-
Bump Kubernetes version to 1.18.13 (PR#2973)
-
Bump
corednsversion to 1.6.7 (PR #2816) -
#2203 - Migrate Salt to Python3 and bump to version 3002.2 (PR #2839)
-
Bump
calicoversion to 3.17.0 (PR #2943) -
Bump
fluent-bitchart to 2.0.1 andlokichart to 2.1.0 (PR #2946) -
Replace the prometheus-operator chart by the kube-prometheus-stack one and bump the version to 12.2.3. All the container images of this stack have also been bumped:
- alertmanager from v0.20.0 to v0.21.0
- grafana from 6.7.4 to 7.3.5 (PR #3006)
- k8s-sidecar from 0.1.20 to 1.1.0
- kube-state-metrics from v1.9.5 to v1.9.7
- node-exporter from v0.18.1 to v1.0.1
- prometheus from v2.16.0 to v2.22.1
- prometheus-config-reload from v0.38.1 to v0.43.2
- prometheus-operator from v0.38.1 to v0.43.2 (PR #2948)
-
Bump
prometheus-adapterchart to 2.10.1 (PR#3007) -
Bump
ingress-nginxchart to 3.13.0 (PR#2961) -
#2953 - Allow customization of Prometheus retention (time and size based), see MetalK8s documentation (PR #2968)
-
#2908 - Make upgrade script more robust about static pod restart and improve user experience (PR #2928)
-
#2726 - Ensure sparse loop volumes are all provisioned on reboot (PR #2936)
-
Make sure container engine is ready before trying to import container images (PR #3020)
- #1887 - All Kubernetes kubeconfig, client and server certificates are now automatically regenerated when close to the expiration date (less than 45 days) (PR #2914)
- #2581 - Solution UI are no longer deployed by MetalK8s, it's now the responsibility of the Solution Operators (PR #2617)
- Extend the set of packages installed in the
metalk8s-utilscontainer image (Partially resolves issue #2156, PR #2374) - Upgrade
containerdto 1.2.14 (PR #2874) - Enable
seccompsupport incontainerd(Issue #2259, PR #2369) - #1095 - Ability to use multiple CIDRs for control plane and workload plane networks and to specify the workload plane MTU to compute the MTU used by Calico (PR #2677)
- Deploy log aggregation layer, based on Loki and Fluentbit (see #2722, #2723, #2727, #2738, and #2745)
-
Due to vulnerabilities ( CVE-2020-16846 and CVE-2020-25592) affecting all Salt-API versions inferior to
3000.5, this release ships with all Saltstack updated to3000.5.Upgrade Salt to version
3000.5(PR #2916)
-
Bump Calico version to 3.16.1 (PR#2824)
-
#2854 - Bump containerd version to 1.2.14 to fix CVE-2020-15157 (PR #2874)
-
#2653 - Bind MetalK8s OIDC static admin user to a Grafana Admin role (PR #2742)
- Solutions product information format has changed, there is a new
manifest.yamlfile to describe the whole Solution instead of theproduct.txtandconfig.yaml(#2422). Solution archives working on previous versions of MetalK8s will no longer be compatible and will need to be regenerated. See Solutions documentation for details about the new format.
-
#2423 - Bump nginx-ingress-controller version to 0.30.0 (PR #2446)
-
#2430 - Bump prometheus-operator version to 8.13.0 (PR #2557)
-
#2488 - Update default CSC value during upgrade/downgrade (PR #2513)
-
#2493 - Use async call for disk.dump during Volume provisioning (PR #2571)
-
Add support for CustomResourceDefinition apiextensions.k8s.io/v1 in
metalk8s_kubernetesSalt module (PR #2583)
-
#2434 - Wait for a single Salt Master container during Bootstrap (PR #2435)
-
#2526 - Add 'groups' scope when requesting an id_token from Dex in the UI (PR #2529)
-
#2443 - Improve error handling for Salt jobs in the UI (PR #2475)
-
#2495 - Fix monitoring page to display all alerts in the UI (PR #2503)
-
#2569 - Restart Dex Pod automatically upon CSC Dex configuration changes (PR #2573)
-
Basic authentication has been deprecated in favour of OpenID Connect (OIDC) with Dex being deployed as a local Identity Provider, used by Kubernetes API and Grafana.
This implies:
- The existing users defined for Kubernetes API Basic Auth in
(
/etc/kubernetes/htpasswd) and for the Grafana admin will become unusable - A default admin user will be created in Dex, with the new
credentials
[email protected]:passwordwhich can be used to access the MetalK8s UI and Grafana - Procedures to edit and add new users can now be found here
- The existing users defined for Kubernetes API Basic Auth in
(
-
A new framework for persisting Cluster and Services Configurations (CSC) has been added to ensure configurations set by administrators are not lost during upgrade or downgrade and can be found here.
-
User-provided configuration is now stored in ConfigMaps, and MetalK8s tooling will honor the values provided when deploying its services:
- Dex uses
metalk8s-auth/metalk8s-dex-config - Grafana uses
metalk8s-monitoring/metalk8s-grafana-config - Prometheus uses
metalk8s-monitoring/metalk8s-prometheus-config - Alertmanager uses
metalk8s-monitoring/metalk8s-alertmanager-config
- Dex uses
-
Documentation for changing and applying configuration values is found here.
Note that any configuration applied on other Kubernetes objects (e.g. a configuration Secret that Alertmanager uses, or the Deployment of Grafana) will be lost upon upgrade, and admins should make sure to prepare the relevant ConfigMaps from their existing configuration before upgrading to this version.
-
-
The MetalK8s UI has been re-branded with lots of changes to the Login screens and Navbar to offer a smoother experience.
-
Upgrade Calico to 3.12.0 (PR #2253)
-
#2007 - Deploy Dex in a MetalK8s cluster from stable Helm Charts (PR #2025)
-
#2015 - Configure MetalK8s UI to require authentication through Dex (OIDC) (PR #2042)
-
#2016 - Brand the Dex GUI to match MetalK8s UI specifications (PR #2062)
-
#2072 - Remove support for Kubernetes API server basic authentication (PR #2119)
-
#2078 - Store Dex authentication access_token in the browser localStorage (PR #2088)
-
#2255 - Template and store replicas count for Prometheus, Grafana & Alertmanager as service configurations (PR #2258)
-
#2261 - Template and store Dex backend settings as service configurations (PR #2274)
-
#2262 - Template and store Alertmanager Secret as a service configuration (PR #2289)
-
Enable OIDC based authentication for Grafana service (PR #2378)
-
#2351 - Update documentation with default credentials for Metalk8s UI and Grafana UI (PR #2377)
-
#2264 - Add documentation on the list of Cluster and Service configurations (PR #2291)
-
Due to critical vulnerabilities ( CVE-2020-11652 and CVE-2020-11651) with CVSS score of 10.0 affecting all Salt master versions inferior to
3000.2, this release ships with all Saltstack updated to3000.3. Users, especially those who expose the Salt master to the Internet must therefore upgrade immediately. -
Due to an access control vulnerability CVE-2020-13379 with CVSS score of 5.3 that was discovered affecting Grafana versions from
3.0.1through7.0.1, this release ships with a Grafana version updated to6.7.4. For more, see here -
A potential risk for privilege escalation in SaltAPI described here was fixed in this release.
#2634 - Prevent impersonation in SaltAPI (PR #2642)
#1528 and #2084 - Tighten storage-operator permissions against Salt (PR #2635)
-
Make etcd expansions more resilient (PR #2147)
-
#2585 - Add state to cleanup PrometheusRule CRs after upgrade/downgrade (PR #2594)
-
#2444 - Fix flaky SLS rendering when missing a pillar key (PR #2445)
-
#2551 Fix downgrade pre-check regarding the saltenv version (PR #2552)
-
#2592 - Fix invalid custom object listing in
metalk8s_kubernetesSalt module (PR #2593) -
Fix apiserver-proxy to no longer proxy to non-master nodes (PR #2555)
-
#2530 - Make cluster upgrade more robust to Pod disruption constraints (PR #2531)
-
#2028 - Improve the resilience of node deployment (PR #2147)
-
Fix various issues in the bootstrap restore script (PR #2061)
- #1993 - Add Solutions management, CLI tooling to deploy Solutions (complex Kubernetes applications) (PR #2279)
-
Add
label_selectorin MetalK8s custom kubernetes salt module for listing kubernetes objects (PR #2236) -
Salt grains cache is now enabled (PR #2417
-
#2334 - Add and install
yum-utilspackage required for cluster expansion (PR #2343) -
#2245 - Rephrase volume status from
AvailabletoReady(PR #2248)
- If
apiServer.hostis configured inBootstrapConfiguration, this is no longer used (and must no longer be defined). - If
apiServer.keepalivedis configured inBootstrapConfiguration, this is no longer used, and Keepalived is no longer deployed at all. - Generated
admin.confKubeConfigfiles point to the control-plane IP of the host on which they are generated. You can override this when using them usingkubectls-s/--serverargument to point to another address.
-
#1891 - Allow adding labels to Volumes from the UI (PRs #1979 and #2066)
-
#2049 - Deploy prometheus-adapter to implement the
metrics.k8s.ioAPI, to supportkubectl topand other consumers of this API (PR #2057) -
#2103 - Add a host-local
nginxon every node to provide highly-available and load-balanced access tokube-apiserver(PR #2106) -
#2052 - Handle configuration of an HTTP proxy for
containerd(PRs #2071 and #2201) -
#2149 - Provide access to the product documentation from the UI (PR #2176)