This release is RKE2's first in the v1.21 line. This release updates Kubernetes to v1.21.2.
For more details on what's new, see the Kubernetes release notes. If you are coming from v1.20 or earlier, it is recommended that you read the Urgent Upgrade Notes.
This release resolves a number of bugs and provides a number of new features, most notably, the introduction of the --cni flag. By default, RKE2 uses Canal as its CNI, which is a combination of Calico and Flannel. Now, with the --cni flag, an operator can specify which CNI they want to use. Operators now have the choice of calico, cilium, and canal. The multus meta-plugin can also be used in combination with other CNIs by specifying it as the first option in a comma-separated list, for example --cni=multus,canal. More on this can be found in the docs. Note that not all CNIs are FIPS compliant, please see the Available CNIs table for details.
You can still enable third party CNIs by disabling the default and deploying your own.
Note: With the introduction of addtional CNIs, we have published more image image archives and lists, to allow for fine-grained control of the images needed for air-gap installs. See the documentation for more details.
This release includes a number of new subcommands for interacting with etcd snapshots. All of the subcommands are compatible with locally stored snapshots and snapshots stored in S3.
- save - Alias for
rke2 etcd-snaphot - prune - Removes snapshots that exceed the configured retention policy
- delete - Deletes a given snapshot
- ls - Lists snapshots
Resolved Issues and Enhancements
- Added the INSTALL_RKE2_EXEC environment variable as alias for INSTALL_RKE2_TYPE (#1082)
- Added tolerations to helm charts to enable scheduling on role specific nodes (#1061)
- Added ability to confirm snapshots are turned off (#430)
- Added systemd notify support (#989)
- Added the ability to pass an alternate encryption config. (#1105)
- Added tolerations to helm charts to enable scheduling on role specific nodes (#1061)
- Added support for vSphere’s out-of-tree cloud provider. Note that this feature was introduced in RKE2 1.20.6, but in this version it can be enabled by passing
--cloud-provider-name=rancher-vsphere, instead of simplyvsphere. The implementation from the previous release made it impossible to enable the in-tree vsphere cloud provider. (#1114) - Added support for Calico CNI (#860)
- Added support for Multus + sriov CNI (#746)
- Added support for SUSE Enterprise Linux 15 SP3. (#816)
- Updated Cilium to v1.9.8 (#1099)
- Updated runc to v1.0.0-rc95 (#977)
- Updated ingress nginx version to 3.30.003 (#884)
- Updated Go (GoBoring) to 1.16.4b7 (#968)
- Resolved issue where restoring from snapshot failed with executable file not found in $PATH (#1059)
- Resolved issue where snapshot and restore wasn't working with the "cluster-reset-restore-path" flag (#968)
- Resolved issue where opa-gatekeeper on rke2 cluster disallows cluster members to join after reboot and stay in NotReady state (#1054)
- Resolved possible race where bootstrap data might not save (#1116)
- Resolved an issue where SELinux would block audit logs from being written (#692)
- Resolved an issue where CIS checks for the etcd users where occuring on agents (#1063)
- Resolved an issue where
kubernetes.default.svcwas not being added to SANs in Kubernetes API serving Cert (#1112) - Resolved an issue where helm charts were getting stuck in pending state after upgrade (#1143)
- Resolved an issue where removing etcd role from a node and restarting RKE2 failed (#886)
- Resolved an issue where rke2 couldn’t start if node hostnames were not resolvable through dns (#979)
- Resolved an issue where the the
--disable-apiserverflag was inconsistently named. It is now--disable-api-server. The old flag remains for backwards compatibility, but is hidden (#1019)
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.21.2 |
| Etcd | v3.4.13-k3s1 |
| Containerd | v1.4.4-k3s2 |
| Runc | v1.0.0-rc95 |
| CNI Plugins | v0.8.7 |
| Metrics-server | v0.3.6 |
| CoreDNS | v1.6.9 |
| Ingress-Nginx | 3.30.003 |
| Helm-controller | v0.10.1 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) | Flannel v0.13.0-rancher1 Calico v3.13.3 | Yes |
| Calico | v3.19.1 | No |
| Cilium | v1.9.8 | No |
| Multus | v3.7.1 | No |
Known Issues
-
#786 - NetworkManager interferes with network related components. If your node has NetworkManager installed and enabled, please refer to the RKE2 Docs for a workaround.
-
#1009 - RKE2 integrated cloud-controller-manager RBAC conflicts with out-of-tree Helm charts. RBAC roles have been renamed to no longer conflict, but if you are upgrading from an earlier release and plan on installing an out-of-tree cloud controller you should run the following command to clean up the legacy roles:
kubectl delete clusterrole,clusterrolebinding cloud-controller-manager
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.