github kubernetes-sigs/kubespray v2.31.0

14 hours ago

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Action required
    Make kubernetes v1.35 default. cgroup V1 is no longer supported upstream by default, and must be enabled with kubelet_fail_cgroup_v1: false. (#12812, @mzaian)
  • Action required
    Support for ingress-nginx ingress controller is removed, as the project has been retired by upstream (#12767, @jmeza-xyz)
  • Action required
    The Kubernetes Dashboard addon has been removed from Kubespray because the upstream project is being archived and is no longer maintained. The configuration dashboard_enabled: true is no longer supported. (#12858, @neo502721)
  • Adds automated validation role to detect removed variables at playbook start. Playbooks will abort on removed vars. Users must migrate away from the listed removed variables to avoid playbook failures. (#12942, @Srishti-j18)
  • Replace ssh_bastion_confing__name with ssh_bastion_config_name (#13046, @scolley31)

Changes by Kind

Feature

  • A new configuration option kubelet_static_pod_path has been added, which can be used to configure the path of static pod manifests, or to disable the staticPodPath setting in kubelet by setting it to empty (STIG recommendation for worker nodes) (#12433, @shaleenbathla)
  • Add Structured AuthenticationConfiguration config file support for kube-apiserver (#13035, @chadswen)
  • Add support for kube-vip BGP source selection in Kubespray by exposing kube_vip_bgp_sourceip and kube_vip_bgp_sourceif (mutually exclusive). (#13044, @Kirillov-AN)
  • Bump CNI plugins to v1.9.1. (#13198, @karimzakzouk)
  • Bump Flannel to v0.28.4. (#13199, @karimzakzouk)
  • Bump Prometheus Operator CRD to 0.88.1 (#12968, @hcc429)
  • Bump containerd default version to 2.2.3. (#13174, @yankay)
  • Cilium template apiVersion upgrade to v2 (#13095, @guoard)
  • Coredns service name can now be customized with coredns_svc_name (#12951, @VannTen)
  • Enable create_namespace option for custom_cni with helm (#13061, @guoard)
  • Increase fs.inotify.max_user_instances to 8192 by default (#13075, @rptaylor)
  • Increased StartLimitBurst to 10 for docker service to prevent cri-dockerd restart throttling (#13005, @Tushar240503)
  • Make kubernetes v1.35.4 default. (#13193, @mzaian)
  • Support for Fedora 41 (#12138, @tico88612)
  • Support for Fedora 42 (#12989, @labaq)
  • Update etcd to 3.6.8
    Upgrade note: You need to update etcd to >=3.5.26 (Kubespray 2.30.0) before upgrading existing cluster (#12634, @tmurakam)
  • Updated the default Calico version to v3.31.5. (#13196, @Srishti-j18)
  • Upgrade Dockerfile base image from Ubuntu 22.04 to 24.04 (#12935, @guoard)
  • Upgrade OpenStack Cloud Controller Manager to v1.35.0 (#12972, @shuan1026)
  • Upgrade ansible from 10.7.0 to 11.13.0 (#12903, @guoard)
  • Upgrade metrics-server to v0.8.1 (#13189, @mzaian)
  • Use kubeadm:cluster-admins group for admin kubeconfig generation. (#12998, @Srishti-j18)
  • [etcd] Default version to 3.6.10 for Kubernetes 1.35. (#13190, @mzaian)
  • [runc] Default version to 1.4.2. (#13192, @mzaian)

Design

  • Container engines are now included rather than imported, to avoid lots of always skipped tasks during playbook execution (#12946, @Tushar240503)
  • Network plugins are now included rather than imported, to avoid lots of always skipped tasks during playbook execution (#12933, @Tushar240503)

Documentation

Bug or Regression

  • Add service RBAC for Calico Kubernetes datastore so Calico can monitor LoadBalancer IP allocation (#12928, @mickenordin)
  • Calico KDD CRDs are now downloaded from https://github.com/projectcalico/calico/blob/master/manifests/crds.yaml instead of the Calico tarball. (#12985, @Srishti-j18)
  • Enable metalink for openEuler repos to auto-select fastest mirror, fixing slow package installs outside China (#13094, @yankay)
  • Fix OCI CCM deployment failure caused by incorrect template filename in lookup (#13151, @amoghazy)
  • Fix broken NO_PROXY variable (#12981, @VannTen)
  • Fix calico missing RBAC permissions for kube-controller-manager to access tiers in manifest installs, which was preventing proper resource garbage collection. (#13100, @guoard)
  • Fix calico missing staged policy permissions for api server (#13101, @guoard)
  • Fix cilium_enable_prometheus variable having no effect by wiring it to the Helm values template. (#13142, @yankay)
  • Fix crash when CiliumBGPAdvertisement is defined without a labels key. (#13149, @karimzakzouk)
  • Fix drain tasks failing with UNREACHABLE when drain_timeout exceeds the Ansible SSH connection timeout by using async/poll. (#13081, @0xMH)
  • Fix terraform openstack compute image_id and update openstack_blockstorage_volume_v3 (#12910, @HauptJ)
  • Fixed Gateway API v1.4.1 unexpected checksum change and added a test (#13006, @labaq)
  • Fixed openeuler metalink 24.03LTS wrong url (#13144, @tico88612)
  • Improved validation for kube_version in validate_inventory role. Users will now receive a clear error message if a specified version is missing from the checksums dictionary, preventing cryptic "AnsibleUndefined" errors during the download phase. (#13071, @jannickk)
  • Introduce a timeout of 5 minutes on package installation, customizable using pkg_install_timeout (#12878, @VannTen)
  • Kubeadm patches not present in the kubeadm_patches variable are now removed from the managed nodes automatically (#13019, @VannTen)
  • Make etcd node removal idempotent (#12949, @VannTen)
  • Skip package management when there are no packages to install or remove (#13015, @VannTen)
  • Update volumesnapshotclass to v1 (#12775, @viktor-f)

Other (Cleanup or Flake)

  • Kubeadm config templates are now v1beta4 only; v1beta3 support has been removed. (#13027, @Srishti-j18)
  • Local kubeconfig is now copied from /etc/kubernetes/admin.conf when available. (#12997, @Srishti-j18)
  • Nifcloud terraform provider support is removed, as the provider is no longer available. (#12936, @VannTen)
  • Remove unused cilium_enable_bpf_clock_probe variable. We can use cilium_extra_values to set it if required (#13050, @shaleenbathla)
  • Removed netchecker support (#13058, @VannTen)
  • The internal kube-config used by control plane components on control plane nodes now points to the local apiserver (default kubeadm behavior)
    This fixes the incorrect version skew between control plane components and apiserver during upgrade (#12870, @VannTen)

Component versions

  • kubernetes 1.35.4
  • etcd 3.6.10
  • docker 28.3
  • containerd 2.2.3
  • cri-o 1.35.0
  • runc 1.4.2
  • cni-plugins 1.9.1
  • calico 3.31.5
  • cilium 1.19.3
  • flannel 0.28.4
  • kube-ovn 1.12.21
  • kube-router 2.1.1
  • multus 4.2.2
  • kube-vip 1.0.3
  • cert-manager 1.15.3
  • coredns (derived from kube_major_version)
  • argocd 2.14.21
  • helm 3.18.4
  • metallb 0.13.9
  • registry 2.8.1
  • nerdctl 2.2.2
  • metrics-server 0.8.1
  • kata-containers 3.7.0
  • aws-ebs-csi-plugin 0.5.0
  • azure-csi-plugin 1.10.0
  • cinder-csi-plugin 1.30.0
  • gcp-pd-csi-plugin 1.9.2
  • local-path-provisioner 0.0.32
  • local-volume-provisioner 2.5.0
  • node-feature-discovery 0.16.4

New Contributors

Welcome and thank you to all the first-time contributors to Kubespray!

@0xMH @amoghazy @botszhuang @celestina-amadi-moniepoint @HauptJ @hcc429 @jannickk @karimzakzouk @Kirillov-AN @labaq @neo502721 @PangQingcheng @Rayui1225 @scolley31 @shuan1026 @sirzzang @Srishti-j18 @thc1006 @tim80411 @Tushar240503 @uchiha-vivek @voidquark @yangminglintw @Zeratyl06

All Contributors

Thank you to everyone who contributed to this release!

@0xMH @amoghazy @bbaassssiiee @botszhuang @celestina-amadi-moniepoint @chadswen @cyclinder @ErikJiang @eshutov @guoard @HauptJ @hcc429 @jannickk @jmeza-xyz @karimzakzouk @Kirillov-AN @labaq @liggitt @mickenordin @mzaian @neo502721 @PangQingcheng @Rayui1225 @rptaylor @scolley31 @shaleenbathla @shuan1026 @sirzzang @Srishti-j18 @thc1006 @tico88612 @tim80411 @tmurakam @Tushar240503 @uchiha-vivek @VannTen @viktor-f @voidquark @yangminglintw @yankay @Zeratyl06
