Featured in this release
Dual stack support and CIDR configuration made easy
In the past, community members provided instructions on how to configure dual-stack in MicroK8s clusters. From this release onwards, dual-stack, along with the respective CIDR configuration, can be easily set up with launch configurations, even at install time.
You can read more on dual stack over at:
Improve security and CIS compliance
Full CIS compliance can be achieved with a single call: microk8s enable cis-hardening. For auditors and those interested in what each CIS recommendation is about, we have assembled a detailed list of each recommendation and how we comply with it. Some of the CIS hardening suggestions have been adopted as default setup options in MicroK8s; for example, the authentication of users is now done via x509 certificates instead of tokens.
For the work on this feature you can read:
Ceph and MicroK8s
Try microk8s enable rook-ceph to get the Rook Ceph operator on your cluster. We found that pairing MicroCeph, the low ops Ceph distribution, with MicroK8s produces a great setup in terms of feature richness, stability and effectiveness. In our docs we have a guide showing how to test-drive this combination on a single node cluster.
Read more at:
- https://microk8s.io/docs/how-to-ceph
- https://canonical-microceph.readthedocs-hosted.com/en/latest/
- https://rook.io/
New partner joining our addons ecosystem
Two addons joined our ecosystem:
- KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior (such as process execution, file access, and networking operations) of pods, containers, and nodes at the system level.
- MICROCKS is a CNCF project designed to simplify and streamline API mocking and testing, with support for many different types of API and integrations for GitHub, Gitlab, Jenkins and more.
Detailed list of updates since last release
Kubernetes core services
- Kubernetes v1.28
- Calico CNI updated to v3.25.1
Usability Improvements
- microk8s status will return an error code in case the cluster is not yet ready.
- microk8s join no longer fails if nodes cannot resolve each other’s hostnames. This limitation has been lifted by updating the default arguments of kube-apiserver.
- fixes iptables rule with custom CIDR, thanks @Dunge
- Certificate based authentication replaces token auth
- kubelet certificate authority set to the cluster CA by default
- RBAC rules for kubelet webhook auth-mode loaded by default
- EventRateLimit is enabled by default
- Kubelet now does not serialize image pulls by default, which should result in faster image pulls (thanks @ghboutry)
- Attempt to increase inotify and async IO limits if found too low
Addon updates
- New addon: kubearmor, thanks to @nyrahul and @webdevgopi
- New addon: microcks, thank you @yada
- Update ArgoCD to v2.7.2 and add support for ARM64, thank you @alirezaghey
- Coredns updated to v1.10.1
- cilium updated to 1.13.4 now supporting multi-node clusters
- gopaddle updated to v4.2.9, added support for ARM64, renamed to gopaddle from gopaddle-lite, thank you @Gayathri-Bluemeric
- Metrics server updated to v0.6.3
- Ingress updated to v1.8.0
- linkerd updated to v2.13.5, thank you @balchua
- keda updated to v2.11.1, thank you @balchua
- kata addon expects to find a runtime and does not use the kata-runtime snap anymore
- trivy addon updated to v0.15.1
- Metallb updated to v0.13.10, thank you @jadams
- Istio updated to v1.18.2, thank you @aalonsolopez