Azure/AKS 2021-04-05

Release 2021-04-05

on GitHub

This release is rolling out to all regions - ETA for conclusion 2021-04-14 for public cloud.

Announcements

• From April 26th to May 3rd Azure-NPM is upgrading from 1.1.8 to 1.3.1
• Once GA AKS will default to its new GPU specialized image as the supported option for GPU-capable agent nodes.
• Kubernetes version 1.17 has now been deprecated since March 31st.
• Before k8s 1.20 a bug would allow exec probes to run indefinitely, ignoring any timeoutSeconds configuration value. The previous buggy behavior has been fixed, and timeouts are now enforced. Additionally, this change introduces a new default timeout of 1 second. Please audit all your existing exec probes to make sure that it is appropriate to enforce a 1 second timeout. If not, please provide an explicit timeoutSeconds value that is appropriate for each exec probe.
• CSI Drivers will become default for Kubernetes versions 1.21+.
• Previous pod security policy (preview) deprecation was June 30th 2021. To better align with Kubernetes Upstream pod security policy (preview) deprecation will begin with Kubernetes version 1.21, with its removal in version 1.25. As Kubernetes Upstream approaches that milestone, the Kubernetes community will be working to document viable alternatives.
• For all AKS clusters using Kubernetes v1.20+, CoreDNS will be upgraded to version 1.8.3. This will remove resyncperiod and upstreamfrom the Kubernetes plugin.

Release Notes

• Features

  • New Kubernetes patch versions available, v1.18.17, v1.19.9 and v1.20.5.

• Bug Fixes

  • Fixed a bug in runc that caused pods to be stuck in container creation in containerd 1.4.3 and 1.4.4.
  • Fixed a bug in VMAS that accidently enabled VMAS to be scaled down to 0.
  • NPM does not exclude host network Pods from the network policies resulting in blocking of traffic and disruption in system functions such as collection of kubectl logs.
  • NPM now supports Namespace label updates

• Behavioral Changes

  • NPM changed the rule evaluation behavior to (INGRESS and EGRESS). Before this change, NPM would have also allowed traffic if there is a single Allow rule in either ingress (or egress) and Deny rule in egress (or ingress). With this change, NPM evaluates both ingress and egress rules to take a decision on the packet. If there are no rules in EGRESS or INGRESS or both, NPM allows the traffic by default in that direction.
  • Increased nslookup/nc timeout to 10s for Provisioning CSE in nodes.
  • NPM periodic reconciliation of AZURE-NPM base chains every 5 mins.
  • NPM will now maintain a cache of resources it has operated on resulting in reduced churn for duplicate events.
  • NPM re-sync period for shared informer reduced from 24hrs to 15 mins. This helps reduce the possibility of missing resource events (Add, update or Delete)

• Component Updates

  • Removed Cross-namespace owner references in Azure Policy on AKS v1.20+.
  • Updated omsagent to ciprod03262021.
  • Updated Azure Confidential Compute Image to 1.16 with updated webhook and plugin version, to include a liveness probe.
  • Calico will upgrade to 3.18.1 to correct the policy for Tigera operator which requires hostPath. For the base Calico on linux, we will automatically upgrade cluster with Calico 3.17.2. For the Windows node pools, calico will be upgraded to v3.18.1 in any agent pool update/upgrade operations, for example, upgrade the cluster, update the node image, or upgrade the node pool. For detailed updates on Calico, please read more here.
  • AKS Windows image has been updated to 2019-datacenter-core-smalldisk-17763.1817.210330.
  • AKS Ubuntu 16.04 image updated to AKSUbuntu-1604-2021.03.31.
  • AKS Ubuntu 18.04 image updated to AKSUbuntu-1804-2021.03.31.