This version contains a critical update to etcd-manager: 1 year after creation (or first adopting etcd-manager), clusters will stop responding due to expiration of a TLS certificate. Upgrading kops to 1.18.0-beta.1 (or the latest versions of the 1.15, 1.16, 1.17 or 1.18 series) and running `kops update` followed by a `kops rolling-update` will fix the issue. Please see the advisory for the full details.
kops 1.18.0 beta.2 is the next beta in the 1.18 series for kops. We intend for the next release in the 1.18 series to be 1.18.0, so this can be treated as a release candidate for 1.18.0 (1.18.0-rc.1).
Please see the release notes for the full list of changes.
The default image has been updated to Ubuntu 20.04 (Focal). Consequently, the SSH user changed to `ubuntu` and the Linux kernel changed to version 5.4.
To address the issue of IPv4 only clusters being susceptible to MitM attacks via IPv6 rogue router advertisements, the affected components have been upgraded as follows:
Support for Amazon Linux 2 has been improved and will work with the default Docker version.
containerd has been added and can be selected as an alternate container runtime for Kubernetes. Enable it by using the `--container-runtime containerd` flag when creating a cluster or by setting
Rolling updates now support surging and parallelism within an instance group. For details see the documentation.
Cilium CNI can now use AWS networking natively through the AWS ENI IPAM mode. Kops can also run a Kubernetes cluster entirely without kube-proxy using Cilium’s BPF NodePort implementation.
Cilium CNI can now use a dedicated etcd cluster managed by etcd-manager for synchronizing agent state instead of CRDs.
The Terraform target now supports Terraform 0.12 syntax (HCL2) by default. See the Required Actions item below.
New clusters in GCE are configured to run the metadata-proxy by default. The proxy runs as a DaemonSet and lands on nodes with the nodeLabel `cloud.google.com/metadata-proxy-ready: "true"`. If you want to enable metadata-proxy on an existing cluster/instance group, add that nodeLabel to your instancegroup specs (`kops edit ig ...`) and run `kops update cluster`. When the changes are applied, the proxy will roll out to those targeted nodes.
GCE has a new flag: `--gce-service-account`. This takes the email of an existing GCP service account and launches the instances with it. This setting applies to the whole cluster (i.e. it is not currently designed to support Instance Groups with different service accounts). If you do not specify a service account during cluster creation, the default compute service account will be used, which matches the prior behavior.
Google API client libraries updated from v0.beta to v1.
Support for NodeLocalDNS cache.
Support for Docker versions 1.11, 1.12 and 1.13 has been removed because of the dockerproject.org shut down. Those affected must upgrade to a newer Docker version.
Terraform users on AWS may need to rename some resources in their state file in order to prepare for Terraform 0.12 support. See Required Actions below.
Support for the CoreOS OS distribution has been removed. Users should consider Flatcar as a replacement.
Support for the Debian 8 (Jessie) OS distribution has been removed.
The Docker `health-check` service is now disabled by default. It shouldn't be needed anymore, but it can still be enabled by setting `spec.docker.healthCheck: true`. It is recommended to also check node-problem-detector and draino as replacements. See Required Actions below.
The Lyft CNI plugin's default subnet tag has changed; the new default tag is `KubernetesCluster: myclustername.mydns.io`. Subnets intended for use by the plugin will need to be tagged with this new tag, and additional tag filters may need to be added to the cluster spec in order to achieve the desired set of subnets.
Support for basic authentication has been disabled by default for Kubernetes 1.18 and will be removed in Kubernetes 1.19.
Support for static tokens has been disabled by default for Kubernetes 1.18 and later. To re-enable, see the Security Notes for Kubernetes. We intend to remove support entirely in a future kops version, so file an issue with your use case if you need this feature.
Support for Kubernetes versions prior to 1.9 has been removed.
Kubernetes 1.9 users will need to enable the PodPriority feature gate. See Required Actions below.
Support for the “Legacy” etcd provider has been removed for Kubernetes versions 1.18 and higher. Such clusters will need to migrate to the default “Manager” etcd provider. To migrate, see the etcd migration documentation.
A controller is now used to apply labels to nodes. If you are not using AWS, GCE or OpenStack your (non-master) nodes may not have labels applied correctly.
The `kops.k8s.io/v1alpha1` API has been removed. Users of `kops replace` will need to supply v1alpha2 resources.
Please see the notes in the 1.15 release about the apiGroup changing from kops to kops.k8s.io
- Terraform users on AWS may need to rename resources in their terraform state file in order to support Terraform 0.12.
Terraform 0.12 no longer supports resource names starting with digits. In Kops, both the default route and additional VPC CIDR associations are affected. See #7957 for more information.
- The default route was named `aws_route.0-0-0-0--0` and will now be named `aws_route.route-0-0-0-0--0`.
- Additional CIDR blocks associated with a VPC were similarly named the hyphenated CIDR block with two hyphens for the `/`, for example `aws_vpc_ipv4_cidr_block_association.10-1-0-0--16`. These will now be prefixed with `cidr-`, for example `aws_vpc_ipv4_cidr_block_association.cidr-10-1-0-0--16`.
To prevent downtime, follow these steps with the new version of Kops:

```sh
KOPS_FEATURE_FLAG=-Terraform-0.12 kops update cluster --target terraform ...
# Use Terraform <0.12
terraform plan
# Observe any aws_route or aws_vpc_ipv4_cidr_block_association resources being destroyed and recreated
# Run these commands as necessary. The exact names may differ; use what is outputted by terraform plan
terraform state mv aws_route.0-0-0-0--0 aws_route.route-0-0-0-0--0
terraform state mv aws_vpc_ipv4_cidr_block_association.10-1-0-0--16 aws_vpc_ipv4_cidr_block_association.cidr-10-1-0-0--16
terraform plan
# Ensure these resources are no longer being destroyed and recreated
terraform apply
```
Kops will now output Terraform 0.12 syntax with the normal workflow:

```sh
kops update cluster --target terraform ...
# Use Terraform 0.12. This plan should be a no-op
terraform plan
```
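When a cluster has several VPC CIDR associations, typing the `terraform state mv` commands by hand is error-prone, and a typo in a state address silently leaves the old resource to be destroyed and recreated on apply. The helper below is an added example, not part of kops or these release notes: it reads `terraform state list` output and prints the exact `terraform state mv` commands for the two resource types affected by the leading-digit rule, leaving every other address untouched. The state-list sample at the bottom is constructed for illustration and the function name is an assumption.

```sh
#!/bin/sh
# kops_tf012_rename_cmds: emit `terraform state mv` commands for resource
# addresses that Terraform 0.12 rejects because they start with a digit.
#   aws_route.<cidr>                          -> aws_route.route-<cidr>
#   aws_vpc_ipv4_cidr_block_association.<cidr> -> aws_vpc_ipv4_cidr_block_association.cidr-<cidr>
# Input ($1): the text produced by `terraform state list`, one address per line.
# Addresses that already carry the new prefix, or belong to other resource
# types, produce no output, so the function is safe to re-run.
kops_tf012_rename_cmds() {
    printf '%s\n' "$1" | while IFS= read -r addr; do
        case "$addr" in
            aws_route.[0-9]*)
                name=${addr#aws_route.}
                printf 'terraform state mv %s aws_route.route-%s\n' "$addr" "$name"
                ;;
            aws_vpc_ipv4_cidr_block_association.[0-9]*)
                name=${addr#aws_vpc_ipv4_cidr_block_association.}
                printf 'terraform state mv %s aws_vpc_ipv4_cidr_block_association.cidr-%s\n' "$addr" "$name"
                ;;
        esac
    done
}

# Constructed sample of `terraform state list` output (not from a real cluster).
# In practice: kops_tf012_rename_cmds "$(terraform state list)"
SAMPLE_STATE_LIST='aws_route.0-0-0-0--0
aws_route.route-10-0-0-0--8
aws_vpc_ipv4_cidr_block_association.10-1-0-0--16
aws_vpc.mycluster-example-com
aws_subnet.us-east-1a-mycluster-example-com'

kops_tf012_rename_cmds "$SAMPLE_STATE_LIST"
```

Review the printed commands against the `terraform plan` output before running them; `terraform state mv` supports `-dry-run` if you want to confirm each move without touching the state file. The second `aws_route` entry in the sample already has the `route-` prefix and is correctly skipped.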
Users that need the Docker `health-check` service will need to explicitly enable it:

```sh
kops edit cluster
```

Add the following section:

```yaml
spec:
  docker:
    healthCheck: true
```
Kubernetes 1.9 users will need to enable the PodPriority feature gate. This is required for newer versions of Kops.

To enable the Pod priority feature, follow these steps:

```sh
kops edit cluster
```

Add the following section:

```yaml
spec:
  kubelet:
    featureGates:
      PodPriority: "true"
```
- If a custom Kops build was used on a cluster, a kops-controller Deployment may have been created that should get deleted. Run `kubectl -n kube-system delete deployment kops-controller` after upgrading to Kops 1.16.0-beta.1 or later.
Support for Kubernetes versions 1.9 and 1.10 are deprecated and will be removed in kops 1.19.
Support for Ubuntu 16.04 (Xenial) has been deprecated and will be removed in future versions of Kops.
All changes from v1.18.0-beta.1 to v1.18.0-beta.2
- [Digital Ocean] Update RBAC for DO CCM @srikiz #9249
- Use Docker 19.03.11 for Kubernetes 1.18+ @hakman #9258
- Use CNI 0.8.6 for Kubernetes 1.15+ @hakman #9256
- Update Calico and Canal for CVE-2020-13597 @hakman #9268
- Update Weave for CVE-2020-13597 @hakman #9285
- Don’t export basic auth credentials if basic auth is disabled @johngmyers #9284
- Use Docker 19.03.11 for Kubernetes 1.17+ @hakman #9317
- Fix mismatch in SecurityGroups handling with launch templates @johngmyers #9288
- Remove all traces of utils.tar.gz @hakman #9197
- Update Weave Net to 2.6.5 @hakman #9330
- Bug: Explicitly set default StorageClass to support upgrades @joshbranham #9337
- Bump cilium to 1.7.5 @olemarkus #9367
- Move host-network services off of port 8080 @johngmyers #9355
- Run “go mod vendor” in verify-gomod @rifelpet #9389
- Remove go 1.14 CI jobs for k8s 1.18 @hakman #9398
- Add support for c5a aws ec2 instance types @coolstang #9386
- Fix: dns-controller: 3999 port address already in use @vgunapati #9404
- Fix cilium etcd migration @olemarkus #9451
- Create separate field for disabling rolling updates @johngmyers #9348
- Fix where etcd-cluster-spec is written when etcd's BackupStore is defined -v2 @rdrgmnzs #9474
- Update Calico to v3.15.0 for k8s 1.16+ @hakman #9444
- Update KubeDNS to v1.15.13 @hakman #9462
- Update the service manifest for Docker @hakman #9465
- When building to staging, split out the marker files by branch @justinsb #9272
- Fix verify-terraform in release-1.18 branch @rifelpet #9504
- Use kubelet docker-specific flags only for Docker @hakman #9495
- Default ClusterDNS appropriately when NodeLocalDNS is enabled @johngmyers #9491
- Update kube-router to v1.0.0 @hakman,@johngmyers #9512
- Add missing lifecycle to etcd keypair tasks @johngmyers #9553
Please see the release notes for the full list of changes.