kubernetes/kops v1.25.0

on GitHub

Significant changes

• GCE cloud provider support has been promoted to stable.
• Hetzner cloud provider support has been promoted to beta.
• Karpenter support has been promoted to stable on Kubernetes versions 1.22, 1.23 and 1.24. Karpenter does not yet support Kubernetes above 1.25.
• IAM roles on AWS used for ServiceAccounts are now tagged with the name and namespace of the ServiceAccount.
• Cert Manager may now solve dns-01 challenges. See the cert manager documentation.
• Add support to --cordon-node-before-terminating on the cluster autoscaler addon (CordonNodeBeforeTerminating)
• EBS CSI driver can now be self-managed. See the addon docs.

Breaking changes

Cinder CSI snapthot controller changes

The CSI Cinder plugin for OpenStack will now only use the CSI snapshotter when the CSI snapshot controller is enabled in the cluster spec. This changes the default behavior where the CSI snaphotter container was always present, but spammed the log with error messages (see #13890). In case of manually deployed CRDs to make the snapshotter work it is now necessary to enable the snapshot controller.

Other breaking changes

• Support for Kubernetes version 1.19 has been removed.

Deprecations

• Support for Kubernetes version 1.20 is deprecated and will be removed in kOps 1.26.
• Support for Kubernetes version 1.21 is deprecated and will be removed in kOps 1.27.

What's Changed

• Release notes for 1.24.0-beta.1 by @hakman in #13732
• Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #13698
• Add GHA workflow for updating dependabot PRs by @rifelpet in #13735
• Bump github.com/hashicorp/vault/api from 1.5.0 to 1.6.0 by @dependabot in #13734
• Bump github.com/google/go-containerregistry from 0.8.0 to 0.9.0 by @dependabot in #13720
• Bump helm.sh/helm/v3 from 3.8.2 to 3.9.0 by @dependabot in #13733
• Only rewrite to k8s.gcr.io until k8s 1.25 by @rifelpet in #13739
• Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #13738
• Update containerd and Docker versions by @hakman in #13741
• Remove support for K8s 1.19 by @olemarkus in #13742
• [DigitalOcean] Restart journald service on node startup by @srikiz in #13717
• Drop older cilium versions and add support for k8s 1.25 by @olemarkus in #13747
• Update AWS CCM images for k8s 1.20-1.22 by @hakman in #13748
• Channels to have exit status 1 on apply failure by @olemarkus in #13749
• Add support for setting mode field on file assets by @yurrriq in #13715
• Revert "Use kubectl replace instead of apply when updating addons" by @hakman in #13761
• Don't try to manage the kube-system namespace by @hakman in #13764
• Run channels on upgrade e2e tests to verify addons are being applied by @olemarkus in #13757
• Fix API group name for ingresses in DNS Controller by @julienperignon in #13750
• Remove some unused legacy addons by @hakman in #13765
• Bump nvidia device plugin to 0.12.0 by @ddelange in #13745
• Update runc to v1.1.3 by @hakman in #13763
• Fix namespace for cert manager webhook config by @olemarkus in #13773
• Avoid spurious changes with ed25519 keys by @hakman in #13774
• Make the cert-manager breaking change more visible. by @olemarkus in #13780
• Bump go.uber.org/multierr from 1.6.0 to 1.8.0 by @dependabot in #13782
• Bump github.com/aws/aws-sdk-go from 1.44.6 to 1.44.32 by @dependabot in #13783
• Bump github.com/hashicorp/vault/api from 1.6.0 to 1.7.2 by @dependabot in #13785
• Add back the metrics-server 443 port with a new name by @olemarkus in #13779
• Fix broken node selector for node termination handler by @olemarkus in #13781
• Bump google.golang.org/api from 0.81.0 to 0.83.0 by @dependabot in #13784
• Release notes for 1.24.0-beta.2 by @olemarkus in #13790
• Fix PDB api version for a set of addons by @olemarkus in #13791
• Remove replaces from go.mod by @olemarkus in #13789
• Remove core addons from addons by @hakman in #13768
• Use exported interface to detect SSH key type by @AaronFriel in #13805
• Use node.k8s.io/v1 API in the nvidia addon by @olemarkus in #13806
• Merge the cilium templates by @olemarkus in #13807
• fix tenv linter by @remyleone in #13802
• Replace flexdriver with busybox by @zetaab in #13809
• add support for varcheck linter by @remyleone in #13801
• Depend on external cloud providers rather than cloud-providers-legacy by @olemarkus in #13808
• bump k8s versions and ubuntu ami (aws) in alpha channel by @MoShitrit in #13822
• chore(deps): Included dependency review by @naveensrinivasan in #13651
• add metric port to nth deployment by @raffis in #13811
• Recommend the latest kOps version in alpha & stable channels and add 1.24 to alpha by @MoShitrit in #13823
• Ensure clusters with internal load balancers have a private subnet by @olemarkus in #13793
• Update etcd-manager to v3.0.20220617 by @hakman in #13824
• Use legacy-cloud-providers repo for the gcp provider dep by @olemarkus in #13840
• Bump actions/dependency-review-action from 1 to 2 by @dependabot in #13829
• Remove the removable replaces in kubetest2 by @olemarkus in #13841
• Add kubetest2 scenario for testing many addons by @olemarkus in #13828
• Skip known failing cilium e2e test by @olemarkus in #13842
• Add manual job for updating dependencies by @hakman in #13827
• Update dependencies by @github-actions in #13843
• Do not run cluster autoscaler on spot instances by @olemarkus in #13846
• Fix GCE resource tracking by @hakman in #13857
• Adding GuestAccelerators to InstanceTemplate by @jonasasx in #13707
• Align website and readme file by @sxt90128 in #13862
• Limit GCE tag for role to 63 chars by @hakman in #13866
• Promote alpha to stable by @MoShitrit in #13868
• Clean-up firewall rules that contain targets with the cluster name hash by @hakman in #13869
• Replace manifests after apply by @olemarkus in #13819
• Bump kubetest2 to test rundir by @olemarkus in #13870
• Release notes for 1.24.0-beta.3 by @olemarkus in #13881
• Generate cli docs after updating dependencies by @hakman in #13885
• Fix unexpected symbol error in update-deps workflow by @hakman in #13886
• Update troubleshoot.md by @Deepak1100 in #13891
• Update dependencies by @github-actions in #13889
• Replace Dependabot with regular update-deps run by @hakman in #13894
• Log errors from detachInstance by @olemarkus in #13896
• increase backoff time when updating loadbalancer pool member by @zetaab in #13854
• gce: Move out of beta, drop feature flag by @justinsb in #13903
• Update CoreDNS to v1.9.3 by @hakman in #13895
• gce: set ProvisioningModel on InstanceTemplate by @justinsb in #13902
• Set Makefile GITSHA to the git sha instead of human 'readable' name by @olemarkus in #13860
• Add validation for IRSA bucket name which contains dots by @h3poteto in #13888
• Only fail an addon update if the final apply fails. Install PKI anyway by @olemarkus in #13897
• Fix cleanup of firewall rules that contain targets with the cluster name hash by @hakman in #13907
• Update Calico to v3.23.2 by @hakman in #13908
• Release 1.25.0-alpha.1 by @hakman in #13912
• Ignore the _rundir that kubetest2 now creates by @olemarkus in #13914
• Remove obsolete protokube test for mirrored assets by @hakman in #13916
• Use Calico v3.23 for Kubernetes 1.22+ by @hakman in #13901
• gce: Refactor ClusterPrefixedName and ClusterSuffixedName to not return error by @hakman in #13920
• Mount /etc/hosts from host for CoreDNS by @hakman in #13922
• Wait longer after update in the e2e upgrade scenario by @olemarkus in #13925
• Limit GCE names to 63 chars for various resources by @hakman in #13873
• Make IRSA webhook configure apps to use regional STS and set the default region on them by @olemarkus in #13926
• Use csi-snapshotter for OS only when the controller is enabled by @ederst in #13890
• Make it possible to enable the shield addon for LBC by @olemarkus in #13929
• Update Cilium to 1.11.6 by @ReillyBrogan in #13917
• Limit GCE router name to 63 chars by @hakman in #13932
• fix typos by @yojay11717 in #13851
• Fix unsetting ASG max price by @olemarkus in #13852
• Bump EBS CSI driver to 1.8.0 by @hakman in #13939
• Revert "Add back the metrics-server 443 port with a new name" by @olemarkus in #13940
• Add config drive as a source for OpenStack instance metadata by @ederst in #13845
• Be more specific when filtering OS instance ports by @ederst in #13861
• aws: introduce maximum instance lifetime in cluster by @sterchelen in #13892
• Upgrade karpenter to 0.13.1 by @rifelpet in #13918
• Fix broken links by @Ladicle in #13942
• Set SpecOverrideFlag to true by default by @hakman in #13955
• Release notes for 1.24.0 by @hakman in #13959
• Fix release notes for 1.24.0 by @hakman in #13960
• Use dynamic client for applying channels manifest rather than calling kubectl by @olemarkus in #13753
• Add release 1.24.0 to channels by @hakman in #13961
• Fix AWS IAM Authenticator nodeSelector in k8s 1.24 by @rifelpet in #13965
• Remove non-functional scheduler annotations from addons by @rifelpet in #13969
• Skip deregistering the instance during rolling update for Spotinst by @hakman in #13970
• bump alpha channel k8s releases by @MoShitrit in #13977
• Upgrade aws-iam-authenticator to v0.5.9 by @rifelpet in #13979
• Update dependencies by @github-actions in #13981
• Use only IPv4 for Hetzner servers by @hakman in #13982
• Add option to set etcd-manager backup interval by @hakman in #13975
• Add option to set number of replicas for pod-identity-webhook by @hakman in #13986
• Adding GCE SPOT support by @jonasasx in #13946
• Update etcd-manager to v3.0.20220717 by @hakman in #13990
• Update Go to v1.18.4 by @hakman in #13994
• Add S3_REGION to Hetzner docs by @tom-dudley in #13987
• Update GitHub workflows by @hakman in #13995
• Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #14002
• Add missing namespace to external-dns Service by @rifelpet in #14001
• Upgrade DO CSI controller to 4.2.0 by @rifelpet in #14005
• Applier should be more tolerant of errors by @justinsb in #13963
• Switch to latest MacOS version for CI by @hakman in #14015
• delete t.FailNow after t.Fatalf by @Abirdcfly in #14014
• fix hyperlinks in calico docs by @mostafahussein in #14016
• Update dependencies by @github-actions in #14022
• Revert to using instance private DNS name to lookup hostname by @hakman in #14024
• Add server group management for Hetzner by @hakman in #14018
• promote alpha k8s versions to stable by @MoShitrit in #14029
• Update Calico and Canal to v3.23.3 by @hakman in #14009
• Update etcd-manager to v3.0.20220727 by @hakman in #14038
• Update continuous_integration.md by @yurrriq in #14032
• Check keyset existence before attempting to distrust by @yurrriq in #14041
• Make control plane size configurable in kops-up by @olemarkus in #14036
• Do not allow PodSecurityPolicy using K8s 1.25 by @olemarkus in #14045
• Fix SIGSEGV when deleting a Hetzner instance by @hakman in #14046
• Use cabundle for etcd CA files to fix key rotation in HA clusters by @olemarkus in #14054
• Use stable kops release for kops 1.21 by @olemarkus in #14056
• Remove namespaces from cluster-scoped resources in CNI manifests by @rifelpet in #14053
• Update dependencies by @github-actions in #14055
• Enable rolling updates for Hetzner by @hakman in #14034
• Release notes for 1.22.6 by @justinsb in #14062
• Release notes for 1.23.3 by @justinsb in #14063
• Wait for load balancer to be ready for Hetzner by @hakman in #14057
• Add multiple SSH keys support for Hetzner by @hakman in #14058
• Release 1.25.0-alpha.2 by @hakman in #14070
• Release notes for 1.24.1 by @hakman in #14073
• Use SSA for updating addon channel objects by @olemarkus in #14074
• Merge cmd factories by @olemarkus in #14075
• Remove passing cluster name as positional argument by @olemarkus in #14076
• Allow configuring OpenStack CCM networking options by @ederst in #14017
• Upgrade kubetest2 by @rifelpet in #14061
• Fix Karpenter IAM permissions and make karpenter respect IG subnets by @olemarkus in #14077
• Remove --files flag from channels and make single arg mandatory by @olemarkus in #14082
• Fix typo in channels error message by @rifelpet in #14083
• Set higher verbosity when logging the endpoint of non-AWS S3 backend by @hakman in #14084
• aws-ebs-csi-driver: remove preStop hook by @sterchelen in #14081
• Hide klog flags from --help output by @justinsb in #14088
• Positional deprecation warning should go to stderr by @justinsb in #14089
• Add back conversion struct to cert-manager CRDs by @olemarkus in #14087
• Support kube-scheduler config by @justinsb in #13618
• Add option to configure runc version for containerd by @hakman in #14090
• Add template for e2e test with cpuManagerPolicy: static by @olemarkus in #14092
• Update dependencies by @github-actions in #14094
• Add support for ci and stable builds in upgrade-ab script by @olemarkus in #14095
• Add hashes for containerd v1.6.7 by @hakman in #14093
• Test the aws ebs csi driver in e2e if installed by @olemarkus in #14098
• Specify the full url for CI versions in upgrade-ab tests by @olemarkus in #14099
• Bump AWS CNI to 1.11.3 by @MoShitrit in #14107
• Update containerd to v1.6.8 by @hakman in #14106
• Don't add previous-gen instances to Karpenter provisioners by @olemarkus in #14109
• Skip testing the in-tree aws-ebs driver if CSI driver is enabled by @olemarkus in #14110
• cilium: fix wrong pod annotations templating by @sterchelen in #14111
• Add deployment-specific selectors to nth pdb by @olemarkus in #14113
• Disable some flags in kube-controller-manager and kube-scheduler when logging-format is not text by @h3poteto in #14115
• Use semver for skipregex ifs instead of strings.Contains by @olemarkus in #14112
• Update dependencies by @github-actions in #14116
• Fix more e2e skips by @olemarkus in #14124
• Create etcd-manager config for each instance group by @hakman in #14080
• Revert back to using kubectl in channels by @olemarkus in #14125
• Limit GCE network names to 63 chars by @hakman in #14134
• Bump the CCM images by @olemarkus in #14130
• Update Go to v1.19.0 by @hakman in #14135
• Bump cilium to 1.11.8 by @olemarkus in #14137
• Revert "Remove passing cluster name as positional argument" by @olemarkus in #14138
• Remove life cycle hooks when warmpool is disabled by @olemarkus in #14141
• Update dependencies by @github-actions in #14144
• Bump Karpenter to 0.15 and enable consolidation by @olemarkus in #14142
• Add more create_cluster integration tests by @olemarkus in #14147
• Add more cluster_update tests by @olemarkus in #14148
• Plug the IAM role leak by @olemarkus in #14151
• Write the user provided IG spec to state store instead of the full spec by @olemarkus in #14127
• Add default image for CAS that exists by @olemarkus in #14150
• Introduce library for applying objects by @justinsb in #14030
• Bump k8s releases and Ubuntu AMI version in Alpha by @MoShitrit in #14152
• Ignore entities not found when deleting IAM roles and profiles by @olemarkus in #14153
• Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #14156
• Bump peter-evans/create-pull-request from 4.0.4 to 4.1.1 by @dependabot in #14157
• Fix no such entity check for iam profiles and roles by @olemarkus in #14155
• Update and clean up etcdcli and etcd backup documentation by @olemarkus in #14158
• Fix bugs and typo in iam resource deletion logic by @olemarkus in #14159
• Fix test package location when using k8s ci versions in the upgrade AB scenario by @olemarkus in #14161
• Don't set unused test package flags to empty string by @olemarkus in #14163
• Fix the non-ci markers by @olemarkus in #14166
• Trim space around SSH public key by @hakman in #14168
• Bump K8s libs to 0.25.0 by @olemarkus in #14167
• Tag IAM Roles with service account info by @rifelpet in #13052
• Fix policy API version for LBC and NTH by @olemarkus in #14169
• Skip tests related to metadata concealment on GCE k8s <= 1.23 by @olemarkus in #14170
• Bump karpenter to 0.16 by @olemarkus in #14173
• Allow self-managed aws-ebs-csi-driver by @torredil in #14164
• Bump node termination handler to 1.17.0 by @olemarkus in #14177
• Bump AWS Load Balancer Controller to v2.4.3 by @olemarkus in #14178
• Merge kubeletConfigs earlier by @olemarkus in #14114
• Add Terraform target support for Hetzner by @hakman in #14179
• Bump Cert Manager to 1.9.1 by @olemarkus in #14180
• Bump snapshot-controller to 6.0.1 by @olemarkus in #14184
• Bump the nvidia addon by @olemarkus in #14185
• Update runc to v1.1.4 by @hakman in #14188
• Bump node local dns cache to 1.22.8 by @olemarkus in #14187
• Update cloud.google.com/go/storage to v1.25.0 by @hakman in #14191
• Update dependencies by @github-actions in #14190
• OIDC: Tolerate extra service-account key set items by @seh in #14175
• Bump external-dns to 0.12.2 by @olemarkus in #14193
• Update CSI driver to latest for Hetzner by @hakman in #14186
• Map up kubelet config to karpenter provisioners and add CCM startup taint by @olemarkus in #14183
• Fix karpenter update test by @olemarkus in #14199
• Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #14200
• Use runpath for kubectl binary by @olemarkus in #14198
• Promote alpha to stable by @MoShitrit in #14202
• Run etcd-manager with instance group name as volume name tag for Hetzner by @hakman in #14181
• Show the reason for which an AWS image is invalid by @hakman in #14206
• Calico: Work around host port/conntrack problem by @seh in #14205
• Update etcd-manager to v3.0.20220831 by @hakman in #14208
• Bumping AWS CCM to 1.25 by @olemarkus in #14207
• Release 1.25.0-beta.1 by @hakman in #14210
• Automated cherry pick of #14226: Update Flannel to v0.19.2 by @hakman in #14238
• Automated cherry pick of #14215: AWS IAM Role listing: don't ignore "other" errors by @hakman in #14227
• Automated cherry pick of #14223: Remove warning for FindClusterStatus not implemented for by @hakman in #14228
• Automated cherry pick of #14225: Update Calico to v3.24.1 by @hakman in #14239
• Automated cherry pick of #14235: Bump cluster-autoscaler images by @olemarkus in #14240
• Automated cherry pick of #14229: Add support for cert-manager dns-01 challenges by @olemarkus in #14241
• Automated cherry pick of #14236: Add support to --cordon-node-before-terminating on the by @olemarkus in #14242
• Automated cherry pick of #14244: aws-node-termination-handler: Add option to fetch node name by @olemarkus in #14245
• Automated cherry pick of #14254: Fix CAS cordon flag by @olemarkus in #14256
• Automated cherry pick of #14255: AWS LBC needs ec2:DescribeVpcPeeringConnections for IPv6 by @hakman in #14259
• Automated cherry pick of #14260: Bump verbosity level for some log statements by @olemarkus in #14261
• Automated cherry pick of #13853: Fix openstack tag limitation by @hakman in #14263
• Automated cherry pick of #14251: Warm pool-enabled ASGs scaled to zero will no longer panic by @hakman in #14266
• Automated cherry pick of #14265: bump aws-cni to version 1.11.4 by @MoShitrit in #14273
• Automated cherry pick of #14272: remove 'get' from aws-cni clusterRole to reflect by @hakman in #14274
• Automated cherry pick of #14282: Delete the oldest servers when over the desired count for by @hakman in #14283
• Automated cherry pick of #14287: Add test for ensuring taints are merged correctly by @zetaab in #14289
• Automated cherry pick of #14290: User IG without image should be allowed by @hakman in #14292
• Automated cherry pick of #14291: Bump tests to supported k8s version by @hakman in #14293
• Automated cherry pick of #14294: Add support for using an existing network for Hetzner by @hakman in #14296
• Automated cherry pick of #14297: Update Hetzner CCM to v1.13.0 by @hakman in #14298
• Automated cherry pick of #14299: hetzner: Move out of alpha and drop feature flag by @hakman in #14300
• Release 1.25.0 by @hakman in #14304

New Contributors

• @julienperignon made their first contribution in #13750
• @AaronFriel made their first contribution in #13805
• @remyleone made their first contribution in #13802
• @raffis made their first contribution in #13811
• @jonasasx made their first contribution in #13707
• @sxt90128 made their first contribution in #13862
• @Deepak1100 made their first contribution in #13891
• @Ladicle made their first contribution in #13942
• @tom-dudley made their first contribution in #13987
• @Abirdcfly made their first contribution in #14014
• @mostafahussein made their first contribution in #14016
• @torredil made their first contribution in #14164

Full Changelog: v1.24.0-beta.1...v1.25.0