Releases: kubermatic/kubeone

v1.4.6

03 Aug 16:32
v1.4.6
f8f5dbc

Changes by Kind

Feature

  • Add missing snapshot controller and webhook for OpenStack Cinder CSI (#2218, @xmudrii)
  • Rollout pods that are using kubeone-*-credentials Secrets if credentials are changed (#2216, @xmudrii)

Updates

  • Update containerd to v1.5. Escape docker/containerd versions to avoid wildcard matching (#2228, @xmudrii)
  • Update Canal to v3.22.4 (#2189, @xmudrii)
  • Update OpenStack CCM and Cinder CSI to v1.23.4 for Kubernetes 1.23 clusters (#2186, @xmudrii)
  • Update machine-controller to v1.43.6 (#2227, @xmudrii)
  • Update machine-controller to v1.43.5 (#2210, @kron4eg)
  • Update machine-controller to v1.43.4. This machine-controller release fixes an issue with finding Node objects by ProviderID (#2193, @xmudrii)

Bug or Regression

  • Disable --configure-cloud-routes on Azure CCM to fix errors when starting the CCM (#2185, @kubermatic-bot)
  • Force regenerating CSRs for Kubelet serving certificates after CCM is deployed. This fixes an issue with Kubelet generating CSRs that are stuck in Pending. (#2204, @xmudrii)
  • Properly propagate external cloud provider and CSI migration options to OSM (#2203, @kubermatic-bot)
  • Replace operator: Exists toleration with the control plane tolerations for metrics-server. This fixes an issue with metrics-server pods breaking eviction (#2206, @kubermatic-bot)
  • Tenant ID or Name is not required when using application credentials (#2201, @ahmedwaleedmalik)

Checksums

SHA256 checksums can be found in the kubeone_1.4.6_checksums.txt file.

v1.4.5

12 Jul 09:35
v1.4.5
a56d556

Changes by Kind

Feature

  • Add GCP Compute Persistent Disk CSI driver. The CSI driver is deployed by default for all GCE clusters running Kubernetes 1.23 or newer (#2141, @xmudrii)
  • Migrate GCE standard default StorageClass to set volumeBindingMode to WaitForFirstConsumer. The StorageClass will be automatically recreated the next time you run kubeone apply (#2141, @xmudrii)

Bug or Regression

  • Disable node IPAM in Azure CCM (#2107, @rastislavs)
  • Disable preserveUnknownFields in all Canal CRDs. This fixes an issue preventing upgrading Canal to v3.22 for KubeOne clusters created with KubeOne 1.2 and older (#2105, @kubermatic-bot)
  • Fix wrong maxPods value on follower control plane nodes and static worker nodes (#2128, @xmudrii)
  • Set rp_filter=0 on all interfaces when Cilium is used. This fixes an issue with Cilium clusters losing pod connectivity after upgrading the cluster (#2108, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.4.5_checksums.txt file.

v1.4.4

02 Jun 13:30
v1.4.4
3d62a6f

Changes by Kind

Feature

  • Add MaxPods field to the KubeletConfig used to control the maximum number of pods per node (#2080, @xmudrii)
  • Update machine-controller to v1.43.3 (#2080, @xmudrii)
  • Add machineObjectAnnotations field to DynamicWorkerNodes used to apply annotations to resulting Machine objects. Add nodeAnnotations field to DynamicWorkerNodes Config as a replacement for deprecated machineAnnotations field (#2077, @xmudrii)
  • Update Canal and Calico VXLAN addons to v3.22.2. This allows users to use kube-proxy in IPVS mode on AMD64 clusters running Kubernetes 1.23 and newer. It currently remains impossible to use kube-proxy in IPVS mode on ARM64 clusters running Kubernetes 1.23 and newer. (#2042, @kubermatic-bot)
  • Update Terraform integration for Azure with new fields (#2085, @xmudrii)
  • Update vSphere CCM to v1.23.0 for Kubernetes 1.23 clusters. Add support for Kubernetes 1.23 on vSphere (#2069, @xmudrii)

Bug or Regression

Checksums

SHA256 checksums can be found in the kubeone_1.4.4_checksums.txt file.

v1.4.3

11 May 14:24
v1.4.3
717787f

Changes by Kind

Bug or Regression

  • Add missing VolumeAttachments permissions to machine-controller (#2032, @kubermatic-bot)
  • Provide registry configuration to kubeadm when pre-pulling images (#2028, @kron4eg)

Checksums

SHA256 checksums can be found in the kubeone_1.4.3_checksums.txt file.

v1.4.2

26 Apr 11:11
v1.4.2
e1ef646

Attention Needed

This patch release updates etcd to v3.5.3, which includes a fix for the data inconsistency issues reported earlier (https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ). To upgrade etcd for an existing cluster, you need to force upgrade the cluster as described here. If you're running Kubernetes 1.22 or newer, we strongly recommend upgrading etcd as soon as possible.

Changes by Kind

Feature

Bug or Regression

  • Bump flannel image to v0.15.1 (#1993, @ahmedwaleedmalik)
  • Deploy etcd v3.5.3 for clusters running Kubernetes 1.22 or newer. etcd v3.5.3 includes a fix for the data inconsistency issues announced by the etcd maintainers (https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ). To upgrade etcd for an existing cluster, you need to force upgrade the cluster as described here (#1953)
  • Fixes containerd upgrade on deb based distros (#1935)
  • Show "Ensure MachineDeployments" as an action to be taken only when provisioning a cluster for the first time (#1931)
  • Update machine-controller to v1.43.2 (#2001, @kron4eg)
    • Fixes an issue where the machine-controller would not wait for the volumeAttachments deletion before deleting the node
    • Fixes an issue where masked services on Flatcar are not properly stopped when provisioning a Flatcar node

Checksums

SHA256 checksums can be found in the kubeone_1.4.2_checksums.txt file.

v1.3.5

26 Apr 11:02
v1.3.5
0e8e146

Attention Needed

This patch release updates etcd to v3.5.3, which includes a fix for the data inconsistency issues reported earlier (https://groups.google.com/a/kubernetes.io/g/dev/c/B7gJs88XtQc/m/rSgNOzV2BwAJ). To upgrade etcd for an existing cluster, you need to force upgrade the cluster as described here. If you're running Kubernetes 1.22 or newer, we strongly recommend upgrading etcd as soon as possible.

Changed

Checksums

SHA256 checksums can be found in the kubeone_1.3.5_checksums.txt file.

v1.3.4

05 Apr 16:03
v1.3.4
217cf54

Attention Needed

This patch release enables the etcd corruption checks on every etcd member that is running etcd 3.5 (which applies to all Kubernetes 1.22+ clusters). This change is a recommendation from the etcd maintainers due to issues in etcd 3.5 that can cause data consistency issues. The changes in this patch release will prevent corrupted etcd members from joining or staying in the etcd ring.

Changed

  • Enable the etcd integrity checks (on startup and every 4 hours) for Kubernetes 1.22+ clusters. See the official etcd announcement for more details. (#1928)
  • Validate Kubernetes version against supported versions constraints. The minimum supported version is 1.19, and the maximum supported version is 1.22 (#1817)
  • Fix AMI filter in Terraform configs for AWS to always use x86_64 images (#1692)

Checksums

SHA256 checksums can be found in the kubeone_1.3.4_checksums.txt file.

v1.4.1

04 Apr 09:00
v1.4.1
d44b1a4

Attention Needed

This patch release enables the etcd corruption checks on every etcd member that is running etcd 3.5 (which applies to all Kubernetes 1.22+ clusters). This change is a recommendation from the etcd maintainers due to issues in etcd 3.5 that can cause data consistency issues. The changes in this patch release will prevent corrupted etcd members from joining or staying in the etcd ring.

Changes by Kind

Bug or Regression

  • Regenerate container runtime configurations based on kubeone.yaml during control-plane upgrades on Flatcar Linux nodes, not only on the initial installation. (#1918)
  • Approve pending CSRs when upgrading control plane and static worker nodes (#1888)
  • Enable the etcd integrity checks (on startup and every 4 hours) for Kubernetes 1.22+ clusters. See the official etcd announcement for more details. (#1909)
  • Fix CSR approving issue for existing nodes with already approved and GCed CSRs (#1897)
  • Fix missing snapshot CRDs for Openstack CSI (#1913)
  • Ensure old machine-controller MutatingWebhookConfiguration is deleted (#1913)
  • Fix overwriteRegistry not overwriting the Kubernetes control plane images (#1885)
  • Mount /usr/share/ca-certificates to the OpenStack CCM pod to fix the OpenStack CCM pod CrashLooping on Flatcar Linux (#1905)
  • Fix the GoBetween script failing to install the zip package on Flatcar Linux (#1905)
  • Expand path to SSH private key file (#1859)
  • Fix an issue with kubeone config migrate failing to migrate configs with the containerRuntime block (#1861)

Checksums

SHA256 checksums can be found in the kubeone_1.4.1_checksums.txt file.

v1.4.0

16 Feb 11:10
v1.4.0
24a4328

KubeOne v1.4.0

Today, we are pleased to announce that KubeOne 1.4 is now generally available. With this release, we introduce our new KubeOneCluster API version with many new features that simplify configuration management. Additionally, we have added support for Kubernetes 1.23 and Cilium CNI and facilitated CCM/CSI migration, among other features. KubeOne 1.4 also provides alpha-level support for Nutanix.

Major Highlights

We recommend checking out the Upgrading from KubeOne 1.3 to 1.4 tutorial, as well as the changelog, for more information about upgrading and the latest features and improvements.

Attention Needed

  • KubeOne 1.4.0-beta.0 introduces the new KubeOneCluster v1beta2 API
    • The existing KubeOneCluster v1beta1 manifests can be migrated by using the kubeone config migrate command
    • The kubeone config print command now uses the new v1beta2 API
    • The existing KubeOneCluster v1beta1 API is considered deprecated and will be removed in KubeOne 1.6+
    • Highlights:
      • The API group has been changed from kubeone.io to kubeone.k8c.io
      • The AssetConfiguration API has been removed from the v1beta2 API. The AssetConfiguration API can still be used with the v1beta1 API, but we highly recommend migrating away because the v1beta1 API is deprecated
      • The PodPresets feature has been removed from the v1beta2 API because Kubernetes removed support for PodPresets in Kubernetes 1.20
      • Packet (packet) cloud provider has been rebranded to Equinix Metal (equinixmetal). The existing Packet cluster will work with the equinixmetal cloud provider; however, manual migration steps are required if you want to use new Terraform configs for Equinix Metal
      • A new ContainerRuntime API has been added to the v1beta2 API in order to support configuring mirror registries
  • kubeone install and kubeone upgrade commands are considered deprecated in favor of kubeone apply
    • install and upgrade commands will be removed in KubeOne 1.6+
    • We highly encourage switching to kubeone apply. The apply command has the same semantics and works in the same way as install/upgrade, with some additional checks to ensure each requested operation is safe for the cluster
  • Unconditionally deploy AWS, AzureDisk, AzureFile, and vSphere CSI drivers if the Kubernetes version is 1.23 or newer (#1831)
    • Those providers have the CSI migration enabled by default in Kubernetes 1.23, so the CSI driver will be used for all volumes operations
  • Unconditionally deploy DigitalOcean, Hetzner, Nutanix, and OpenStack Cinder CSI drivers (#1831)
    • OpenStack has the CSI migration enabled by default since Kubernetes 1.18, so the CSI driver will be used for all operations
  • CentOS 8 has reached End-Of-Life (EOL) on January 31st, 2022. It will no longer receive any updates (including security updates). Support for CentOS 8 in KubeOne is deprecated and will be removed in a future release. We strongly recommend migrating to another operating system or RHEL/CentOS distribution as soon as possible.

Breaking changes / Action Required

  • The default AMI for CentOS in Terraform configs for AWS has been changed to Rocky Linux. If you use the new Terraform configs with an existing cluster, make sure to bind the AMI as described in the production recommendations document (#1809)
  • The cloud-provider-credentials Secret is removed by KubeOne because KubeOne does not use it any longer. If you have any workloads NOT created by KubeOne that use this Secret, please migrate before upgrading KubeOne. Instead, KubeOne now creates kubeone-machine-controller-credentials and kubeone-ccm-credentials Secrets used by machine-controller and external CCM
  • Support for Amazon EKS-D clusters has been removed starting from this release
  • GCP: Default operating system for control plane instances is now Ubuntu 20.04 (#1576)
    • Make sure to bind control_plane_image_family to the image you're currently using or Terraform might recreate all your control plane instances
  • Azure: Default VM type is changed to Standard_F2 (#1528)
    • Make sure to bind control_plane_vm_size and worker_vm_size to the VM size you're currently using or Terraform might recreate all your instances

Known Issues

  • It's not possible to run kube-proxy in IPVS mode on Kubernetes 1.23 clusters using Canal/Calico CNI. Trying to upgrade existing 1.22 clusters using IPVS to 1.23 will result in a validation error from KubeOne

Checksums

SHA256 checksums can be found in the kubeone_1.4.0_checksums.txt file.

v1.4.0-rc.1

11 Feb 19:31
v1.4.0-rc.1
b48a2a8
Pre-release

Attention Needed

  • Unconditionally deploy AWS, AzureDisk, AzureFile, and vSphere CSI drivers if the Kubernetes version is 1.23 or newer (#1831)
    • Those providers have the CSI migration enabled by default in Kubernetes 1.23, so the CSI driver will be used for all volumes operations
  • Unconditionally deploy DigitalOcean, Hetzner, Nutanix, and OpenStack Cinder CSI drivers (#1831)
    • OpenStack has the CSI migration enabled by default since Kubernetes 1.18, so the CSI driver will be used for all operations
  • [BREAKING] The default AMI for CentOS in Terraform configs for AWS has been changed to Rocky Linux. If you use the new Terraform configs with an existing cluster, make sure to bind the AMI as described in the production recommendations document (#1809)

Added

  • Include darwin/arm64 and linux/arm64 builds in release artifacts (#1821)
  • Allow providing operating system via the API (#1809)

Changed

General

  • Increase the minimum Kubernetes version to 1.20 (#1818)
  • Validate the Kubernetes version against supported versions constraints (#1808)
  • Allow Docker as a container runtime up to Kubernetes v1.24 (previously up to v1.22) (#1826)
  • Unconditionally deploy AWS, AzureDisk, AzureFile, and vSphere CSI drivers if the Kubernetes version is 1.23 or newer (#1831)
    • Those providers have the CSI migration enabled by default in Kubernetes 1.23, so the CSI driver will be used for all volumes operations
  • Unconditionally deploy DigitalOcean, Hetzner, Nutanix, and OpenStack Cinder CSI drivers (#1831)
    • OpenStack has the CSI migration enabled by default since Kubernetes 1.18, so the CSI driver will be used for all operations

Fixed

  • Restore missing addons deploy after containerd migration (#1824)
  • Select correct CSR to approve (#1813)

Terraform Configs

  • [BREAKING] The default AMI for CentOS in Terraform configs for AWS has been changed to Rocky Linux. If you use the new Terraform configs with an existing cluster, make sure to bind the AMI as described in the production recommendations document (#1809)
  • Add the control_plane_vm_count variable to the AWS configs used to control the number of control plane nodes (defaults to 3) (#1810)
  • Update the Terraform provider for OpenStack to version 1.47.0 (#1816)
  • Set Ubuntu 20.04 as the default image for OpenStack (#1816)
  • Add example Terraform configs for Flatcar on vSphere (#1838)

Updated

  • Update DigitalOcean CSI to v4.0.0 (#1820)
  • Update machine-controller to v1.43.0 (#1834)

Checksums

SHA256 checksums can be found in the kubeone_1.4.0-rc.1_checksums.txt file.