You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Check if pathExists before performing Unmount (#39311, @rkouj)
Unmount operation should not fail if volume is already unmounted (#38547, @rkouj)
Updates base image used for kube-addon-manager to latest python:2.7-slim and embedded kubectl to v1.3.10. No functionality changes expected. (#42842, @ixdy)
list-resources: don't fail if the grep fails to match any resources (#41933, @ixdy)
Update gcr.io/google-containers/rescheduler to v0.2.2, which uses busybox as a base image instead of ubuntu. (#41911, @ixdy)
Fix AWS device allocator to only use valid device names (#41455, @gnufied)
Reverts to looking up the current VM in vSphere using the machine's UUID, either obtained via sysfs or via the vm-uuid parameter in the cloud configuration file. (#40892, @robdaemon)
We change the default attach_detach_controller sync period to 1 minute to reduce the query frequency through cloud provider to check whether volumes are attached or not. (#41363, @jingxu97)
Bump GCI to gci-stable-56-9000-84-2: Fixed google-accounts-daemon breaks on GCI when network is unavailable. Fixed iptables-restore performance regression. (#41831, @freehan)
Update fluentd-gcp addon to 1.25.2 (#41863, @ixdy)
Bump GCE ContainerVM to container-vm-v20170214 to address CVE-2016-9962. (#41449, @zmerlynn)
Move b.gcr.io/k8s_authenticated_test to gcr.io/k8s-authenticated-test (#40335, @zmerlynn)
Prep node_e2e for GCI to COS name change (#41088, @jessfraz)
If ExperimentalCriticalPodAnnotation=True flag gate is set, kubelet will ensure that pods with scheduler.alpha.kubernetes.io/critical-pod annotation will be admitted even under resource pressure, will not be evicted, and are reasonably protected from system OOMs. (#41052, @vishh)
Kubelet will no longer set hairpin mode on every interface on the machine when an error occurs in setting up hairpin for a specific interface. (#36990, @bboreham)
Bump GCE ContainerVM to container-vm-v20170201 to address CVE-2016-9962. (#40828, @zmerlynn)
Adding vmdk file extension for vmDiskPath in vsphere DeleteVolume (#40538, @divyenpatel)
Prevent hotloops on error conditions, which could fill up the disk faster than log rotation can free space. (#40497, @lavalamp)
Update GCE ContainerVM deployment to container-vm-v20170117 to pick up CVE fixes in base image. (#40094, @zmerlynn)
Update kube-proxy image to be based off of Debian 8.6 base image. (#39695, @ixdy)
Update amd64 kube-proxy base image to debian-iptables-amd64:v5 (#39725, @ixdy)
Provide kubernetes-controller-manager flags to control volume attach/detach reconciler sync. The duration of the syncs can be controlled, and the syncs can be shut off as well. (#39551, @chrislovecnm)
Fix issue in reconstruct volume data when kubelet restarts (#36616, @jingxu97)
Add sync state loop in master's volume reconciler (#34859, @jingxu97)
AWS: strong-typing for k8s vs aws volume ids (#35883, @justinsb)
Bump GCI version to gci-beta-55-8872-47-0 (#36679, @mtaufen)
gci-beta-55-8872-47-0:
Date: Nov 11, 2016
Kernel: ChromiumOS-4.4
Kubernetes: v1.4.5
Docker: v1.11.2
Changelog (vs 55-8872-18-0)
* Cherry-pick runc PR#608: Eliminate redundant parsing of mountinfo
* Updated kubernetes to v1.4.5
* Fixed a bug in e2fsprogs that caused mke2fs to take a very long time. Upstream fix: http://git.kernel.org/cgit/fs/ext2/e2fsprogs.git/commit/?h=next&id=d33e690fe7a6cbeb51349d9f2c7fb16a6ebec9c2
Fix fetching pids running in a cgroup, which caused problems with OOM score adjustments & setting the /system cgroup ("misc" in the summary API). (#36614, @timstclair)
DELETE requests can now pass in their DeleteOptions as a query parameter or a body parameter, rather than just as a body parameter. (#35806, @bdbauer)
rkt: Convert image name to be a valid acidentifier (#34375, @euank)
Remove stale volumes if endpoint/svc creation fails. (#35285, @humblec)
Remove Job also from .status.active for Replace strategy (#35420, @soltysh)
Update PodAntiAffinity to ignore calls to subresources (#35608, @soltysh)
Adds TCPCloseWaitTimeout option to kube-proxy for sysctl nf_conntrack_tcp_timeout_time_wait (#35919, @bowei)
Fix how we iterate over active jobs when removing them for Replace policy (#36161, @soltysh)
Bump GCI version to latest m55 version in GCE for K8s 1.4 (#36302, @mtaufen)
Add a check for file size if the reading content returns empty (#33976, @jingxu97)
Add a retry when reading a file content from a container (#35560, @jingxu97)
Skip CLOSE_WAIT e2e test if server is 1.4.5 (#36404, @bowei)
Avoid overriding system and kubelet cgroups on GCI (#35319, @vishh)
* Make the kubectl from k8s release the default on GCI
kubelet summary rootfs now refers to the filesystem that contains the Kubelet RootDirectory (var/lib/kubelet) instead of cadvisor's rootfs ( / ), since they may be different filesystems. (#35136, @dashpole)
Fix cadvisor_unsupported and the crossbuild (#35817, @luxas)
kubenet: SyncHostports for both running and ready to run pods. (#31388, @yifan-gu)
Fix non-starting node controller in 1.4 branch (#34895, @wojtek-t)
Cherrypick #34851 "Only wait for cache syncs once in NodeController" (#34861, @jessfraz)
NodeController waits for informer sync before doing anything (#34809, @gmarek)
Make NodeController recognize deletion tombstones (#34786, @davidopp)
Fix panic in NodeController caused by receiving DeletedFinalStateUnknown object from the cache. (#34694, @gmarek)
Update GlusterFS provisioning readme with endpoint/service details (#31854, @humblec)
Add logging for enabled/disabled API Groups (#32198, @deads2k)
New federation deployment mechanism now allows non-GCP clusters. (#34620, @madhusudancs)
* Writes the federation kubeconfig to the local kubeconfig file.
Cherrypick #34851 "Only wait for cache syncs once in NodeController" (#34861, @jessfraz)
NodeController waits for informer sync before doing anything (#34809, @gmarek)
Make NodeController recognize deletion tombstones (#34786, @davidopp)
Fix panic in NodeController caused by receiving DeletedFinalStateUnknown object from the cache. (#34694, @gmarek)
Update GlusterFS provisioning readme with endpoint/service details (#31854, @humblec)
Add logging for enabled/disabled API Groups (#32198, @deads2k)
New federation deployment mechanism now allows non-GCP clusters. (#34620, @madhusudancs)
* Writes the federation kubeconfig to the local kubeconfig file.
Update GCI base image: (#34156, @adityakali)
* Enabled VXLAN and IP_SET config options in kernel to support some networking tools (ebtools)
* OpenSSL CVE fixes
ContainerVm/GCI image: try to use ifdown/ifup if available (#33595, @freehan)
Make the informer library available for the go client library. (#32718, @mikedanese)
Enforce Disk based pod eviction with GCI base image in Kubelet (#33520, @vishh)
Fix nil pointer issue when getting metrics from volume mounter (#34251, @jingxu97)
Enable kubectl describe rs to work when apiserver does not support pods (#33794, @nikhiljindal)
Add missing argument to log message in federated ingress controller. (#34158, @quinton-hoole)
Fix issue in updating device path when volume is attached multiple times (#33796, @jingxu97)
To reduce memory usage to reasonable levels in smaller clusters, kube-apiserver now sets the deserialization cache size based on the target memory usage. (#34000, @wojtek-t)
Fix possible panic in PodAffinityChecker (#33086, @ivan4th)
Fix race condition in setting node statusUpdateNeeded flag (#32807, @jingxu97)
kube-proxy: Add a lower-bound for conntrack (128k default) (#33051, @thockin)
Use patched golang1.7.1 for cross-builds targeting darwin (#33803, @ixdy)
Move HighWaterMark to the top of the struct in order to fix arm (#33117, @luxas)
Move HighWaterMark to the top of the struct in order to fix arm, second time (#33376, @luxas)
This is the first release tracked via the use of the kubernetes/features issues repo. Each Feature issue is owned by a Special Interest Group from kubernetes/community
API Machinery
[alpha] Generate audit logs for every request user performs against secured API server endpoint. (docs) (kubernetes/features#22)
[beta] kube-apiserver now publishes a swagger 2.0 spec in addition to a swagger 1.2 spec (kubernetes/features#53)
[beta] Server-side garbage collection is enabled by default. See user-guide
Apps
[alpha] Introducing 'ScheduledJobs', which allow running time based Jobs, namely once at a specified time or repeatedly at specified point in time. (docs) (kubernetes/features#19)
Auth
[alpha] Container Image Policy allows an access controller to determine whether a pod may be scheduled based on a policy (docs) (kubernetes/features#59)
[alpha] Access Review APIs expose authorization engine to external inquiries for delegation, inspection, and debugging (docs) (kubernetes/features#37)
Cluster Lifecycle
[alpha] Ensure critical cluster infrastructure pods (Heapster, DNS, etc.) can schedule by evicting regular pods when necessary to make the critical pods schedule. (docs) (kubernetes/features#62)
[alpha] Simplifies bootstrapping of TLS secured communication between the API server and kubelet. (docs) (kubernetes/features#43)
[alpha] Creating a Federated Ingress is as simple as submitting
an Ingress creation request to the Federation API Server. The
Federation control system then creates and maintains a single
global virtual IP to load balance incoming HTTP(S) traffic across
some or all the registered clusters, across all regions. Google's
GCE L7 LoadBalancer is the first supported implementation, and
is available in this release.
(docs)
(kubernetes/features#82)
[beta] Federated Replica Sets create and maintain matching
Replica Sets in some or all clusters in a federation, with the
desired replica count distributed equally or according to
specified per-cluster weights.
(docs)
(kubernetes/features#46)
[beta] Federated Secrets are created and kept consistent across all clusters in a federation.
(docs)
(kubernetes/features#68)
[beta] Federation API server gained support for events and many
federation controllers now report important events.
(docs)
(kubernetes/features#70)
[alpha] Creating a Federated Namespace causes matching
Namespaces to be created and maintained in all the clusters registered with that federation. (docs) (kubernetes/features#69)
[alpha] ingress has alpha support for a single master multi zone cluster (docs) (kubernetes/features#52)
Network
[alpha] Service LB now has alpha support for preserving client source IP (docs) (kubernetes/features#27)
[alpha] Pods now have alpha support for setting whitelisted, safe sysctls. Unsafe sysctls can be whitelisted on the kubelet. (docs) (kubernetes/features#34)
[alpha] Allows pods to require or prohibit (or prefer or prefer not) co-scheduling on the same node (or zone or other topology domain) as another set of pods. (docs (kubernetes/features#51)
Storage
[beta] Persistent Volume provisioning now supports multiple provisioners using StorageClass configuration. (docs) (kubernetes/features#36)
[stable] Kubernetes Dashboard UI - a great looking Kubernetes Dashboard UI with 90% CLI parity for at-a-glance management. docs
[stable] kubectl no longer applies defaults before sending objects to the server in create and update requests, allowing the server to apply the defaults. (kubernetes/features#55)
Known Issues
Completed pods lose logs across node upgrade (#32324)
non-hostNetwork daemonsets will almost always have a pod that fails to schedule (#32900)
Service loadBalancerSourceRanges doesn't respect updates (#33033)
disallow user to update loadbalancerSourceRanges (#33346)
Notable Changes to Existing Behavior
Deployments
ReplicaSets of paused Deployments are now scaled while the Deployment is paused. This is retroactive to existing Deployments.
When scaling a Deployment during a rollout, the ReplicaSets of all Deployments are now scaled proportionally based on the number of replicas they each have instead of only scaling the newest ReplicaSet.
kubectl rolling-update: < v1.4.0 client vs >=v1.4.0 cluster
Old version kubectl's rolling-update command is compatible with Kubernetes 1.4 and higher only if you specify a new replication controller name. You will need to update to kubectl 1.4 or higher to use the rolling update command against a 1.4 cluster if you want to keep the original name, or you'll have to do two rolling updates.
If you do happen to use old version kubectl's rolling update against a 1.4 cluster, it will fail, usually with an error message that will direct you here. If you saw that error, then don't worry, the operation succeeded except for the part where the new replication controller is renamed back to the old name. You can just do another rolling update using kubectl 1.4 or higher to change the name back: look for a replication controller that has the original name plus a random suffix.
Unfortunately, there is a much rarer second possible failure mode: the replication controller gets renamed to the old name, but there is a duplicated set of pods in the cluster. kubectl will not report an error since it thinks its job is done.
If this happens to you, you can wait at most 10 minutes for the replication controller to start a resync, the extra pods will then be deleted. Or, you can manually trigger a resync by change the replicas in the spec of the replication controller.
kubectl delete: < v1.4.0 client vs >=v1.4.0 cluster
If you use an old version kubectl to delete a replication controller or replicaset, then after the delete command has returned, the replication controller or the replicaset will continue to exist in the key-value store for a short period of time (<1s). You probably will not notice any difference if you use kubectl manually, but you might notice it if you are using kubectl in a script.
DELETE operation in REST API
Replication controller & Replicaset: the DELETE request of a replication controller or a replicaset becomes asynchronous by default. The object will continue to exist in the key-value store for some time. The API server will set its metadata.deletionTimestamp, add the "orphan" finalizer to its metadata.finalizers. The object will be deleted from the key-value store after the garbage collector orphans its dependents. Please refer to this user-guide for more information regarding the garbage collection.
Other objects: no changes unless you explicitly request orphaning.
Action Required Before Upgrading
If you are using Kubernetes to manage docker containers, please be aware Kubernetes has been validated to work with docker 1.9.1, docker 1.11.2 (#23397), and docker 1.12.0 (#28698)
If you upgrade your apiserver to 1.4.x but leave your kubelets at 1.3.x, they will not report init container status, but init containers will work properly. Upgrading kubelets to 1.4.x fixes this.
The NamespaceExists and NamespaceAutoProvision admission controllers have been removed, use the NamespaceLifecycle admission controller instead (#31250, @derekwaynecarr)
If upgrading Cluster Federation components from 1.3.x, the federation-apiserver and federation-controller-manager binaries have been folded into hyperkube. Please switch to using that instead. (#29929, @madhusudancs)
If you are using the PodSecurityPolicy feature (eg: kubectl get podsecuritypolicy does not error, and returns one or more objects), be aware that init containers have moved from alpha to beta. If there are any pods with the key pods.beta.kubernetes.io/init-containers, then that pod may not have been filtered by the PodSecurityPolicy. You should find such pods and either delete them or audit them to ensure they do not use features that you intend to be blocked by PodSecurityPolicy. (#31026, @erictune)
If upgrading Cluster Federation components from 1.3.x, please ensure your cluster name is a valid DNS label (#30956, @nikhiljindal)
kubelet's --config flag has been deprecated, use --pod-manifest-path instead (#29999, @mtaufen)
If upgrading Cluster Federation components from 1.3.x, be aware the federation-controller-manager now looks for a different secret name. Run the following to migrate (#28938, @madhusudancs)
kubectl --namespace=federation get secret federation-apiserver-secret -o json | sed 's/federation-apiserver-secret/federation-apiserver-kubeconfig/g' | kubectl create -f -
# optionally, remove the old secret
kubectl delete secret --namespace=federation federation-apiserver-secret
Kubernetes components no longer handle panics, and instead actively crash. All Kubernetes components should be run by something that actively restarts them. This is true of the default setups, but those with custom environments may need to double-check (#28800, @lavalamp)
kubelet now defaults to --cloud-provider=auto-detect, use --cloud-provider='' to preserve previous default of no cloud provider (#28258, @vishh)
Previous Releases Included in v1.4.0
For a detailed list of all changes that were included in this release, please refer to the following CHANGELOG entries:
Behavior changes caused by enabling the garbage collector
kubectl rolling-update
Old version kubectl's rolling-update command is compatible with Kubernetes 1.4 and higher only if you specify a new replication controller name. You will need to update to kubectl 1.4 or higher to use the rolling update command against a 1.4 cluster if you want to keep the original name, or you'll have to do two rolling updates.
If you do happen to use old version kubectl's rolling update against a 1.4 cluster, it will fail, usually with an error message that will direct you here. If you saw that error, then don't worry, the operation succeeded except for the part where the new replication controller is renamed back to the old name. You can just do another rolling update using kubectl 1.4 or higher to change the name back: look for a replication controller that has the original name plus a random suffix.
Unfortunately, there is a much rarer second possible failure mode: the replication controller gets renamed to the old name, but there is a duplicate set of pods in the cluster. kubectl will not report an error since it thinks its job is done.
If this happens to you, you can wait at most 10 minutes for the replication controller to start a resync, the extra pods will then be deleted. Or, you can manually trigger a resync by change the replicas in the spec of the replication controller.
kubectl delete
If you use an old version kubectl to delete a replication controller or a replicaset, then after the delete command has returned, the replication controller or the replicaset will continue to exist in the key-value store for a short period of time (<1s). You probably will not notice any difference if you use kubectl manually, but you might notice it if you are using kubectl in a script. To fix it, you can poll the API server to confirm the object is deleted.
DELETE operation in REST API
Replication controller & Replicaset: the DELETE request of a replication controller or a replicaset becomes asynchronous by default. The object will continue to exist in the key-value store for some time. The API server will set its metadata.deletionTimestamp, add the "orphan" finalizer to its metadata.finalizers. The object will be deleted from the key-value store after the garbage collector orphans its dependents. Please refer to this user-guide for more information regarding the garbage collection.
Other objects: no changes unless you explicitly request orphaning.
AWS: Change default networking for kube-up to kubenet (#32239, @zmerlynn)
Make sure finalizers prevent deletion on storage that supports graceful deletion (#32351, @caesarxuchao)
Some components like kube-dns and kube-proxy could fail to load the service account token when started within a pod. Properly handle empty configurations to try loading the service account config. (#31947, @smarterclayton)
Use federated namespace instead of the bootstrap cluster's namespace in Ingress e2e tests. (#32105, @madhusudancs)
The NamespaceExists and NamespaceAutoProvision admission controllers have been removed. (#31250, @derekwaynecarr)
All cluster operators should use NamespaceLifecycle.
Federation binaries and their corresponding docker images - federation-apiserver and federation-controller-manager are now folded in to the hyperkube binary. If you were using one of these binaries or docker images, please switch to using the hyperkube version. Please refer to the federation manifests - federation/manifests/federation-apiserver.yaml and federation/manifests/federation-controller-manager-deployment.yaml for examples. (#29929, @madhusudancs)
Use upgraded container-vm by default on worker nodes for GCE k8s clusters (#31023, @vishh)
Other notable changes
Enable kubelet eviction whenever inodes free is < 5% on GCE (#31545, @vishh)
Some components like kube-dns and kube-proxy could fail to load the service account token when started within a pod. Properly handle empty configurations to try loading the service account config. (#31947, @smarterclayton)
Removed comments in json config when using kubectl edit with -o json (#31685, @jellonek)
fixes invalid null selector issue in sysdig example yaml (#31393, @baldwinSPC)
Rescheduler which ensures that critical pods are always scheduled enabled by default in GCE. (#31974, @piosz)
Added liveness probe to Heapster service. (#31878, @mksalawa)
Adding clusters to the list of valid resources printed by kubectl help (#31719, @nikhiljindal)
Kubernetes server components using kubeconfig files no longer default to http://localhost:8080. Administrators must specify a server value in their kubeconfig files. (#30808, @smarterclayton)
Include security options in the container created event (#31557, @timstclair)
Federation can now be deployed using the federation/deploy/deploy.sh script. This script does not depend on any of the development environment shell library/scripts. This is an alternative to the current federation-up.sh/federation-down.sh scripts. Both the scripts are going to co-exist in this release, but the federation-up.sh/federation-down.sh scripts might be removed in a future release in favor of federation/deploy/deploy.sh script. (#30744, @madhusudancs)
Add get/delete cluster, delete context to kubectl config (#29821, @alexbrand)
rkt: Force rkt fetch to fetch from remote to conform the image pull policy. (#31378, @yifan-gu)
Allow services which use same port, different protocol to use the same nodePort for both (#30253, @AdoHe)
Remove environment variables and internal Kubernetes Docker labels from cAdvisor Prometheus metric labels. (#31064, @grobie)
Old behavior:
environment variables explicitly whitelisted via --docker-env-metadata-whitelist were exported as container_env_*=*. Default is zero so by default non were exported
all docker labels were exported as container_label_*=*
New behavior:
Only container_name, pod_name, namespace, id, image, and name labels are exposed
no environment variables will be exposed ever via /metrics, even if whitelisted
Moved init-container feature from alpha to beta. (#31026, @erictune)
Security Action Required:
This only applies to you if you use the PodSecurityPolicy feature. You are using that feature if kubectl get podsecuritypolicy returns one or more objects. If it returns an error, you are not using it.
If there are any pods with the key pods.beta.kubernetes.io/init-containers, then that pod may not have been filtered by the PodSecurityPolicy. You should find such pods and either delete them or audit them to ensure they do not use features that you intend to be blocked by PodSecurityPolicy.
Explanation of Feature
In 1.3, an init container is specified with this annotation key
on the pod or pod template: pods.alpha.kubernetes.io/init-containers.
In 1.4, either that key or this key: pods.beta.kubernetes.io/init-containers,
can be used.
When you GET an object, you will see both annotation keys with the same values.
You can safely roll back from 1.4 to 1.3, and things with init-containers
will still work (pods, deployments, etc).
If you are running 1.3, only use the alpha annotation, or it may be lost when
rolling forward.
The status has moved from annotation key
pods.beta.kubernetes.io/init-container-statuses to
pods.beta.kubernetes.io/init-container-statuses.
Any code that inspects this annotation should be changed to use the new key.
State of Initialization will continue to be reported in both pods.alpha.kubernetes.io/initialized
and in podStatus.conditions.{status: "True", type: Initialized}
Action required: federation-only: Please update your cluster name to be a valid DNS label. (#30956, @nikhiljindal)
Updating federation.v1beta1.Cluster API to disallow subdomains as valid cluster names. Only DNS labels are allowed as valid cluster names now.
[Kubelet] Rename --config to --pod-manifest-path. --config is deprecated. (#29999, @mtaufen)
Other notable changes
rkt: Improve support for privileged pod (pod whose all containers are privileged) (#31286, @yifan-gu)
The pod annotation security.alpha.kubernetes.io/sysctls now allows customization of namespaced and well isolated kernel parameters (sysctls), starting with kernel.shm_rmid_forced, net.ipv4.ip_local_port_range and net.ipv4.tcp_syncookies for Kubernetes 1.4. (#27180, @sttts)
The pod annotation security.alpha.kubernetes.io/unsafe-sysctls allows customization of namespaced sysctls where isolation is unclear. Unsafe sysctls must be enabled at-your-own-risk on the kubelet with the --experimental-allowed-unsafe-sysctls flag. Future versions will improve on resource isolation and more sysctls will be considered safe.
Increase request timeout based on termination grace period (#31275, @dims)
Fixed two issues of kubectl bash completion. (#31135, @xingzhou)
Action required: If you have a running federation control plane, you will have to ensure that for all federation resources, the corresponding namespace exists in federation control plane. (#31139, @nikhiljindal)
federation-apiserver now supports NamespaceLifecycle admission control, which is enabled by default. Set the --admission-control flag on the server to change that.
The implicit registration of Prometheus metrics for request count and latency have been removed, and a plug-able interface was added. If you were using our client libraries in your own binaries and want these metrics, add the following to your imports in the main package: "k8s.io/pkg/client/metrics/prometheus". (#30638, @krousey)
Add support for --image-pull-policy to 'kubectl run' (#30614, @AdoHe)
x509 authenticator: get groups from subject's organization field (#30392, @ericchiang)
Add initial support for TokenFile to the client config file. (#29696, @brendandburns)
update kubectl help output for better organization (#25524, @AdoHe)
Implement TLS bootstrap for kubelet using --experimental-bootstrap-kubeconfig (2nd take) (#30922, @yifan-gu)
rkt: Support subPath volume mounts feature (#30934, @yifan-gu)
Return container command exit codes in kubectl run/exec (#26541, @sttts)
Fix kubectl describe to display a container's resource limit env vars as node allocatable when the limits are not set (#29849, @aveshagarwal)
The valueFrom.fieldRef.name field on environment variables in pods and objects with pod templates now allows two additional fields to be used: (#27880, @smarterclayton)
* spec.nodeName will return the name of the node this pod is running on
* spec.serviceAccountName will return the name of the service account this pod is running under
Add Events for operation_executor to show status of mounts, failed/successful to show in describe events (#27778, @screeley44)
Alpha support for OpenAPI (aka. Swagger 2.0) specification served on /swagger.json (enabled by default) (#30233, @mbohlool)
Disable linux/ppc64le compilation by default (#30659, @ixdy)
Implement dynamic provisioning (beta) of PersistentVolumes via StorageClass (#29006, @jsafrane)
Allow setting permission mode bits on secrets, configmaps and downwardAPI files (#28936, @rata)
Skip safe to detach check if node API object no longer exists (#30737, @saad-ali)
The Kubelet now supports the --require-kubeconfig option which reads all client config from the provided --kubeconfig file and will cause the Kubelet to exit with error code 1 on error. It also forces the Kubelet to use the server URL from the kubeconfig file rather than the --api-servers flag. Without this flag set, a failure to read the kubeconfig file would only result in a warning message. (#30798, @smarterclayton)
In a future release, the value of this flag will be defaulted to true.
Set pod state as "unknown" when CNI plugin fails (#30137, @nhlfr)
Cluster Federation components can now be built and deployed using the make command. Please see federation/README.md for details. (#29515, @madhusudancs)
Modified influxdb petset to provision persistent volume. (#28840, @jszczepkowski)
Allow service names up to 63 characters (RFC 1035) (#29523, @fraenkel)
Change eviction policies in NodeController: (#28897, @gmarek)
add a "partialDisruption" mode, when more than 33% of Nodes in the zone are not Ready
add "fullDisruption" mode, when all Nodes in the zone are not Ready
Eviction behavior depends on the mode in which NodeController is operating:
if the new state is "partialDisruption" or "fullDisruption" we call a user defined function that returns a new QPS to use (default 1/10 of the default rate, and the default rate respectively),
if the new state is "normal" we resume normal operation (go back to default limiter settings),
if all zones in the cluster are in "fullDisruption" state we stop all evictions.
Add a flag for kubectl exposeto set ClusterIP and allow headless services (#28239, @ApsOps)
Federation API server kubeconfig secret consumed by federation-controller-manager has a new name. (#28938, @madhusudancs)
If you are upgrading your Cluster Federation components from v1.3.x, please run this command to migrate the federation-apiserver-secret to federation-apiserver-kubeconfig serect;
$ kubectl --namespace=federation get secret federation-apiserver-secret -o json | sed 's/federation-apiserver-secret/federation-apiserver-kubeconfig/g' | kubectl create -f -
You might also want to delete the old secret using this command:
If a service of type node port declares multiple ports, quota on "services.nodeports" will charge for each port in the service. (#29457, @derekwaynecarr)
Change setting "kubectl --record=false" to stop updating the change-cause when a previous change-cause is found. (#28234, @damemi)
Add "kubectl --overwrite" flag to automatically resolve conflicts between the modified and live configuration using values from the modified configuration. (#26136, @AdoHe)
Make discovery summarizer call servers in parallel (#26705, @nebril)
Don't recreate lb cloud resources on kcm restart (#29082, @bprashanth)
List all nodes and occupy cidr map before starting allocations (#29062, @bprashanth)
An alpha implementation of the TLS bootstrap API described in docs/proposals/kubelet-tls-bootstrap.md. (#25562, @gtank)
Action Required
[kubelet] Allow opting out of automatic cloud provider detection in kubelet. By default kubelet will auto-detect cloud providers (#28258, @vishh)
If you use one of the kube-dns replication controller manifest in cluster/saltbase/salt/kube-dns, i.e. cluster/saltbase/salt/kube-dns/{skydns-rc.yaml.base,skydns-rc.yaml.in}, either substitute one of __PILLAR__FEDERATIONS__DOMAIN__MAP__ or {{ pillar['federations_domain_map'] }} with the corresponding federation name to domain name value or remove them if you do not support cluster federation at this time. If you plan to substitute the parameter with its value, here is an example for {{ pillar['federations_domain_map'] }} (#28132, @madhusudancs)