merged renovate PR 75 onto a branch forced pushed. renamed to not block new automerges #75

Merged
merged 1 commit into from
Jan 5, 2024

@renovate renovate bot commented Jan 5, 2024

Mend Renovate

This PR contains the following updates:

Package Update Change
k3s-io/k3s patch v1.25.0 -> v1.25.16+k3s4

Release Notes

k3s-io/k3s (k3s-io/k3s)

v1.25.16+k3s1: v1.25.16+k3s1

v1.25.16+k3s1 should not be used, please use v1.25.16+k3s3.

v1.25.16+k3s2: v1.25.16+k3s2

Due to CI issues, v1.26.11+k3s2 should not be used. Please use v1.25.16+k3s4.

v1.25.16+k3s3: v1.25.16+k3s3

Due to CI issues, v1.26.11+k3s3 should not be used. Please use v1.25.16+k3s4.

v1.25.16+k3s4: v1.25.16+k3s4

This release updates Kubernetes to v1.25.16, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.15+k3s2:
  • Etcd status condition (#​8819)
  • Backports for 2023-11 release (#​8880)
    • New timezone info in Docker image allows the use of spec.timeZone in CronJobs
    • Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
    • Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
    • Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
    • Improved ingress IP ordering from ServiceLB
    • Disable helm CRD installation for disable-helm-controller
    • Omit snapshot list configmap entries for snapshots without extra metadata
    • Add jitter to client config retry to avoid hammering servers when they are starting up
  • Handle nil pointer when runtime core is not ready in etcd (#​8889)
  • Improve dualStack log (#​8867)
  • Bump dynamiclistener; reduce snapshot controller log spew (#​8904)
    • Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
    • Reduced etcd snapshot log spam during initial cluster startup
  • Fix etcd snapshot S3 issues (#​8939)
    • Don't apply S3 retention if S3 client failed to initialize
    • Don't request metadata when listing S3 snapshots
    • Print key instead of file path in snapshot metadata log message
  • Update to v1.25.16 (#​8923)
  • Remove s390x steps temporarily since runners are disabled (#​8993)
  • Remove s390x from manifest script (#​8994)
Embedded Component Versions
Component Version
Kubernetes v1.25.16
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24
Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.15+k3s1: v1.25.15+k3s1

This release updates Kubernetes to v1.25.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.14+k3s1:
  • Fix error reporting (#​8413)
  • Add context to flannel errors (#​8421)
  • Testing Backports for September (#​8301)
  • Include the interface name in the error message (#​8437)
  • Add extraArgs to tailscale (#​8466)
  • Update kube-router (#​8445)
  • Added error when cluster reset while using server flag (#​8457)
    • The user will receive an error when --cluster-reset with the --server flag
  • Cluster reset from non bootstrap nodes (#​8454)
  • Fix spellcheck problem (#​8511)
  • Take IPFamily precedence based on order (#​8506)
  • Network defaults are duplicated, remove one (#​8553)
  • Advertise address integration test (#​8518)
  • Fixed tailscale node IP dualstack mode in case of IPv4 only node (#​8560)
  • Server Token Rotation (#​8578)
    • Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
  • Clear remove annotations on cluster reset (#​8589)
    • Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
  • Use IPv6 in case is the first configured IP with dualstack (#​8599)
  • Backports for 2023-10 release (#​8617)
  • Update kube-router package in build script (#​8636)
  • Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#​8644)
  • Windows agent support (#​8646)
  • Use version.Program not K3s in token rotate logs (#​8654)
  • Add --image-service-endpoint flag (#​8279) (#​8664)
    • Add --image-service-endpoint flag to specify an external image service socket.
  • Backport etcd fixes (#​8692)
    • Re-enable etcd endpoint auto-sync
    • Manually requeue configmap reconcile when no nodes have reconciled snapshots
  • Update to v1.25.15 and Go to v1.20.10 (#​8679)
  • Fix s3 snapshot restore (#​8735)
Embedded Component Versions
Component Version
Kubernetes v1.25.15
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

v1.25.15+k3s2: v1.25.15+k3s2

This release updates Kubernetes to v1.25.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.15+k3s1:
  • E2E Domain Drone Cleanup (#​8584)
  • Fix SystemdCgroup in templates_linux.go (#​8767)
    • Fixed an issue with identifying additional container runtimes
  • Update traefik chart to v25.0.0 (#​8777)
  • Update traefik to fix registry value (#​8791)
Embedded Component Versions
Component Version
Kubernetes v1.25.15
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

v1.25.14+k3s1: v1.25.14+k3s1

This release updates Kubernetes to v1.25.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.13+k3s1:

  • Bump kine to v0.10.3 (#​8326)
  • Update Kubernetes to v1.25.14 and go to 1.20.8 (#​8350)
  • Backport containerd bump and test fixes (#8384)
    • Bump embedded containerd to v1.7.6
    • Bump embedded stargz-snapshotter plugin to latest
    • Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
    • Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28

Embedded Component Versions

Component Version
Kubernetes v1.25.14
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.6-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

v1.25.13+k3s1: v1.25.13+k3s1

This release updates Kubernetes to v1.25.13, and fixes a number of issues.

⚠️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.12+k3s1:
  • Update flannel and plugins (#​8076)
  • Fix tailscale bug with ip modes (#​8098)
  • Etcd snapshots retention when node name changes (#​8123)
  • August Test Backports (#​8127)
  • Backports for 2023-08 release (#​8132)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
    • Updated kine to v0.10.2
  • K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#​8145)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#​8169)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#​8190)
  • Additional backports for 2023-08 release (#​8213)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Move flannel to 0.22.2 (#​8223)
  • Update to v1.25.13 (#​8241)
  • Fix runc version bump (#​8246)
  • Add new CLI flag to enable TLS SAN CN filtering (#​8259)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#​8275)
Embedded Component Versions
Component Version
Kubernetes v1.25.13
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

v1.25.12+k3s1: v1.25.12+k3s1

This release updates Kubernetes to v1.25.12, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.11+k3s1:

  • Remove file_windows.go (#​7856)
  • Fix code spell check (#​7860)
  • Allow k3s to customize apiServerPort on helm-controller (#​7873)
  • Check if we are on ipv4, ipv6 or dualStack when doing tailscale (#​7883)
  • Support setting control server URL for Tailscale. (#​7894)
  • S3 and Startup tests (#​7886)
  • Fix rootless node password (#​7900)
  • Backports for 2023-07 release (#​7909)
    • Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
    • The k3s certificate rotate-ca command now supports the data-dir flag.
  • Adding cli to custom klipper helm image (#​7915)
    • The default helm-controller job image can now be overridden with the --helm-job-image CLI flag
  • Generation of certs and keys for etcd gated if etcd is disabled (#​7945)
  • Don't use zgrep in check-config if apparmor profile is enforced (#​7954)
  • Fix image_scan.sh script and download trivy version (#​7950) (#​7969)
  • Adjust default kubeconfig file permissions (#​7984)
  • Update to v1.25.12 (#​8021)
Embedded Component Versions
Component Version
Kubernetes v1.25.12
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.2
Local-path-provisioner v0.0.24

v1.25.11+k3s1: v1.25.11+k3s1

This release updates Kubernetes to v1.25.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.10+k3s1:

  • Update flannel version (#​7649)
  • Bump vagrant libvirt with fix for plugin installs (#​7659)
  • E2E Backports - June (#​7705)
    • Shortcircuit commands with version or help flags #​7683
    • Add Rotation certification Check, remove func to restart agents #​7097
    • E2E: Sudo for RunCmdOnNode #​7686
  • Add private registry e2e test (#​7722)
  • VPN integration (#​7728)
  • Fix spelling test (#​7752)
  • Remove unused libvirt config (#​7758)
  • Backport version bumps and bugfixes (#​7718)
    • The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
    • The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
    • The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
    • Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
    • Make LB image configurable when compiling k3s
    • K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
    • The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
    • The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist.
  • Add format command on Makefile (#​7763)
  • Fix logging and cleanup in Tailscale (#​7784)
  • Update Kubernetes to v1.25.11 (#​7788)
  • Path normalization affecting kubectl proxy conformance test for /api endpoint (#​7818)

Embedded Component Versions

Component Version
Kubernetes v1.25.11
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.0
Local-path-provisioner v0.0.24

v1.25.10+k3s1: v1.25.10+k3s1

This release updates Kubernetes to v1.25.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.9+k3s1:
  • Ensure that klog verbosity is set to the same level as logrus (#​7361)
  • Add E2E testing in Drone (#​7375)
  • Add integration tests for etc-snapshot server flags #​7377 (#​7378)
  • CLI + Config Enhancement (#​7404)
    • --Tls-sans now accepts multiple arguments: --tls-sans="foo,bar"
    • Prefer-bundled-bin: true now works properly when set in config.yaml.d files
  • Migrate netutil methods into /utils/net.go (#​7433)
  • Bump Runc + Containerd + Docker for CVE fixes (#​7452)
  • Bump kube-router version to fix a bug when a port name is used (#​7461)
  • Kube flags and longhorn storage tests 1.25 (#​7466)
  • Local-storage: Fix permission (#​7473)
  • Backport version bumps and bugfixes (#​7515)
    • K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
    • K3s once again supports aarch64 nodes with page size > 4k
    • The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
    • K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
    • K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
    • Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
    • Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
    • Fixed a regression that prevented the pod and cluster egress-selector modes from working properly.
    • K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
    • K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
    • The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
    • The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
    • The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
  • Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#​7535)
    • The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
  • Wrap error stating that it is coming from netpol (#​7548)
  • Add '-all' flag to apply to inactive units (#​7574)
  • Update to v1.25.10-k3s1 (#​7582)
Embedded Component Versions
Component Version
Kubernetes v1.25.10
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.14.0
Local-path-provisioner v0.0.24

v1.25.9+k3s1: v1.25.9+k3s1

This release updates Kubernetes to v1.25.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.8+k3s1:

  • Enhance check-config (#​7164)
  • Remove deprecated nodeSelector label beta.kubernetes.io/os (#​6970) (#​7121)
  • Backport version bumps and bugfixes (#​7228)
    • The bundled local-path-provisioner version has been bumped to v0.0.24
    • The bundled runc version has been bumped to v1.1.5
    • The bundled coredns version has been bumped to v1.10.1
    • When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously.
    • The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member.
    • Fixed a race condition during cluster reset that could cause the operation to hang and time out.
  • Updated kube-router to move the default ACCEPT rule at the end of the chain (#​7221)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update klipper lb and helm-controller (#​7240)
  • Update Kube-router ACCEPT rule insertion and install script to clean rules before start (#​7276)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update to v1.25.9-k3s1 (#​7283)

Embedded Component Versions

Component Version
Kubernetes v1.25.9
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.5
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.10.1
Helm-controller v0.13.3
Local-path-provisioner v0.0.24

v1.25.8+k3s1: v1.25.8+k3s1

This release updates Kubernetes to v1.25.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.7+k3s1:

  • Update flannel and kube-router (#​7061)
  • Bump various dependencies for CVEs (#​7043)
  • Enable dependabot (#​7045)
  • Wait for kubelet port to be ready before setting (#​7064)
    • The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object.
  • Adds a warning about editing to the containerd config.toml file (#​7075)
  • Improve support for rotating the default self-signed certs (#​7079)
    • The k3s certificate rotate-ca checks now support rotating self-signed certificates without the --force option.
  • Update to v1.25.8-k3s1 (#​7106)
  • Update flannel to fix NAT issue with old iptables version (#​7138)

Embedded Component Versions

Component Version
Kubernetes v1.25.8
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.4
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

v1.25.7+k3s1: v1.25.7+k3s1

This release updates Kubernetes to v1.25.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.6+k3s1:

  • Add jitter to scheduled snapshots and retry harder on conflicts (#​6782)
    • Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list.
  • Bump cri-dockerd (#​6798)
    • The embedded cri-dockerd has been updated to v0.3.1
  • Bugfix: do not break cert-manager when pprof is enabled (#​6837)
  • Wait for cri-dockerd socket (#​6853)
  • Bump vagrant boxes to fedora37 (#​6858)
  • Fix cronjob example (#​6864)
  • Ensure flag type consistency (#​6867)
  • Consolidate E2E tests (#​6887)
  • Ignore value conflicts when reencrypting secrets (#​6919)
  • Use default address family when adding kubernetes service address to SAN list (#​6904)
    • The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family.
  • Allow ServiceLB to honor ExternalTrafficPolicy=Local (#​6907)
    • ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members.
  • Fix issue with servicelb startup failure when validating webhooks block creation (#​6916)
    • The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use.
  • Backport user-provided CA cert and kubeadm bootstrap token support (#​6929)
    • K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at contrib/util/certs.sh.
    • K3s now supports kubeadm style join tokens. k3s token create now creates join token secrets, optionally with a limited TTL.
    • K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster.
  • Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent (#​6936)
    • Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode.
  • Updated flannel version to v0.21.1 (#​6915)
  • Allow for multiple sets of leader-elected controllers (#​6941)
    • Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes
  • Fix etcd and ca-cert rotate issues (#​6954)
  • Fix ServiceLB dual-stack ingress IP listing (#​6987)
    • Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation.
  • Bump kine to v0.9.9 (#​6975)
    • The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at info level for increased visibility.
  • Update to v1.25.7-k3s1 (#​7010)

Embedded Component Versions

Component Version
Kubernetes v1.25.7
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.15-k3s1
Runc v1.1.4
Flannel v0.21.1
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

v1.25.6+k3s1: v1.25.6+k3s1

This release updates Kubernetes to v1.25.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.5+k3s2:
  • Pass through default tls-cipher-suites (#​6730)
    • The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values.
  • Bump containerd to v1.6.15-k3s1 (#​6735)
    • The embedded containerd version has been bumped to v1.6.15-k3s1
  • Bump action/download-artifact to v3 (#​6747)
  • Backport dependabot/updatecli updates (#​6761)
  • Fix Drone plugins/docker tag for 32 bit arm (#​6768)
  • Update to v1.25.6+k3s1 (#​6775)
Embedded Component Versions
Component Version
Kubernetes v1.25.6
Kine v0.9.6
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.15-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

v1.25.5+k3s1: v1.25.5+k3s1

⚠️ WARNING

This release is affected by https://github.com/containerd/containerd/issues/7843, which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use v1.25.5+k3s2 instead.

This release updates Kubernetes to v1.25.5, and fixes a number of issues.

Breaking Change: K3s no longer includes swanctl and charon binaries. If you are using the ipsec flannel backend, please ensure that the strongswan swanctl and charon packages are installed on your node before upgrading K3s to this release.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.4+k3s1:
  • Fix log for flannelExternalIP use case (#​6531)
  • Fix Carolines github id (#​6464)
  • Github CI Updates (#​6522)
  • Add new prefer-bundled-bin experimental flag (#​6420)
    • Added new prefer-bundled-bin flag which forces K3s to use its bundle binaries over that of the host tools
  • Bump containerd to v1.6.10 (#​6512)
    • The embedded containerd version has been updated to v1.6.10-k3s1
  • Stage the Traefik charts through k3s-charts (#​6519)
  • Make rootless settings configurable (#​6498)
    • The rootless port-driver, cidr, mtu, enable-ipv6, and disable-host-loopback settings can now be configured via environment variables.
  • Remove stuff which belongs in the windows executor implementation (#​6517)
  • Mark v1.25.4+k3s1 as stable (#​6534)
  • Add prefer-bundled-bin as an agent flag (#​6545)
  • Bump klipper-helm and klipper-lb versions (#​6549)
    • The embedded Load-Balancer controller image has been bumped to klipper-lb:v0.4.0, which includes support for the LoadBalancerSourceRanges field.
    • The embedded Helm controller image has been bumped to klipper-helm:v0.7.4-build20221121
  • Switch from Google Buckets to AWS S3 Buckets (#​6497)
  • Fix passing AWS creds through Dapper (#​6567)
  • Fix artifact upload with aws s3 cp (#​6568)
  • Disable CCM metrics port when legacy CCM functionality is disabled (#​6572)
    • The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the --disable-cloud-controller flag is set.
  • Sync packaged component Deployment config (#​6552)
    • Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count.
    • The packaged metrics-server has been bumped to v0.6.2
  • Mark secrets-encryption flag as GA (#​6582)
  • Bump k3s root to v0.12.0 and remove strongswan binaries (#​6400)
    • The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1.
    • The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan swanctl and charon packages are installed on your node before upgrading k3s.
  • Update flannel to v0.20.2 (#​6588)
  • Add ADR for security bumps automation (#​6559)
  • Update node12->node16 based GH actions (#​6593)
  • Updating rel docs (#​6237)
  • Update install.sh to recommend current version of k3s-selinux (#​6453)
  • Update to v1.25.5-k3s1 (#​6622)
  • Bump containerd to v1.6.12-k3s1 (#​6631)
    • The embedded containerd version has been bumped to v1.6.12
  • Preload iptable_filter/ip6table_filter (#​6646)
Embedded Component Versions
Component Version
Kubernetes [v1.25.5](https://togithub.co

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot merged commit f94b5a0 into release-1.25 Jan 5, 2024
1 check passed
@renovate renovate bot deleted the renovate/release-1.25-k3s-io-k3s-1.25.x branch January 5, 2024 22:11
@gberche-orange gberche-orange changed the title Update dependency k3s-io/k3s to v1.25.16+k3s4 (release-1.25) merged renovate PR 75 onto a branch forced pushed. renamed to not block new automerges Jan 5, 2024
@gberche-orange

through rename-previously-merged-renovate-PRs-that-block-automerge.bash: this PR was likely blocking automerge, see #52 (comment) for diagnostics steps
