- v1.9.0
- Downloads for v1.9.0
- 1.9 Release Notes
- WARNING: etcd backup strongly recommended
- Introduction to 1.9.0
- Major themes
- Before Upgrading
- Known Issues
- Deprecations
- Notable Changes
- External Dependencies
- v1.9.0-beta.2
- v1.9.0-beta.1
- v1.9.0-alpha.3
- v1.9.0-alpha.2
- v1.9.0-alpha.1
filename | sha256 hash |
---|---|
kubernetes.tar.gz | d8a52a97382a418b69d46a8b3946bd95c404e03a2d50489d16b36517c9dbc7f4 |
kubernetes-src.tar.gz | 95d35ad7d274e5ed207674983c3e8ec28d8190c17e635ee922e2af8349fb031b |
filename | sha256 hash |
---|---|
kubernetes-client-darwin-386.tar.gz | 2646aa4badf9281b42b921c1e9e2ed235e1305d331423f252a3380396e0c383f |
kubernetes-client-darwin-amd64.tar.gz | e76e69cf58399c10908afce8bb8d1f12cb8811de7b24e657e5f9fc80e7b9b6fb |
kubernetes-client-linux-386.tar.gz | bcd5ca428eb78fdaadbcf9ff78d9cbcbf70585a2d2582342a4460e55f3bbad13 |
kubernetes-client-linux-amd64.tar.gz | ba96c8e71dba68b1b3abcad769392fb4df53e402cb65ef25cd176346ee2c39e8 |
kubernetes-client-linux-arm64.tar.gz | 80ceae744fbbfc7759c3d95999075f98e5d86d80e53ea83d16fa8e849da4073d |
kubernetes-client-linux-arm.tar.gz | 86b271e2518230f3502708cbe8f188a3a68b913c812247b8cc6fbb4c9f35f6c8 |
kubernetes-client-linux-ppc64le.tar.gz | 8b7506ab64ceb2ff470120432d7a6a93adf14e14e612b3c53b3c238d334b55e2 |
kubernetes-client-linux-s390x.tar.gz | c066aa75a99c141410f9b9a78d230aff4a14dee472fe2b17729e902739798831 |
kubernetes-client-windows-386.tar.gz | a315535d6a64842a7c2efbf2bb876c0b73db7efd4c848812af07956c2446f526 |
kubernetes-client-windows-amd64.tar.gz | 5d2ba1f008253da1a784c8bb5266d026fb6fdac5d22133b51e86d348dbaff49b |
filename | sha256 hash |
---|---|
kubernetes-server-linux-amd64.tar.gz | a8d7be19e3b662681dc50dc0085ca12045979530a27d0200cf986ada3eff4d32 |
kubernetes-server-linux-arm64.tar.gz | 8ef6ad23c60a50b4255ff41db044b2f5922e2a4b0332303065d9e66688a0b026 |
kubernetes-server-linux-arm.tar.gz | 7cb99cf65553c9637ee6f55821ea3f778873a9912917ebbd6203e06d5effb055 |
kubernetes-server-linux-ppc64le.tar.gz | 529b0f45a0fc688aa624aa2b850f28807ce2be3ac1660189f20cd3ae864ac064 |
kubernetes-server-linux-s390x.tar.gz | 692f0c198da712f15ff93a4634c67f9105e3ec603240b50b51a84480ed63e987 |
filename | sha256 hash |
---|---|
kubernetes-node-linux-amd64.tar.gz | 7ff3f526d1c4ec23516a65ecec3b947fd8f52d8c0605473b1a87159399dfeab1 |
kubernetes-node-linux-arm64.tar.gz | fada290471467c341734a3cfff63cd0f867aad95623b67096029d76c459bde06 |
kubernetes-node-linux-arm.tar.gz | ded3640bef5f9701f7f622de4ed162cd2e5a968e80a6a56b843ba84a0b146fac |
kubernetes-node-linux-ppc64le.tar.gz | a83ebe3b360d33c2190bffd5bf0e2c68268ca2c85e3b5295c1a71ddb517a4f90 |
kubernetes-node-linux-s390x.tar.gz | 1210efdf35ec5e0b2e96ff7e456e340684ff12dbea36aa255ac592ca7195e168 |
kubernetes-node-windows-amd64.tar.gz | 9961ad142abc7e769bbe962aeb30a014065fae83291a2d65bc2da91f04fbf185 |
Before updating to 1.9, you are strongly recommended to back up your etcd data. Consult the installation procedure you are using (kargo, kops, kube-up, kube-aws, kubeadm etc) for specific advice.
Some upgrade methods might upgrade etcd from 3.0 to 3.1 automatically when you upgrade from Kubernetes 1.8, unless you specify otherwise. Because etcd does not support downgrading, you'll need to either remain on etcd 3.1 or restore from a backup if you want to downgrade back to Kubernetes 1.8.
Kubernetes version 1.9 includes new features and enhancements, as well as fixes to identified issues. The release notes contain a brief overview of the important changes introduced in this release. The content is organized by Special Interest Group (SIG).
For initial installations, see the Setup topics in the Kubernetes documentation.
To upgrade to this release from a previous version, first take any actions required Before Upgrading.
For more information about this release and for the latest documentation, see the Kubernetes documentation.
Kubernetes is developed by community members whose work is organized into Special Interest Groups, which provide the themes that guide their work. For the 1.9 release, these themes included:
Extensibility. SIG API Machinery added a new class of admission control webhooks (mutating), and brought the admission control webhooks to beta.
The core workloads API, which is composed of the DaemonSet, Deployment, ReplicaSet, and StatefulSet kinds, has been promoted to GA stability in the apps/v1 group version. As such, the apps/v1beta2 group version is deprecated, and all new code should use the kinds in the apps/v1 group version.
SIG Auth focused on extension-related authorization improvements. Permissions can now be added to the built-in RBAC admin/edit/view roles using cluster role aggregation. Webhook authorizers can now deny requests and short-circuit checking subsequent authorizers. Performance and usability of the beta PodSecurityPolicy feature was also improved.
In v1.9 SIG AWS has improved stability of EBS support across the board. If a Volume is “stuck” in the attaching state to a node for too long a unschedulable taint will be applied to the node, so a Kubernetes admin can take manual steps to correct the error. Users are encouraged to ensure they are monitoring for the taint, and should consider automatically terminating instances in this state.
In addition, support for NVMe disks has been added to Kubernetes, and a service of type LoadBalancer can now be backed with an NLB instead of an ELB (alpha).
SIG Azure worked on improvements in the cloud provider, including significant work on the Azure Load Balancer implementation.
SIG Cluster Lifecycle has been focusing on improving kubeadm in order to bring it to GA in a future release, as well as developing the Cluster API. For kubeadm, most new features, such as support for CoreDNS, IPv6 and Dynamic Kubelet Configuration, have gone in as alpha features. We expect to graduate these features to beta and beyond in the next release. The initial Cluster API spec and GCE sample implementation were developed from scratch during this cycle, and we look forward to stabilizing them into something production-grade during 2018.
In v1.9 we focused on improving stability of the components owned by the SIG, including Heapster, Custom Metrics API adapters for Prometheus, and Stackdriver.
In v1.9 SIG Network has implemented alpha support for IPv6, and alpha support for CoreDNS as a drop-in replacement for kube-dns. Additionally, SIG Network has begun the deprecation process for the extensions/v1beta1 NetworkPolicy API in favor of the networking.k8s.io/v1 equivalent.
SIG Node iterated on the ability to support more workloads with better performance and improved reliability. Alpha features were improved around hardware accelerator support, device plugins enablement, and cpu pinning policies to enable us to graduate these features to beta in a future release. In addition, a number of reliability and performance enhancements were made across the node to help operators in production.
In this cycle, SIG OpenStack focused on configuration simplification through smarter defaults and the use of auto-detection wherever feasible (Block Storage API versions, Security Groups) as well as updating API support, including:
- Block Storage (Cinder) V3 is now supported.
- Load Balancer (Octavia) V2 is now supported, in addition to Neutron LBaaS V2.
- Neutron LBaas V1 support has been removed.
This work enables Kubernetes to take full advantage of the relevant services as exposed by OpenStack clouds. Refer to the Cloud Providers documentation for more information.
SIG Storage is responsible for storage and volume plugin components.
For the 1.9 release, SIG Storage made Kubernetes more pluggable and modular by introducing an alpha implementation of the Container Storage Interface (CSI). CSI will make installing new volume plugins as easy as deploying a pod, and enable third-party storage providers to develop their plugins without the need to add code to the core Kubernetes codebase.
The SIG also focused on adding functionality to the Kubernetes volume subsystem, such as alpha support for exposing volumes as block devices inside containers, extending the alpha volume-resizing support to more volume plugins, and topology-aware volume scheduling.
We are advancing support for Windows Server and Windows Server Containers to beta along with continued feature and functional advancements on both the Kubernetes and Windows platforms. This opens the door for many Windows-specific applications and workloads to run on Kubernetes, significantly expanding the implementation scenarios and the enterprise reach of Kubernetes.
Consider the following changes, limitations, and guidelines before you upgrade:
- The admission API, which is used when the API server calls admission control webhooks, is moved from
admission.v1alpha1
toadmission.v1beta1
. You must delete any existing webhooks before you upgrade your cluster, and update them to use the latest API. This change is not backward compatible. - The admission webhook configurations API, part of the admissionregistration API, is now at v1beta1. Delete any existing webhook configurations before you upgrade, and update your configuration files to use the latest API. For this and the previous change, see also the documentation.
- A new
ValidatingAdmissionWebhook
is added (replacingGenericAdmissionWebhook
) and is available in the generic API server. You must update your API server configuration file to pass the webhook to the--admission-control
flag. (#55988, @caesarxuchao) (#54513, @deads2k) - The deprecated options
--portal-net
and--service-node-ports
for the API server are removed. (#52547, @xiangpengzhao)
- PodSecurityPolicy: A compatibility issue with the allowPrivilegeEscalation field that caused policies to start denying pods they previously allowed was fixed. If you defined PodSecurityPolicy objects using a 1.8.0 client or server and set allowPrivilegeEscalation to false, these objects must be reapplied after you upgrade. (#53443, @liggitt)
- KMS: Alpha integration with GCP KMS was removed in favor of a future out-of-process extension point. Discontinue use of the GCP KMS integration and ensure data has been decrypted (or reencrypted with a different provider) before upgrading (#54759, @sakshamsharma)
- Swagger 1.2 validation is removed for kubectl. The options
--use-openapi
and--schema-cache-dir
are also removed because they are no longer needed. (#53232, @apelisse)
- You must either specify the
--discovery-token-ca-cert-hash
flag tokubeadm join
, or opt out of the CA pinning feature using--discovery-token-unsafe-skip-ca-verification
. - The default
auto-detect
behavior of the kubelet's--cloud-provider
flag is removed.- You can manually set
--cloud-provider=auto-detect
, but be aware that this behavior will be removed completely in a future version. - Best practice for version 1.9 and future versions is to explicitly set a cloud-provider. See the documentation
- You can manually set
- The kubeadm
--skip-preflight-checks
flag is now deprecated and will be removed in a future release. - If you are using the cloud provider API to determine the external host address of the apiserver, set
--external-hostname
explicitly instead. The cloud provider detection has been deprecated and will be removed in the future (#54516, @dims)
- Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. Impact:
- The kubelet
--network-plugin-dir
flag is removed. This flag was deprecated in version 1.7, and is replaced with--cni-bin-dir
. (#53564, @supereagle) - kubelet's
--cloud-provider
flag no longer defaults to "auto-detect". If you want cloud-provider support in kubelet, you must set a specific cloud-provider explicitly. (#53573, @dims)
- NetworkPolicy objects are now stored in etcd in v1 format. After you upgrade to version 1.9, make sure that all NetworkPolicy objects are migrated to v1. (#51955, @danwinship)
- The API group/version for the kube-proxy configuration has changed from
componentconfig/v1alpha1
tokubeproxy.config.k8s.io/v1alpha1
. If you are using a config file for kube-proxy instead of the command line flags, you must change its apiVersion tokubeproxy.config.k8s.io/v1alpha1
. (#53645, @xiangpengzhao) - The "ServiceNodeExclusion" feature gate must now be enabled for the
alpha.service-controller.kubernetes.io/exclude-balancer
annotation on nodes to be honored. (#54644, @brendandburns)
- Taint key
unreachable
is now in GA. - Taint key
notReady
is changed tonot-ready
, and is also now in GA. - These changes are automatically updated for taints. Tolerations for these taints must be updated manually. Specifically, you must:
- Change
node.alpha.kubernetes.io/notReady
tonode.kubernetes.io/not-ready
- Change
node.alpha.kubernetes.io/unreachable
tonode.kubernetes.io/unreachable
- Change
- The
node.kubernetes.io/memory-pressure
taint now respects the configured whitelist. To use it, you must add it to the whitelist.(#55251, @deads2k) - Refactor kube-scheduler configuration (#52428)
- The kube-scheduler command now supports a --config flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
- Opaque integer resources (OIR), which were (deprecated in v1.8.), have been removed. (#55103, @ConnorDoyle)
- [alpha] The LocalPersistentVolumes alpha feature now also requires the VolumeScheduling alpha feature. This is a breaking change, and the following changes are required:
- The VolumeScheduling feature gate must also be enabled on kube-scheduler and kube-controller-manager components.
- The NoVolumeNodeConflict predicate has been removed. For non-default schedulers, update your scheduler policy.
- The CheckVolumeBinding predicate must be enabled in non-default schedulers. (#55039, @msau42)
- Remove the LbaasV1 of OpenStack cloud provider, currently only support LbaasV2. (#52717, @FengyunPan)
This section contains a list of known issues reported in Kubernetes 1.9 release. The content is populated from the [v1.9.x known issues and FAQ accumulator](https://github.com/kubernetes/kubernetes/issues/57159](https://github.com/kubernetes/kubernetes/issues/57159).
-
If you are adding Windows Server Virtual Machines as nodes to your Kubernetes environment, there is a compatibility issue with certain virtualization products. Specifically the Windows version of the kubelet.exe calls
GetPhysicallyInstalledSystemMemory
to get the physical memory installed on Windows machines and reports it as part of node metrics to heapster. This API call fails for VMware and VirtualBox virtualization environments. This issue is not present in bare metal Windows deployments, in Hyper-V, or on some of the popular public cloud providers. -
If you run
kubectl get po
while the API server in unreachable, a misleading error is returned:the server doesn't have a resource type "po"
. To work around this issue, specify the full resource name in the command instead of the abbreviation:kubectl get pods
. This issue will be fixed in a future release.
For more information, see #57198.
- Mutating and validating webhook configurations are continuously polled by the API server (once per second). This issue will be fixed in a future release.
For more information, see #56357.
- Audit logging is slow because writes to the log are performed synchronously with requests to the log. This issue will be fixed in a future release.
For more information, see #53006.
- Custom Resource Definitions (CRDs) are not properly deleted under certain conditions. This issue will be fixed in a future release.
For more information, see #56348.
- API server times out after performing a rolling update of the etcd cluster. This issue will be fixed in a future release.
For more information, see #47131
- If a namespaced resource is owned by a cluster scoped resource, and the namespaced dependent is processed before the cluster scoped owner has ever been observed by the garbage collector, the dependent will be erroneously deleted.
For more information, see #54940
This section provides an overview of deprecated API versions, options, flags, and arguments. Deprecated means that we intend to remove the capability from a future release. After removal, the capability will no longer work. The sections are organized by SIGs.
- The kube-apiserver
--etcd-quorum-read
flag is deprecated and the ability to switch off quorum read will be removed in a future release. (#53795, @xiangpengzhao) - The
/ui
redirect in kube-apiserver is deprecated and will be removed in Kubernetes 1.10. (#53046, @maciaszczykm) etcd2
as a backend is deprecated and support will be removed in Kubernetes 1.13 or 1.14.
- Default controller-manager options for
--cluster-signing-cert-file
and--cluster-signing-key-file
are deprecated and will be removed in a future release. (#54495, @mikedanese) - RBAC objects are now stored in etcd in v1 format. After upgrading to 1.9, ensure all RBAC objects (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings) are at v1. v1alpha1 support is deprecated and will be removed in a future release. (#52950, @liggitt)
- kube-apiserver:
--ssh-user
and--ssh-keyfile
are now deprecated and will be removed in a future release. Users of SSH tunnel functionality in Google Container Engine for the Master -> Cluster communication should plan alternate methods for bridging master and node networks. (#54433, @dims) - The kubeadm
--skip-preflight-checks
flag is now deprecated and will be removed in a future release. - If you are using the cloud provider API to determine the external host address of the apiserver, set
--external-hostname
explicitly instead. The cloud provider detection has been deprecated and will be removed in the future (#54516, @dims)
- The NetworkPolicy extensions/v1beta1 API is now deprecated and will be removed in a future release. This functionality has been migrated to a dedicated v1 API - networking.k8s.io/v1. v1beta1 Network Policies can be upgraded to the v1 API with the cluster/update-storage-objects.sh script. Documentation can be found here. (#56425, @cmluciano)
- The
volume.beta.kubernetes.io/storage-class
annotation is deprecated. It will be removed in a future release. For the StorageClass API object, use v1, and in place of the annotation usev1.PersistentVolumeClaim.Spec.StorageClassName
andv1.PersistentVolume.Spec.StorageClassName
instead. (#53580, @xiangpengzhao)
- The kube-scheduler command now supports a
--config
flag, which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
As announced with the release of version 1.8, the Kubernetes Workloads API is at v1 in version 1.9. This API consists of the DaemonSet, Deployment, ReplicaSet and StatefulSet kinds.
- Admission webhooks are now in beta, and include the following:
- Mutation support for admission webhooks. (#54892, @caesarxuchao)
- Webhook admission now takes a config file that describes how to authenticate to webhook servers (#54414, @deads2k)
- The dynamic admission webhook now supports a URL in addition to a service reference, to accommodate out-of-cluster webhooks. (#54889, @lavalamp)
- Added
namespaceSelector
toexternalAdmissionWebhook
configuration to allow applying webhooks only to objects in the namespaces that have matching labels. (#54727, @caesarxuchao)
- Metrics are added for monitoring admission plugins, including the new dynamic (webhook-based) ones. (#55183, @jpbetz)
- The PodSecurityPolicy annotation kubernetes.io/psp on pods is set only once on create. (#55486, @sttts)
- Fixed a bug related to discovery information for scale subresources in the apps API group (#54683, @liggitt)
- Fixed a bug that prevented client-go metrics from being registered in Prometheus. This bug affected multiple components. (#53434, @crassirostris)
- Fixed a bug so that
kube-apiserver
now waits for open connections to finish before exiting. This fix provides graceful shutdown and ensures that the audit backend no longer drops events on shutdown. (#53695, @hzxuzhonghu) - Webhooks now always retry sending if a connection reset error is returned. (#53947, @crassirostris)
- Validation of resources defined by a Custom Resource Definition (CRD) is now in beta (#54647, @colemickens)
- An example CRD controller has been added, at github.com/kubernetes/sample-controller. (#52753, @munnerz)
- Custom resources served by CustomResourceDefinition objects now support field selectors for
metadata.name
andmetadata.namespace
. Also fixed an issue with watching a single object; earlier versions could watch only a collection, and so a watch on an instance would fail. (#53345, @ncdc)
kube-apiserver
now runs with the default value forservice-cluster-ip-range
(#52870, @jennybuckley)- Add
--etcd-compaction-interval
to apiserver for controlling request of compaction to etcd3 from apiserver. (#51765, @mitake) - The httpstream/spdy calls now support CIDR notation for NO_PROXY (#54413, @kad)
- Code generation for CRD and User API server types is improved with the addition of two new scripts to k8s.io/code-generator:
generate-groups.sh
andgenerate-internal-groups.sh
. (#52186, @sttts) - [beta] Flag
--chunk-size={SIZE}
is added tokubectl get
to customize the number of results returned in large lists of resources. This reduces the perceived latency of managing large clusters because the server returns the first set of results to the client much more quickly. Pass 0 to disable this feature.(#53768, @smarterclayton) - [beta] API chunking via the limit and continue request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton)
- The
--etcd-quorum-read
flag now defaults to true to ensure correct operation with HA etcd clusters. This flag is deprecated and the flag will be removed in future versions, as well as the ability to turn off this functionality. (#53717, @liggitt) - Add events.k8s.io api group with v1beta1 API containing redesigned event type. (#49112, @gmarek)
- Fixed a bug where API discovery failures were crashing the kube controller manager via the garbage collector. (#55259, @ironcladlou)
conversion-gen
is now usable in a context without a vendored k8s.io/kubernetes. The Kubernetes core API is removed fromdefault extra-peer-dirs
. (#54394, @sttts)- Fixed a bug where the
client-gen
tag for code-generator required a newline between a comment block and a statement. tag shortcomings when newline is omitted (#53893) (#55233, @sttts) - The Apiserver proxy now rewrites the URL when a service returns an absolute path with the request's host. (#52556, @roycaihw)
- The gRPC library is updated to pick up data race fix (#53124) (#53128, @dixudx)
- Fixed server name verification of aggregated API servers and webhook admission endpoints (#56415, @liggitt)
- The
kubernetes.io/created-by
annotation is no longer added to controller-created objects. Use themetadata.ownerReferences
item with controller set totrue
to determine which controller, if any, owns an object. (#54445, @crimsonfaith91) - StatefulSet controller now creates a label for each Pod in a StatefulSet. The label is
statefulset.kubernetes.io/pod-name
, wherepod-name
= the name of the Pod. This allows users to create a Service per Pod to expose a connection to individual Pods. (#55329, @kow3ns) - DaemonSet status includes a new field named
conditions
, making it consistent with other workloads controllers. (#55272, @janetkuo) - StatefulSet status now supports conditions, making it consistent with other core controllers in v1 (#55268, @foxish)
- The default garbage collection policy for Deployment, DaemonSet, StatefulSet, and ReplicaSet has changed from OrphanDependents to DeleteDependents when the deletion is requested through an
apps/v1
endpoint. (#55148, @dixudx)- Clients using older endpoints will be unaffected. This change is only at the REST API level and is independent of the default behavior of particular clients (e.g. this does not affect the default for the kubectl
--cascade
flag). - If you upgrade your client-go libs and use the
AppsV1()
interface, please note that the default garbage collection behavior is changed.
- Clients using older endpoints will be unaffected. This change is only at the REST API level and is independent of the default behavior of particular clients (e.g. this does not affect the default for the kubectl
- RequestReceivedTimestamp and StageTimestamp are added to audit events (#52981, @CaoShuFeng)
- Advanced audit policy now supports a policy wide omitStage (#54634, @CaoShuFeng)
- New permissions have been added to default RBAC roles (#52654, @liggitt):
- The default admin and edit roles now include read/write permissions
- The view role includes read permissions on poddisruptionbudget.policy resources.
- RBAC rules can now match the same subresource on any resource using the form
*/(subresource)
. For example,*/scale
matches requests toreplicationcontroller/scale
. (#53722, @deads2k) - The RBAC bootstrapping policy now allows authenticated users to create selfsubjectrulesreviews. (#56095, @ericchiang)
- RBAC ClusterRoles can now select other roles to aggregate. (#54005, @deads2k)
- Fixed an issue with RBAC reconciliation that caused duplicated subjects in some bootstrapped RoleBinding objects on each restart of the API server. (#53239, @enj)
- Pod Security Policy can now manage access to specific FlexVolume drivers (#53179, @wanghaoran1988)
- Audit policy files without apiVersion and kind are treated as invalid. (#54267, @ericchiang)
- Fixed a bug that where forbidden errors were encountered when accessing ReplicaSet and DaemonSets objects via the apps API group. (#54309, @liggitt)
- Improved PodSecurityPolicy admission latency. (#55643, @tallclair)
- kube-apiserver:
--oidc-username-prefix
and--oidc-group-prefix
flags are now correctly enabled. (#56175, @ericchiang) - If multiple PodSecurityPolicy objects allow a submitted pod, priority is given to policies that do not require default values for any fields in the pod spec. If default values are required, the first policy ordered by name that allows the pod is used. (#52849, @liggitt)
- A new controller automatically cleans up Certificate Signing Requests that are Approved and Issued, or Denied. (#51840, @jcbsmpsn)
- PodSecurityPolicies have been added for all in-tree cluster addons (#55509, @tallclair)
- Added support for PodSecurityPolicy on GCE:
ENABLE_POD_SECURITY_POLICY=true
enables the admission controller, and installs policies for default addons. (#52367, @tallclair)
- HorizontalPodAutoscaler objects now properly functions on scalable resources in any API group. Fixed by adding a polymorphic scale client. (#53743, @DirectXMan12)
- Fixed a set of minor issues with Cluster Autoscaler 1.0.1 (#54298, @mwielgus)
- HPA tolerance is now configurable by setting the
horizontal-pod-autoscaler-tolerance
flag. (#52275, @mattjmcnaughton) - Fixed a bug that allowed the horizontal pod autoscaler to allocate more
desiredReplica
objects thanmaxReplica
objects in certain instances. (#53690, @mattjmcnaughton)
- Nodes can now use instance types (such as C5) that use NVMe. (#56607, @justinsb)
- Nodes are now unreachable if volumes are stuck in the attaching state. Implemented by applying a taint to the node. (#55558, @gnufied)
- Volumes are now checked for available state before attempting to attach or delete a volume in EBS. (#55008, @gnufied)
- Fixed a bug where error log messages were breaking into two lines. (#49826, @dixudx)
- Fixed a bug so that volumes are now detached from stopped nodes. (#55893, @gnufied)
- You can now override the health check parameters for AWS ELBs by specifying annotations on the corresponding service. The new annotations are:
healthy-threshold
,unhealthy-threshold
,timeout
,interval
. The prefix for all annotations isservice.beta.kubernetes.io/aws-load-balancer-healthcheck-
. (#56024, @dimpavloff) - Fixed a bug so that AWS ECR credentials are now supported in the China region. (#50108, @zzq889)
- Added Amazon NLB support (#53400, @micahhausler)
- Additional annotations are now properly set or updated for AWS load balancers (#55731, @georgebuckerfield)
- AWS SDK is updated to version 1.12.7 (#53561, @justinsb)
- Fixed several issues with properly provisioning Azure disk storage (#55927, @andyzhangx)
- A new service annotation
service.beta.kubernetes.io/azure-dns-label-name
now sets the Azure DNS label for a public IP address. (#47849, @tomerf) - Support for GetMountRefs function added; warning messages no longer displayed. (#54670, #52401, @andyzhangx)
- Fixed an issue where an Azure PersistentVolume object would crash because the value of
volumeSource.ReadOnly
was set to nil. (#54607, @andyzhangx) - Fixed an issue with Azure disk mount failures on CoreOS and some other distros (#54334, @andyzhangx)
- GRS, RAGRS storage account types are now supported for Azure disks. (#55931, @andyzhangx)
- Azure NSG rules are now restricted so that external access is allowed only to the load balancer IP. (#54177, @itowlson)
- Azure NSG rules can be consolidated to reduce the likelihood of hitting Azure resource limits (available only in regions where the Augmented Security Groups preview is available). (#55740, @itowlson)
- The Azure SDK is upgraded to v11.1.1. (#54971, @itowlson)
- You can now create Windows mount paths (#51240, @andyzhangx)
- Fixed a controller manager crash issue on a manually created k8s cluster. (#53694, @andyzhangx)
- Azure-based clusters now support unlimited mount points. (#54668) (#53629, @andyzhangx)
- Load balancer reconciliation now considers NSG rules based not only on Name, but also on Protocol, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix, Access, and Direction. This change makes it possible to update NSG rules under more conditions. (#55752, @kevinkim9264)
- Custom mountOptions for the azurefile StorageClass object are now respected. Specifically,
dir_mode
andfile_mode
can now be customized. (#54674, @andyzhangx) - Azure Load Balancer Auto Mode: Services can be annotated to allow auto selection of available load balancers and to provide specific availability sets that host the load balancers (for example,
service.beta.kubernetes.io/azure-load-balancer-mode=auto|as1,as2...
)
kubectl cp
can now copy a remote file into a local directory. (#46762, @bruceauyeung)kubectl cp
now honors destination names for directories. A complete directory is now copied; in previous versions only the file contents were copied. (#51215, @juanvallejo)- You can now use
kubectl get
with a fieldSelector. (#50140, @dixudx) - Secret data containing Docker registry auth objects is now generated using the config.json format (#53916, @juanvallejo)
kubectl apply
now calculates the diff between the current and new configurations based on the OpenAPI spec. If the OpenAPI spec is not available, it falls back to baked-in types. (#51321, @mengqiy)kubectl explain
now explainsapiservices
andcustomresourcedefinition
. (Updated to use OpenAPI instead of Swagger 1.2.) (#53228, @apelisse)kubectl get
now uses OpenAPI schema extensions by default to select columns for custom types. (#53483, @apelisse)- kubectl
top node
now sorts by name andtop pod
sorts by namespace. Fixed a bug where results were inconsistently sorted. (#53560, @dixudx) - Added --dry-run option to kubectl drain. (#52440, @juanvallejo)
- Kubectl now outputs for columns specified by -o custom-columns but not found in object, rather than "xxx is not found" (#51750, @jianhuiz)
kubectl create pdb
no longer sets the min-available field by default. (#53047, @yuexiao-wang)- The canonical pronunciation of kubectl is "cube control".
- Added --raw to kubectl create to POST using the normal transport. (#54245, @deads2k)
- Added kubectl
create priorityclass
subcommand (#54858, @wackxu) - Fixed an issue where
kubectl set
commands occasionally encountered conversion errors for ReplicaSet and DaemonSet objects (#53158, @liggitt)
- [alpha] Added an
--endpoint-reconciler-type
command-line argument to select the endpoint reconciler to use. The default is to use the 'master-count' reconciler which is the default for 1.9 and in use prior to 1.9. The 'lease' reconciler stores endpoints within the storage api for better cleanup of deleted (or removed) API servers. The 'none' reconciler is a no-op reconciler, which can be used in self-hosted environments. (#51698, @rphillips)
- Added
cloud-controller-manager
tohyperkube
. This is useful as a number of deployment tools run all of the kubernetes components from thehyperkube
image/binary. It also makes testing easier as a single binary/image can be built and pushed quickly. (#54197, @colemickens) - Added the concurrent service sync flag to the Cloud Controller Manager to allow changing the number of workers. (
--concurrent-service-syncs
) (#55561, @jhorwit2) - kubelet's --cloud-provider flag no longer defaults to "auto-detect". If you want cloud-provider support in kubelet, you must set a specific cloud-provider explicitly. (#53573, @dims)
- kubeadm health checks can now be skipped with
--ignore-preflight-errors
; the--skip-preflight-checks
flag is now deprecated and will be removed in a future release. (#56130, @anguslees) (#56072, @kad) - You now have the option to use CoreDNS instead of KubeDNS. To install CoreDNS instead of kube-dns, set CLUSTER_DNS_CORE_DNS to 'true'. This support is experimental. (#52501, @rajansandeep) (#55728, @rajansandeep)
- Added --print-join-command flag for kubeadm token create. (#56185, @mattmoyer)
- Added a new --etcd-upgrade keyword to kubeadm upgrade apply. When this keyword is specified, etcd's static pod gets upgraded to the etcd version officially recommended for a target kubernetes release. (#55010, @sbezverk)
- Kubeadm now supports Kubelet Dynamic Configuration on an alpha level. (#55803, @xiangpengzhao)
- Added support for adding a Windows node (#53553, @bsteciuk)
- Added support for SAN entries in the master node certificate. (#54234, @hyperbolic2346)
- Add extra-args configs for scheduler and controller-manager to kubernetes-master charm (#55185, @Cynerva)
- Add support for RBAC (#53820, @ktsakalozos)
- Fixed iptables FORWARD policy for Docker 1.13 in kubernetes-worker charm (#54796, @Cynerva)
- Upgrading the kubernetes-master units now results in staged upgrades just like the kubernetes-worker nodes. Use the upgrade action in order to continue the upgrade process on each unit such as juju run-action kubernetes-master/0 upgrade (#55990, @hyperbolic2346)
- Added extra_sans config option to kubeapi-load-balancer charm. This allows the user to specify extra SAN entries on the certificate generated for the load balancer. (#54947, @hyperbolic2346)
- Added extra-args configs to kubernetes-worker charm (#55334, @Cynerva)
- Base images have been bumped to Debian Stretch (9) (#52744, @rphillips)
- Upgraded to go1.9. (#51375, @cblecker)
- Add-on manager now supports HA masters. (#55466, #55782, @x13n)
- Hyperkube can now run from a non-standard path. (#54570)
- The service account made available on your nodes is now configurable. (#52868, @ihmccreery)
- GCE nodes with NVIDIA GPUs attached now expose nvidia.com/gpu as a resource instead of alpha.kubernetes.io/nvidia-gpu. (#54826, @mindprince)
- Docker's live-restore on COS/ubuntu can now be disabled (#55260, @yujuhong)
- Metadata concealment is now controlled by the ENABLE_METADATA_CONCEALMENT env var. See cluster/gce/config-default.sh for more info. (#54150, @ihmccreery)
- Masquerading rules are now added by default to GCE/GKE (#55178, @dnardo)
- Fixed master startup issues with concurrent iptables invocations. (#55945, @x13n)
- Fixed issue deleting internal load balancers when the firewall resource may not exist. (#53450, @nicksardo)
- Adjust batching audit webhook default parameters: increase queue size, batch size, and initial backoff. Add throttling to the batching audit webhook. Default rate limit is 10 QPS. (#53417, @crassirostris)
- These parameters are also now configurable. (#56638, @crassirostris)
- Fix a typo in prometheus-to-sd configuration, that drops some stackdriver metrics. (#56473, @loburm)
- [fluentd-elasticsearch addon] Elasticsearch and Kibana are updated to version 5.6.4 (#55400, @mrahbar)
- fluentd now supports CRI log format. (#54777, @Random-Liu)
- Bring all prom-to-sd container to the same image version (#54583)
- [fluentd-elasticsearch addon] Elasticsearch service name can be overridden via env variable ELASTICSEARCH_SERVICE_NAME (#54215, @mrahbar)
- Kubefed init now supports --imagePullSecrets and --imagePullPolicy, making it possible to use private registries. (#50740, @dixudx)
- Updated cluster printer to enable --show-labels (#53771, @dixudx)
- Kubefed init now supports --nodeSelector, enabling you to determine on what node the controller will be installed. (#50749, @dixudx)
- [alpha] IPv6 support has been added. Notable IPv6 support details include:
- Support for IPv6-only Kubernetes cluster deployments. Note: This feature does not provide dual-stack support.
- Support for IPv6 Kubernetes control and data planes.
- Support for Kubernetes IPv6 cluster deployments using kubeadm.
- Support for the iptables kube-proxy backend using ip6tables.
- Relies on CNI 0.6.0 binaries for IPv6 pod networking.
- Adds IPv6 support for kube-dns using SRV records.
- Caveats
- Only the CNI bridge and local-ipam plugins have been tested for the alpha release, although other CNI plugins do support IPv6.
- HostPorts are not supported.
- An IPv6 network mask for pod or cluster cidr network must be /66 or longer. For example: 2001:db1::/66, 2001:dead:beef::/76, 2001:cafe::/118 are supported. 2001:db1::/64 is not supported
- For details, see the complete list of merged pull requests for IPv6 support.
- You can now use the --cleanup-ipvs flag to tell kube-proxy whether to flush all existing ipvs rules in on startup (#56036, @m1093782566)
- Graduate kube-proxy IPVS mode to beta. (#56623, @m1093782566)
- Added iptables rules to allow Pod traffic even when default iptables policy is to reject. (#52569, @tmjd)
- You can once again use 0 values for conntrack min, max, max per core, tcp close wait timeout, and tcp established timeout; this functionality was broken in 1.8. (#55261, @ncdc)
- You now have the option to use CoreDNS instead of KubeDNS. To install CoreDNS instead of kube-dns, set CLUSTER_DNS_CORE_DNS to 'true'. This support is experimental. (#52501, @rajansandeep) (#55728, @rajansandeep)
- Pod addresses will now be removed from the list of endpoints when the pod is in graceful termination. (#54828, @freehan)
- You can now use a new supported service annotation for AWS clusters,
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy
, which lets you specify which predefined AWS SSL policy you would like to use. (#54507, @micahhausler) - Termination grace period for the calico/node add-on DaemonSet has been eliminated, reducing downtime during a rolling upgrade or deletion. (#55015, @fasaxc)
- Fixed bad conversion in host port chain name generating func which led to some unreachable host ports. (#55153, @chenchun)
- Fixed IPVS availability check (#51874, @vfreex)
- The output for kubectl describe networkpolicy * has been enhanced to be more useful. (#46951, @aanm)
- Kernel modules are now loaded automatically inside a kube-proxy pod (#52003, @vfreex)
- Improve resilience by annotating kube-dns addon with podAntiAffinity to prefer scheduling on different nodes. (#52193, @StevenACoffman)
- [alpha] Added DNSConfig field to PodSpec. "None" mode for DNSPolicy is now supported. (#55848, @MrHohn)
- You can now add "options" to the host's /etc/resolv.conf (or --resolv-conf), and they will be copied into pod's resolv.conf when dnsPolicy is Default. Being able to customize options is important because it is common to leverage options to fine-tune the behavior of DNS client. (#54773, @phsiao)
- Fixed a bug so that the service controller no longer retries if doNotRetry service update fails. (#54184, @MrHohn)
- Added --no-negcache flag to kube-dns to prevent caching of NXDOMAIN responses. (#53604, @cblecker)
- A single value in metadata.annotations/metadata.labels can now be passed into the containers via the Downward API. (#55902, @yguo0905)
- Pods will no longer briefly transition to a "Pending" state during the deletion process. (#54593, @dashpole)
- Added pod-level local ephemeral storage metric to the Summary API. Pod-level ephemeral storage reports the total filesystem usage for the containers and emptyDir volumes in the measured Pod. (#55447, @jingxu97)
- Kubelet now exposes metrics for NVIDIA GPUs attached to the containers. (#55188, @mindprince)
- The device plugin Alpha API no longer supports returning artifacts per device as part of AllocateResponse. (#53031, @vishh)
- Fix to ignore extended resources that are not registered with kubelet during container resource allocation. (#53547, @jiayingz)
- [alpha] cri-tools: CLI and validation tools for CRI is now v1.0.0-alpha.0. This release mainly focuses on UX improvements. [@feiskyer]
- Make crictl command more user friendly and add more subcommands.
- Integrate with CRI verbose option to provide extra debug information.
- Update CRI to kubernetes v1.9.
- Bug fixes in validation test suites.
- [beta] cri-containerd: CRI implementation for containerd is now v1.0.0-beta.0, [@Random-Liu]
- This release supports Kubernetes 1.9+ and containerd v1.0.0+.
- Pass all Kubernetes 1.9 e2e test, node e2e test and CRI validation tests.
- Kube-up.sh integration.
- Full crictl integration including CRI verbose option.
- Integration with cadvisor to provide better summary api support.
- [stable] cri-o: CRI implementation for OCI-based runtimes is now v1.9. [@mrunalp]
- Pass all the Kubernetes 1.9 end-to-end test suites and now gating PRs as well
- Pass all the CRI validation tests
- Release has been focused on bug fixes, stability and performance with runc and Clear Containers
- Minikube integration
- [stable] frakti: CRI implementation for hypervisor-based runtimes is now v1.9. [@resouer]
- Added ARM64 release. Upgraded to CNI 0.6.0, added block device as Pod volume mode. Fixed CNI plugin compatibility.
- Passed all CRI validation conformance tests and node end-to-end conformance tests.
- [alpha] rktlet: CRI implementation for the rkt runtime is now v0.1.0. [@iaguis]
- This is the first release of rktlet and it implements support for the CRI including fetching images, running pods, CNI networking, logging and exec. This release passes 129/145 Kubernetes e2e conformance tests.
- Container Runtime Interface API change. [@yujuhong]
- A new field is added to CRI container log format to support splitting a long log line into multiple lines. (#55922, @Random-Liu)
- CRI now supports debugging via a verbose option for status functions. (#53965, @Random-Liu)
- Kubelet can now provide full summary api support for the CRI container runtime, with the exception of container log stats. (#55810, @abhi)
- CRI now uses the correct localhost seccomp path when provided with input in the format of localhost//profileRoot/profileName. (#55450, @feiskyer)
- The EvictionHard, EvictionSoft, EvictionSoftGracePeriod, EvictionMinimumReclaim, SystemReserved, and KubeReserved fields in the KubeletConfiguration object (
kubeletconfig/v1alpha1
) are now of type map[string]string, which facilitates writing JSON and YAML files. (#54823, @mtaufen) - Relative paths in the Kubelet's local config files (
--init-config-dir
) will now be resolved relative to the location of the containing files. (#55648, @mtaufen) - It is now possible to set multiple manifest URL headers with the kubelet's
--manifest-url-header
flag. Multiple headers for the same key will be added in the order provided. The ManifestURLHeader field in KubeletConfiguration object (kubeletconfig/v1alpha1) is now a map[string][]string, which facilitates writing JSON and YAML files. (#54643, @mtaufen) - The Kubelet's feature gates are now specified as a map when provided via a JSON or YAML KubeletConfiguration, rather than as a string of key-value pairs, making them less awkward for users. (#53025, @mtaufen)
- Fixed a performance issue (#51899) identified in large-scale clusters when deleting thousands of pods simultaneously across hundreds of nodes, by actively removing containers of deleted pods, rather than waiting for periodic garbage collection and batching resulting pod API deletion requests. (#53233, @dashpole)
- Problems deleting local static pods have been resolved. (#48339, @dixudx)
- CRI now only calls UpdateContainerResources when cpuset is set. (#53122, @resouer)
- Containerd monitoring is now supported. (#56109, @dashpole)
- deviceplugin has been extended to more gracefully handle the full device plugin lifecycle, including: (#55088, @jiayingz)
- Kubelet now uses an explicit cm.GetDevicePluginResourceCapacity() function that makes it possible to more accurately determine what resources are inactive and return a more accurate view of available resources.
- Extends the device plugin checkpoint data to record registered resources so that we can finish resource removing devices even upon kubelet restarts.
- Passes sourcesReady from kubelet to the device plugin to avoid removing inactive pods during the grace period of kubelet restart.
- Extends the gpu_device_plugin e2e_node test to verify that scheduled pods can continue to run even after a device plugin deletion and kubelet restart.
- The NodeController no longer supports kubelet 1.2. (#48996, @k82cn)
- Kubelet now provides more specific events via FailedSync when unable to sync a pod. (#53857, @derekwaynecarr)
- You can now disable AppArmor by setting the AppArmor profile to unconfined. (#52395, @dixudx)
- ImageGCManage now consumes ImageFS stats from StatsProvider rather than cadvisor. (#53094, @yguo0905)
- Hyperkube now supports the support --experimental-dockershim kubelet flag. (#54508, @ivan4th)
- Kubelet no longer removes default labels from Node API objects on startup (#54073, @liggitt)
- The overlay2 container disk metrics for Docker and CRI-O now work properly. (#54827, @dashpole)
- Removed docker dependency during kubelet start up. (#54405, @resouer)
- Added Windows support to the system verification check. (#53730, @bsteciuk)
- Kubelet no longer removes unregistered extended resource capacities from node status; cluster admins will have to manually remove extended resources exposed via device plugins when they the remove plugins themselves. (#53353, @jiayingz)
- The stats summary network value now takes into account multiple network interfaces, and not just eth0. (#52144, @andyxning)
- Base images have been bumped to Debian Stretch (9). (#52744, @rphillips)
- OpenStack Cinder support has been improved:
- Cinder version detection now works properly. (#53115, @FengyunPan)
- The OpenStack cloud provider now supports Cinder v3 API. (#52910, @FengyunPan)
- Load balancing is now more flexible:
- The OpenStack LBaaS v2 Provider is now configurable. (#54176, @gonzolino)
- OpenStack Octavia v2 is now supported as a load balancer provider in addition to the existing support for the Neutron LBaaS V2 implementation. Neutron LBaaS V1 support has been removed. (#55393, @jamiehannaford)
- OpenStack security group support has been beefed up (#50836, @FengyunPan):
- Kubernetes will now automatically determine the security group for the node
- Nodes can now belong to multiple security groups
- Add ExtendedResourceToleration admission controller. This facilitates creation of dedicated nodes with extended resources. If operators want to create dedicated nodes with extended resources (such as GPUs, FPGAs, and so on), they are expected to taint the node with extended resource name as the key. This admission controller, if enabled, automatically adds tolerations for such taints to pods requesting extended resources, so users don't have to manually add these tolerations. (#55839, @mindprince)
- Scheduler cache ignores updates to an assumed pod if updates are limited to pod annotations. (#54008, @yguo0905)
- Issues with namespace deletion have been resolved. (#53720, @shyamjvs) (#53793, @wojtek-t)
- Pod preemption has been improved.
- Fixed 'Schedulercache is corrupted' error in kube-scheduler (#55262, @liggitt)
- The kube-scheduler command now supports a --config flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
- A new scheduling queue helps schedule the highest priority pending pod first. (#55109, @bsalamat)
- A Pod can now listen to the same port on multiple IP addresses. (#52421, @WIZARD-CXY)
- Object count quotas supported on all standard resources using count/. syntax (#54320, @derekwaynecarr)
- Apply algorithm in scheduler by feature gates. (#52723, @k82cn)
- A new priority function ResourceLimitsPriorityMap (disabled by default and behind alpha feature gate and not part of the scheduler's default priority functions list) that assigns a lowest possible score of 1 to a node that satisfies one or both of input pod's cpu and memory limits, mainly to break ties between nodes with same scores. (#55906, @aveshagarwal)
- Kubelet evictions now take pod priority into account (#53542, @dashpole)
- PodTolerationRestriction admisson plugin: if namespace level tolerations are empty, now they override cluster level tolerations. (#54812, @aveshagarwal)
- [stable]
PersistentVolume
andPersistentVolumeClaim
objects must now have a capacity greater than zero. - [stable] Mutation of
PersistentVolumeSource
after creation is no longer allowed - [alpha] Deletion of
PersistentVolumeClaim
objects that are in use by a pod no longer permitted (if alpha feature is enabled). - [alpha] Container Storage Interface
- New CSIVolumeSource enables Kubernetes to use external CSI drivers to provision, attach, and mount volumes.
- [alpha] Raw block volumes
- Support for surfacing volumes as raw block devices added to Kubernetes storage system.
- Only Fibre Channel volume plugin supports exposes this functionality, in this release.
- [alpha] Volume resizing
- Added file system resizing for the following volume plugins: GCE PD, Ceph RBD, AWS EBS, OpenStack Cinder
- [alpha] Topology Aware Volume Scheduling
- Improved volume scheduling for Local PersistentVolumes, by allowing the scheduler to make PersistentVolume binding decisions while respecting the Pod's scheduling requirements.
- Dynamic provisioning is not supported with this feature yet.
- [alpha] Containerized mount utilities
- Allow mount utilities, used to mount volumes, to run inside a container instead of on the host.
- Bug Fixes
- ScaleIO volume plugin is no longer dependent on the drv_cfg binary, so a Kubernetes cluster can easily run a containerized kubelet. (#54956, @vladimirvivien)
- AWS EBS Volumes are detached from stopped AWS nodes. (#55893, @gnufied)
- AWS EBS volumes are detached if attached to a different node than expected. (#55491, @gnufied)
- PV Recycle now works in environments that use architectures other than x86. (#53958, @dixudx)
- Pod Security Policy can now manage access to specific FlexVolume drivers.(#53179, @wanghaoran1988)
- To prevent unauthorized access to CHAP Secrets, you can now set the secretNamespace storage class parameters for the following volume types:
- In GCE multizonal clusters,
PersistentVolume
objects will no longer be dynamically provisioned in zones without nodes. (#52322, @davidz627) - Multi Attach PVC errors and events are now more useful and less noisy. (#53401, @gnufied)
- The compute-rw scope has been removed from GCE nodes (#53266, @mikedanese)
- Updated vSphere cloud provider to support k8s cluster spread across multiple vCenters (#55845, @rohitjogvmw)
- vSphere: Fix disk is not getting detached when PV is provisioned on clustered datastore. (#54438, @pshahzeb)
- If a non-absolute mountPath is passed to the kubelet, it must now be prefixed with the appropriate root path. (#55665, @brendandburns)
- The supported etcd server version is 3.1.10, as compared to 3.0.17 in v1.8 (#49393, @hongchaodeng)
- The validated docker versions are the same as for v1.8: 1.11.2 to 1.13.1 and 17.03.x
- The Go version was upgraded from go1.8.3 to go1.9.2 (#51375, @cblecker)
- The minimum supported go version bumps to 1.9.1. (#55301, @xiangpengzhao)
- Kubernetes has been upgraded to go1.9.2 (#55420, @cblecker)
- CNI was upgraded to v0.6.0 (#51250, @dixudx)
- The dashboard add-on has been updated to v1.8.0. (#53046, @maciaszczykm)
- Heapster has been updated to v1.5.0. (#57046, @piosz)
- Cluster Autoscaler has been updated to v1.1.0. (#56969, @mwielgus)
- Update kube-dns 1.14.7 (#54443, @bowei)
- Update influxdb to v1.3.3 and grafana to v4.4.3 (#53319, @kairen)
filename | sha256 hash |
---|---|
kubernetes.tar.gz | e5c88addf6aca01635f283021a72e05be99daf3e87fd3cda92477d0ed63c2d11 |
kubernetes-src.tar.gz | 2419a0ef3681460b64eefc083d07377786b308f6cc62d0618a5c74dfb4729b03 |
filename | sha256 hash |
---|---|
kubernetes-client-darwin-386.tar.gz | 68d971576c3e9a16fb736f06c07ce53b8371fc67c2f37fb60e9f3a366cd37a80 |
kubernetes-client-darwin-amd64.tar.gz | 36251b7b6043adb79706ac115181aa7ecf365ced9198a4c192f1fbc2817d030c |
kubernetes-client-linux-386.tar.gz | 585a3dd6a3440988bce3f83ea14fb9a0a18011bc62e28959301861faa06d6da9 |
kubernetes-client-linux-amd64.tar.gz | 169769d6030d8c1d9d9bc01408b62ea3275d4632a7de85392fc95a48feeba522 |
kubernetes-client-linux-arm64.tar.gz | 7841c2af49be9ae04cda305165b172021c0e72d809c2271d05061330c220256b |
kubernetes-client-linux-arm.tar.gz | 9ab32843cec68b036de83f54a68c2273a913be5180dc20b5cf1e084b314a9a2d |
kubernetes-client-linux-ppc64le.tar.gz | 5a2bb39b78ef381382f9b8aac17d5dbcbef08a80ad3518ff2cf6c65bd7a6d07d |
kubernetes-client-linux-s390x.tar.gz | ddf4b3780f5879b9fb9115353cc26234cfc3a6db63a3cd39122340189a4bf0ca |
kubernetes-client-windows-386.tar.gz | 5960a0a50c92a788e90eca9d85a1d12ff1d41264816b55b3a1a28ffd3f6acf93 |
kubernetes-client-windows-amd64.tar.gz | d85778ace9bf25f5d3626aef3a9419a2c4aaa3847d5e0c2bf34d4dd8ae6b5205 |
filename | sha256 hash |
---|---|
kubernetes-server-linux-amd64.tar.gz | 43e16b3d79c2805d712fd61ed6fd110d9db09a60d39584ef78c24821eb32b77a |
kubernetes-server-linux-arm64.tar.gz | 8580e454e6c467a30687ff5c85248919b3c0d2d0114e28cb3bf64d2e8998ff00 |
kubernetes-server-linux-arm.tar.gz | d2e767be85ebf7c6c537c8e796e8fe0ce8a3f2ca526984490646acd30bf5e6fc |
kubernetes-server-linux-ppc64le.tar.gz | 81dd9072e805c181b4db2dfd00fe2bdb43c00da9e07b50285bce703bfd0d75ba |
kubernetes-server-linux-s390x.tar.gz | f432c816c755d05e62cb5d5e8ac08dcb60d0df6d5121e1adaf42a32de65d6174 |
filename | sha256 hash |
---|---|
kubernetes-node-linux-amd64.tar.gz | 2bf2268735ca4ecbdca1a692b25329d6d9d4805963cbe0cfcbb92fc725c42481 |
kubernetes-node-linux-arm64.tar.gz | 3bb4a695fd2e4fca1c77283c1ad6c2914d12b33d9c5f64ac9c630a42d5e30ab2 |
kubernetes-node-linux-arm.tar.gz | 331c1efadf99dcb634c8da301349e3be63d27a5c5f06cc124b59fcc8b8a91cb0 |
kubernetes-node-linux-ppc64le.tar.gz | ab036fdb64ed4702d7dbbadddf77af90de35f73aa13854bb5accf82acc95c7e6 |
kubernetes-node-linux-s390x.tar.gz | 8257af566f98325549de320d2167c1f56fd137b6225c70f6c1e34507ba124a1f |
kubernetes-node-windows-amd64.tar.gz | 4146fcb5bb6bf3e04641b27e4aa8501649178716fa16bd9bcb7f1fe3449db7f2 |
- Add pvc as part of equivalence hash (#56577, @resouer)
- Fix port number and default Stackdriver Metadata Agent in daemon set configuration. (#56576, @kawych)
- Declare ipvs proxier beta (#56623, @m1093782566)
- Enable admissionregistration.k8s.io/v1beta1 by default in kube-apiserver. (#56687, @sttts)
- Support autoprobing floating-network-id for openstack cloud provider (#52013, @FengyunPan)
- Audit webhook batching parameters are now configurable via command-line flags in the apiserver. (#56638, @crassirostris)
- Update kubectl to the stable version (#54345, @zouyee)
- [scheduler] Fix issue new pod with affinity stuck at
creating
because node had been deleted but its pod still exists. (#53647, @wenlxie) - Updated Dashboard add-on to version 1.8.0: The Dashboard add-on now deploys with https enabled. The Dashboard can be accessed via kubectl proxy at http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/. The /ui redirect is deprecated and will be removed in 1.10. (#53046, @maciaszczykm)
- AWS: Detect EBS volumes mounted via NVME and mount them (#56607, @justinsb)
- fix CreateVolume func: use search mode instead (#54687, @andyzhangx)
- kubelet: fix bug where
runAsUser: MustRunAsNonRoot
strategy didn't reject a pod with a non-numericUSER
. (#56503, @php-coder) - kube-proxy addon tolerates all NoExecute and NoSchedule taints by default. (#56589, @mindprince)
- Do not do file system resize on read-only mounts (#56587, @gnufied)
- Mark v1beta1 NetworkPolicy types as deprecated (#56425, @cmluciano)
- Fix problem with /bin/bash ending up linked to dash (#55018, @dims)
- Modifying etcd recovery steps for the case of failed upgrade (#56500, @sbezverk)
filename | sha256 hash |
---|---|
kubernetes.tar.gz | ffdcf0f7cd972340bc666395d759fc18573a32775d38ed3f4fd99d4369e856e4 |
kubernetes-src.tar.gz | 09bee9a955987d53c7a65d2f1a3129854ca3a34f9fb38218f0c58f5bd603494a |
filename | sha256 hash |
---|---|
kubernetes-client-darwin-386.tar.gz | 9d54db976ca7a12e9208e5595b552b094e0cc532b49ba6e919d776e52e56f4a8 |
kubernetes-client-darwin-amd64.tar.gz | 0a22af2c6c84ff8b3022c0ecebf4ba3021048fceddf7375c87c13a83488ffe2c |
kubernetes-client-linux-386.tar.gz | 84bb638c8e61d7a7b415d49d76d166f3924052338c454d1ae57ae36eb37445c6 |
kubernetes-client-linux-amd64.tar.gz | 08b56240288d17f147485e79c5f6594391c5b46e26450d64e7510f65db1f9a79 |
kubernetes-client-linux-arm64.tar.gz | 7206573b131a8915d3bc14aa660fb44890ed79fdbd498bc8f9951c221aa12ea5 |
kubernetes-client-linux-arm.tar.gz | 7ad21796b0e0a9d247beb41d6b3a3d0aaa822b85adae4c90533ba0ef94c05b2e |
kubernetes-client-linux-ppc64le.tar.gz | 2076328ca0958a96c8f551b91a393aa2d6fc24bef92991a1a4d9fc8df52519a7 |
kubernetes-client-linux-s390x.tar.gz | 17ac0aba9a4e2003cb3d06bd631032b760d1a2d521c60a25dc26687aadb5ba14 |
kubernetes-client-windows-386.tar.gz | 3a2bebd4adb6e1bf2b30a8cedb7ec212fc43c4b02e26a0a60c3429e478a86073 |
kubernetes-client-windows-amd64.tar.gz | fcc852e97f0e64d1025344aefd042ceff05227bfded80142bfa99927de1a5f0e |
filename | sha256 hash |
---|---|
kubernetes-server-linux-amd64.tar.gz | 7ed2a789b86f258f1739cb165276150512a171a715da9372aeff000e946548fd |
kubernetes-server-linux-arm64.tar.gz | e4e04a33698ac665a3e61fd8d60d4010fec6b0e3b0627dee9a965c2c2a510e3a |
kubernetes-server-linux-arm.tar.gz | befce41457fc15c8fadf37ee5bf80b83405279c60665cfb9ecfc9f61fcd549c7 |
kubernetes-server-linux-ppc64le.tar.gz | e59e4fb84d6b890e9c6cb216ebb20546212e6c14feb077d9d0761c88e2685f4c |
kubernetes-server-linux-s390x.tar.gz | 0aa47d01907ea78b9a1a8001536d5091fca93409b81bac6eb3e90a4dff6c3faa |
filename | sha256 hash |
---|---|
kubernetes-node-linux-amd64.tar.gz | 107bfaf72b8b6d3b5c163e61ed169c89288958750636c16bc3d781cf94bf5f4c |
kubernetes-node-linux-arm64.tar.gz | 6bc58e913a2467548664ece743617a1e595f6223100a1bad27e9a90bdf2e2927 |
kubernetes-node-linux-arm.tar.gz | d4ff8f37d7c95f7ca3aca30fa3c191f2cc5e48f0159ac6a5395ec09092574baa |
kubernetes-node-linux-ppc64le.tar.gz | a88d65343ccb515c4eaab11352e69afee4a19c7fa345b08aaffa854b225cf305 |
kubernetes-node-linux-s390x.tar.gz | 16d6a67d18273460cab4c293a5b130d4827f41ee4bf5b79b07c60ef517f580cd |
kubernetes-node-windows-amd64.tar.gz | f086659462b6dcdd78abdf13bed339dd67c1111931bae962044aa4ae2396921d |
- Adds alpha support for volume scheduling, which allows the scheduler to make PersistentVolume binding decisions while respecting the Pod's scheduling requirements. Dynamic provisioning is not supported with this feature yet. (#55039, @msau42)
- Action required for existing users of the LocalPersistentVolumes alpha feature:
- The VolumeScheduling feature gate also has to be enabled on kube-scheduler and kube-controller-manager.
- The NoVolumeNodeConflict predicate has been removed. For non-default schedulers, update your scheduler policy.
- The CheckVolumeBinding predicate has to be enabled in non-default schedulers.
- Action required for existing users of the LocalPersistentVolumes alpha feature:
- Action required: (#56004, @caesarxuchao)
- The
admission/v1alpha1
API has graduated tov1beta1
. Please delete your existing webhooks before upgrading the cluster, and update your admission webhooks to use the latest API, because the API has backwards incompatible changes. - The webhook registration related part of the
admissionregistration
API has graduated tov1beta1
. Please delete your existing configurations before upgrading the cluster, and update your configuration file to use the latest API.
- The
- [action required] kubeadm join: Error out if CA pinning isn't used or opted out of (#55468, @yuexiao-wang)
* kubeadm now requires the user to specify either the
--discovery-token-ca-cert-hash
flag or the--discovery-token-unsafe-skip-ca-verification
flag.
- A new priority function
ResourceLimitsPriorityMap
(disabled by default and behind alpha feature gate and not part of the scheduler's default priority functions list) that assigns a lowest possible score of 1 to a node that satisfies one or both of input pod's cpu and memory limits, mainly to break ties between nodes with same scores. (#55906, @aveshagarwal) - AWS: Fix detaching volume from stopped nodes. (#55893, @gnufied)
- Fix stats summary network value when multiple network interfaces are available. (#52144, @andyxning)
- Fix a typo in prometheus-to-sd configuration, that drops some stackdriver metrics. (#56473, @loburm)
- Fixes server name verification of aggregated API servers and webhook admission endpoints (#56415, @liggitt)
- OpenStack cloud provider supports Cinder v3 API. (#52910, @FengyunPan)
- kube-up: Add optional addon CoreDNS. (#55728, @rajansandeep)
- Install CoreDNS instead of kube-dns by setting CLUSTER_DNS_CORE_DNS value to 'true'.
- kubeadm health checks can also be skipped with
--ignore-checks-errors
(#56130, @anguslees) - Adds kubeadm support for using ComponentConfig for the kube-proxy (#55972, @rpothier)
- Pod Security Policy can now manage access to specific FlexVolume drivers (#53179, @wanghaoran1988)
- PVC Finalizing Controller is introduced in order to prevent deletion of a PVC that is being used by a pod. (#55824, @pospispa)
- Kubelet can provide full summary api support except container log stats for CRI container runtime now. (#55810, @abhi)
- Add support for resizing EBS disks (#56118, @gnufied)
- Add PodDisruptionBudget support during pod preemption (#56178, @bsalamat)
- Fix CRI localhost seccomp path in format localhost//profileRoot/profileName. (#55450, @feiskyer)
- kubeadm: Add CoreDNS support for kubeadm "upgrade" and "alpha phases addons". (#55952, @rajansandeep)
- The default garbage collection policy for Deployment, DaemonSet, StatefulSet, and ReplicaSet has changed from OrphanDependents to DeleteDependents when the deletion is requested through an
apps/v1
endpoint. Clients using older endpoints will be unaffected. This change is only at the REST API level and is independent of the default behavior of particular clients (e.g. this does not affect the default for the kubectl--cascade
flag). (#55148, @dixudx)- If you upgrade your client-go libs and use the
AppsV1()
interface, please note that the default garbage collection behavior is changed.
- If you upgrade your client-go libs and use the
- Add resize support for ceph RBD (#52767, @NickrenREN)
- Expose single annotation/label via downward API (#55902, @yguo0905)
- kubeadm: added
--print-join-command
flag forkubeadm token create
. (#56185, @mattmoyer) - Implement kubelet side file system resizing. Also implement GCE PD resizing (#55815, @gnufied)
- Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies. (#55643, @tallclair)
- Add containerd monitoring support (#56109, @dashpole)
- Add pod-level CPU and memory stats from pod cgroup information (#55969, @jingxu97)
- kubectl apply use openapi to calculate diff be default. It will fall back to use baked-in types when openapi is not available. (#51321, @mengqiy)
- It is now possible to override the healthcheck parameters for AWS ELBs via annotations on the corresponding service. The new annotations are
healthy-threshold
,unhealthy-threshold
,timeout
,interval
(all prefixed withservice.beta.kubernetes.io/aws-load-balancer-healthcheck-
) (#56024, @dimpavloff) - Adding etcd version display to kubeadm upgrade plan subcommand (#56156, @sbezverk)
- [fluentd-gcp addon] Fixes fluentd deployment on GCP when custom resources are set. (#55950, @crassirostris)
- [fluentd-elasticsearch addon] Elasticsearch and Kibana are updated to version 5.6.4 (#55400, @mrahbar)
- install ipset in debian-iptables docker image (#56115, @m1093782566)
- Add cleanup-ipvs flag for kube-proxy (#56036, @m1093782566)
- Remove opaque integer resources (OIR) support (deprecated in v1.8.) (#55103, @ConnorDoyle)
- Implement volume resize for cinder (#51498, @NickrenREN)
- Block volumes Support: FC plugin update (#51493, @mtanino)
- kube-apiserver: fixed --oidc-username-prefix and --oidc-group-prefix flags which previously weren't correctly enabled (#56175, @ericchiang)
- New kubeadm flag
--ignore-preflight-errors
that enables to decrease severity of each individual error to warning. (#56072, @kad)- Old flag
--skip-preflight-checks
is marked as deprecated and acts as--ignore-preflight-errors=all
- Old flag
- Block volumes Support: CRI, volumemanager and operationexecutor changes (#51494, @mtanino)
- StatefulSet controller will create a label for each Pod in a StatefulSet. The label is named statefulset.kubernetes.io/pod-name and it is equal to the name of the Pod. This allows users to create a Service per Pod to expose a connection to individual Pods. (#55329, @kow3ns)
- Initial basic bootstrap-checkpoint support (#50984, @timothysc)
- Add DNSConfig field to PodSpec and support "None" mode for DNSPolicy (Alpha). (#55848, @MrHohn)
- Add pod-level local ephemeral storage metric in Summary API. Pod-level ephemeral storage reports the total filesystem usage for the containers and emptyDir volumes in the measured Pod. (#55447, @jingxu97)
- Kubernetes update Azure nsg rules based on not just difference in Name, but also in Protocol, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix, Access, and Direction. (#55752, @kevinkim9264)
- Add support to take nominated pods into account during scheduling to avoid starvation of higher priority pods. (#55933, @bsalamat)
- Add Amazon NLB support - Fixes #52173 (#53400, @micahhausler)
- Extends deviceplugin to gracefully handle full device plugin lifecycle. (#55088, @jiayingz)
- A new field is added to CRI container log format to support splitting a long log line into multiple lines. (#55922, @Random-Liu)
- [advanced audit]add a policy wide omitStage (#54634, @CaoShuFeng)
- Fix a bug in GCE multizonal clusters where PersistentVolumes were sometimes created in zones without nodes. (#52322, @davidz627)
- With this change (#55845, @rohitjogvmw)
-
- User should be able to create k8s cluster which spans across multiple ESXi clusters, datacenters or even vCenters.
-
- vSphere cloud provider (VCP) uses OS hostname and not vSphere Inventory VM Name.
- That means, now VCP can handle cases where user changes VM inventory name.
-
- VCP can handle cases where VM migrates to other ESXi cluster or datacenter or vCenter.
- The only requirement is the shared storage. VCP needs shared storage on all Node VMs.
-
- The RBAC bootstrapping policy now allows authenticated users to create selfsubjectrulesreviews. (#56095, @ericchiang)
- Defaulting of controller-manager options for --cluster-signing-cert-file and --cluster-signing-key-file is deprecated and will be removed in a later release. (#54495, @mikedanese)
- Add ExtendedResourceToleration admission controller. This facilitates creation of dedicated nodes with extended resources. If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to taint the node with extended resource name as the key. This admission controller, if enabled, automatically adds tolerations for such taints to pods requesting extended resources, so users don't have to manually add these tolerations. (#55839, @mindprince)
- Move unreachable taint key out of alpha. (#54208, @resouer)
- Please note the existing pods with the alpha toleration should be updated by user himself to tolerate the GA taint.
- add GRS, RAGRS storage account type support for azure disk (#55931, @andyzhangx)
- Upgrading the kubernetes-master units now results in staged upgrades just like the kubernetes-worker nodes. Use the upgrade action in order to continue the upgrade process on each unit such as
juju run-action kubernetes-master/0 upgrade
(#55990, @hyperbolic2346) - Using ipset doing SNAT and packet filtering in IPVS kube-proxy (#54219, @m1093782566)
- Add a new scheduling queue that helps schedule the highest priority pending pod first. (#55109, @bsalamat)
- Adds to kubeadm upgrade apply, a new --etcd-upgrade keyword. When this keyword is specified, etcd's static pod gets upgraded to the etcd version officially recommended for a target kubernetes release. (#55010, @sbezverk)
- Adding vishh as an reviewer/approver for hack directory (#54007, @vishh)
- The
GenericAdmissionWebhook
is renamed asValidatingAdmissionWebhook
. Please update you apiserver configuration file to use the new name to pass to the apiserver's--admission-control
flag. (#55988, @caesarxuchao) - iSCSI Persistent Volume Sources can now reference CHAP Secrets in namespaces other than the namespace of the bound Persistent Volume Claim (#51530, @rootfs)
- Bugfix: master startup script on GCP no longer fails randomly due to concurrent iptables invocations. (#55945, @x13n)
- fix azure disk storage account init issue (#55927, @andyzhangx)
- Allow code-generator tags in the 2nd closest comment block and directly above a statement. (#55233, @sttts)
- Ensure additional resource tags are set/updated AWS load balancers (#55731, @georgebuckerfield)
kubectl get
will now use OpenAPI schema extensions by default to select columns for custom types. (#53483, @apelisse)- AWS: Apply taint to a node if volumes being attached to it are stuck in attaching state (#55558, @gnufied)
- Kubeadm now supports for Kubelet Dynamic Configuration. (#55803, @xiangpengzhao)
- Added mutation supports to admission webhooks. (#54892, @caesarxuchao)
- Upgrade to go1.9.2 (#55420, @cblecker)
- If a non-absolute mountPath is passed to the kubelet, prefix it with the appropriate root path. (#55665, @brendandburns)
- action-required: please update your admission webhook to use the latest Admission API. (#55829, @cheftako)
admission/v1alpha1#AdmissionReview
now containsAdmissionRequest
andAdmissionResponse
.AdmissionResponse
includes aPatch
field to allow mutating webhooks to send json patch to the apiserver.
- support mount options in azure file (#54674, @andyzhangx)
- Support AWS ECR credentials in China (#50108, @zzq889)
- The EvictionHard, EvictionSoft, EvictionSoftGracePeriod, EvictionMinimumReclaim, SystemReserved, and KubeReserved fields in the KubeletConfiguration object (kubeletconfig/v1alpha1) are now of type map[string]string, which facilitates writing JSON and YAML files. (#54823, @mtaufen)
- Added service annotation for AWS ELB SSL policy (#54507, @micahhausler)
- Implement correction mechanism for dangling volumes attached for deleted pods (#55491, @gnufied)
- Promote validation for custom resources defined through CRD to beta (#54647, @colemickens)
- Octavia v2 now supported as a LB provider (#55393, @jamiehannaford)
- Kubelet now exposes metrics for NVIDIA GPUs attached to the containers. (#55188, @mindprince)
- Addon manager supports HA masters. (#55782, @x13n)
- Fix kubeadm reset crictl command (#55717, @runcom)
- Fix code-generators to produce correct code when GroupName, PackageName and/or GoName differ. (#55614, @sttts)
- Fixes bad conversion in host port chain name generating func which leads to some unreachable host ports. (#55153, @chenchun)
- Relative paths in the Kubelet's local config files (--init-config-dir) will be resolved relative to the location of the containing files. (#55648, @mtaufen)
- kubeadm: Fix a bug on some OSes where the kubelet tried to mount a volume path that is non-existent and on a read-only filesystem (#55320, @andrewrynhard)
- add hostIP and protocol to the original hostport predicates procedure in scheduler. (#52421, @WIZARD-CXY)
filename | sha256 hash |
---|---|
kubernetes.tar.gz | dce2a70ca51fb4f8979645330f36c346b9c02be0501708380ae50956485a53a4 |
kubernetes-src.tar.gz | 4a8c8eaf32c83968e18f75888ae0d432210262090893cad0a105eebab82b0302 |
filename | sha256 hash |
---|---|
kubernetes-client-darwin-386.tar.gz | 354d6c8d65e4248c3393a3789e9394b8c31c63da4c42f3da60c7b8bc4713ad51 |
kubernetes-client-darwin-amd64.tar.gz | 98c53e4108276535218f4c89c58974121cc28308cecf5bca676f68fa083a62c5 |
kubernetes-client-linux-386.tar.gz | c0dc219073dcae6fb654f33ca6d83faf5f37a2dcba3cc86b32ea5f9e18054faa |
kubernetes-client-linux-amd64.tar.gz | df68fc512d173d1914f7863303cc0a4335439eb76000fa5a6134d5c454f4ef31 |
kubernetes-client-linux-arm64.tar.gz | edbf086c5446a7b48bbf5ac0e65dacf472e7e2eb7ac434ffb4835b0c643363a4 |
kubernetes-client-linux-arm.tar.gz | 138b02e0e96e9e30772e814d2650b40594e9f190442c9b31af5dcf4bd3c29fb2 |
kubernetes-client-linux-ppc64le.tar.gz | 8edb568048f64052e9ab3e2f0d9d9fee3a5c90667d00669d815c07cc1986eb03 |
kubernetes-client-linux-s390x.tar.gz | 9f0f0464041e85221cb65ab5908f7295d7237acdb6a39abff062e40be0a53b4c |
kubernetes-client-windows-386.tar.gz | a9d4b6014c2856b0602b7124dad41f2f932cccea7f48ba57583352f0fbf2710f |
kubernetes-client-windows-amd64.tar.gz | 16827a05b0538ab8ef6e47b173dc5ad1c4398070324b0d2fc0510ad1efe66567 |
filename | sha256 hash |
---|---|
kubernetes-server-linux-amd64.tar.gz | e2aad29fff3cc3a98c642d8bc021a6caa42b4143696ca9d42a1ae3f7e803e777 |
kubernetes-server-linux-arm64.tar.gz | a7e2370d29086dadcb59fc4c3f6e88610ef72ff168577cc1854b4e9c221cad8a |
kubernetes-server-linux-arm.tar.gz | b8da04e06946b221b2ac4f6ebc8e0900cf8e750f0ca5d2e213984644048d1903 |
kubernetes-server-linux-ppc64le.tar.gz | 539db8044dcacc154fff92029d7c18ac9a68de426477cabcd52e01053e8de6e6 |
kubernetes-server-linux-s390x.tar.gz | d793be99d39f1f7b55d381f656b059e4cd78418a6c6bcc77c2c026db82e98769 |
filename | sha256 hash |
---|---|
kubernetes-node-linux-amd64.tar.gz | 22dae55dd97026eae31562fde6d8459f1594b050313ef294e009144aa8c27a8e |
kubernetes-node-linux-arm64.tar.gz | 8d9bd9307cd5463b2e13717c862e171e20a1ba29a91d86fa3918a460006c823b |
kubernetes-node-linux-arm.tar.gz | c696f882b4a95b13c8cf3c2e05695decb81407359911fba169a308165b06be55 |
kubernetes-node-linux-ppc64le.tar.gz | 611a0e04b1014263e66be91ef108a4a56291cae1438da562b157d04dfe84fd1a |
kubernetes-node-linux-s390x.tar.gz | 61b619e3af7fcb836072c4b855978d7d76d6256aa99b9378488f063494518a0e |
kubernetes-node-windows-amd64.tar.gz | c274258e4379f0b50b2023f659bc982a82783c3de3ae07ef2759159300175a8a |
- action required: The
storage.k8s.io/v1beta1
API andvolume.beta.kubernetes.io/storage-class
annotation are deprecated. They will be removed in a future release. Please use v1 API and fieldv1.PersistentVolumeClaim.Spec.StorageClassName
/v1.PersistentVolume.Spec.StorageClassName
instead. (#53580, @xiangpengzhao) - action required: Deprecated flags
--portal-net
andservice-node-ports
of kube-apiserver are removed. (#52547, @xiangpengzhao) - The
node.kubernetes.io/memory-pressure
taint now respects the configured whitelist. If you need to use it, you'll have to add it to the whitelist. (#55251, @deads2k)
- hyperkube: add cloud-controller-manager (#54197, @colemickens)
- Metrics have been added for monitoring admission plugins, including the new dynamic (webhook-based) ones. (#55183, @jpbetz)
- Addon manager supports HA masters. (#55466, @x13n)
-
- Add PodSecurityPolicies for cluster addons (#55509, @tallclair)
-
- Remove SSL cert HostPath volumes from heapster addons
-
- Add PodSecurityPolicies for cluster addons (#55509, @tallclair)
- Add iptables rules to allow Pod traffic even when default iptables policy is to reject. (#52569, @tmjd)
- Validate positive capacity for PVs and PVCs. (#55532, @ianchakeres)
- Kubelet supports running mount utilities and final mount in a container instead running them on the host. (#53440, @jsafrane)
- The PodSecurityPolicy annotation
kubernetes.io/psp
on pods is only set once on create. (#55486, @sttts) - The apiserver sends external versioned object to the admission webhooks now. Please update the webhooks to expect admissionReview.spec.object.raw to be serialized external versions of objects. (#55127, @caesarxuchao)
- RBAC ClusterRoles can now select other roles to aggregate (#54005, @deads2k)
- GCE nodes with NVIDIA GPUs attached now expose
nvidia.com/gpu
as a resource instead ofalpha.kubernetes.io/nvidia-gpu
. (#54826, @mindprince) - Remove docker dependency during kubelet start up (#54405, @resouer)
- Fix session affinity issue with external load balancer traffic when ExternalTrafficPolicy=Local. (#55519, @MrHohn)
- Add the concurrent service sync flag to the Cloud Controller Manager to allow changing the number of workers. (
--concurrent-service-syncs
) (#55561, @jhorwit2) - move IsMissingVersion comments (#55523, @chenpengdev)
- The dynamic admission webhook now supports a URL in addition to a service reference, to accommodate out-of-cluster webhooks. (#54889, @lavalamp)
- Correct wording of kubeadm upgrade response for missing ConfigMap. (#53337, @jmhardison)
- add create priorityclass sub command (#54858, @wackxu)
- Added namespaceSelector to externalAdmissionWebhook configuration to allow applying webhooks only to objects in the namespaces that have matching labels. (#54727, @caesarxuchao)
- Base images bumped to Debian Stretch (9) (#52744, @rphillips)
- [fluentd-elasticsearch addon] Elasticsearch service name can be overridden via env variable ELASTICSEARCH_SERVICE_NAME (#54215, @mrahbar)
- Increase waiting time (120s) for docker startup in health-monitor.sh (#54099, @dchen1107)
- not calculate new priority when user update other spec of a pod (#55221, @CaoShuFeng)
- kubectl create pdb will no longer set the min-available field by default. (#53047, @yuexiao-wang)
- StatefulSet status now has support for conditions, making it consistent with other core controllers in v1 (#55268, @foxish)
- kubeadm: use the CRI for preflights checks (#55055, @runcom)
- kubeadm now produces error during preflight checks if swap is enabled. Users, who can setup kubelet to run in unsupported environment with enabled swap, will be able to skip that preflight check. (#55399, @kad)
- validate if default and defaultRequest match when creating LimitRange for GPU and hugepages. (#54919, @tianshapjq)
- Add extra-args configs to kubernetes-worker charm (#55334, @Cynerva)
- Restored kube-proxy's support for 0 values for conntrack min, max, max per core, tcp close wait timeout, and tcp established timeout. (#55261, @ncdc)
- Audit policy files without apiVersion and kind are treated as invalid. (#54267, @ericchiang)
- ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
- Add limitrange/resourcequota/downward_api e2e tests for local ephemeral storage (#52523, @NickrenREN)
- Support copying "options" in resolv.conf into pod sandbox when dnsPolicy is Default (#54773, @phsiao)
- Fix support for configmap resource lock type in CCM (#55125, @jhorwit2)
- The minimum supported go version bumps to 1.9.1. (#55301, @xiangpengzhao)
- GCE: provide an option to disable docker's live-restore on COS/ubuntu (#55260, @yujuhong)
- Azure NSG rules for services exposed via external load balancer (#54177, @itowlson)
- now limit the destination IP address to the relevant front end load
- balancer IP.
- DaemonSet status now has a new field named "conditions", making it consistent with other workloads controllers. (#55272, @janetkuo)
- kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
- Allow HPA to read custom metrics. (#54854, @kawych)
- Fixed 'Schedulercache is corrupted' error in kube-scheduler (#55262, @liggitt)
- API discovery failures no longer crash the kube controller manager via the garbage collector. (#55259, @ironcladlou)
- The kube-scheduler command now supports a
--config
flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou) - add field selector for kubectl get (#50140, @dixudx)
- Removes Priority Admission Controller from kubeadm since it's alpha. (#55237, @andrewsykim)
- Add support for the webhook authorizer to make a Deny decision that short-circuits the union authorizer and immediately returns Deny. (#53273, @mikedanese)
- kubeadm init: fix a bug that prevented the --token-ttl flag and tokenTTL configuration value from working as expected for infinite (0) values. (#54640, @mattmoyer)
- Add CRI log parsing library at pkg/kubelet/apis/cri/logs (#55140, @feiskyer)
- Add extra-args configs for scheduler and controller-manager to kubernetes-master charm (#55185, @Cynerva)
- Add masquerading rules by default to GCE/GKE (#55178, @dnardo)
- Upgraded Azure SDK to v11.1.1. (#54971, @itowlson)
- Disable the termination grace period for the calico/node add-on DaemonSet to reduce downtime during a rolling upgrade or deletion. (#55015, @fasaxc)
- Google KMS integration was removed from in-tree in favor of a out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
- kubeadm: reset: use crictl to reset containers (#54721, @runcom)
- Check for available volume before attach/delete operation in EBS (#55008, @gnufied)
- DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
- In conversion-gen removed Kubernetes core API from default extra-peer-dirs. (#54394, @sttts)
- Fix IPVS availability check (#51874, @vfreex)
- ScaleIO driver completely removes dependency on drv_cfg binary so a Kubernetes cluster can easily run a containerized kubelet. (#54956, @vladimirvivien)
- Avoid unnecessary spam in kube-controller-manager log if --cluster-cidr is not specified and --allocate-node-cidrs is false. (#54934, @akosiaris)
- It is now possible to set multiple manifest url headers via the Kubelet's --manifest-url-header flag. Multiple headers for the same key will be added in the order provided. The ManifestURLHeader field in KubeletConfiguration object (kubeletconfig/v1alpha1) is now a map[string][]string, which facilitates writing JSON and YAML files. (#54643, @mtaufen)
- Add support for PodSecurityPolicy on GCE:
ENABLE_POD_SECURITY_POLICY=true
enables the admission controller, and installs policies for default addons. (#52367, @tallclair) - In PodTolerationRestriction admisson plugin, if namespace level tolerations are empty, now they override cluster level tolerations. (#54812, @aveshagarwal)
- Added extra_sans config option to kubeapi-load-balancer charm. This allows the user to specify extra SAN entries on the certificate generated for the load balancer. (#54947, @hyperbolic2346)
- set leveled logging (v=4) for 'updating container' message (#54865, @phsiao)
- Fix a bug where pod address is not removed from endpoints object while pod is in graceful termination. (#54828, @freehan)
- kubeadm: Add support for adding a Windows node (#53553, @bsteciuk)
filename | sha256 hash |
---|---|
kubernetes.tar.gz | 9d548271e8475171114b3b68323ab3c0e024cf54e25debe4702ffafe3f1d0952 |
kubernetes-src.tar.gz | 99901fa7f996ddf75ecab7fcd1d33a3faca38e9d1398daa2ae30c9b3ac6a71ce |
filename | sha256 hash |
---|---|
kubernetes-client-darwin-386.tar.gz | 5a5e1ce20db98d7f7f0c88957440ab6c7d4b4a4dfefcb31dcd1d6546e9db01d6 |
kubernetes-client-darwin-amd64.tar.gz | 094481f8f650321f39ba79cd6348de5052db2bb3820f55a74cf5ce33d5c98701 |
kubernetes-client-linux-386.tar.gz | 9a7d8e682a35772ba24bd3fa7a06fb153067b9387daa4db285e15dda75de757d |
kubernetes-client-linux-amd64.tar.gz | 3bb742ffed1a6a51cac01c16614873fea2864c2a4432057a15db90a9d7e40aed |
kubernetes-client-linux-arm64.tar.gz | 928936f06161e8a6f40196381d3e0dc215ca7e7dbc5f7fe6ebccd8d8268b8177 |
kubernetes-client-linux-arm.tar.gz | 0a0fa24107f490db0ad57f33638b1aa9ba2baccb5f250caa75405d6612a3e10a |
kubernetes-client-linux-ppc64le.tar.gz | a92f790d1a480318ea206d84d24d2c1d7e43c3683e60f22e7735b63ee73ccbb4 |
kubernetes-client-linux-s390x.tar.gz | 1bfb7f056ad91fcbc50657fb9760310a0920c15a5770eaa74cf1a17b1725a232 |
kubernetes-client-windows-386.tar.gz | d1b0abbc9cd0376fa0d56096e42094db8a40485082b301723d05c8e78d8f4717 |
kubernetes-client-windows-amd64.tar.gz | 69799ea8741caadac8949a120a455e08aba4d2babba6b63fba2ee9aaeb10c84b |
filename | sha256 hash |
---|---|
kubernetes-server-linux-amd64.tar.gz | f3d9f67e94176aa65cffcc6557a7a251ec2384a3f89a81d3daedd8f8dd4c51a7 |
kubernetes-server-linux-arm64.tar.gz | 3747b7e26d8bfba59c53b3f20d547e7e90cbb9356e513183ac27f901d7317630 |
kubernetes-server-linux-arm.tar.gz | 397b7a49adf90735ceea54720dbf012c8566b34dadde911599bceefb507bc29a |
kubernetes-server-linux-ppc64le.tar.gz | 56f76ebb0788c4e23fc3ede36b52eb34b50b456bb5ff0cf7d78c383c04837565 |
kubernetes-server-linux-s390x.tar.gz | 83d961657a50513db82bf421854c567206ccd34240eb8a017167cb98bdb6d38f |
filename | sha256 hash |
---|---|
kubernetes-node-linux-amd64.tar.gz | 1bb0f5ac920e27b4e51260a80fbfaa013ed7d446d58cd1f9d5f73af4d9517edf |
kubernetes-node-linux-arm64.tar.gz | 47635b9097fc6e3d9b1f1f2c3bd1558d144b1a26d1bf03cfc2e97a3c6db4c439 |
kubernetes-node-linux-arm.tar.gz | 212117f1d027c79d50e7c7388951da40b440943748691ba82a3f9f6af75b3ed0 |
kubernetes-node-linux-ppc64le.tar.gz | f2b1d086d07bf2f807dbf02e1f0cd7f6528e57c55be9dadfcecde73e73980068 |
kubernetes-node-linux-s390x.tar.gz | ba6803a5c065b06cf43d1db674319008f15d4bc45900299d0b90105002af245e |
kubernetes-node-windows-amd64.tar.gz | 6d928e3bdba87db3b9198e02f84696f7345b4b78d07ff4ea048d47691c67b212 |
- PodSecurityPolicy: Fixes a compatibility issue that caused policies that previously allowed privileged pods to start forbidding them, due to an incorrect default value for
allowPrivilegeEscalation
. PodSecurityPolicy objects defined using a 1.8.0 client or server that intended to setallowPrivilegeEscalation
tofalse
must be reapplied after upgrading to 1.8.1. (#53443, @liggitt) - RBAC objects are now stored in etcd in v1 format. After completing an upgrade to 1.9, RBAC objects (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings) should be migrated to ensure all persisted objects are written in
v1
format, prior tov1alpha1
support being removed in a future release. (#52950, @liggitt)
- Log error of failed healthz check (#53048, @mrIncompetent)
- fix azure file mount limit issue on windows due to using drive letter (#53629, @andyzhangx)
- Update AWS SDK to 1.12.7 (#53561, @justinsb)
- The
kubernetes.io/created-by
annotation is no longer added to controller-created objects. Use themetadata.ownerReferences
item that hascontroller
set totrue
to determine which controller, if any, owns an object. (#54445, @crimsonfaith91) - Fix overlay2 container disk metrics for Docker and CRI-O (#54827, @dashpole)
- Fix iptables FORWARD policy for Docker 1.13 in kubernetes-worker charm (#54796, @Cynerva)
- Fix
kubeadm upgrade plan
for offline operation: ignore errors when trying to fetch latest versions from dl.k8s.io (#54016, @praseodym) - fluentd now supports CRI log format. (#54777, @Random-Liu)
- Validate that PersistentVolumeSource is not changed during PV Update (#54761, @ianchakeres)
- If you are using the cloud provider API to determine the external host address of the apiserver, set --external-hostname explicitly instead. The cloud provider detection has been deprecated and will be removed in the future (#54516, @dims)
- Fixes discovery information for scale subresources in the apps API group (#54683, @liggitt)
- Optimize Repeated registration of AlgorithmProvider when ApplyFeatureGates (#54047, @kuramal)
kubectl get
will by default fetch large lists of resources in chunks of up to 500 items rather than requesting all resources up front from the server. This reduces the perceived latency of managing large clusters since the server returns the first set of results to the client much more quickly. A new flag--chunk-size=SIZE
may be used to alter the number of items or disable this feature when0
is passed. This is a beta feature. (#53768, @smarterclayton)- Add a new feature gate for enabling an alpha annotation which, if present, excludes the annotated node from being added to a service load balancers. (#54644, @brendandburns)
- Implement graceful shutdown of the kube-apiserver by waiting for open connections to finish before exiting. Moreover, the audit backend will stop dropping events on shutdown. (#53695, @hzxuzhonghu)
- fix warning messages due to GetMountRefs func not implemented in windows (#52401, @andyzhangx)
- Object count quotas supported on all standard resources using
count/<resource>.<group>
syntax (#54320, @derekwaynecarr) - Add openssh-client back into the hyperkube image. This allows the gitRepo volume plugin to work properly. (#54250, @ixdy)
- Bump version of all prometheus-to-sd images to v0.2.2. (#54635, @loburm)
- [fluentd-gcp addon] Fluentd now runs in its own network, not in the host one. (#54395, @crassirostris)
- fix azure storage account num exhausting issue (#54459, @andyzhangx)
- Add Windows support to the system verification check (#53730, @bsteciuk)
- allow windows mount path (#51240, @andyzhangx)
- Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
- Metadata concealment on GCE is now controlled by the
ENABLE_METADATA_CONCEALMENT
env var. See cluster/gce/config-default.sh for more info. (#54150, @ihmccreery) - Fixed a bug which is causes kube-apiserver to not run without specifying service-cluster-ip-range (#52870, @jennybuckley)
- the generic admission webhook is now available in the generic apiserver (#54513, @deads2k)
- ScaleIO persistent volumes now support referencing a secret in a namespace other than the bound persistent volume claim's namespace; this is controlled during provisioning with the
secretNamespace
storage class parameter; StoragePool and ProtectionDomain attributes no longer defaults to the valuedefault
(#54013, @vladimirvivien) - Feature gates now check minimum versions (#54539, @jamiehannaford)
- fix azure pv crash due to volumeSource.ReadOnly value nil (#54607, @andyzhangx)
- Fix an issue where pods were briefly transitioned to a "Pending" state during the deletion process. (#54593, @dashpole)
- move getMaxVols function to predicates.go and add some NewVolumeCountPredicate funcs (#51783, @jiulongzaitian)
- Remove the LbaasV1 of OpenStack cloud provider, currently only support LbaasV2. (#52717, @FengyunPan)
- generic webhook admission now takes a config file which describes how to authenticate to webhook servers (#54414, @deads2k)
- The NodeController will not support kubelet 1.2. (#48996, @k82cn)
-
- fluentd-gcp runs with a dedicated fluentd-gcp service account (#54175, @tallclair)
-
- Stop mounting the host certificates into fluentd's prometheus-to-sd container
-
- fluentd-gcp runs with a dedicated fluentd-gcp service account (#54175, @tallclair)
- fix azure disk mount failure on coreos and some other distros (#54334, @andyzhangx)
- Allow GCE users to configure the service account made available on their nodes (#52868, @ihmccreery)
- Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
- kube-apiserver:
--ssh-user
and--ssh-keyfile
are now deprecated and will be removed in a future release. Users of SSH tunnel functionality used in Google Container Engine for the Master -> Cluster communication should plan to transition to alternate methods for bridging master and node networks. (#54433, @dims) - Fix hyperkube kubelet --experimental-dockershim (#54508, @ivan4th)
- Fix clustered datastore name to be absolute. (#54438, @pshahzeb)
- Fix for service controller so that it won't retry on doNotRetry service update failure. (#54184, @MrHohn)
- Add support for RBAC support to Kubernetes via Juju (#53820, @ktsakalozos)
- RBD Persistent Volume Sources can now reference User's Secret in namespaces other than the namespace of the bound Persistent Volume Claim (#54302, @sbezverk)
- Apiserver proxy rewrites URL when service returns absolute path with request's host. (#52556, @roycaihw)
- Logging cleanups (#54443, @bowei) * Updates kube-dns to use client-go 3 * Updates containers to use alpine as the base image on all platforms * Adds support for IPv6
- add
--raw
tokubectl create
to POST using the normal transport (#54245, @deads2k) - Remove the --network-plugin-dir flag. (#53564, @supereagle)
- Introduces a polymorphic scale client, allowing HorizontalPodAutoscalers to properly function on scalable resources in any API group. (#53743, @DirectXMan12)
- Add PodDisruptionBudget to scheduler cache. (#53914, @bsalamat)
- Added option lb-provider to OpenStack cloud provider config (#54176, @gonzolino)
- Allow for configuring etcd hostname in the manifest (#54403, @wojtek-t)
- Resolves forbidden error when accessing replicasets and daemonsets via the apps API group (#54309, @liggitt)
- Cluster Autoscaler 1.0.1 (#54298, @mwielgus)
- secret data containing Docker registry auth objects is now generated using the config.json format (#53916, @juanvallejo)
- Added support for SAN entries in the master node certificate via juju kubernetes-master config. (#54234, @hyperbolic2346)
- support imagePullSecrets and imagePullPolicy in kubefed init (#50740, @dixudx)
- update gRPC to v1.6.0 to pick up data race fix grpc/grpc-go#1316 (#53128, @dixudx)
- admission webhook registrations without a specific failure policy default to failing closed. (#54162, @deads2k)
- Device plugin Alpha API no longer supports returning artifacts per device as part of AllocateResponse. (#53031, @vishh)
- admission webhook registration now allows URL paths (#54145, @deads2k)
- The Kubelet's --enable-custom-metrics flag is now marked deprecated. (#54154, @mtaufen)
- Use multi-arch busybox image for e2e (#54034, @dixudx)
- sample-controller: add example CRD controller (#52753, @munnerz)
- RBAC PolicyRules now allow resource=
*/<subresource>
to coverany-resource/<subresource>
. For example,*/scale
coversreplicationcontroller/scale
. (#53722, @deads2k) - Upgrade to go1.9 (#51375, @cblecker)
- Webhook always retries connection reset error. (#53947, @crassirostris)
- fix PV Recycle failed on non-amd64 platfrom (#53958, @dixudx)
- Verbose option is added to each status function in CRI. Container runtime could return extra information in status response for debugging. (#53965, @Random-Liu)
- Fixed log fallback termination messages when using docker with journald log driver (#52503, @joelsmith)
- falls back to parse Docker runtime version as generic if not semver (#54040, @dixudx)
- kubelet: prevent removal of default labels from Node API objects on startup (#54073, @liggitt)
- Change scheduler to skip pod with updates only on pod annotations (#54008, @yguo0905)
- PodSecurityPolicy: when multiple policies allow a submitted pod, priority is given to ones which do not require any fields in the pod spec to be defaulted. If the pod must be defaulted, the first policy (ordered by name) that allows the pod is used. (#52849, @liggitt)
- Control HPA tolerance through the
horizontal-pod-autoscaler-tolerance
flag. (#52275, @mattjmcnaughton) - bump CNI to v0.6.0 (#51250, @dixudx)
- Improve resilience by annotating kube-dns addon with podAntiAffinity to prefer scheduling on different nodes. (#52193, @StevenACoffman)
- Azure cloudprovider: Fix controller manager crash issue on a manually created k8s cluster. (#53694, @andyzhangx)
- Enable Priority admission control in kubeadm. (#53175, @andrewsykim)
- Add --no-negcache flag to kube-dns to prevent caching of NXDOMAIN responses. (#53604, @cblecker)
- kubelet provides more specific events when unable to sync pod (#53857, @derekwaynecarr)
- Kubelet evictions take pod priority into account (#53542, @dashpole)
- Adds a new controller which automatically cleans up Certificate Signing Requests that are (#51840, @jcbsmpsn)
- Approved and Issued, or Denied.
- Optimize random string generator to avoid multiple locks & use bit-masking (#53720, @shyamjvs)
- update cluster printer to enable --show-labels (#53771, @dixudx)
- add RequestReceivedTimestamp and StageTimestamp to audit event (#52981, @CaoShuFeng)
- Deprecation: The flag
etcd-quorum-read
of kube-apiserver is deprecated and the ability to switch off quorum read will be removed in a future release. (#53795, @xiangpengzhao) - Use separate client for leader election in scheduler to avoid starving leader election by regular scheduler operations. (#53793, @wojtek-t)
- Support autoprobing node-security-group for openstack cloud provider, Support multiple Security Groups for cluster's nodes. (#50836, @FengyunPan)
- fix a bug where disk pressure could trigger prematurely when using overlay2 (#53684, @dashpole)
- "kubectl cp" updated to honor destination names (#51215, @juanvallejo)
- kubeadm: Strip bootstrap tokens from the
kubeadm-config
ConfigMap (#53559, @fabriziopandini) - Skip podpreset test if the alpha feature setttings/v1alpha1 is disabled (#53080, @jennybuckley)
- Log when node is successfully initialized by Cloud Controller Manager (#53517, @andrewsykim)
- apiserver: --etcd-quorum-read now defaults to true, to ensure correct operation with HA etcd clusters (#53717, @liggitt)
- The Kubelet's feature gates are now specified as a map when provided via a JSON or YAML KubeletConfiguration, rather than as a string of key-value pairs. (#53025, @mtaufen)
- Address a bug which allowed the horizontal pod autoscaler to allocate
desiredReplicas
>maxReplicas
in certain instances. (#53690, @mattjmcnaughton) - Horizontal pod autoscaler uses REST clients through the kube-aggregator instead of the legacy client through the API server proxy. (#53205, @kawych)
- Fix to prevent downward api change break on older versions (#53673, @timothysc)
- API chunking via the
limit
andcontinue
request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton) - GCE: Bump GLBC version to 0.9.7. (#53625, @nikhiljindal)
- kubelet's
--cloud-provider
flag no longer defaults to "auto-detect". If you want cloud-provider support in kubelet, you must set a specific cloud-provider explicitly. (#53573, @dims) - Ignore extended resources that are not registered with kubelet during container resource allocation. (#53547, @jiayingz)
- kubectl top pod and node should sort by namespace / name so that results don't jump around. (#53560, @dixudx)
- Added --dry-run option to
kubectl drain
(#52440, @juanvallejo) - Fix a bug that prevents client-go metrics from being registered in prometheus in multiple components. (#53434, @crassirostris)
- Adjust batching audit webhook default parameters: increase queue size, batch size, and initial backoff. Add throttling to the batching audit webhook. Default rate limit is 10 QPS. (#53417, @crassirostris)
- Added integration test for TaintNodeByCondition. (#53184, @k82cn)
- Add API version apps/v1, and bump DaemonSet to apps/v1 (#53278, @janetkuo)
- Change
kubeadm create token
to default to the group that almost everyone will want to use. The group is system:bootstrappers:kubeadm:default-node-token and is the group that kubeadm sets up, via an RBAC binding, for auto-approval (system:certificates.k8s.io:certificatesigningrequests:nodeclient). (#53512, @jbeda) - Using OpenStack service catalog to do version detection (#53115, @FengyunPan)
- Fix metrics API group name in audit configuration (#53493, @piosz)
- GCE: Fixes ILB sync on legacy networks and auto networks with unique subnet names (#53410, @nicksardo)
- outputs
<none>
for columns specified by-o custom-columns
but not found in object (#51750, @jianhuiz) - Metrics were added to network plugin to report latency of CNI operations (#53446, @sjenning)
- GCE: Fix issue deleting internal load balancers when the firewall resource may not exist. (#53450, @nicksardo)
- Custom resources served through CustomResourceDefinition now support field selectors for
metadata.name
andmetadata.namespace
. (#53345, @ncdc) - Add generate-groups.sh and generate-internal-groups.sh to k8s.io/code-generator to easily run generators against CRD or User API Server types. (#52186, @sttts)
- kubelet
--cert-dir
now defaults to/var/lib/kubelet/pki
, in order to ensure bootstrapped and rotated certificates persist beyond a reboot. resolves an issue in kubeadm with false-positive/var/lib/kubelet is not empty
message during pre-flight checks (#53317, @liggitt) - Fix multi-attach error spam in logs and events (#53401, @gnufied)
- Use
not-ready
to replacenotReady
in node condition taint keys. (#51266, @resouer) - Support completion for --clusterrole of kubectl create clusterrolebinding (#48267, @superbrothers)
- Don't remove extended resource capacities that are not registered with kubelet from node status. (#53353, @jiayingz)
- Kubectl: Remove swagger 1.2 validation. Also removes options
--use-openapi
and--schema-cache-dir
as these are no longer needed. (#53232, @apelisse) kubectl explain
now uses openapi rather than swagger 1.2. (#53228, @apelisse)- Fixes a performance issue (#51899) identified in large-scale clusters when deleting thousands of pods simultaneously across hundreds of nodes, by actively removing containers of deleted pods, rather than waiting for periodic garbage collection and batching resulting pod API deletion requests. (#53233, @dashpole)
- Improve explanation of ReplicaSet (#53403, @rcorre)
- avoid newline " " in the error to break log msg to 2 lines (#49826, @dixudx)
- don't recreate a mirror pod for static pod when node gets deleted (#48339, @dixudx)
- Fix permissions for Metrics Server. (#53330, @kawych)
- default fail-swap-on to false for kubelet on kubernetes-worker charm (#53386, @wwwtyro)
- Add --etcd-compaction-interval to apiserver for controlling request of compaction to etcd3 from apiserver. (#51765, @mitake)
- Apply algorithm in scheduler by feature gates. (#52723, @k82cn)
- etcd: update version to 3.1.10 (#49393, @hongchaodeng)
- support nodeSelector in kubefed init (#50749, @dixudx)
- Upgrade fluentd-elasticsearch addon to Elasticsearch/Kibana 5.6.2 (#53307, @aknuds1)
- enable to specific unconfined AppArmor profile (#52395, @dixudx)
- Update Influxdb image to latest version. (#53319, @kairen)
- Update Grafana image to latest version.
- Change influxdb-grafana-controller resource to Deployment.
- Only do UpdateContainerResources when cpuset is set (#53122, @resouer)
- Fixes an issue with RBAC reconciliation that could cause duplicated subjects in some bootstrapped rolebindings on each restart of the API server. (#53239, @enj)
- gce: remove compute-rw, see what breaks (#53266, @mikedanese)
- Fix the bug that query Kubelet's stats summary with CRI stats enabled results in error. (#53107, @Random-Liu)
- kubeadm allows the kubelets in the cluster to automatically renew their client certificates (#53252, @kad)
- Fixes an issue with
kubectl set
commands encountering conversion errors for ReplicaSet and DaemonSet objects (#53158, @liggitt) - RBAC: The default
admin
andedit
roles now include read/write permissions and theview
role includes read permissions onpoddisruptionbudget.policy
resources. (#52654, @liggitt) - Change ImageGCManage to consume ImageFS stats from StatsProvider (#53094, @yguo0905)
- BugFix: Exited containers are not Garbage Collected by the kubelet while the pod is running (#53167, @dashpole)
- Add a label which prevents a node from being added to a cloud load balancer (#53146, @brendandburns)
- Fixes an issue pulling pod specs referencing unqualified images from docker.io on centos/fedora/rhel (#53161, @dims)
- Update kube-dns to 1.14.5 (#53153, @bowei)
- s390x ingress controller support (#52663, @wwwtyro)
- NONE (#50532, @steveperry-53)
- CRI: Add stdout/stderr fields to Exec and Attach requests. (#52686, @yujuhong)
- NONE (#53001, @ericchiang)
- Cluster Autoscaler 1.0.0 (#53005, @mwielgus)
- Remove the --docker-exec-handler flag. Only native exec handler is supported. (#52287, @yujuhong)
- The Rackspace cloud provider has been removed after a long deprecation period. It was deprecated because it duplicates a lot of the OpenStack logic and can no longer be maintained. Please use the OpenStack cloud provider instead. (#52855, @NickrenREN)
- Fixes an initializer bug where update requests which had an empty pending initializers list were erroneously rejected. (#52558, @jennybuckley)
- BulkVerifyVolumes() implementation for vSphere (#52131, @BaluDontu)
- added --list option to the
kubectl label
command (#51971, @juanvallejo) - Removing
--prom-push-gateway
flag from e2e tests (#52485, @nielsole) - If a container does not create a file at the
terminationMessagePath
, no message should be output about being unable to find the file. (#52567, @smarterclayton) - Support German cloud for azure disk mount feature (#50673, @clement-buchart)
- Add s390x to juju kubernetes (#52537, @ktsakalozos)
- Fix kubernetes charms not restarting services properly after host reboot on LXD (#52445, @Cynerva)
- Add monitoring of Windows Server containers metrics in the kubelet via the stats/summary endpoint. (#50396, @bobbypage)
- Restores redirect behavior for proxy subresources (#52933, @liggitt)
- A new service annotation has been added for services of type LoadBalancer on Azure, (#51757, @itowlson)
- to specify the subnet on which the service's front end IP should be provisioned. The
- annotation is service.beta.kubernetes.io/azure-load-balancer-internal-subnet and its
- value is the subnet name (not the subnet ARM ID). If omitted, the default is the
- master subnet. It is ignored if the service is not on Azure, if the type is not
- LoadBalancer, or if the load balancer is not internal.
- Adds a command-line argument to kube-apiserver called (#51698, @rphillips)
- --alpha-endpoint-reconciler-type=(master-count, lease, none) (default
- "master-count"). The original reconciler is 'master-count'. The 'lease'
- reconciler uses the storageapi and a TTL to keep alive an endpoint within the
kube-apiserver-endpoint
storage namespace. The 'none' reconciler is a noop- reconciler that does not do anything. This is useful for self-hosted
- environments.
- Improved Italian translation for kubectl (#51463, @lucab85)
- Add a metric to the kubelet to monitor remaining lifetime of the certificate that (#51031, @jcbsmpsn)
- authenticates the kubelet to the API server.
- change AddEventHandlerWithResyncPeriod to AddEventHandler in factory.go (#51582, @jiulongzaitian)
- Validate that cronjob names are 52 characters or less (#52733, @julia-stripe)
- add readme file of ipvs (#51937, @Lion-Wei)
filename | sha256 hash |
---|---|
kubernetes.tar.gz | e2dc3eebf79368c783b64f5b6642a287cc2fd777547d99f240a35cce1f620ffc |
kubernetes-src.tar.gz | ca8659187047f2d38a7c0ee313189c19ec35646c6ebaa8f59f2f098eca33dca0 |
filename | sha256 hash |
---|---|
kubernetes-client-darwin-386.tar.gz | 51e0df7e6611ff4a9b3759b05e65c80555317bff03282ef39a9b53b27cdeff42 |
kubernetes-client-darwin-amd64.tar.gz | c6c57cc92cc456a644c0965a6aa2bd260125807b450d69376e0edb6c98aaf4d7 |
kubernetes-client-linux-386.tar.gz | 399c8cb448d76accb71edcb00bee474f172d416c8c4f5253994e4e2d71e0dece |
kubernetes-client-linux-amd64.tar.gz | fde75d7267592b34609299a93ee7e54b26a948e6f9a1f64ced666c0aae4455aa |
kubernetes-client-linux-arm64.tar.gz | b38810cf87735efb0af027b7c77e4e8c8f5821f235cf33ae9eee346e6d1a0b84 |
kubernetes-client-linux-arm.tar.gz | a36427c2f2b81d42702a12392070f7dd3635b651bb04ae925d0bdf3ec50f83aa |
kubernetes-client-linux-ppc64le.tar.gz | 9dee0f636eef09bfec557a50e4f8f4b69e0588bbd0b77f6da50cc155e1679880 |
kubernetes-client-linux-s390x.tar.gz | 4a6246d5de5c3957ed41b8943fa03e74fb646595346f7c72beaf7b030fe6872e |
kubernetes-client-windows-386.tar.gz | 1ee384f4bb02e614c86bf84cdfdc42faffa659aaba4a1c759ec26f03eb438149 |
kubernetes-client-windows-amd64.tar.gz | e70d8935abefea0307780e899238bb10ec27c8f0d77702cf25de230b6abf7fb4 |
filename | sha256 hash |
---|---|
kubernetes-server-linux-amd64.tar.gz | 7fff06370c4f37e1fe789cc160fce0c93535991f63d7fe7d001378f17027d9d8 |
kubernetes-server-linux-arm64.tar.gz | 65cd60512ea0bf508aa65f8d22a6f3094db394f00b3cd6bd63fe02b795514ab2 |
kubernetes-server-linux-arm.tar.gz | 0ecb341a047f1a9dface197f11f05f15853570cfb474c82538c7d61b40bd53ae |
kubernetes-server-linux-ppc64le.tar.gz | cea9eed4c24e7f29994ecc12674bff69d108692d3c9be3e8bd939b3c4f281892 |
kubernetes-server-linux-s390x.tar.gz | 4d50799e5989de6d9ec316d2051497a3617b635e89fa44e01e64fed544d96e07 |
filename | sha256 hash |
---|---|
kubernetes-node-linux-amd64.tar.gz | e956b9c1e5b47f800953ad0f82fae23774a2f43079dc02d98a90d5bfdca0bad6 |
kubernetes-node-linux-arm64.tar.gz | ede6a85db555dd84e8d7180bdd58712933c38567ab6c97a80d0845be2974d968 |
kubernetes-node-linux-arm.tar.gz | 4ac6a1784fa1e20be8a4e7fa0ff8b4defc725e6c058ff97068bf7bfa6a11c77d |
kubernetes-node-linux-ppc64le.tar.gz | 0d9c8c7e0892d7b678f3b4b7736087da91cb40c5f169e4302e9f4637c516207a |
kubernetes-node-linux-s390x.tar.gz | 2fdde192a84410c784e5d1e813985e9a19ce62e3d9bb2215481cbce9286329da |
kubernetes-node-windows-amd64.tar.gz | 543110cc69b57471f3824d96cbd16b003ac2cddaa19ca4bdefced0af61fd24f2 |
- New GCE or GKE clusters created with
cluster/kube-up.sh
will not enable the legacy ABAC authorizer by default. If you would like to enable the legacy ABAC authorizer, export ENABLE_LEGACY_ABAC=true before runningcluster/kube-up.sh
. (#51367, @cjcullen) - The OwnerReferencesPermissionEnforcement admission plugin now requires
update
permission on thefinalizers
subresource of the referenced owner in order to setblockOwnerDeletion
on an owner reference. (#49133, @deads2k) - The deprecated alpha and beta initContainer annotations are no longer supported. Init containers must be specified using the initContainers field in the pod spec. (#51816, @liggitt)
- Action required: validation rule on metadata.initializers.pending[x].name is tightened. The initializer name needs to contain at least three segments separated by dots. If you create objects with pending initializers, (i.e., not relying on apiserver adding pending initializers according to initializerconfiguration), you need to update the initializer name in existing objects and in configuration files to comply to the new validation rule. (#51283, @caesarxuchao)
- Audit policy supports matching subresources and resource names, but the top level resource no longer matches the subresouce. For example "pods" no longer matches requests to the logs subresource of pods. Use "pods/logs" to match subresources. (#48836, @ericchiang)
- Protobuf serialization does not distinguish between
[]
andnull
. (#45294, @liggitt)- API fields previously capable of storing and returning either
[]
andnull
via JSON API requests (for example, the Endpointssubsets
field) can now store onlynull
when created using the protobuf content-type or stored in etcd using protobuf serialization (the default in 1.6+). JSON API clients should toleratenull
values for such fields, and treatnull
and[]
as equivalent in meaning unless specifically documented otherwise for a particular field.
- API fields previously capable of storing and returning either
- PersistentVolumeLabel admission controller is now deprecated. (#52618, @dims)
- Mark the LBaaS v1 of OpenStack cloud provider deprecated. (#52821, @FengyunPan)
- NONE (#52819, @verult)
- Mark image as deliberately optional in v1 Container struct. Many objects in the Kubernetes API inherit the container struct and only Pods require the field to be set. (#48406, @gyliu513)
- [fluentd-gcp addon] Update Stackdriver plugin to version 0.6.7 (#52565, @crassirostris)
- Remove duplicate proto errors in kubelet. (#52132, @adityadani)
- [fluentd-gcp addon] Remove audit logs from the fluentd configuration (#52777, @crassirostris)
- Set defaults for successfulJobsHistoryLimit (3) and failedJobsHistoryLimit (1) in batch/v1beta1.CronJobs (#52533, @soltysh)
- Fix: update system spec to support Docker 17.03 (#52666, @yguo0905)
- Fix panic in ControllerManager on GCE when it has a problem with creating external loadbalancer healthcheck (#52646, @gmarek)
- PSP: add support for using
*
as a value inallowedCapabilities
to allow to request any capabilities (#51337, @php-coder) - [fluentd-gcp addon] By default ingest apiserver audit logs written to file in JSON format. (#52541, @crassirostris)
- The autoscaling/v2beta1 API group is now enabled by default. (#52549, @DirectXMan12)
- Add CLUSTER_SIGNING_DURATION environment variable to cluster (#52497, @jcbsmpsn)
- configuration scripts to allow configuration of signing duration of
- certificates issued via the Certificate Signing Request API.
- Introduce policy to allow the HPA to consume the metrics.k8s.io and custom.metrics.k8s.io API groups. (#52572, @DirectXMan12)
- kubelet to master communication when doing node status updates now has a timeout to prevent indefinite hangs (#52176, @liggitt)
- Introduced Metrics Server in version v0.2.0. For more details see https://github.com/kubernetes-incubator/metrics-server/releases/tag/v0.2.0. (#52548, @piosz)
- Adds ROTATE_CERTIFICATES environment variable to kube-up.sh script for GCE (#52115, @jcbsmpsn)
- clusters. When that var is set to true, the command line flag enabling kubelet
- client certificate rotation will be added to the kubelet command line.
- Make sure that resources being updated are handled correctly by Quota system (#52452, @gnufied)
- WATCHLIST calls are now reported as WATCH verbs in prometheus for the apiserver_request_* series. A new "scope" label is added to all apiserver_request_* values that is either 'cluster', 'resource', or 'namespace' depending on which level the query is performed at. (#52237, @smarterclayton)
- Fixed the webhook admission plugin so that it works even if the apiserver and the nodes are in two networks (e.g., in GKE). (#50476, @caesarxuchao)
- Fixed the webhook admission plugin so that webhook author could use the DNS name of the service as the CommonName when generating the server cert for the webhook.
- Action required:
- Anyone who generated server cert for admission webhooks need to regenerate the cert. Previously, when generating server cert for the admission webhook, the CN value doesn't matter. Now you must set it to the DNS name of the webhook service, i.e.,
<service.Name>.<service.Namespace>.svc
.
- Ignore pods marked for deletion that exceed their grace period in ResourceQuota (#46542, @derekwaynecarr)
- custom resources that use unconventional pluralization now work properly with kubectl and garbage collection (#50012, @deads2k)
- [fluentd-gcp addon] Fluentd will trim lines exceeding 100KB instead of dropping them. (#52289, @crassirostris)
- dockershim: check the error when syncing the checkpoint. (#52125, @yujuhong)
- By default, clusters on GCE no longer sends RequestReceived audit event, if advanced audit is configured. (#52343, @crassirostris)
- [BugFix] Soft Eviction timer works correctly (#52046, @dashpole)
- Azuredisk mount on windows node (#51252, @andyzhangx)
- [fluentd-gcp addon] Bug with event-exporter leaking memory on metrics in clusters with CA is fixed. (#52263, @crassirostris)
- kubeadm: Enable kubelet client certificate rotation (#52196, @luxas)
- Scheduler predicate developer should respect equivalence class cache (#52146, @resouer)
- The
kube-cloud-controller-manager
flag--service-account-private-key-file
was non-functional and is now deprecated. (#50289, @liggitt)- The
kube-cloud-controller-manager
flag--use-service-account-credentials
is now honored consistently, regardless of whether--service-account-private-key-file
was specified.
- The
- Fix credentials providers for docker sandbox image. (#51870, @feiskyer)
- NONE (#52120, @abgworrall)
- Fixed an issue looking up cronjobs when they existed in more than one API version (#52227, @liggitt)
- Add priority-based preemption to the scheduler. (#50949, @bsalamat)
- Add CLUSTER_SIGNING_DURATION environment variable to cluster configuration scripts (#51844, @jcbsmpsn)
- to allow configuration of signing duration of certificates issued via the Certificate
- Signing Request API.
- Adding German translation for kubectl (#51867, @Steffen911)
- The ScaleIO volume plugin can now read the SDC GUID value as node label scaleio.sdcGuid; if binary drv_cfg is not installed, the plugin will still work properly; if node label not found, it defaults to drv_cfg if installed. (#50780, @vladimirvivien)
- A policy with 0 rules should return an error (#51782, @charrywanganthony)
- Log a warning when --audit-policy-file not passed to apiserver (#52071, @CaoShuFeng)
- Fixes an issue with upgrade requests made via pod/service/node proxy subresources sending a non-absolute HTTP request-uri to backends (#52065, @liggitt)
- kubeadm: add
kubeadm phase addons
command (#51171, @andrewrynhard) - Fix for Nodes in vSphere lacking an InternalIP. (#48760) (#49202, @cbonte)
- v2 of the autoscaling API group, including improvements to the HorizontalPodAutoscaler, has moved from alpha1 to beta1. (#50708, @DirectXMan12)
- Fixed a bug where some alpha features were enabled by default. (#51839, @jennybuckley)
- Implement StatsProvider interface using CRI stats (#51557, @yguo0905)
- set AdvancedAuditing feature gate to true by default (#51943, @CaoShuFeng)
- Migrate the metrics/v1alpha1 API to metrics/v1beta1. The HorizontalPodAutoscaler (#51653, @DirectXMan12)
- controller REST client now uses that version. For v1beta1, the API is now known as
- resource-metrics.metrics.k8s.io.
- In GCE with COS, increase TasksMax for Docker service to raise cap on number of threads/processes used by containers. (#51986, @yujuhong)
- Fixes an issue with APIService auto-registration affecting rolling HA apiserver restarts that add or remove API groups being served. (#51921, @liggitt)
- Sharing a PID namespace between containers in a pod is disabled by default in 1.8. To enable for a node, use the --docker-disable-shared-pid=false kubelet flag. Note that PID namespace sharing requires docker >= 1.13.1. (#51634, @verb)
- Build test targets for all server platforms (#51873, @luxas)
- Add EgressRule to NetworkPolicy (#51351, @cmluciano)
- Allow DNS resolution of service name for COS using containerized mounter. It fixed the issue with DNS resolution of NFS and Gluster services. (#51645, @jingxu97)
- Fix journalctl leak on kubelet restart (#51751, @dashpole)
- Fix container memory rss
- Add hugepages monitoring support
- Fix incorrect CPU usage metrics with 4.7 kernel
- Add tmpfs monitoring support
- Support for Huge pages in empty_dir volume plugin (#50072, @squall0gd)
- Huge pages can now be used with empty dir volume plugin.
- Alpha support for pre-allocated hugepages (#50859, @derekwaynecarr)
- add support for client-side spam filtering of events (#47367, @derekwaynecarr)
- Provide a way to omit Event stages in audit policy (#49280, @CaoShuFeng)
- Introduced Metrics Server (#51792, @piosz)
- Implement Controller for growing persistent volumes (#49727, @gnufied)
- Kubernetes 1.8 supports docker version 1.11.x, 1.12.x and 1.13.x. And also supports overlay2. (#51845, @Random-Liu)
- The Deployment, DaemonSet, and ReplicaSet kinds in the extensions/v1beta1 group version are now deprecated, as are the Deployment, StatefulSet, and ControllerRevision kinds in apps/v1beta1. As they will not be removed until after a GA version becomes available, you may continue to use these kinds in existing code. However, all new code should be developed against the apps/v1beta2 group version. (#51828, @kow3ns)
- kubeadm: Detect kubelet readiness and error out if the kubelet is unhealthy (#51369, @luxas)
- Fix providerID update validation (#51761, @karataliu)
- Calico has been updated to v2.5, RBAC added, and is now automatically scaled when GCE clusters are resized. (#51237, @gunjan5)
- Add backoff policy and failed pod limit for a job (#51153, @clamoriniere1A)
- Adds a new alpha EventRateLimit admission control that is used to limit the number of event queries that are accepted by the API Server. (#50925, @staebler)
- The OpenID Connect authenticator can now use a custom prefix, or omit the default prefix, for username and groups claims through the --oidc-username-prefix and --oidc-groups-prefix flags. For example, the authenticator can map a user with the username "jane" to "google:jane" by supplying the "google:" username prefix. (#50875, @ericchiang)
- Implemented
kubeadm upgrade plan
for checking whether you can upgrade your cluster to a newer version (#48899, @luxas)- Implemented
kubeadm upgrade apply
for upgrading your cluster from one version to an other
- Implemented
- Switch to audit.k8s.io/v1beta1 in audit. (#51719, @soltysh)
- update QEMU version to v2.9.1 (#50597, @dixudx)
- controllers backoff better in face of quota denial (#49142, @joelsmith)
- The event table output under
kubectl describe
has been simplified to show only the most essential info. (#51748, @smarterclayton) - Use arm32v7|arm64v8 images instead of the deprecated armhf|aarch64 image organizations (#50602, @dixudx)
- audit newest impersonated user info in the ResponseStarted, ResponseComplete audit stage (#48184, @CaoShuFeng)
- Fixed bug in AWS provider to handle multiple IPs when using more than 1 network interface per ec2 instance. (#50112, @jlz27)
- Add flag "--include-uninitialized" to kubectl annotate, apply, edit-last-applied, delete, describe, edit, get, label, set. "--include-uninitialized=true" makes kubectl commands apply to uninitialized objects, which by default are ignored if the names of the objects are not provided. "--all" also makes kubectl commands apply to uninitialized objects. Please see the initializer doc for more details. (#50497, @dixudx)
- GCE: Service object now supports "Network Tiers" as an Alpha feature via annotations. (#51301, @yujuhong)
- When using kube-up.sh on GCE, user could set env
ENABLE_POD_PRIORITY=true
to enable pod priority feature gate. (#51069, @MrHohn) - The names generated for ControllerRevision and ReplicaSet are consistent with the GenerateName functionality of the API Server and will not contain "bad words". (#51538, @kow3ns)
- PersistentVolumeClaim metrics like "volume_stats_inodes" and "volume_stats_capacity_bytes" are now reported via kubelet prometheus (#51553, @wongma7)
- When using IP aliases, use a secondary range rather than subnetwork to reserve cluster IPs. (#51690, @bowei)
- IPAM controller unifies handling of node pod CIDR range allocation. (#51374, @bowei)
- It is intended to supersede the logic that is currently in range_allocator
- and cloud_cidr_allocator. (ALPHA FEATURE)
- Note: for this change, the other allocators still exist and are the default.
- It supports two modes:
- CIDR range allocations done within the cluster that are then propagated out to the cloud provider.
- Cloud provider managed IPAM that is then reflected into the cluster.
- The Kubernetes API server now supports the ability to break large LIST calls into multiple smaller chunks. A client can specify a limit to the number of results to return, and if more results exist a token will be returned that allows the client to continue the previous list call repeatedly until all results are retrieved. The resulting list is identical to a list call that does not perform chunking thanks to capabilities provided by etcd3. This allows the server to use less memory and CPU responding with very large lists. This feature is gated as APIListChunking and is not enabled by default. The 1.9 release will begin using this by default from all informers. (#48921, @smarterclayton)
- add reconcile command to kubectl auth (#51636, @deads2k)
- Advanced audit allows logging failed login attempts (#51119, @soltysh)
- kubeadm: Add support for using an external CA whose key is never stored in the cluster (#50832, @nckturner)
- the custom metrics API (custom.metrics.k8s.io) has moved from v1alpha1 to v1beta1 (#50920, @DirectXMan12)
- Add backoff policy and failed pod limit for a job (#48075, @clamoriniere1A)
- Performs validation (when applying for example) against OpenAPI schema rather than Swagger 1.0. (#51364, @apelisse)
- Make all e2e tests lookup image to use from a centralized place. In that centralized place, add support for multiple platforms. (#49457, @mkumatag)
- kubelet has alpha support for mount propagation. It is disabled by default and it is there for testing only. This feature may be redesigned or even removed in a future release. (#46444, @jsafrane)
- Add selfsubjectrulesreview API for allowing users to query which permissions they have in a given namespace. (#48051, @xilabao)
- Kubelet re-binds /var/lib/kubelet directory with rshared mount propagation during startup if it is not shared yet. (#45724, @jsafrane)
- Deviceplugin jiayingz (#51209, @jiayingz)
- Make logdump support kubemark and support gke with 'use_custom_instance_list' (#51834, @shyamjvs)
- add apps/v1beta2 conversion test (#49645, @dixudx)
- Fixed an issue (#47800) where
kubectl logs -f
failed withunexpected stream type ""
. (#50381, @sczizzo) - GCE: Internal load balancer IPs are now reserved during service sync to prevent losing the address to another service. (#51055, @nicksardo)
- Switch JSON marshal/unmarshal to json-iterator library. Performance should be close to previous with no generated code. (#48287, @thockin)
- Adds optional group and version information to the discovery interface, so that if an endpoint uses non-default values, the proper value of "kind" can be determined. Scale is a common example. (#49971, @deads2k)
- Fix security holes in GCE metadata proxy. (#51302, @ihmccreery)
- #43077 introduced a condition where DaemonSet controller did not respect the TerminationGracePeriodSeconds of the Pods it created. This is now corrected. (#51279, @kow3ns)
- Tainted nodes by conditions as following: (#49257, @k82cn) * 'node.kubernetes.io/network-unavailable=:NoSchedule' if NetworkUnavailable is true * 'node.kubernetes.io/disk-pressure=:NoSchedule' if DiskPressure is true * 'node.kubernetes.io/memory-pressure=:NoSchedule' if MemoryPressure is true * 'node.kubernetes.io/out-of-disk=:NoSchedule' if OutOfDisk is true
- rbd: default image format to v2 instead of deprecated v1 (#51574, @dillaman)
- Surface reasonable error when client detects connection closed. (#51381, @mengqiy)
- Allow PSP's to specify a whitelist of allowed paths for host volume (#50212, @jhorwit2)
- For Deployment, ReplicaSet, and DaemonSet, selectors are now immutable when updating via the new
apps/v1beta2
API. For backward compatibility, selectors can still be changed when updating viaapps/v1beta1
orextensions/v1beta1
. (#50719, @crimsonfaith91) - Allows kubectl to use http caching mechanism for the OpenAPI schema. The cache directory can be configured through
--cache-dir
command line flag to kubectl. If set to empty string, caching will be disabled. (#50404, @apelisse) - Pod log attempts are now reported in apiserver prometheus metrics with verb
CONNECT
since they can run for very long periods of time. (#50123, @WIZARD-CXY) - The
emptyDir.sizeLimit
field is now correctly omitted from API requests and responses when unset. (#50163, @jingxu97) - Promote CronJobs to batch/v1beta1. (#51465, @soltysh)
- Add local ephemeral storage support to LimitRange (#50757, @NickrenREN)
- Add mount options field to StorageClass. The options listed there are automatically added to PVs provisioned using the class. (#51228, @wongma7)
- Add 'kubectl set env' command for setting environment variables inside containers for resources embedding pod templates (#50998, @zjj2wry)
- Implement IPVS-based in-cluster service load balancing (#46580, @dujun1990)
- Release the kubelet client certificate rotation as beta. (#51045, @jcbsmpsn)
- Adds --append-hash flag to kubectl create configmap/secret, which will append a short hash of the configmap/secret contents to the name during creation. (#49961, @mtaufen)
- Add validation for CustomResources via JSON Schema. (#47263, @nikhita)
- enqueue a sync task to wake up jobcontroller to check job ActiveDeadlineSeconds in time (#48454, @weiwei04)
- Remove previous local ephemeral storage resource names: "ResourceStorageOverlay" and "ResourceStorageScratch" (#51425, @NickrenREN)
- Add
retainKeys
to patchStrategy for v1 Volumes and extentions/v1beta1 DeploymentStrategy. (#50296, @mengqiy) - Add mount options field to PersistentVolume spec (#50919, @wongma7)
- Use of the alpha initializers feature now requires enabling the
Initializers
feature gate. This feature gate is auto-enabled if theInitialzers
admission plugin is enabled. (#51436, @liggitt) - Fix inconsistent Prometheus cAdvisor metrics (#51473, @bboreham)
- Add local ephemeral storage to downward API (#50435, @NickrenREN)
- kubectl zsh autocompletion will work with compinit (#50561, @cblecker)
- [Experiment Only] When using kube-up.sh on GCE, user could set env
KUBE_PROXY_DAEMONSET=true
to run kube-proxy as a DaemonSet. kube-proxy is run as static pods by default. (#50705, @MrHohn) - Add --request-timeout to kube-apiserver to make global request timeout configurable. (#51415, @jpbetz)
- Deprecate auto detecting cloud providers in kubelet. Auto detecting cloud providers go against the initiative for out-of-tree cloud providers as we'll now depend on cAdvisor integrations with cloud providers instead of the core repo. In the near future,
--cloud-provider
for kubelet will either be an empty string orexternal
. (#51312, @andrewsykim) - Add local ephemeral storage support to Quota (#49610, @NickrenREN)
- Kubelet updates default labels if those are deprecated (#47044, @mrIncompetent)
- Add error count and time-taken metrics for storage operations such as mount and attach, per-volume-plugin. (#50036, @wongma7)
- A new predicates, named 'CheckNodeCondition', was added to replace node condition filter. 'NetworkUnavailable', 'OutOfDisk' and 'NotReady' maybe reported as a reason when failed to schedule pods. (#51117, @k82cn)
- Add support for configurable groups for bootstrap token authentication. (#50933, @mattmoyer)
- Fix forbidden message format (#49006, @CaoShuFeng)
- make volumesInUse sorted in node status updates (#49849, @dixudx)
- Adds
InstanceExists
andInstanceExistsByProviderID
to cloud provider interface for the cloud controller manager (#51087, @prydie) - Dynamic Flexvolume plugin discovery. Flexvolume plugins can now be discovered on the fly rather than only at system initialization time. (#50031, @verult)
- add fieldSelector spec.schedulerName (#50582, @dixudx)
- Change eviction manager to manage one single local ephemeral storage resource (#50889, @NickrenREN)
- Cloud Controller Manager now sets Node.Spec.ProviderID (#50730, @andrewsykim)
- Paramaterize session affinity timeout seconds in service API for Client IP based session affinity. (#49850, @m1093782566)
- Changing scheduling part of the alpha feature 'LocalStorageCapacityIsolation' to manage one single local ephemeral storage resource (#50819, @NickrenREN)
- set --audit-log-format default to json (#50971, @CaoShuFeng)
- kubeadm: Implement a
--dry-run
mode and flag forkubeadm
(#51122, @luxas) - kubectl rollout
history
,status
, andundo
subcommands now support StatefulSets. (#49674, @crimsonfaith91) - Add IPBlock to Network Policy (#50033, @cmluciano)
- Adding Italian translation for kubectl (#50155, @lucab85)
- Simplify capabilities handling in FlexVolume. (#51169, @MikaelCluseau)
- NONE (#50669, @jiulongzaitian)
- cloudprovider.Zones should support external cloud providers (#50858, @andrewsykim)
- Finalizers are now honored on custom resources, and on other resources even when garbage collection is disabled via the apiserver flag
--enable-garbage-collector=false
(#51148, @ironcladlou) - Renamed the API server flag
--experimental-bootstrap-token-auth
to--enable-bootstrap-token-auth
. The old value is accepted with a warning in 1.8 and will be removed in 1.9. (#51198, @mattmoyer) - Azure file persistent volumes can use a new
secretNamespace
field to reference a secret in a different namespace than the one containing their bound persistent volume claim. The azure file persistent volume provisioner honors a correspondingsecretNamespace
storage class parameter to determine where to place secrets containing the storage account key. (#47660, @rootfs) - Bumped gRPC version to 1.3.0 (#51154, @RenaudWasTaken)
- Delete load balancers if the UIDs for services don't match. (#50539, @brendandburns)
- Show events when describing service accounts (#51035, @mrogers950)
- implement proposal 34058: hostPath volume type (#46597, @dixudx)
- HostAlias is now supported for both non-HostNetwork Pods and HostNetwork Pods. (#50646, @rickypai)
- CRDs support metadata.generation and implement spec/status split (#50764, @nikhita)
- Allow attach of volumes to multiple nodes for vSphere (#51066, @BaluDontu)
Please see the Releases Page for older releases.
Release notes of older releases can be found in: