inconsistency when using shared storage or common API endpoints. (#35484, @smarterclayton)
have basic kubectl crud agnostic of registered types (#36085, @deads2k)
Fix how we iterate over active jobs when removing them for Replace policy (#36161, @soltysh)
Adds TCPCloseWaitTimeout option to kube-proxy for sysctl nf_conntrack_tcp_timeout_time_wait (#35919, @bowei)
Pods that are terminating due to eviction by the nodecontroller (typically due to unresponsive kubelet, or network partition) now surface in kubectl get output (#36017, @foxish)
as being in state "Unknown", along with a longer description in kubectl describe output.
The hostname of the node (as autodetected by the kubelet, specified via --hostname-override, or determined by the cloudprovider) is now recorded as an address of type "Hostname" in the status of the Node API object. The hostname is expected to be resolveable from the apiserver. (#25532, @mkulke)
[Kubelet] Add alpha support for --cgroups-per-qos using the configured --cgroup-driver. Disabled by default. (#31546, @derekwaynecarr)
Move Statefulset (previously PetSet) to v1beta1 (#35731, @janetkuo)
The error handling behavior of pkg/client/restclient.Result has changed. Calls to Result.Raw() will no longer parse the body, although they will still return errors that react to pkg/api/errors.Is*() as in previous releases. Callers of Get() and Into() will continue to receive errors that are parsed from the body if the kind and apiVersion of the body match the Status object. (#36001, @smarterclayton)
This more closely aligns rest client as a generic RESTful client, while preserving the special Kube API extended error handling for the Get and Into methods (which most Kube clients use).
Making the pod.alpha.kubernetes.io/initialized annotation optional in PetSet pods (#35739, @foxish)
The main kubernetes repository stops hosting archived version of released clients. Please use client-go. (#35928, @caesarxuchao)
Correct the article in generated documents (#32557, @asalkeld)
Update PodAntiAffinity to ignore calls to subresources (#35608, @soltysh)
The apiserver can now select which type of kubelet-reported address to use for apiserver->node communications, using the --kubelet-preferred-address-types flag. (#35497, @liggitt)
update list of vailable resources (#32687, @jouve)
Remove stale volumes if endpoint/svc creation fails. (#35285, @humblec)
Remove scheduler flags that were marked as deprecated 2+ releases ago. (#34471, @timothysc)
Other notable changes
Make the fake RESTClient usable by all the API groups, not just core. (#35492, @madhusudancs)
Adding support for DeleteOptions.OrphanDependents for federated namespaces. Setting it to false while deleting a federated namespace also deletes the corresponding namespace from all registered clusters. (#34648, @nikhiljindal)
Kubelet flag '--mounter-path' renamed to '--experimental-mounter-path' (#35646, @vishh)
Node status updater should SetNodeStatusUpdateNeeded if it fails to update status (#34368, @jingxu97)
Deprecate OpenAPI spec for GroupVersion endpoints in favor of single spec /swagger.json (#35388, @mbohlool)
fixed typo in script which made setting custom cidr in gce using kube-up impossible (#35267, @tommywo)
The podGC controller will now always run, irrespective of the value supplied to the "terminated-pod-gc-threshold" flag supplied to the controller manager. (#35476, @foxish)
The specific behavior of the podGC controller to clean up terminated pods is still governed by the flag, but the podGC's responsibilities have evolved beyond just cleaning up terminated pods.
Update grafana version used by default in kubernetes to 3.1.1 (#35435, @Crassirostris)
vSphere Kube-up: resolve vm-names on all nodes (#35365, @kerneltime)
bootstrap: Start hostNetwork pods even if network plugin not ready (#33347, @justinsb)
Factor out post-init swagger and OpenAPI routes (#32590, @sttts)
pvc.Spec.Resources.Requests min and max can be enforced with a LimitRange of type "PersistentVolumeClaim" in the namespace (#30145, @markturansky)
Federated DaemonSet controller. Supports all the API that regular DaemonSet has. (#34319, @mwielgus)
New federation deployment mechanism now allows non-GCP clusters. (#34620, @madhusudancs)
* Writes the federation kubeconfig to the local kubeconfig file.
Update the series and the README to reflect the change. (#30374, @mbruzek)
Alpha JWS Discovery API for locating an apiserver securely (#32203, @dgoodwin)
Action Required
kube-apiserver learned the '--anonymous-auth' flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of 'system:anonymous' and a group of 'system:unauthenticated'. (#32386, @liggitt)
Authenticated users are decorated with a 'system:authenticated' group.
NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or or set '--anonymous-auth=false'.
The NamespaceExists and NamespaceAutoProvision admission controllers have been removed. (#31250, @derekwaynecarr)
All cluster operators should use NamespaceLifecycle.
Federation binaries and their corresponding docker images - federation-apiserver and federation-controller-manager are now folded in to the hyperkube binary. If you were using one of these binaries or docker images, please switch to using the hyperkube version. Please refer to the federation manifests - federation/manifests/federation-apiserver.yaml and federation/manifests/federation-controller-manager-deployment.yaml for examples. (#29929, @madhusudancs)
Other notable changes
The kube-apiserver --service-account-key-file option can be specified multiple times, or can point to a file containing multiple keys, to enable rotation of signing keys. (#34029, @liggitt)
The apiserver now uses addresses reported by the kubelet in the Node object's status for apiserver->kubelet communications, rather than the name of the Node object. The address type used defaults to InternalIP, ExternalIP, and LegacyHostIP address types, in that order. (#33718, @justinsb)
Federated deployment controller that supports the same api as the regular kubernetes deployment controller. (#34109, @mwielgus)
Match GroupVersionKind against specific version (#34010, @soltysh)
kubectl: Add external ip information to node when '-o wide' is used (#33552, @floreks)
Update GCI base image: (#34156, @adityakali)
* Enabled VXLAN and IP_SET config options in kernel to support some networking tools (ebtools)
* OpenSSL CVE fixes
ContainerVm/GCI image: try to use ifdown/ifup if available (#33595, @freehan)
Use manifest digest (as docker-pullable://) as ImageID when available (exposes a canonical, pullable image ID for containers). (#33014, @DirectXMan12)
Add kubelet awareness to taint tolerant match caculator. (#26501, @resouer)
Fix nil pointer issue when getting metrics from volume mounter (#34251, @jingxu97)
Enforce Disk based pod eviction with GCI base image in Kubelet (#33520, @vishh)
Remove headers that are unnecessary for proxy target (#34076, @mbohlool)
Add missing argument to log message in federated ingress controller. (#34158, @quinton-hoole)
The kubelet --eviction-minimum-reclaim option can now take precentages as well as absolute values for resources quantities (#33392, @sjenning)
The implicit registration of Prometheus metrics for workqueue has been removed, and a plug-able interface was added. If you were using workqueue in your own binaries and want these metrics, add the following to your imports in the main package: "k8s.io/pkg/util/workqueue/prometheus". (#33792, @caesarxuchao)
Add kubectl --node-port option for specifying the service nodeport (#33319, @juanvallejo)
To reduce memory usage to reasonable levels in smaller clusters, kube-apiserver now sets the deserialization cache size based on the target memory usage. (#34000, @wojtek-t)
use service accounts as clients for controllers (#33310, @deads2k)
Add a new option "--local" to the kubectl annotate (#34074, @asalkeld)
Add a new option "--local" to the kubectl label (#33990, @asalkeld)
Initialize podsWithAffinity to avoid scheduler panic (#33967, @xiang90)
Fix base image pinning during upgrades via cluster/gce/upgrade.sh (#33147, @vishh)
Remove the flannel experimental overlay (#33862, @luxas)
CRI: Remove the mount name and port name. (#33970, @yifan-gu)
Enable kubectl describe rs to work when apiserver does not support pods (#33794, @nikhiljindal)
Fixes in HPA: consider only running pods; proper denominator in avg request calculations. (#33735, @jszczepkowski)
When CORS Handler is enabled, we now add a new HTTP header named "Access-Control-Expose-Headers" with a value of "Date". This allows the "Date" HTTP header to be accessed from XHR/JavaScript. (#33242, @dims)
Add port forwarding for rkt with kvm stage1 (#32126, @jjlakis)
The value of the versioned.Event object (returned by watch APIs) in the Swagger 1.2 schemas has been updated from *versioned.Event which was not expected by many client tools. The new value is consistent with other structs returned by the API. (#33007, @smarterclayton)
Remove cpu limits for dns pod to avoid CPU starvation (#33227, @vishh)
Allow secure access to apiserver from Admission Controllers (#31491, @dims)
Resolves x509 verification issue with masters dialing nodes when started with --kubelet-certificate-authority (#33141, @liggitt)
Fix possible panic in PodAffinityChecker (#33086, @ivan4th)
Upgrading Container-VM base image for k8s on GCE. Brief changelog as follows: (#32738, @Amey-D)
- Fixed performance regression in veth device driver
- Docker and related binaries are statically linked
- Fixed the issue of systemd being oom-killable
Move HighWaterMark to the top of the struct in order to fix arm (#33117, @luxas)
kubenet: SyncHostports for both running and ready to run pods. (#31388, @yifan-gu)
Limit the number of names per image reported in the node status (#32914, @yujuhong)
Some components like kube-dns and kube-proxy could fail to load the service account token when started within a pod. Properly handle empty configurations to try loading the service account config. (#31947, @smarterclayton)
Removed comments in json config when using kubectl edit with -o json (#31685, @jellonek)
fixes invalid null selector issue in sysdig example yaml (#31393, @baldwinSPC)
Rescheduler which ensures that critical pods are always scheduled enabled by default in GCE. (#31974, @piosz)
Added liveness probe to Heapster service. (#31878, @mksalawa)
Adding clusters to the list of valid resources printed by kubectl help (#31719, @nikhiljindal)
Kubernetes server components using kubeconfig files no longer default to http://localhost:8080. Administrators must specify a server value in their kubeconfig files. (#30808, @smarterclayton)
Include security options in the container created event (#31557, @timstclair)
Federation can now be deployed using the federation/deploy/deploy.sh script. This script does not depend on any of the development environment shell library/scripts. This is an alternative to the current federation-up.sh/federation-down.sh scripts. Both the scripts are going to co-exist in this release, but the federation-up.sh/federation-down.sh scripts might be removed in a future release in favor of federation/deploy/deploy.sh script. (#30744, @madhusudancs)
Add get/delete cluster, delete context to kubectl config (#29821, @alexbrand)
rkt: Force rkt fetch to fetch from remote to conform the image pull policy. (#31378, @yifan-gu)
Allow services which use same port, different protocol to use the same nodePort for both (#30253, @AdoHe)
Remove environment variables and internal Kubernetes Docker labels from cAdvisor Prometheus metric labels. (#31064, @grobie)
Old behavior:
environment variables explicitly whitelisted via --docker-env-metadata-whitelist were exported as container_env_*=*. Default is zero so by default non were exported
all docker labels were exported as container_label_*=*
New behavior:
Only container_name, pod_name, namespace, id, image, and name labels are exposed
no environment variables will be exposed ever via /metrics, even if whitelisted