This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

Releases: kubernetes-retired/kube-aws

v0.13.0-rc.2

31 May 14:37
cd86e8f
Pre-release

This is a Beta release candidate and is NOT considered ready for deploying/upgrading ANY kubernetes clusters that you care about! Please do try out this version on your test clusters and help us to identify bugs! Please raise any bugs as issues on the project - thanks for your help!

With the v0.13.0 release of kube-aws we have decided to better align our release numbers with the release of kubernetes that they deploy, and so we have jumped over the kubernetes v1.12 release and our version 0.13.0 will deploy kubernetes v1.13 (presently v1.13.5). This release brings a number of changes related to the security and the stability of our kubernetes clusters and a number of other features.

Components

Kubernetes: 1.13.6
Etcd: 3.2.26

Important Upgrade Notes

  • It is expected that you should be able to upgrade from existing kube-aws v0.12.x clusters to v0.13.0 release.
  • If you use the Experimental Kiam feature you must regenerate your kiam credentials when upgrading to this release (you probably won't want to re-generate ALL of the certificates on an existing cluster though). We are now targeting Kiam release 3.2, which requires additional SANs on the server certificate: kiam-server and localhost. Failure to update the certs will result in kiam-server and kiam-agents stuck in CrashLoopBackOff.
  • A number of Experimental Features are no longer available and will need to be removed from your cluster.yaml files.
    • TLSBootstrap - is now active by default.
    • PodPriority - is now active by default.
    • PodSecurityPolicy - is now active by default (see warning below)
    • NodeAuthorizer - is now active by default.
    • PersistentVolumeClaimResize - is now active by default.
    • DenyEscalatingExec - is deprecated and has been removed (please use PodSecurityPolicy)
  • The previously unavailable admission controllers EventRateLimit and ExtendedResourceToleration are now included and enabled by default.
  • If you do not have any existing PodSecurityPolicies in your cluster, kube-aws creates a permissive policy and binds it to all service accounts, authenticated users and nodes. Please create your own policies and then remove the permissive bindings by removing the ClusterRoleBinding kube-aws:permissive-psp-cluster-wide.
    Warning! If you do not have any existing PodSecurityPolicies you must ensure that they cover/allow all the workloads/pods that you want to run in your cluster, because once upgraded, no pods without a policy are allowed in the cluster!
  • If you have any scripts which connect to the kube-apiserver on port 8080 you will need to change them to use certificate based authentication via port 443.
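
A pre-upgrade audit for two of the notes above, as an added example that is not part of kube-aws: it flags removed experimental features still set in cluster.yaml and scripts that still use the insecure apiserver port. The feature names are taken from the list above; how they are spelled as keys in cluster.yaml, and the sample files, are assumptions.

```shell
#!/bin/sh
# Added example (not part of kube-aws). Feature names come from the upgrade
# notes; matching them case-insensitively as YAML keys is an assumption
# about their spelling in cluster.yaml.
REMOVED_FEATURES="TLSBootstrap PodPriority PodSecurityPolicy NodeAuthorizer PersistentVolumeClaimResize DenyEscalatingExec"

# Print each removed feature that still appears as an uncommented YAML key.
find_removed_features() {
    for feature in $REMOVED_FEATURES; do
        if grep -v '^[[:space:]]*#' "$1" |
            grep -qi "^[[:space:]]*${feature}[[:space:]]*:"; then
            echo "$feature"
        fi
    done
}

# Print file:line for each reference to the insecure apiserver port 8080.
find_insecure_port_refs() {
    grep -rnE '(localhost|127\.0\.0\.1):8080([^0-9]|$)' "$1" | cut -d: -f1,2
}

# Constructed sample input, for demonstration only.
SAMPLE=$(mktemp -d)
mkdir "$SAMPLE/scripts"
cat > "$SAMPLE/cluster.yaml" <<'EOF'
clusterName: example
experimental:
  tlsBootstrap:
    enabled: true
  # nodeAuthorizer:
  #   enabled: true
  denyEscalatingExec:
    enabled: true
EOF
cat > "$SAMPLE/scripts/health.sh" <<'EOF'
#!/bin/sh
curl -s http://localhost:8080/healthz
curl -s --cacert ca.pem --cert admin.pem --key admin-key.pem https://localhost:443/healthz
EOF

echo "Removed experimental features still set in cluster.yaml:"
find_removed_features "$SAMPLE/cluster.yaml"
echo "Scripts still using the insecure port:"
find_insecure_port_refs "$SAMPLE/scripts"
```

Commented-out keys are ignored, so a feature that has already been disabled by commenting it out is not reported.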

Other Core Changes

  • The kube-apiserver no longer listens on the insecure port localhost:8080. All kube-aws services and scripts now communicate via the secure port (443) and use the admin certificate to authenticate.
  • The kubelets have authentication switched on and employ Webhook authorization to protect their services. We have added a number of RBAC objects to ensure scripts (such as cfn-signal) still have unauthenticated access to a kubelet's /healthz endpoint. A number of kubelet settings are now set via a configuration file /etc/kubernetes/config/kubelet.yaml rather than by command-line switches.
  • We have removed heapster and enabled metrics-server by default.
  • We have moved to using CoreDNS instead of KubeDNS (but you can still select to use KubeDNS if you wish)
  • install-kube-system has undergone a refactoring which improves performance and adds flexibility in removing deprecated services. The apply-kube-aws-plugins service has been rolled into the install-kube-system and no longer exists.
  • A number of internal cluster components have seen version upgrades:
    • Calico/Typha v3.6.1
    • Flannel v0.11.0
    • Cluster AutoScaler v1.13.4
    • Cluster Proportional Autoscaler 1.5.0
    • CoreDNS 1.5.0
    • KubeDNS 1.15.2
    • Kiam 3.2
    • DNSMasqMetrics 1.15.2
    • Helm/Tiller v2.13.1
    • Metrics Server v0.3.2
    • Addon Resizer 2.1

Changes since v0.13.0-rc.1

v 0.14.0-rc.1

16 May 12:39
b7c5e99
Pre-release

This is a Beta release candidate and is NOT considered ready for deploying/upgrading ANY kubernetes clusters that you care about! Please do try out this version on your test clusters and help us to identify bugs!

Components

Kubernetes: 1.14.1
Etcd: 3.2.13

Important Upgrade Notes

This release builds on our v0.13.x release; please consult the features and notes for https://github.com/kubernetes-incubator/kube-aws/releases/tag/v0.13.0-rc.1 before using this release.

Do not attempt to upgrade an existing 0.12.x cluster directly to v0.14.0-rc.1 unless you are comfortable with downtime! For existing clusters, please migrate through a v0.13.x release before updating to this release.

Changelog since v0.13.0-rc.1

  • Kubernetes 1.14.1
  • TLSBootstrapping is now also used for the kubelet certificate provision on the controller nodes as well as the worker nodes.
  • The NodeRestriction admission controller is now enabled by default.
  • Kube-aws kube-system components use the node.kubernetes.io/role labels.

v0.13.0-rc.1

15 May 16:17
Pre-release

This is a Beta release candidate and is NOT considered ready for deploying/upgrading ANY kubernetes clusters that you care about! Please do try out this version on your test clusters and help us to identify bugs! Please raise any bugs as issues on the project - thanks for your help!

With the v0.13.0 release of kube-aws we have decided to better align our release numbers with the release of kubernetes that they deploy, and so we have jumped over the kubernetes v1.12 release and our version 0.13.0 will deploy kubernetes v1.13 (presently v1.13.5). This release brings a number of changes related to the security and the stability of our kubernetes clusters and a number of other features.

Components

Kubernetes: 1.13.5
Etcd: 3.2.13

Important Upgrade Notes

  • It is expected that you should be able to upgrade from existing kube-aws v0.12.x clusters to v0.13.0 release.
  • If you use the Experimental Kiam feature you must regenerate your kiam credentials when upgrading to this release (you probably won't want to re-generate ALL of the certificates on an existing cluster though). We are now targeting Kiam release 3.2, which requires additional SANs on the server certificate: kiam-server and localhost. Failure to update the certs will result in kiam-server and kiam-agents stuck in CrashLoopBackOff.
  • A number of Experimental Features are no longer available and will need to be removed from your cluster.yaml files.
    • TLSBootstrap - is now active by default.
    • PodPriority - is now active by default.
    • PodSecurityPolicy - is now active by default (see warning below)
    • NodeAuthorizer - is now active by default.
    • PersistentVolumeClaimResize - is now active by default.
    • DenyEscalatingExec - is deprecated and has been removed (please use PodSecurityPolicy)
  • The previously unavailable admission controllers EventRateLimit and ExtendedResourceToleration are now included and enabled by default.
  • If you do not have any existing PodSecurityPolicies in your cluster, kube-aws creates a permissive policy and binds it to all service accounts, authenticated users and nodes. Please create your own policies and then remove the permissive bindings by removing the ClusterRoleBinding kube-aws:permissive-psp-cluster-wide.
    Warning! If you do not have any existing PodSecurityPolicies you must ensure that they cover/allow all the workloads/pods that you want to run in your cluster, because once upgraded, no pods without a policy are allowed in the cluster!
  • If you have any scripts which connect to the kube-apiserver on port 8080 you will need to change them to use certificate based authentication via port 443.

Other Core Changes

  • The kube-apiserver no longer listens on the insecure port localhost:8080. All kube-aws services and scripts now communicate via the secure port (443) and use the admin certificate to authenticate.
  • The kubelets have authentication switched on and employ Webhook authorization to protect their services. We have added a number of RBAC objects to ensure scripts (such as cfn-signal) still have unauthenticated access to a kubelet's /healthz endpoint. A number of kubelet settings are now set via a configuration file /etc/kubernetes/config/kubelet.yaml rather than by command-line switches.
  • We have removed heapster and enabled metrics-server by default.
  • We have moved to using CoreDNS instead of KubeDNS (but you can still select to use KubeDNS if you wish)
  • install-kube-system has undergone a refactoring which improves performance and adds flexibility in removing deprecated services. The apply-kube-aws-plugins service has been rolled into the install-kube-system and no longer exists.
  • A number of internal cluster components have seen version upgrades:
    • Calico/Typha v3.6.1
    • Flannel v0.11.0
    • Cluster AutoScaler v1.13.4
    • Cluster Proportional Autoscaler 1.5.0
    • CoreDNS 1.5.0
    • KubeDNS 1.15.2
    • Kiam 3.2
    • DNSMasqMetrics 1.15.2
    • Helm/Tiller v2.13.1
    • Metrics Server v0.3.2
    • Addon Resizer 2.1

Features

Improvements

  • #1536: Master: Bump default Kubernetes Dashboard version and add AllowSkipLogin option (Thanks to @kylehodgetts)
  • #1567: Removing all references to the already removed kube-aws up/update commands (Thanks to @omar-nahhas)

Bug fixes

Documentation

Other changes

  • #1553: Fixing adding cf resources to etcd and networking stack - master (Thanks to @omar-nahhas)

v0.11.5

10 Apr 09:36

This is a bug fix release that improves cluster roll/upgrade stability

Bug fixes

v0.12.3

15 Feb 16:38

Changelog since v0.12.2

Component versions
Kubernetes: 1.11.3
Etcd: 3.2.13

Features

Bug fixes

  • #1552: Fixing adding cf resources to etcd and networking stack v.0.12.x (Thanks to @omar-nahhas)

v0.11.4

15 Feb 16:27

Changelog since v0.11.3

Component versions

Kubernetes: v1.10.5
Etcd: v3.2.13

Features

Bug fixes

  • #1551: Fixing adding cf resources to etcd and networking stack v.0.11.x (Thanks to @omar-nahhas)

v0.12.2

21 Jan 10:02

Aggregating milestones:

Changelog since v0.12.1

This is a maintenance release and contains an important bug fix for looking up etcd stacks introduced in v0.12.1.

Component versions

Kubernetes: 1.11.3
Etcd: 3.2.13

Features

  • #1543: V0.12.x configurable dashboard replicas (Thanks to @kylehodgetts)
  • #1544: Porting "Adding the ability to add feature gates to controller components" to 0.12.X (Thanks to @omar-nahhas)

Bug fixes

v0.11.3

21 Jan 10:49

Changelog since v0.11.2

Minor feature release

Component versions

Kubernetes: v1.10.5
Etcd: v3.2.13

Features

  • #1542: V0.11.x configurable dashboard replicas (Thanks to @kylehodgetts)
  • #1545: Porting "Adding the ability to add feature gates to controller components" to 0.11.X (Thanks to @omar-nahhas)

Improvements

  • #1538: v0.11.x: Bump default Kubernetes Dashboard version and add AllowSkipLogin option (Thanks to @kylehodgetts)

v0.12.1

11 Jan 13:32

Changelog since v0.12.0

Component versions

Kubernetes: v1.11.3
Etcd: v3.2.13

Features

  • #1487: v0.12.x: feat: add CF stackNameOverride in cluster.yaml (Thanks to @koen92)
  • #1529: Add DnsMasq (node local resolver) command-line arguments/options (Thanks to @davidmccormick)

Bug fixes

  • #1482: Bug/fix cf stack paging v0.12.x (Thanks to @c-knowles)
  • #1524: fix: Partial upgrades with stack name overrides (Thanks to @koen92)

v0.11.2

11 Jan 11:57
65918bf

Changelog since v0.11.1

Improvements

  • #1486: v0.11.x: feat: add CF stackNameOverride in cluster.yaml (Thanks to @koen92)
  • #1519: Do not leak unqualified dns requests to upstream dns servers (Thanks to @davidmccormick)
  • #1528: Add DnsMasq (node local resolver) command-line arguments/options (Thanks to @davidmccormick)

Bug fixes