Version 2.4.7-1.15.10
Changelog since 2.4.6-1.15.6
Improvements
- Kubernetes 1.15.10
- dcos-commons 0.57.3
- Calico 3.10.3
- Update Debian base container images to version stable-20200130-slim
Changelog since 2.4.5-1.15.5
Improvements
- Kubernetes 1.15.6
- Calico 3.10.1
- CoreDNS v1.6.5
- Add option to enable AlwaysPullImages Kubernetes admission controller. See Admission Controllers for more details.
- Add option to enable Kubernetes secret encryption. See Kubernetes secret encryption for more details.
- Update Debian base container images to version stable-20191118-slim.
- Remove timeout option from
dcos kubernetes cluster update
command. Now you need to check the status of deployment plan after initiating a package options update or a package version update. Use dcos kubernetes cluster debug plan show deploy
to check when the update operation finished. This is in line with other DC/OS frameworks behavior.
- Add node controller from calico/kube-controllers that watches for the removal of Kubernetes nodes and removes corresponding data from Calico.
Bug Fixes
- Fix a bug where sometimes a Kubernetes pod is assigned an IP from a calico-node. Changes the default Calico CNI plugin from host-local to calico-ipam. When upgrading to this MKE version installing the mandatory-addons will take longer since it has to ensure Calico deployment finishes upgrading to calico-ipam before proceeding.
Documentation
- Add instructions to install Gatekeeper and how to use it as a replacement for Kubernetes PodSecurity policies.
Changelog since 2.4.4-1.15.4
Improvements
- Kubernetes 1.15.5
- Docker 19.03.3
Bug Fixes
- Fix an issue where the kubelets running in control-plane tasks sometimes report invalid allocatable resources for pods.
- Ensure that control-plane kubelets are always labeled correctly.
Changelog since 2.4.3-1.15.3
Improvements
Bug Fixes
- Disable Api server insecure port. It was only accessible via localhost on the kube-control-plane task, but to be CIS compliant, we now set the
--insecure-port
flag to 0.
Changelog since 2.4.2-1.15.3
Improvements
- dcos-commons 0.57.0
- Adds configuration options for DC/OS Quota support. See Quota Support for more details.
- Control Plane tasks are now launched with labels that support auto exposure of Kubernetes API via EdgeLB
Version 2.4.2-1.15.3
Changelog since 2.4.1-1.15.2
Improvements
- Kubernetes 1.15.3
- dcos-commons 0.56.3
- Adds configuration options to enable Kubernetes auditing. Kubernetes auditing provides a security-relevant chronological set of records. These document the sequence of activities that have affected the system by users, administrators or other components of the system.
Changelog since 2.4.0-1.15.1
Improvements
- Kubernetes 1.15.2
- Docker 19.03.1
- Calico 3.8.1
- CoreDNS 1.6.1
- dcos-commons 0.56.2
- Improve security of kube-nodes by mounting required host volumes read only.
Bug Fixes
- Fix a bug where a custom OIDC certificate file isn’t available to the Kubernetes Apiserver when OIDC support is enabled.
Changelog since 2.3.3-1.14.3
Improvements
- Kubernetes v1.15.1
- CoreDNS v1.5.0
- Calico v3.8.0
- dcos-commons v0.56.1
- Add option to deploy etcd cluster with 5 nodes. When high_availability is set to “true” in the package JSON, a Kubernetes cluster with 3 etcd nodes will be created. However, some Kubernetes clusters require more than 3 etcd nodes for production. Cluster administrators can use this option for those scenarios. This option will provision 5 etcd nodes for the Kubernetes cluster instead. Deploying an etcd cluster with 5 nodes requires a cluster with at least 5 private agents.
- Add required options to configure an OIDC authentication provider for the Kubernetes API Server. See Configuring the API Server for more information.
Bug Fixes
- Disable API server anonymous authentication
- Fix a bug where Kubernetes clusters created under a DC/OS folder don’t export metrics with the correct Kubernetes cluster name.
Changelog since 2.3.2-1.14.1
Improvements
- Kubernetes 1.14.3.
- Calico 3.7.2.
Changelog since 2.3.1-1.14.2
Improvements
- Add media types required to show dropdown box in secrets and service account configuration. This UI feature will ship as an update and with DC/OS 1.13.1. It is not part of 1.13.0. It is backwards compatible such that a simple text input is displayed on older versions of the UI.
Bug Fixes
- Downgrade to Kubernernetes 1.14.1 to mitigate https://github.com/kubernetes/kubernetes/issues/78308.
- Correctly configure TLS for the Kubernetes API server to work with intermediate CA certificates.
Changelog since 2.3.0-1.14.1
Improvements
Changelog since 2.2.2-1.13.5
Improvements
- Kubernetes 1.14.1
- Docker 18.09.4
- CoreDNS v1.4.0
- Calico 3.5.4
- Enable Pod Priority scheduling and preemption
- Allow for defining the maximum amount of disk space taken by pods’ containers’ log files (defaults to 1MB).
The default can be overriden by setting the
kubernetes.maximum_container_log_size
configuration option.
Documentation
Changelog since 2.2.1-1.13.4
Improvements
- Kubernetes v1.13.5
- Expose the Kubernetes controller manager secure port to access metrics with authentication and authorization, and disable the localhost insecure port.
- Expose the scheduler secure port to access metrics with authentication and authorization, and disable the localhost insecure port.
- Improve security of kubelet unauthenticated healthz endpoint by only binding to localhost.
- Improve security of kube-proxy unauthenticated healthz endpoint by only binding to localhost.
- Enable unauthenticated etcd /metrics endpoint on port 2381 by default. Available using DCOS VIP
http://etcd-N-peer.${KUBERNETES_CLUSTER_NAME}.autoip.dcos.thisdcos.directory:2381/metrics
where N is the task instance index.
Changelog since 2.2.0-1.13.3
Improvements
- Kubernetes v1.13.4
- Docker v18.09.3
- Calico v3.5.2
- Support for Mesos pre-reserved roles for etcd, control-plane, public-node and private-node, and placement rules for etcd.
- Modify how etcd placement constraints are defined, there is now a separate
etcd.placement
option. For backwards compatibility, if left empty, the value from kubernetes.control_plane_placement
will be used.
Bug Fixes
- Fix a bug where sometimes Kubernetes workloads running on public agents would not have access to Kubernetes workloads running on private agents.
- Fix a bug where using
--path-to-custom-ca
in dcos kubernetes cluster kubeconfig
resulted in an improperly encoded certificate-authority-data
in the generated kubeconfig
file.
Documentation
- Fix the
etcd
snapshotting instructions.
- Add section
Mesos Roles
to Advanced Installation
page.
Version 2.2.0-1.13.3
Changelog since 2.1.1-1.12.5
Improvements
- Kubernetes v1.13.3
- dcos-commons v0.55.4
- CoreDNS v1.3.1
- Enable CSI features required for CSI integration.
- Automate the task replacement when a DC/OS agent is decommissioned.
- Allow changing automated DC/OS proxy configuration into Kubernetes cluster tasks.
Bug Fixes
- Fix a bug where providing
--aws-session-token
for cluster backup
and cluster restore
commands did not actually work.
- Fix a bug affecting clusters in which the Kubernetes service CIDR or Calico network CIDR overlapped with Docker’s default bridge network by disabling the bridge.
Documentation
- Add a Storage page documenting Container Storage Interface (CSI).
Version 2.1.1-1.12.5
Changelog since 2.1.0-1.12.3
Improvements
- dcos-commons v0.55.0
- Kubernetes v1.12.5
- Docker v18.09.1
- Kubernetes Dashboard v1.10.1
- Enable local-dns-dispatcher in control plane tasks.
Bug Fixes
- Fix a bug that might cause pods that have resource limits crash on RHEL based systems. The issue is related to Linux kmem accounting turned-on by default by runc. We now turn-off kmem accounting on RHEL-based systems, and on these systems alone. No user intervention is needed, however all of Kubernetes cluster tasks will be replaced, which may cause some downtime.
Version 2.1.0-1.12.3
Changelog since 2.0.1-1.12.2
Improvements
- dcos-commons v0.54.3
- Kubernetes v1.12.3
- CoreDNS v1.2.6
- Calico v3.2.4
- Enable
--peer-client-cert-auth
for etcd
. When set, etcd will check all incoming peer requests from the cluster for valid client certificates signed by the supplied CA.
- Enable the selection of the desired region where to deploy the Kubernetes cluster.
- Add the new flag
--force
in the cluster update
command to force the update of the cluster configuration.
- Support relative paths in
--path-to-custom-ca
for cluster kubeconfig
command, e.g. --path-to-custom-ca=./my-custom-ca.pem
.
- Move the validation of the service configuration to the Mesosphere Kubernetes Engine.
- Enable
--aws-session-token
for cluster backup
and cluster restore
commands. The AWS session token can now be used as part of the AWS credentials.
- Increase the number of retries an etcd task will perform during installation to resolve its own DNS name. This should prevent etcd tasks from getting stuck in a retry loop on larger clusters.
Bug Fixes
- Fix a bug that might cause segfault when running
dcos kubernetes cluster kubeconfig
.
Documentation
- Documentation section on how to upgrade the
kubernetes
package.
Version 2.0.1-1.12.2
Changelog since 2.0.0-1.12.1
Improvements
- dcos-commons v0.54.2.
- Kubernetes v1.12.2
Bug Fixes
- Fix a bug affecting use of private Docker registries.
Documentation
Version 2.0.0-1.12.1
Changelog since 1.x
Improvements
- Kubernetes v1.12.1 and other components’ version changes.
- Enable high density deployments of multiple Kubernetes clusters on DC/OS.
- Replace
kube-apiserver
, kube-controller-manager
and kube-scheduler
tasks with static pods in a new task kube-control-plane
.
- Replace
kube-proxy
and coredns
tasks with static pods, and rename coredns
to local-dns-dispatcher
.
- Replace cluster DNS
kube-dns
deployment with coredns
and prevent co-location of these pods.
- Add the
priorityClassName
field to critical system pods.
- The Kubernetes Dashboard is now secured using HTTPS and will now show the login view when accessed.
- Use a dedicated RBAC role for the
kubelet-resource-watchdog
.
- Add options to enable Calico’s Typha.
- Public Kubernetes nodes now reserve ports
80
and 443
of the underlying public DC/OS agent to help prevent issues with port binding, and to making them available for Ingress.
- Installation and package options upgrades are now faster.
- Scaling up a cluster is now performed in parallel and therefore faster. Scaling down a cluster is still performed serially to ensure workload stability while decommissioning Kubernetes nodes.
Bug Fixes
- Fix a bug that might cause
kube-node
and kube-node-public
tasks to freeze in the STARTED
state, causing installations or upgrades to stop indefinitely.
- Fix a bug that could forever fail to run public Kubernetes node tasks.
- Fix a bug affecting node decommission that could cause Kubernetes apps temporary downtime.
Documentation