Release notes for kops 1.19 series

(The kops 1.19 release has not been released yet; this is a document to gather the notes prior to the release).

Significant changes

Changes to kubernetes config export

Kops will no longer automatically export the kubernetes config on kops update cluster. In order to export the config on cluster update, you need to either add the --user <user> to reference an existing user, or --admin to export the cluster admin user. If neither flag is passed, the kubernetes config will not be modified. This makes it easier to reuse user definitions across clusters should you, for example, use OIDC for authentication.

Similarly, kops export kubecfg will also require passing either the --admin or --user flag if the context does not already exist.

By default, the credentials of any exported admin user now have a lifetime of 18 hours. The lifetime of the exported
credentials may be specified as a value of the --admin flag. To get the previous behavior, specify --admin=87600h to either kops update cluster or kops export kubecfg.

kops create cluster --yes exports the admin user along with rest of the cluster config, as was the previous behaviour (except for the 18-hour validity).

OpenStack Cinder plugin

Kops will install the Cinder plugin for kops running kubernetes 1.16 or newer. If you already have this plugin installed you should remove it before upgrading.

If you already have a default StorageClass, you should set cloudConfig.Openstack.BlockStorage.CreateStorageClass: false to prevent kops from installing one.

Other significant changes

• New clusters will now have one nodes group per zone. The number of nodes now defaults to the number of zones.

• On AWS kops now defaults to using launch templates instead of launch configurations.

• Clusters using the Amazon VPC CNI provider now perform an ec2.DescribeInstanceTypes call at instance launch time. In large clusters or AWS accounts this may lead to API throttling which could delay node readiness. If this becomes a problem please open a GitHub issue.

• There is now Alpha support for Hashicorp Vault as a store for secrets and keys. See the Vault state store docs.

• New clusters running Cilium now enable BPF NodePort by default if the Kubernetes version is 1.12 or newer.

• The kops update cluster command will now refuse to run on a cluster that
  has been updated by a newer version of kops unless it is given the --allow-kops-downgrade flag.

• The lifetimes of certificates used by various components have been substantially reduced.
  The certificates on a node will expire sometime between 455 and 485 days after the node's creation.
  The expiration times vary randomly so that nodes are likely to have their certs expire at different times than other nodes.

• New command for deleting a single instance: kops delete instance

• Metrics Server is now available as a configurable addon. Add spec.metricsServer.enabled: true to the cluster spec to enable.

Breaking changes

• Support for Kubernetes 1.9 and 1.10 has been removed.

• Support for the Romana networking provider has been removed.

• Support for legacy IAM permissions has been removed. This removal may be temporarily deferred to kops 1.20 by setting the LegacyIAM feature flag.

Required Actions

• See note about Openstack Cinder plugin above.

Deprecations

• Support for Kubernetes versions 1.11 and 1.12 are deprecated and will be removed in kops 1.20.

• Support for Terraform version 0.11 has been deprecated and will be removed in kops 1.20.

• Support for feature flag Terraform-0.12 has been deprecated and will be removed in kops 1.20. All generated Terraform HCL2/JSON files will support versions 0.12.26+ and 0.13.0+.

• The manifest based metrics server addon has been deprecated in favour of a configurable addon.

Partial change list

1.19.0-alpha.4 to 1.19.0-alpha.5

• Release notes for 1.19.0-alpha.4 @hakman #9950
• Support ChainInsertMode config option for Calico Networking @asmith030 #9945
• Add instance groups and k8s 1.19 to bootstrapchannelbuilder tests @rifelpet #9962
• Bump k8s versions and Ubuntu ami version to latest @MoShitrit #9963
• AWS add cluster tag to detachinstances/findinstances filters @zetaab #9961
• Update containerd to v1.4.1 @hakman #9968
• Add addon for aws node termination handler @olemarkus #9921
• Use all kops mirrors to determine artifacts hashes @hakman #9958
• OpenStack: allow to specify storageClass creation to false @zetaab #9971
• Add AWS partition support to iam service account roles @rifelpet #9964
• Update Docker to v19.03.13 @hakman #9969
• Improve kops get instances when api is unavailable @olemarkus #9938
• Fix fip description @olemarkus #9965
• Updating the Version @christus02 #9975
• Add missing permissions for cilium-operator @codablock #9979
• Consolidate all buildMinimalClusters into a generic test cluster builder @olemarkus #9972
• Build cloud outside of PerformAssignments @olemarkus #9973
• Bumping k8s versions and ubuntu AMI version from alpha to stable @MoShitrit #9986
• Update mkdocs dependencies and pin macro plugin @rifelpet #9988
• Fix nil pointer when instance has not joined the cluster @olemarkus #9985
• Production recommendations document @olemarkus #9984
• Clarified S3 state store encryption default @CrossRoast #9991
• Add deprecation notice for support of Terraform v0.11 @bmelbourne #9989
• Fix CAS ASG configuration @olemarkus #9993
• Fix small typo in create cluster help output @erismaster #9995
• Set ctx and cluster on the rolling update struct instead of passing it around everywhere @olemarkus #9974
• Fix pair of typos in openstack docs @erismaster #9997
• Add label to prevent kops-controller from running on old nodes @johngmyers #9998
• Update prometheus-operator to support k8sv >= 1.16.0 @flouthoc #10001
• Bump NTH to 1.8 @olemarkus #10002
• Cilium hubble pointer @olemarkus #9967
• Add missing closing inline code character @mbacchi #10005
• Update rules_docker in order to build protokube @DerrickMartinez #10007
• Bump cilium to 1.8.4 @olemarkus #10008
• Fix support for multiple additionalNetworkCIDR blocks @rifelpet #9996
• More removals of BuildCloud @olemarkus #9981
• OpenStack floatingip fixes for clean cluster @zetaab #10010
• Support rolling upgrade on openstack @olemarkus #9927
• Spotinst: Upgrade the Spot Cluster Controller to version 1.0.67 @liranp #10011
• Don't disassociate additional CIDR blocks with shared VPCs @rifelpet #10013
• enable kubelet --housekeeping-interval flag @nareshku #10016
• Move kops-controller serving port out of conflict @olemarkus #10024
• Sort wellknown ports and add missing ports to table @olemarkus #10025
• [calico] awsSrcDstCheck to disable src/dest checks in AWS @monicagangwar #10019
• Minor fixes to swiftfs.go @olemarkus #10030
• Open etcd port only when Calico uses "etcd" datastore @hakman #10032
• Kubelet serving certificate and metrics server addon @olemarkus #10022
• Update Calico to v3.16.3 @hakman #10036
• Update Docker version defaults for older k8s versions @hakman #10033
• Add support for KubeAPIServer --request-timeout flag @dntosas #10038
• Add WireGuard support for Calico CNI @h3poteto #10037
• Fix docs feature table not being rendered @hakman #10042
• Fix nil pointer when deleting instance @olemarkus #10046
• Don't require PriorityClassName to pass missing-static-pod checks @johngmyers #10049
• Upgrade aws-iam-authenticator to 0.5.2 @rifelpet #10047
• Recommend kops 1.18.1 for kops >= 1.15 in alpha channel @johngmyers #10051
• upgrade-cluster: test that new image in stable or alpha channel will … @nvanheuverzwijn #10052
• Release 1.19.0-alpha.5 @hakman #10054