kubernetes-sigs/kubespray v2.29.0

on GitHub

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Action required
  /etc/hosts/ is no longer populated with all cluster nodes (#12382, @VannTen)
• Action required
  Add support for coredns_affinity to change affinity of coredns deployments, defaulting to the upstream coredns deployment's one.
  The coredns deployment's node affinity has been removed, so the coredns pods will no longer be scheduled into control-planes by default. (#11994, @HoKim98)
• Action required
  Remove support for weave network plugin (#12230, @anshuman-agarwala)
• Action required
  The tag 'master' is removed, replaced by the tag 'control-plane' (#12228, @VannTen)
• Action required
  conntrack_modules is removed; the list of conntrack modules to try to load is instead hardcoded, since there is no reason to have any other values. (#12475, @VannTen)
• Action required
  drop support for cri-o on ubuntu20. (#12233, @VannTen)

Changes by Kind

Feature

• A new sysctl_ignoreerrors value has been added, it allows to ignore errors about unknown keys that may be raised by sysctl (#12514, @bidorffOL)
• A new configuration option kubelet_static_pod_path has been added which can be used to configure path of static pod manifests OR even to disable staticPodPath setting in kubelet by setting it as empty (STIG recommendation for worker nodes) (#12433, @shaleenbathla)
• Add cilium_install_extra_flags variable (#12262, @tmurakam)
• Add external_openstack_lbaas_member_subnet_id: str (not set by default), to define a specific member-subnet-id for the openstack load balancers (#12267, @voondo)
• Add support for containerd_extra_runtime_args variable to allow injection of additional runtime configuration options into containerd CRI plugin section. (#12247, @Ujstor)
• Add support for kubeadm_image_repo variable to change kubernetes core image repository (e.g. kube-apiserver, kube-proxy). (#12128, @HoKim98)
• Add the possibility to use any values from Cilium Helm Chart (#12375, @cleman95)
• Added Prometheus Operator CRDs installation (#12441, @tico88612)
• Adds support for installing containerd as a static binary.
  Bump containerd to 2.1.3, runc to 1.3.0, nerdctl to 2.1.2 (#12377, @yankay)
• Bump ansible to 10.7.0 (#11924, @tico88612)
• Calico supports nftable mode (#12255, @tico88612)
• Control plane health check retries for apiserver, scheduler, and controller-manager are now configurable via control_plane_health_retries (default: 60). (#12452, @aman4433)
• Feat: Support certificate validity period config in kubeadm v1beta4 (#12272, @ErikJiang)
• Feat: add support for crio additional mounts (#12561, @mahendra77024)
• Introduce crio_runtime_switch boolean to allow users to switch the crio runtime by removing pods and stopping crio and kubelet during upgrade ; otherwise crio has problems when trying to work with pods created with the old runtime. (#12008, @mahendra77024)
• Introduced coredns_replicas to alter coredns deployment replicas when enable_dns_autoscaler is set to false. (#12387, @clwluvw)
• Redeploy coredns and nodelocaldns when their configurations change. (#12401, @atobaum)
• Remove --auth-anonymous if kube_api_anonymous_auth is undefined. (#12353, @psychomantys)
• Support Debian 13 Trixie (#12456, @tico88612)
• Support for custom header configuration in containerd registry mirrors via inventory and role variables. Users can now specify headers (e.g., Authorization) for registry mirrors in hosts.toml. (#12368, @pando85)
• Support kubernetes v1.33.1 (#12199, @tmurakam)
• Update cni-plugin to 1.8.0 (#12551, @tmurakam)
• Update load balancers versions to Nginx 1.28.0, Haproxy 3.1.7 (#12178, @guoard)
• Upgrade external snapshot CRD to v0.15.0 (#12308, @tico88612)
• Upgrade multus cni from 4.1.0 to 4.2.2 (#12495, @ThisIsQasim)
• [calico] Update default calico to v3.30.3 (#12523, @tmurakam)
• [flannel] upgrade to 0.26.7 (#12260, @tico88612)
• [ingress-nginx] upgrade controller to version 1.13.3 (#12604, @mzaian)

Design

• Show node to be upgraded/uncordoned in upgrade/uncordon confirmation prompt when using upgrade_node_confirm or upgrade_node_post_upgrade_confirm (#12399, @MatthiasLohr)

Bug or Regression

• Add argocd_install_checksum: str, to define the checksum of argocd_install_url (#12266, @voondo)
• Add missing addresses in kube-apiserver certificate SAN. (#12413, @hhk7734)
• Bugfix: skip etcd cert extraction if cilium identity uses crd (#12565, @mahendra77024)
• Fix Cilium installation issues (caused by templating syntax errors) when certain non-default features (encryption, etc.) are enabled (#12280, @spantaleev)
• Fix Hubble-Relay peer discovery in clusters using non-default cluster name by properly configuring clusterDomain in Cilium Helm values (#12346, @mertcancam)
• Fix cilium installation role to render cilium_config_extra_vars into helm values (#12335, @atobaum)
• Fix cilium_policy_audit_mode variable (#12569, @guoard)
• Fix error when using kubeadm_ignore_preflight_errors: ['all'] (#12606, @VannTen)
• Fix ingress-nginx DaemonSet and Service templates rendering TCP/UDP ports as strings, which prevented correct export of TCP/UDP services via NGINX ingress controller. (#12442, @MahdadGhasemian)
• Fix invalid PodSecurity admission configuration when kube_pod_security_use_default: false (#12439, @AMacedoP)
• Fix scale.yml problems with cached IP facts (#12243, @fox0430)
• Fix the Cilium cluster, which is upgraded from 2.27 to 2.28 will break
  Fix helm release re-use message when installing repeatedly (#12254, @tico88612)
• Fix the issue of etcd node addition failure caused by incorrect ETCD_INITIAL_CLUSTER configuration. (#12342, @liuxu623)
• Fix(kubeadm): Conditionally add --skip-phases flag for v1.32.0+ (#12351, @ErikJiang)
• Fix: A timeout occurs when running the offline deployment script using Podman. (#11962, @DearJey)
• Fix: When running ./manage-offline-container-images.sh register with using Podman, getting the image_id fails and the script is interrupted. (#11961, @DearJey)
• Fix: kubeadm secondary nodes use file discovery validation failed (#12132, @tico88612)
• Fixed a looping timeout bug when deleting an entire cluster (#12300, @chadswen)
• Fixed cilium_enable_bgp_control_plane config (#12430, @XuhuiSun95)
• Fixed packages installation on Alma/Rocky Linux when behind a proxy (#12264, @root-expert)
• Fixes a syntax error that made the '_bgp_config' an 'AnsibleUnsafeText' instead of a 'dict', which caused the "Calico | Process BGP Configuration" step to fail (#12258, @mathgaming)
• Make APT updates its package cache before dist-upgrade (#12465, @guoard)
• Nodelocaldns capabilities only use NET_ADMIN, not privileged (#12398, @tico88612)
• [reset] When flush_iptables: true, set IPv4/IPv6 default policies (INPUT/FORWARD/OUTPUT) to ACCEPT before flushing and delete user-defined chains to ensure a clean, non-locking reset. (#12552, @sasantk)

Other (Cleanup or Flake)

• Change the EOL Debian backports apt package to archive.debian.org (#12434, @tico88612)
• Dnsmasq directories are no longer cleaned up (#12380, @wangsifei99)
• Fix netcheck etcd image tag align with the etcd current version (#12402, @wangsifei99)
• Remove Ubuntu 20.04 support (#12301, @tico88612)
• When using timer based kubeadm certs renewal, only renew if certificates are near expiration (#12194, @panpan0000)

Components

• kubernetes 1.33.5
• etcd 3.5.22
• docker 28.3
• containerd 2.1.4
• cri-o 1.33.4
• cni-plugins 1.8.0
• calico 3.30.3
• cilium 1.18.2
• flannel 0.27.3
• kube-ovn 1.12.21
• kube-router 2.1.1
• multus 4.2.2
• kube-vip 0.8.0
• cert-manager 1.15.3
• coredns 1.12.0
• ingress-nginx 1.13.3
• argocd 2.14.5
• helm 3.18.4
• metallb 0.13.9
• registry 2.8.1
• aws-ebs-csi-plugin 0.5.0
• azure-csi-plugin 1.10.0
• cinder-csi-plugin 1.30.0
• gcp-pd-csi-plugin 1.9.2
• local-path-provisioner 0.0.32
• local-volume-provisioner 2.5.0
• node-feature-discovery 0.16.4