This release updates Kubernetes to v1.23.17, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.23.16+k3s1:
- Add jitter to scheduled snapshots and retry harder on conflicts (#6784)
- Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list.
- Bugfix: do not break cert-manager when pprof is enabled (#6839)
- Fix cronjob example (#6866)
- Consolidate E2E tests (#6889)
- Bump vagrant boxes to fedora37 (#6910)
- Ignore value conflicts when reencrypting secrets (#6917)
- Use default address family when adding kubernetes service address to SAN list (#6906)
- The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family.
- Allow ServiceLB to honor
ExternalTrafficPolicy=Local(#6909)- ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members.
- Fix issue with servicelb startup failure when validating webhooks block creation (#6921)
- The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use.
- Backport user-provided CA cert and
kubeadmbootstrap token support (#6931)- K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at contrib/util/certs.sh.
- K3s now supports
kubeadmstyle join tokens.k3s token createnow creates join token secrets, optionally with a limited TTL. - K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster.
- Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent (#6938)
- Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode.
- Allow for multiple sets of leader-elected controllers (#6943)
- Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes
- Fix etcd and ca-cert rotate issues (#6956)
- Update flannel to v0.21.1 (#6964)
- Fix ServiceLB dual-stack ingress IP listing (#6989)
- Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation.
- Bump kine to v0.9.9 or newer (#6991)
- The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at
infolevel for increased visibility.
- The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at
- Update to v1.23.17-k3s1 (#7005)
Embedded Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.23.17 |
| Kine | v0.9.9 |
| SQLite | 3.39.2 |
| Etcd | v3.5.4-k3s1 |
| Containerd | v1.5.16-k3s2-1-22 |
| Runc | v1.1.4 |
| Flannel | v0.21.1-k3s1.23 |
| Metrics-server | v0.6.2 |
| Traefik | v2.9.4 |
| CoreDNS | v1.9.4 |
| Helm-controller | v0.13.1 |
| Local-path-provisioner | v0.0.23 |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started or to dive deep into K3s.
- Read how you can contribute here