Release notes for kops 1.19 series
(The kops 1.19 release has not been released yet; this is a document to gather the notes prior to the release).
Significant changes
Changes to kubernetes config export
Kops will no longer automatically export the kubernetes config on kops update cluster. In order to export the config on cluster update, you need to add either the --user <user> flag to reference an existing user, or the --admin flag to export the cluster admin user. If neither flag is passed, the kubernetes config will not be modified. This makes it easier to reuse user definitions across clusters should you, for example, use OIDC for authentication.
Similarly, kops export kubecfg will also require passing either the --admin or --user flag if the context does not already exist.
By default, the credentials of any exported admin user now have a lifetime of 18 hours. The lifetime of the exported credentials may be specified as a value of the --admin flag. To get the previous behavior, specify --admin=87600h to either kops update cluster or kops export kubecfg.
kops create cluster --yes exports the admin user along with the rest of the cluster config, as was the previous behaviour (except for the 18-hour validity).
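To check which kubeconfig files still carry credentials issued under the old long lifetime, the following added example (not part of kops or of these notes) reports every embedded client certificate that remains valid beyond a limit. It assumes the credentials are stored inline as base64 PEM under client-certificate-data; the function names and the sample certificate subject are constructed for illustration.

```shell
#!/bin/sh
# Added example (not kops code). Assumes the kubeconfig stores the client
# certificate inline as base64 PEM under "client-certificate-data".

# audit_kubecfg FILE [MAX_HOURS]
# Prints one line per embedded client certificate and returns 1 if any of
# them is still valid MAX_HOURS from now (default 18, the new kops default).
audit_kubecfg() {
  file=$1; max_hours=${2:-18}; rc=0
  for b64 in $(awk '$1 == "client-certificate-data:" {print $2}' "$file"); do
    pem=$(printf '%s' "$b64" | openssl base64 -d -A 2>/dev/null) || continue
    # Skip entries that do not decode to a parseable certificate.
    printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1 || continue
    # -checkend N exits 0 when the certificate is still valid in N seconds.
    if printf '%s\n' "$pem" |
        openssl x509 -noout -checkend $((max_hours * 3600)) >/dev/null; then
      verdict=LONG-LIVED; rc=1
    else
      verdict=ok
    fi
    printf '%s %s %s\n' "$verdict" \
      "$(printf '%s\n' "$pem" | openssl x509 -noout -enddate)" \
      "$(printf '%s\n' "$pem" | openssl x509 -noout -subject)"
  done
  return "$rc"
}

# Constructed sample input: make_sample_kubecfg FILE DAYS writes a minimal
# kubeconfig whose user holds a throwaway self-signed cert valid for DAYS days.
make_sample_kubecfg() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
    -subj "/O=system:masters/CN=constructed-admin" \
    -keyout "$tmp/key.pem" -out "$tmp/crt.pem" 2>/dev/null
  printf 'users:\n- name: constructed\n  user:\n    client-certificate-data: %s\n' \
    "$(openssl base64 -A -in "$tmp/crt.pem")" > "$1"
  rm -rf "$tmp"
}

# Usage: sh audit.sh ~/.kube/config 18
if [ "$#" -ge 1 ]; then audit_kubecfg "$@"; fi
```

The check measures remaining validity, so a certificate exported with --admin=87600h is reported as LONG-LIVED until shortly before it expires, while a freshly exported default credential reports ok.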
OpenStack Cinder plugin
Kops will install the Cinder plugin for kops clusters running kubernetes 1.16 or newer. If you already have this plugin installed, you should remove it before upgrading.
If you already have a default StorageClass, you should set cloudConfig.Openstack.BlockStorage.CreateStorageClass: false to prevent kops from installing one.
Other significant changes
- New clusters will now have one nodes group per zone. The number of nodes now defaults to the number of zones.
- On AWS, kops now defaults to using launch templates instead of launch configurations.
- Clusters using the Amazon VPC CNI provider now perform an ec2.DescribeInstanceTypes call at instance launch time. In large clusters or AWS accounts this may lead to API throttling which could delay node readiness. If this becomes a problem please open a GitHub issue.
- There is now Alpha support for Hashicorp Vault as a store for secrets and keys. See the Vault state store docs.
- New clusters running Cilium now enable BPF NodePort by default if the Kubernetes version is 1.12 or newer.
- The kops update cluster command will now refuse to run on a cluster that has been updated by a newer version of kops unless it is given the --allow-kops-downgrade flag.
- The lifetimes of certificates used by various components have been substantially reduced. The certificates on a node will expire sometime between 455 and 485 days after the node's creation. The expiration times vary randomly so that nodes are likely to have their certs expire at different times than other nodes.
Breaking changes
- Support for Kubernetes 1.9 and 1.10 has been removed.
- Support for the Romana networking provider has been removed.
- Support for legacy IAM permissions has been removed. This removal may be temporarily deferred to kops 1.20 by setting the LegacyIAM feature flag.
Required Actions
- See the note about the OpenStack Cinder plugin above.
Deprecations
- Support for Kubernetes versions 1.11 and 1.12 is deprecated and will be removed in kops 1.20.
1.19.0-alpha.2 to 1.19.0-alpha.3
- Update Calico to v3.15.1 for k8s 1.16+ @hakman #9656
- Release notes for 1.19.0-alpha.2 @justinsb #9658
- Use BAZEL_OPTIONS for bazel build @srikiz #9651
- Document new release process for kops 1.19 and on @justinsb,@rifelpet #9660
- Prefer nodes with "master" role for Canal Typha pods @hakman #9663
- Refactor networking assets finder @hakman #9665
- Release notes for 1.18.0 @justinsb #9668
- Update releases.md and alpha channel for 1.18.0 release @johngmyers #9669
- Refactor openstackCloud to be mockable, add a MockCloud @rifelpet #9645
- GCE: Fix spurious comparison failures on address & InstanceTemplate @justinsb #9671
- Upgrade cluster-proportional-autoscaler to multi-arch image @johngmyers #9674
- Move cluster-proportional-autoscaler to worker nodes @hakman #9676
- When channel is unavailable, don't try to validate things from it @olemarkus #9559
- Determine fixedip during nodeup directly @olemarkus #9560
- Remove embedded structs from spotinst terraform types @rifelpet #9682
- Spotinst: Change ScaleDown.MaxPercentage from int to float64 @liranp #9683
- Update protobuf to v1.4.2 @hakman #9686
- Add missing locking in MockEC2 @johngmyers #9677
- Openstack - Don't panic if the dns zone is not found @rifelpet #9690
- Add an initial structure for openstack cloudmock @rifelpet #9691
- Spotinst: Upgrade the Spot Cluster Controller to version 1.0.63 @liranp #9696
- Add markdown code block to bug report GH issue template @rifelpet #9697
- Spotinst: Selecting a default Instance Group in Spot Ocean should be optional @liranp #9699
- [Digital Ocean] Upload binaries to DO Spaces @srikiz #9672
- Adds support for using OS application credentials @olemarkus #9702
- Allow configurable backend modes for aws-iam-authenticator @WarpRat #9500
- Add support for cilium on openstack @olemarkus #9703
- Update Go to v1.15rc2 @hakman #9709
- Update k8s dependencies to v1.18.6 @hakman #9711
- Fix bazel darwin hash for Go 15rc2 @hakman #9714
- Make it possible to change subnet dns servers @olemarkus #9715
- Update example for Resources Reservation @hakman #9708
- Improve the error logged when multiple DNS Zones match the provided name @rifelpet #9717
- Default kubelet authorization-mode to Webhook for k8s 1.19+ @johngmyers #9718
- Respect Topology when assigning floating ips or not @olemarkus #9701
- Capture logs from a kops cluster @justinsb,@rifelpet #8577
- Update docs for Amazon Linux 2 @hakman #9720
- Update SECURITY_CONTACTS @johngmyers #9627
- Remove amd64 TravisCI jobs @rifelpet #9005
- Implement Openstack cloudmock, add integration test @rifelpet #9722
- Add cinder plugin @olemarkus #9700
- Add windows job to GH workflows @hakman #9721
- Add instance-selector cmd to toolbox @bwagner5 #9478
- Upgrade CI jobs to go 1.15.0 @rifelpet #9733
- Upgrade AWS VPC CNI provider to 1.6.4 @rifelpet #9734
- Update Go to v1.15.0 for Bazel @hakman #9735
- Add missing cli options for kube-controller-manager and kube-scheduler @Evalle #9726
- Fix test-windows target @hakman #9738
- Add an integration test for openstack floating ip @olemarkus #9739
- Fix update and verify goimports @hakman #9740
- Upgrade to Terraform 0.13.0 @rifelpet #9742
- Update cluster-proportional-autoscaler to v1.8.3 @hakman #9744
- Update link names for releases @hakman #9743
- Update images docs @hakman #9736
- Remove unused Tags and FSRoot from NodeUp @hakman #9737
- Spotinst: Support for Instance Types in Ocean Launch Spec @liranp #9746
- Update alpha channel with August releases @MoShitrit #9748
- Update shared-VPC documentation @johngmyers #9719
- Support for using hostPort when using kube-router @andsens #9689
- Move kubernetes 1.18 from alpha to stable @mariusv #9754
- Add the client cert / ACM cert known issue to the 1.18 release notes @rifelpet #9758
- Remove unused tags functionality @johngmyers #9759
- Default kubelet authenticationTokenWebhook to true for k8s 1.19+ @johngmyers #9757
- Reduce the lifetime of exported kubecfg credentials @johngmyers #9593
- Add ARM64 support for masters @hakman #9566
- Clear KOPS_FEATURE_FLAGS in update-expected.sh @justinsb #9764
- Bootstrap worker nodes using kops-controller @johngmyers #9653
- Upgrade to klog v2 @rifelpet #9765
- Issue more certs out of kops-controller @johngmyers #9771
- Fix backwards compatibility when backend mode isn't set @WarpRat #9755
- Update more klog v1 references to v2 @rifelpet #9772
- Document Docker iptables settings @hakman #9760
- Use /etc/os-release to identify the distribution @hakman #9766
- Issue the cilium etcd client cert out of kops-controller @johngmyers #9776
- Only add OS variables if they are needed @olemarkus #9778
- Add support for containerd v1.4.0 @hakman #9777
- Don't give access to calico-client key when not needed @johngmyers #9779
- Squash patch versions of old release notes @hakman #9770
- Enhancement in Ubuntu or debian apt-get and CI issue fix @Rajpratik71 #8687
- feat(openstack): propagate cloud labels to machines @mitch000001 #9211
- Add release note about cert expiration @johngmyers #9781
- Put userid in kubecfg cert CommonName @johngmyers #9780
- Adding support for permission boundaries for AWS IAM Roles @victorfrancax1 #9773
- Update Weave Net to v2.7.0 @hakman #9783
- Upgrade AWS VPC CNI to 1.7.0 @MoShitrit #9786
- Unset more env vars in update-expected.sh @rifelpet #9789
- Ignore the disableTxChecksumOffloading flag for Flannel and Canal @hakman #9782
- Add flag for root volume encryption @hakman #9793
- Don't use nova for glance mocks @olemarkus #9792
- Fix feature flag typo in release notes @rifelpet #9796
- De-emphasize bootstrap tokens and document node authorization as depr… @johngmyers #9791
- Update the openstack getting started docs @olemarkus #9797
- Mock create server should associate with mock ports @olemarkus #9798
- Upgrade gophercloud to v1.11.0 @olemarkus #9800
- Update validation for Calico to assume etcd3 as default @hakman #9803
- Update API slice fields to not use pointers @rifelpet #9802
- Bump stable versions from alpha @MoShitrit #9804
- Release 1.19.0-alpha.3 @hakman #9801