Release notes for kops 1.19 series
(The kops 1.19 release has not been released yet; this is a document to gather the notes prior to the release).
Significant changes
Changes to kubernetes config export
Kops will no longer automatically export the kubernetes config on kops update cluster. In order to export the config on cluster update, you need to either add the --user <user> flag to reference an existing user, or the --admin flag to export the cluster admin user. If neither flag is passed, the kubernetes config will not be modified. This makes it easier to reuse user definitions across clusters should you, for example, use OIDC for authentication.
Similarly, kops export kubecfg will also require passing either the --admin or --user flag if the context does not already exist.
By default, the credentials of any exported admin user now have a lifetime of 18 hours. The lifetime of the exported credentials may be specified as a value of the --admin flag. To get the previous behavior, specify --admin=87600h to either kops update cluster or kops export kubecfg.
kops create cluster --yes exports the admin user along with the rest of the cluster config, as was the previous behaviour (except for the 18-hour validity).
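To check that an exported kubeconfig respects the 18-hour default described above, the following added example (not part of kops or its documentation) flags users whose embedded client certificate is still valid past a given limit. The function names, the sample-admin user and the self-signed sample certificate are constructed for illustration; it assumes openssl, base64 and awk are installed.

```shell
#!/bin/sh
# Added example, not kops code. Flags kubeconfig users whose embedded client
# certificate is still valid MAX_SECONDS from now (default 64800 s = 18 h).
# It measures remaining validity, and skips certs referenced by file path.

# Print "<user> <base64 PEM>" for every embedded client certificate.
list_client_certs() {
  awk '/^- name:/ { name = $3 }
       /client-certificate-data:/ { print name, $2 }' "$1"
}

# Return 0 when every certificate expires within the limit, 1 otherwise.
audit_kubeconfig() {
  max=${2:-64800}
  findings=$(list_client_certs "$1" | while read -r user cert; do
    pem=$(printf '%s' "$cert" | base64 -d 2>/dev/null) || pem=""
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
      echo "UNPARSEABLE $user"
    # -checkend N exits 0 when the cert is still valid N seconds from now.
    elif printf '%s\n' "$pem" | openssl x509 -noout -checkend "$max" >/dev/null 2>&1; then
      echo "TOO_LONG $user"
    fi
  done)
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample: a kubeconfig with one user holding a self-signed
# certificate that is valid for one day (so it outlives an 18 h limit).
make_sample_kubeconfig() {
  sample_cert=$(openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj "/CN=kubecfg" -days 1 2>/dev/null | base64 | tr -d '\n')
  printf 'apiVersion: v1\nkind: Config\nusers:\n- name: %s\n  user:\n    client-certificate-data: %s\n' \
    "sample-admin" "$sample_cert" > "$1"
}
```

After sourcing the file, audit_kubeconfig ~/.kube/config 64800 exits nonzero and prints the affected users when a credential outlives the limit, for example one exported with --admin=87600h.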
OpenStack Cinder plugin
Kops will install the Cinder plugin for clusters running Kubernetes 1.16 or newer. If you already have this plugin installed, you should remove it before upgrading.
If you already have a default StorageClass, you should set cloudConfig.Openstack.BlockStorage.CreateStorageClass: false to prevent kops from installing one.
Other significant changes
- New clusters will now have one nodes group per zone. The number of nodes now defaults to the number of zones.
- On AWS, kops now defaults to using launch templates instead of launch configurations.
- Clusters using the Amazon VPC CNI provider now perform an ec2.DescribeInstanceTypes call at instance launch time. In large clusters or AWS accounts this may lead to API throttling which could delay node readiness. If this becomes a problem please open a GitHub issue.
- There is now Alpha support for HashiCorp Vault as a store for secrets and keys. See the Vault state store docs.
- New clusters running Cilium now enable BPF NodePort by default if the Kubernetes version is 1.12 or newer.
- The kops update cluster command will now refuse to run on a cluster that has been updated by a newer version of kops unless it is given the --allow-kops-downgrade flag.
- The lifetimes of certificates used by various components have been substantially reduced. The certificates on a node will expire sometime between 455 and 485 days after the node's creation. The expiration times vary randomly so that nodes are likely to have their certs expire at different times than other nodes.
- New command for deleting a single instance: kops delete instance
Breaking changes
- Support for Kubernetes 1.9 and 1.10 has been removed.
- Support for the Romana networking provider has been removed.
- Support for legacy IAM permissions has been removed. This removal may be temporarily deferred to kops 1.20 by setting the LegacyIAM feature flag.
Required Actions
- See note about OpenStack Cinder plugin above.
Deprecations
- Support for Kubernetes versions 1.11 and 1.12 is deprecated and will be removed in kops 1.20.
Full change list since 1.18.0 release
1.19.0-alpha.3 to 1.19.0-alpha.4
- Upgrade kubernetes dependencies to 1.19.0-rc.4 @rifelpet #9565
- Release notes for 1.19.0-alpha.3 @hakman #9805
- Stop trying to pull the Protokube image @hakman #9809
- Add all images to GH release @hakman #9811
- Refactor: KopsModelContext embeds IAMModelContext @justinsb #9814
- Adding docs on AWS Permissions Boundaries support @victorfrancax1 #9807
- Fix GCE cluster creation with private topology @rifelpet #9815
- Support writing a full certificate chain @justinsb #9812
- Update Calico to v3.15.2 for k8s 1.16+ @hakman #9816
- Update kube-router to v1.0.1 @hakman #9818
- Remove compute floating ip extension @olemarkus #9790
- Pull images from k8s.gcr.io/kops instead of docker.io/kope @hakman #9808
- Upgrade AWS VPC CNI to 1.7.1 @MoShitrit #9822
- Update k8s dependencies to v1.19.0 @hakman #9824
- Remove unknown rules from managed security groups on openstack @olemarkus #9820
- Add --internal flag for export kubecfg that targets the internal dns name @rifelpet #9732
- Reconcile ports and floating ips @olemarkus #9821
- GCE - Set Bastion InstanceGroup zone @rifelpet #9827
- Move from debian-hyperkube-base to debian-base for node-authorizer @rdrgmnzs #9828
- Add kops delete instance command @olemarkus #9784
- remove nodeAffinity from typha @ozdanborne #9826
- Use the get_workspace_status script to get the versions @justinsb #9830
- cloudbuild: allow CI env var to be specified @justinsb #9831
- TaskDependentResource: support preview when the task isn't ready @justinsb #9837
- Addons: Support arbitrary additional objects @justinsb #8119
- add support for cors-allowed-origins @etwillbefine #9838
- Implement setter by reflection @justinsb #8896
- Expose JWKS via a feature-flag @justinsb #9813
- Support authentication helper for kubectl @justinsb #9667
- Always use OpenStack Swift reauthentication @justinsb #9836
- Upgrade cilium versions @olemarkus #9843
- Don't generate the ssl_certificate_id field on TCP listeners in Terraform @rifelpet #9839
- Spotinst: Upgrade the Spot Cluster Controller to version 1.0.64 @liranp #9846
- Update OpenStack CSIDriver to v1 and update few csi deps @zetaab #9847
- Remove more machinery for file-based cloudup models @johngmyers #9841
- Keep SHELLCHECK_IMAGE version sync with SHELLCHECK_VERSION defined before @MaXinjian #9849
- Cloudinstances refactor @olemarkus #9799
- Populate cloudinstances data on openstack @olemarkus #9850
- Refactor IAM route53 construction @justinsb #9853
- Improve description of detaching instances @johngmyers #9859
- Add command for listing cloud instances @olemarkus #9762
- fix "unbound variable" issue @MaXinjian #9851
- Add instance info to detached nodes @olemarkus #9860
- Update installation @inductor #9864
- Update Calico to v3.16.0 for k8s 1.16+ @hakman #9829
- Update alpha channel k8s 1.16 to 1.16.15 and Ubuntu image to latest available @MoShitrit #9869
- Implement cluster autoscaler as bootstrap addon @olemarkus #9787
- Bump cilium to 1.8.3 @olemarkus #9871
- Openstack golden servergrouptests @olemarkus #9874
- Map ENOENT to ErrNotExist in FSPath @johngmyers #9877
- Update Go to v1.15.1 @hakman #9878
- Add kubelet cgroup driver property @bmelbourne #9879
- verify-terraform: rearrange arguments to find @justinsb #9881
- Update mock version to 1.19.0-alpha.3 @hakman #9884
- Use new GitHub artifact names for mirrored assets @hakman #9882
- Use root volume encryption flag for LaunchConfiguration with TF and CF @hakman #9872
- Errors when encryptionConfig is enabled, but no encryptionconfig secret @olemarkus #9885
- Add missing spot support to launch template direct render @johngmyers #9897
- Don't explicitly set insecure-bind-address on newer k8s @olemarkus #9899
- Deprecate old cluster autoscaler addon @olemarkus #9892
- Update Calico to v3.16.1 @hakman #9894
- Nodelocalcache configure resources @commixon #9901
- Release notes for 1.17.2 @justinsb #9902
- Release notes for 1.18.1 @justinsb #9904
- Allow caching of Nodeidentity Info in kops-controller for AWS. @rdrgmnzs #9908
- Simplified form of IAM Roles for ServiceAccounts @justinsb #9352
- Detect AWS region for S3 inside containers @hakman #9857
- Only apply external policies when these are defined @kesor #9867
- Get launch template versions after filtering templates @johngmyers #9909
- Remove constraint of setting volume type for OS @olemarkus #9907
- Remove force_tcp flag for nodelocalcache dot zone @astrikos #9917
- Validate labels @olemarkus #9918
- Add missing setResources on CA task @justinsb #9919
- Add missing flags to cluster autoscaler template @olemarkus #9925
- Add unit test for pkg/apis/kops/model/features.go @hs0210 #9883
- Continue if asg instance is unknown @olemarkus #9900
- Allow the BootstrapClient task to run after Protokube @hakman #9911
- Document process to get older releases into artifacts.k8s.io @justinsb #9934
- Don't write application credentials to cloud config unless external CCM is enabled @olemarkus #9935
- add kube-system psp to system:nodes @zetaab #9941
- use subnet also when creating floatingip @zetaab #9936
- Block external CCM for k8s less than 1.13 @olemarkus #9943
- Force external cloud controller manager on OS @olemarkus #9942
- Update Go to v1.15.2 @hakman #9944
- Only add additional policies to kops managed IAMRoles @hakman #9924
- Release 1.19.0-alpha.4 @hakman #9949