Changelog since v1.29
Components that will be restarted during the update
- Grafana/Prometheus
- cert-manager
- control-plane-manager
- ingress-nginx (versions 0.33+)
- metallb
- user-auth (Dex authenticators)
Significant Changes
- Kubernetes 1.22 support;
- Ingress nginx controller version 1.0;
- Disable legacy cert-manager for Kubernetes >= 1.22;
- Added alerts to track certificates expiration and cert-exporter health;
- Update local-path-provisioner to protect PVs to be reused in case of unmounted storage;
- Update oauth2-proxy to the latest version 7.2.0;
- namespace-configurator: the new module that allows assigning annotations and labels to namespaces automatically.
Other changes
[bashible]
- features
- Docker face slapper (pods stuck in terminating)
  - NOTE! New step added
- Log rotation changed from 10 Mi / 10 files to 50 Mi / 4 files.
  - NOTE! kubelet will restart; neither docker nor containerd will restart. The change affects only containerd CRI.
- fixes
- Fix removal of docker
- Fixed notManaged mode for CRI.
[bashible-apiserver]
- fixes
- Fix do not render bashible bundle in static clusters.
[cert-manager]
- features
- Actualize annotation to delete in the orphan secrets alert description
- Support k8s v1.22 mutating admission for annotations-converter webhook
- fixes
- Disable legacy cert-manager for >= 1.22 kubernetes
  - NOTE! Legacy cert-manager resources (certmanager.k8s.io) will not be supported in 1.22+ clusters
[chrony]
- features
- Disable ntp on nodes by custom bashible step.
- fixes
- Bashible step fix — missed openntpd.service and time-sync.target in list.
- Add VPA label workload-resource-policy to make it take part in resources requests calculations.
[cloud-provider-vsphere]
- fixes
- Install latest version of open-vm-tools
[cluster-and-infrastructure]
- features
- Add Kubernetes 1.22 support.
  - NOTE! Numerous deckhouse components would be restarted due to the upgrade of kube-rbac-proxy.
[control-plane-manager]
- features
- Add basic audit-policy.
  - NOTE! Due to the new basic audit-policy, the api-server component will be restarted.
[deckhouse]
- features
- Check requirements before applying a DeckhouseRelease
- Different severity level based on pending DeckhouseReleases count
- Add alert if deckhouse config is broken
- Add canary deckhouse release update
- fixes
- Fix requirements check semver lib
- The start and end times of the update window must belong to the same day.
- Use scrape interval x2 instead of hardcoded value for invalid config values alerting
[dhctl]
- fixes
- Check deckhouse pod readiness before get logs. It fixes static cluster bootstrap.
- All master nodes will have control-plane role in new clusters.
[docs]
- fixes
- Fix instructions for switching registry and image copier
- Add the 'experimental' warning to namespace-configurator module documentation pages.
- Fix examples in ClusterLoggingConfig and PodLoggingConfig CR. Fix CR generator.
[extended-monitoring]
- features
- Add cert-exporter alerts
  - NOTE! Added alerts to track certificates expiration and cert-exporter health
- Add cert-exporter
  - NOTE! Added cert-exporter to track certificates expiration
- fixes
- CronJobFailed alert bugfix.
[flant-integration]
- features
- Add madison-proxy notification channel to send alert from grafana to madison via proxy and show them in Polk
  - NOTE! Add rewrite rule to madison-proxy from /api/v1/alerts url to madison url, because grafana always sends notifications to this URL.
- fixes
- Remove "kubeall.team" field from the deckhouse ConfigMap.
- Remove the plan parameter from the OpenAPI specification
- Implement proper HA remote-write and reduce outgoing traffic amount.
[global]
- features
- All master nodes will have control-plane role in new exist clusters.
  - NOTE! Add migration for adding role. Bashible steps will be rerun on master nodes.
- Update Kubernetes patch versions.
- fixes
- Fix parsing deckhouse images repo if there is the sha256 sum in the image name
- Fix serialization of empty strings in secrets
[helm]
- fixes
- Provide an actual description for deprecated resources API versions alerts.
- Add deprecation guide link to deprecated resources alerts.
[ingress-nginx]
- features
- Add an example of using the LoadBalancer inlet with MetalLB.
- Add ingress-nginx controller version 1.0
- fixes
- Added "pcre_jit on" to nginx.tmpl for controller-0.46 and above
  - NOTE! Ingress Controller >= 0.46 will be restarted
- Set proper version for new ingress-nginx controller 1.0 (drop the patch version).
- Always return auth request cookies (only for controllers >= 0.33)
  - NOTE! Ingress Nginx controllers >=0.33 pods will be restarted
[istio]
- features
- alliance.ingressGateway.nodePort.port option to set a static port for NodePort-type ingressgateway Service.
- fixes
- Correct decision to deploy ingressgateway for multiclusters.
- globalVersion option clarification in documentation.
[local-path-provisioner]
- features
- Added reclaimPolicy selector, set default reclaimPolicy to Retain
- fixes
- Update local-path-provisioner v0.0.21, include fix
  - NOTE! Protect PVs to be reused in case of unmounted storage.
[log-shipper]
- fixes
- Add VPA label workload-resource-policy to make it take part in resources requests calculations.
[monitoring-kubernetes]
- features
- Added ebpf-exporter
  - NOTE! ebpf-exporter that monitors global and per-cgroup OOMs. With recording rules and dashboard.
- fixes
- Filter VPA by actual controllers to calculate VPA coverage
- Fixed node-exporter apparmor profile.
[namespace-configurator]
- features
- New namespace-configurator module
  - NOTE! namespace-configurator module allows assigning annotations and labels to namespaces automatically
[node-manager]
- features
- Added Early OOM killer
  - NOTE! Primitive early OOM that prevents nodes from getting stuck in out-of-memory conditions. Triggers when MemAvailable becomes less than 500 MiB.
- fixes
- Fix Static node template annotations updating
[okmeter]
- features
- The Okmeter agent image will be checked periodically by tag, and its sha256 hash is used to pin the image for the agent.
- fixes
- Bump oksupervisor version to fix updating problems
[prometheus]
- features
- Provisioning alerts channels from CRDs to grafana via new secret. Migrate to direct datasources.
  - NOTE! Grafana will be restarted.
    Grafana now uses the direct (proxy) type for deckhouse datasources (main, longterm, uncached), because the direct (browse) datasources type is deprecated now. And alerts don't work with direct data sources.
    Datasources are provisioned from a secret instead of a configmap. Deckhouse datasources need client certificates to connect to prometheus or trickster. The old configmap is left in place to prevent a mount error while terminating.
- fixes
- Make Grafana home dashboard queries to only show the top-used versions
[prometheus-crd]
- features
- Add GrafanaAlertsChannel CRD.
  - NOTE! Support only prometheus alert manager notification channel
[registry-packages]
- fixes
- Fixed build of containerd-fe registry package.
[upmeter]
- fixes
- Assigned limited access rights to the agent serviceaccount
[user-authn]
- features
- Validation webhook for preventing duplicate DexAuthenticators from being created.
- Update oauth2-proxy to the latest version (7.2.0)
  - NOTE! Dex Authenticators will be restarted
- fixes
- Ignore updating an existing DexAuthenticator
- Delete publish API secrets with not matching names to avoid the orphaned secrets alerts
[user-authz]
- fixes
- Allow empty group and apiVersion requests in user-authz webhook
Changelog since v1.30.0
[bashible]
- features
- Log rotation changed from 10 Mi / 10 files to 50 Mi / 4 files.
  - NOTE! kubelet will restart; neither docker nor containerd will restart. The change affects only containerd CRI.
[documentation]
- fixes
- Add the 'experimental' warning to namespace-configurator module documentation pages.
- Fix examples in ClusterLoggingConfig and PodLoggingConfig CR. Fix CR generator.
[flant-integration]
- fixes
- Remove "kubeall.team" field from the deckhouse ConfigMap.
[helm]
- fixes
- Add deprecation guide link to deprecated resources alerts.
[registry-packages]
- fixes
- Fixed build of containerd-fe registry package.