Releases: kubermatic/kubeone

v1.4.12

12 Dec 09:47
79f00f7

Important Registry Change Information

In November, we announced that we are changing all image references from k8s.gcr.io to registry.k8s.io to keep up with the latest upstream changes. This patch release includes this change. Before upgrading to this KubeOne patch release, please ensure that any mirrors you use are able to host registry.k8s.io and/or that firewall rules allow access to registry.k8s.io to pull images.

The December Kubernetes patch releases (1.25.5, 1.24.9, 1.23.15, and 1.22.17) are enforcing registry.k8s.io by default. Please keep this in mind if you're using an older KubeOne patch release with the latest Kubernetes patch releases. We strongly advise that you use KubeOne v1.5.4 or newer with the latest Kubernetes patch releases.

Changelog since v1.4.11

Changes by Kind

API Change

  • Image references are changed from k8s.gcr.io to registry.k8s.io. This is done to keep up with the latest upstream changes. Please ensure that any mirrors you use are able to host registry.k8s.io and/or that firewall rules allow access to registry.k8s.io to pull images before applying the next KubeOne patch releases. (#2508, @xmudrii)

Feature

Bug or Regression

  • Fix a panic (NPE) when determining if it is safe to repair a cluster when there's no kubelet or kubelet systemd unit on the node (#2496, @kubermatic-bot)
  • Use the pause image from registry.k8s.io for all Kubernetes releases (#2530, @xmudrii)

v1.5.3

11 Nov 15:23
v1.5.3
47ecb11

Important Registry Change Information

For the next series of KubeOne and KKP patch releases, image references will move from k8s.gcr.io to registry.k8s.io. This will be done to keep up with the latest upstream changes. Please ensure that any mirrors you use are able to host registry.k8s.io and/or that firewall rules allow access to registry.k8s.io to pull images before applying the next KubeOne patch releases. This change is not included in this patch release; this is only a notification of future changes.

Important Security Information

Kubernetes releases prior to 1.25.4, 1.24.8, 1.23.14, and 1.22.16 are affected by two Medium CVEs in kube-apiserver: CVE-2022-3162 (Unauthorized read of Custom Resources) and CVE-2022-3294 (Node address isn't always verified when proxying). We strongly recommend upgrading to 1.25.4, 1.24.8, 1.23.14, or 1.22.16 as soon as possible.

Changelog since v1.5.2

Changes by Kind

API Change

  • .cloudProvider.csiConfig is now a mandatory field for vSphere clusters using the external cloud provider (.cloudProvider.external: true). .cloudProvider.csiConfig can be specified even if the in-tree provider is used, but the provided CSIConfig is ignored in such cases (a warning about this is printed) (#2447, @kubermatic-bot)

Feature

  • Add allow_insecure variable (default false) to Terraform configs for vSphere. The value of this variable is propagated to the MachineDeployment template in output.tf (#2449, @xmudrii)
  • Add a new addon parameter called HubbleIPv6 (true/false, default: true) for Cilium CNI used to enable/disable Hubble UI listening on an IPv6 interface (#2451, @kubermatic-bot)
  • Update OpenStack CCM and CSI to v1.24.5 and v1.22.2 (#2445, @xmudrii)
  • Update etcd to 3.5.5 or use the version provided by kubeadm if it's newer (#2443, @kubermatic-bot)

Other (Cleanup or Flake)

  • Expose machine-controller metrics port (8080/TCP), so Prometheus ServiceMonitor can be used for scraping (#2439, @kubermatic-bot)
  • Make volume size for worker nodes configurable in Terraform configs for AWS (50 GB by default) (#2450, @xmudrii)

Chore

  • Rename generate-internal-groups Make target to update-codegen (#2450, @xmudrii)
  • KubeOne is now built using Go 1.19.3 (#2462, @xmudrii)
  • The kubeone-e2e image is moved from Docker Hub to Quay (quay.io/kubermatic/kubeone-e2e) (#2464, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.5.3_checksums.txt file.

v1.4.11

11 Nov 15:10
v1.4.11
066988a

Important Registry Change Information

For the next series of KubeOne and KKP patch releases, image references will move from k8s.gcr.io to registry.k8s.io. This will be done to keep up with the latest upstream changes. Please ensure that any mirrors you use are able to host registry.k8s.io and/or that firewall rules allow access to registry.k8s.io to pull images before applying the next KubeOne patch releases. This change is not included in this patch release; this is only a notification of future changes.

Important Security Information

Kubernetes releases prior to 1.25.4, 1.24.8, 1.23.14, and 1.22.16 are affected by two Medium CVEs in kube-apiserver: CVE-2022-3162 (Unauthorized read of Custom Resources) and CVE-2022-3294 (Node address isn't always verified when proxying). We strongly recommend upgrading to 1.25.4, 1.24.8, 1.23.14, or 1.22.16 as soon as possible.

Changelog since v1.4.10

Changes by Kind

Feature

  • Update etcd to 3.5.5 for Kubernetes 1.22+ clusters or use the version provided by kubeadm if it's newer (#2444, @xmudrii)

Other (Cleanup or Flake)

  • Expose machine-controller metrics port (8080/TCP), so Prometheus ServiceMonitor can be used for scraping (#2440, @kubermatic-bot)

Chore

  • KubeOne is now built using Go 1.18.8 (#2465, @xmudrii)
  • The kubeone-e2e image is moved from Docker Hub to Quay (quay.io/kubermatic/kubeone-e2e) (#2465, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.4.11_checksums.txt file.

v1.5.2

20 Oct 16:06
v1.5.2
9135e47

Changes by Kind

Feature

Updates

Checksums

SHA256 checksums can be found in the kubeone_1.5.2_checksums.txt file.

v1.4.10

20 Oct 16:05
v1.4.10
79b8587

Changes by Kind

Bug or Regression

  • Update golang.org/x/crypto dependency to a newer version to fix issues with SSH authentication on instances with newer OpenSSH versions (#2390, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.4.10_checksums.txt file.

v1.5.1

26 Sep 13:01
v1.5.1
37b5307

Changes by Kind

Feature

  • Add a new NodeLocalDNS field to the KubeOneCluster API, used to control whether the NodeLocalDNSCache component is deployed. Run kubeone config print --full for details on how to use this field (#2377, @kron4eg)
  • Upgrade Cilium from v1.12.0 to v1.12.2 (#2376, @ahmedwaleedmalik)

Bug or Regression

  • Automatically delete the CoreDNS PodDisruptionBudget if the feature is disabled (#2365, @xmudrii)
  • Fix NPE when machine-controller deployment is disabled (#2357, @kron4eg)
  • Fix NPE with Operating System Manager (OSM) when the KubeOneCluster v1beta1 API is used (#2357, @kron4eg)
  • Explicitly disable Operating System Manager (OSM) when the KubeOneCluster v1beta1 is used (#2357, @kron4eg)
  • Recreate SSH connection in the case of errors with session (#2357, @kron4eg)
  • Update the kubernetes-cni package from 0.8.7 to 1.1.1 to support the latest Kubernetes patch releases (#2357, @kron4eg)
  • Use vmware-system-csi namespace when generating certs for the vSphere CSI webhooks (#2374, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.5.1_checksums.txt file.

v1.4.9

26 Sep 13:03
v1.4.9
66b24fd

Changes by Kind

Feature

  • Update the kubernetes-cni package from 0.8.7 to 1.1.1 to support the latest Kubernetes patch releases (#2358, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.4.9_checksums.txt file.

v1.5.0

30 Aug 11:20
v1.5.0
9433417

KubeOne 1.5.0

We're happy to announce a new KubeOne minor release, KubeOne 1.5! Please consult the changelog, as well as the upgrade guide and the Known Issues document, before upgrading.

Checksums

SHA256 checksums can be found in the kubeone_1.5.0_checksums.txt file.

v1.4.8

29 Aug 19:03
v1.4.8
6ff3ec0

Urgent Upgrade Notes

(No, really, you MUST read this before you upgrade)

  • Update machine-controller to v1.43.7. This update fixes several issues for RHEL clusters on Azure. If you have RHEL-based MachineDeployments on Azure, we strongly recommend upgrading to KubeOne 1.4.8 and rotating those MachineDeployments BEFORE upgrading to KubeOne 1.5. If not done, the Canal CNI update might break the cluster networking when upgrading to KubeOne 1.5. (#2333, @xmudrii)

Changes by Kind

Bug or Regression

  • Mount /etc/pki to the OpenStack CCM container to fix CrashLoopBackoff on clusters running CentOS 7 (#2303, @xmudrii)
  • Explicitly create /opt/bin on Flatcar before trying to untar anything to that directory (#2305, @xmudrii)
  • Mount /etc/pki to the Azure CCM container to fix CrashLoopBackoff on clusters running CentOS 7 and Rocky Linux (#2310, @kubermatic-bot)
  • Mount /usr/share/ca-certificates to the Azure CCM container to fix CrashLoopBackoff on clusters running Flatcar (#2334, @xmudrii)
  • Set the iptables backend (FELIX_IPTABLESBACKEND) to NFT for Canal and Calico VXLAN on clusters running Flatcar Linux and RHEL. For non-Flatcar/RHEL clusters, the iptables backend is set to Auto, which is the default value and results in Calico determining the iptables backend automatically. The value can be overridden by setting the iptablesBackend addon parameter (see the PR description for an example). (#2334, @xmudrii)

Checksums

SHA256 checksums can be found in the kubeone_1.4.8_checksums.txt file.

v1.5.0-rc.0

25 Aug 13:24
v1.5.0-rc.0
16c6bdf
Pre-release

Changelog

The complete changelog since the v1.5.0-beta.0 release is available in CHANGELOG/CHANGELOG-1.5.md.

Urgent Upgrade Notes

  • The minimum Kubernetes version has been increased to v1.22.0. If you're still using Kubernetes v1.21 or v1.20, you have to upgrade the cluster to v1.22 or newer before upgrading to KubeOne 1.5. (#2236, @xmudrii)
  • Remove defaulting for Flatcar provisioning utility in example Terraform configs for AWS (defaulted to Ignition by machine-controller). If you have Flatcar-based MachineDeployments that use the cloud-init provisioning utility, you must change the provisioning utility to ignition (or leave it empty) for Operating System Manager (OSM) to work properly (#2285, @xmudrii)
  • Remove the hcloud-volumes StorageClass deployed automatically by Hetzner CSI driver in favor of hcloud-volumes StorageClass deployed by the default-storage-class addon. If you're using hcloud-volumes StorageClass, make sure that you have the default-storage-class addon enabled before upgrading to KubeOne 1.5 (#2269, @xmudrii)

Deprecations

  • We announced with the KubeOne 1.4.0 release that kubeone install and kubeone upgrade commands are deprecated in favor of kubeone apply. This time we're marking those commands as hidden, so they'll not show in the help output. In the next release, we'll completely remove those commands, so we strongly recommend migrating to kubeone apply as soon as possible. (#2258, @kron4eg)

Known Issues

  • The Calico VXLAN addon has an issue with broken network connectivity for pods running on the same node. If you're using Calico VXLAN, we recommend staying on KubeOne 1.4 until the issue is fixed. Follow #2192 for updates.

Checksums

SHA256 checksums can be found in the kubeone_1.5.0-rc.0_checksums.txt file.