v1.25.1

What's Changed

• Automated cherry pick of #14309: hetzner: Generate CCM args from external CCM config by @hakman in #14310
• Update dependencies for kOps 1.25 by @hakman in #14314
• Automated cherry pick of #14319: Avoid spurious changes with NLB due to access log config by @hakman in #14324
• Add --network-id alias for --vpc flag by @hakman in #14326
• Automated cherry pick of #14318: Avoid spurious changes with bastion hosts due to user by @hakman in #14320
• Automated cherry pick of #14317: cluster-autoscaler : Add iam permission by @olemarkus in #14329
• Automated cherry pick of #14343: Validate --zones flag earlier by @hakman in #14344
• Automated cherry pick of #14350: hetzner: Fix metrics-server config to use internal IP by @hakman in #14352
• Automated cherry pick of #14339: Set higher verbosity when logging Gossip DNS info by @hakman in #14341
• Automated cherry pick of #14347: Add create cluster test for arm64 by @olemarkus in #14355
• Automated cherry pick of #14333: Ensure kubelet configuration from IG takes precedence by @hakman in #14356
• Release 1.25.1 by @hakman in #14357

Full Changelog: v1.25.0...v1.25.1

v1.26.0-alpha.1

What's Changed

• support for scaleway in s3 buckets by @Mia-Cross in #14214
• AWS IAM Role listing: don't ignore "other" errors by @justinsb in #14215
• Some minor docs fixes by @olemarkus in #14221
• Update dependencies by @github-actions in #14222
• Remove warning for FindClusterStatus not implemented for Hetzner by @hakman in #14223
• Add support for installing dcgm exporter by @olemarkus in #14203
• Release notes for 1.23.4 by @justinsb in #14230
• Makefile: Don't assume GOBIN is set by @justinsb in #14232
• Release notes for 1.24.2 by @justinsb in #14231
• Update Calico and Canal to v3.24.1 by @hakman in #14225
• Update Flannel to v0.19.2 by @hakman in #14226
• applylib: Better health checking by @justinsb in #14234
• Bump cluster-autoscaler images by @olemarkus in #14235
• Allow cert-manager the privileges needed to resolve dns-01 challenges by @olemarkus in #14229
• GCE: change default control-plane instance type to e2-medium by @justinsb in #14233
• Small release notes cleanup for 1.25 by @olemarkus in #14237
• Add suport to --cordon-node-before-terminating autoscaler flag by @dcfranca in #14236
• Fix openstack tag limitation by @akkina2107 in #13853
• Bump versions in netlify and mkdocs by @rifelpet in #14248
• aws-node-termination-handler to match node using providerID instead of AWS DNS name by @anthonyhaussman in #14244
• Update dependencies by @github-actions in #14250
• kOps managed OIDC provider is no longer needed for IRSA by @olemarkus in #14243
• Update recommended kOps versions in alpha and stable by @MoShitrit in #14252
• AWS LBC needs ec2:DescribeVpcPeeringConnections for IPv6 by @johngmyers in #14255
• Add back missing permissions for legacy CCM. Again. by @olemarkus in #14253
• Fix CAS cordon flag by @olemarkus in #14254
• Bump verbosity level for some log statements by @olemarkus in #14260
• Warm pool-enabled ASGs scaled to zero will no longer panic by @olemarkus in #14251
• Bump aws-cni to v1.11.4 by @MoShitrit in #14265
• aws-cni clusterRole fix by @MoShitrit in #14272
• bump k8s versions in alpha with September releases by @MoShitrit in #14278
• rolling-update: don't deregister our only apiserver by @justinsb in #13163
• Update dependencies by @github-actions in #14280
• Delete the oldest servers when over the desired count for Hetzner by @hakman in #14282
• Release notes for 1.24.3 by @olemarkus in #14281
• [Docs] Fix karpenter link by @jorge07 in #14284
• Bump stable and alpha channels with latest k8s/kops releases by @olemarkus in #14288
• Prevent kops edit cluster from writing the populated IG spec to state store by @olemarkus in #14287
• User IG without image should be allowed by @olemarkus in #14290
• Remove k8s GTE 1.20 checks as it is always true by @olemarkus in #14291
• Add support for using an existing network for Hetzner by @hakman in #14294
• Update Hetzner CCM to v1.13.0 by @hakman in #14297
• hetzner: Move out of alpha and drop feature flag by @hakman in #14299
• Add release 1.25.0 to channels by @hakman in #14306
• Release notes for 1.25.0 by @hakman in #14305
• Remove support for K8s 1.20 by @olemarkus in #14307
• Hetzner: Generate CCM args from external CCM config by @hakman in #14309
• Release 1.26.0-alpha.1 by @hakman in #14311

New Contributors

• @Mia-Cross made their first contribution in #14214
• @dcfranca made their first contribution in #14236
• @akkina2107 made their first contribution in #13853

Full Changelog: v1.25.0-beta.1...v1.26.0-alpha.1

v1.25.0

Significant changes

• GCE cloud provider support has been promoted to stable.
• Hetzner cloud provider support has been promoted to beta.
• Karpenter support has been promoted to stable on Kubernetes versions 1.22, 1.23 and 1.24. Karpenter does not yet support Kubernetes above 1.25.
• IAM roles on AWS used for ServiceAccounts are now tagged with the name and namespace of the ServiceAccount.
• Cert Manager may now solve dns-01 challenges. See the cert manager documentation.
• Add support to --cordon-node-before-terminating on the cluster autoscaler addon (CordonNodeBeforeTerminating)
• EBS CSI driver can now be self-managed. See the addon docs.

Breaking changes

Cinder CSI snapthot controller changes

The CSI Cinder plugin for OpenStack will now only use the CSI snapshotter when the CSI snapshot controller is enabled in the cluster spec. This changes the default behavior where the CSI snaphotter container was always present, but spammed the log with error messages (see #13890). In case of manually deployed CRDs to make the snapshotter work it is now necessary to enable the snapshot controller.

Other breaking changes

• Support for Kubernetes version 1.19 has been removed.

Deprecations

• Support for Kubernetes version 1.20 is deprecated and will be removed in kOps 1.26.
• Support for Kubernetes version 1.21 is deprecated and will be removed in kOps 1.27.

What's Changed

• Release notes for 1.24.0-beta.1 by @hakman in #13732
• Bump github.com/spf13/viper from 1.11.0 to 1.12.0 by @dependabot in #13698
• Add GHA workflow for updating dependabot PRs by @rifelpet in #13735
• Bump github.com/hashicorp/vault/api from 1.5.0 to 1.6.0 by @dependabot in #13734
• Bump github.com/google/go-containerregistry from 0.8.0 to 0.9.0 by @dependabot in #13720
• Bump helm.sh/helm/v3 from 3.8.2 to 3.9.0 by @dependabot in #13733
• Only rewrite to k8s.gcr.io until k8s 1.25 by @rifelpet in #13739
• Bump github.com/stretchr/testify from 1.7.1 to 1.7.2 by @dependabot in #13738
• Update containerd and Docker versions by @hakman in #13741
• Remove support for K8s 1.19 by @olemarkus in #13742
• [DigitalOcean] Restart journald service on node startup by @srikiz in #13717
• Drop older cilium versions and add support for k8s 1.25 by @olemarkus in #13747
• Update AWS CCM images for k8s 1.20-1.22 by @hakman in #13748
• Channels to have exit status 1 on apply failure by @olemarkus in #13749
• Add support for setting mode field on file assets by @yurrriq in #13715
• Revert "Use kubectl replace instead of apply when updating addons" by @hakman in #13761
• Don't try to manage the kube-system namespace by @hakman in #13764
• Run channels on upgrade e2e tests to verify addons are being applied by @olemarkus in #13757
• Fix API group name for ingresses in DNS Controller by @julienperignon in #13750
• Remove some unused legacy addons by @hakman in #13765
• Bump nvidia device plugin to 0.12.0 by @ddelange in #13745
• Update runc to v1.1.3 by @hakman in #13763
• Fix namespace for cert manager webhook config by @olemarkus in #13773
• Avoid spurious changes with ed25519 keys by @hakman in #13774
• Make the cert-manager breaking change more visible. by @olemarkus in #13780
• Bump go.uber.org/multierr from 1.6.0 to 1.8.0 by @dependabot in #13782
• Bump github.com/aws/aws-sdk-go from 1.44.6 to 1.44.32 by @dependabot in #13783
• Bump github.com/hashicorp/vault/api from 1.6.0 to 1.7.2 by @dependabot in #13785
• Add back the metrics-server 443 port with a new name by @olemarkus in #13779
• Fix broken node selector for node termination handler by @olemarkus in #13781
• Bump google.golang.org/api from 0.81.0 to 0.83.0 by @dependabot in #13784
• Release notes for 1.24.0-beta.2 by @olemarkus in #13790
• Fix PDB api version for a set of addons by @olemarkus in #13791
• Remove replaces from go.mod by @olemarkus in #13789
• Remove core addons from addons by @hakman in #13768
• Use exported interface to detect SSH key type by @AaronFriel in #13805
• Use node.k8s.io/v1 API in the nvidia addon by @olemarkus in #13806
• Merge the cilium templates by @olemarkus in #13807
• fix tenv linter by @remyleone in #13802
• Replace flexdriver with busybox by @zetaab in #13809
• add support for varcheck linter by @remyleone in #13801
• Depend on external cloud providers rather than cloud-providers-legacy by @olemarkus in #13808
• bump k8s versions and ubuntu ami (aws) in alpha channel by @MoShitrit in #13822
• chore(deps): Included dependency review by @naveensrinivasan in #13651
• add metric port to nth deployment by @raffis in #13811
• Recommend the latest kOps version in alpha & stable channels and add 1.24 to alpha by @MoShitrit in #13823
• Ensure clusters with internal load balancers have a private subnet by @olemarkus in #13793
• Update etcd-manager to v3.0.20220617 by @hakman in #13824
• Use legacy-cloud-providers repo for the gcp provider dep by @olemarkus in #13840
• Bump actions/dependency-review-action from 1 to 2 by @dependabot in #13829
• Remove the removable replaces in kubetest2 by @olemarkus in #13841
• Add kubetest2 scenario for testing many addons by @olemarkus in #13828
• Skip known failing cilium e2e test by @olemarkus in #13842
• Add manual job for updating dependencies by @hakman in #13827
• Update dependencies by @github-actions in #13843
• Do not run cluster autoscaler on spot instances by @olemarkus in #13846
• Fix GCE resource tracking by @hakman in #13857
• Adding GuestAccelerators to InstanceTemplate by @jonasasx in #13707
• Align website and readme file by @sxt90128 in #13862
• Limit GCE tag for role to 63 chars by @hakman in #13866
• Promote alpha to stable by @MoShitrit in #13868
• Clean-up firewall rules that contain targets with the cluster name hash by @hakman in #13869
• Replace manifests after apply by @olemarkus in #13819
• Bump kubetest2 to test rundir by @olemarkus in #13870
• Release notes for 1.24.0-beta.3 by @olemarkus in #13881
• Generate cli docs after updating dependencies by @hakman in #13885
• Fix unexpected symbol error in update-deps workflow by @hakman in #13886
• Update troubleshoot.md by @Deepak1100 in #13891
• Update dependencies by @github-actions in #13889
• Replace Dependabot with regular update-deps run by @hakman in #13894
• Log errors from detachInstance by @olemarkus in #13896
• increase backoff time when updating loadbalancer pool member by @zetaab in #13854
• gce: Move out of beta, drop feature flag by @justinsb in #13903
• Update CoreDNS to v1.9.3 by @hakman in #13895
• gce: set ProvisioningModel on InstanceTemplate by @justinsb in #13902
• Set Makefile GITSHA to the git sha instead of ...

v1.24.3

General release notes for kOps 1.24

• https://kops.sigs.k8s.io/releases/1.24-notes/

What's Changed

• Automated cherry pick of #14244: aws-node-termination-handler: Add option to fetch node name by @olemarkus in #14246
• Automated cherry pick of #14255: AWS LBC needs ec2:DescribeVpcPeeringConnections for IPv6 by @olemarkus in #14257
• Automated cherry pick of #13914: Ignore the _rundir that kubetest2 now creates by @olemarkus in #14258
• Automated cherry pick of #13853: Fix openstack tag limitation by @hakman in #14264
• Automated cherry pick of #14251: Warm pool-enabled ASGs scaled to zero will no longer panic by @hakman in #14267
• Automated cherry pick of #14107: bump aws cni to 1.11.13
  #14265: bump aws-cni to version 1.11.4 by @hakman in #14271
• Release 1.24.3 by @olemarkus in #14279

Full Changelog: v1.24.2...v1.24.3

v1.24.2

What's Changed

• Automated cherry pick of #13845: Add config drive as a source for OpenStack instance metadata by @ederst in #13950
• Automated cherry pick of #14017: Allow configuring OpenStack CCM networking options by @ederst in #14079
• Automated cherry pick of #14081: aws-ebs-csi-driver: remove preStop hook by @hakman in #14085
• Automated cherry pick of #14090: Add option to configure runc version for containerd by @hakman in #14091
• Automated cherry pick of #13745: Bump nvidia device plugin to 0.12.0 by @olemarkus in #14104
• Automated cherry pick of #14093: Add hashes for containerd v1.6.7
  #14106: Update containerd to v1.6.8 by @hakman in #14108
• Automated cherry pick of #14113: Add deployment-specific selectors to nth pdb by @olemarkus in #14123
• Automated cherry pick of #14115: Disable some flags in kube-controller-manager and by @hakman in #14119
• Automated cherry pick of #14134: Limit GCE network names to 63 chars by @hakman in #14136
• Automated cherry pick of #14130: Bump the CCM images by @olemarkus in #14131
• Automated cherry pick of #14188: Update runc to v1.1.4 by @hakman in #14189
• Automated cherry pick of #14175: OIDC: Tolerate extra service-account key set items by @hakman in #14192
• Automated cherry pick of #14137: Always disable rp_filter when using cilium by @olemarkus in #14196
• Bump cert-manager to 1.8.2 by @olemarkus in #14212
• Automated cherry pick of #14205: Calico: Work around host port/conntrack problem by @hakman in #14209
• Release 1.24.2 by @justinsb in #14219

Full Changelog: v1.24.1...v1.24.2

v1.23.4

What's Changed

• Automated cherry pick of #14081: aws-ebs-csi-driver: remove preStop hook by @hakman in #14086
• cilium: fix wrong pod annotations templating #1.23 by @sterchelen in #14105
• Automated cherry pick of #14115: Disable some flags in kube-controller-manager and by @hakman in #14120
• Automated cherry pick of #14188: Update runc to v1.1.4 by @hakman in #14197
• Release 1.23.4 by @justinsb in #14220

Full Changelog: v1.23.3...v1.23.4

v1.25.0-beta.1

What's Changed

• Release notes for 1.24.1 by @hakman in #14073
• Use SSA for updating addon channel objects by @olemarkus in #14074
• Merge cmd factories by @olemarkus in #14075
• Remove passing cluster name as positional argument by @olemarkus in #14076
• Allow configuring OpenStack CCM networking options by @ederst in #14017
• Upgrade kubetest2 by @rifelpet in #14061
• Fix Karpenter IAM permissions and make karpenter respect IG subnets by @olemarkus in #14077
• Remove --files flag from channels and make single arg mandatory by @olemarkus in #14082
• Fix typo in channels error message by @rifelpet in #14083
• Set higher verbosity when logging the endpoint of non-AWS S3 backend by @hakman in #14084
• aws-ebs-csi-driver: remove preStop hook by @sterchelen in #14081
• Hide klog flags from --help output by @justinsb in #14088
• Positional deprecation warning should go to stderr by @justinsb in #14089
• Add back conversion struct to cert-manager CRDs by @olemarkus in #14087
• Support kube-scheduler config by @justinsb in #13618
• Add option to configure runc version for containerd by @hakman in #14090
• Add template for e2e test with cpuManagerPolicy: static by @olemarkus in #14092
• Update dependencies by @github-actions in #14094
• Add support for ci and stable builds in upgrade-ab script by @olemarkus in #14095
• Add hashes for containerd v1.6.7 by @hakman in #14093
• Test the aws ebs csi driver in e2e if installed by @olemarkus in #14098
• Specify the full url for CI versions in upgrade-ab tests by @olemarkus in #14099
• Bump AWS CNI to 1.11.3 by @MoShitrit in #14107
• Update containerd to v1.6.8 by @hakman in #14106
• Don't add previous-gen instances to Karpenter provisioners by @olemarkus in #14109
• Skip testing the in-tree aws-ebs driver if CSI driver is enabled by @olemarkus in #14110
• cilium: fix wrong pod annotations templating by @sterchelen in #14111
• Add deployment-specific selectors to nth pdb by @olemarkus in #14113
• Disable some flags in kube-controller-manager and kube-scheduler when logging-format is not text by @h3poteto in #14115
• Use semver for skipregex ifs instead of strings.Contains by @olemarkus in #14112
• Update dependencies by @github-actions in #14116
• Fix more e2e skips by @olemarkus in #14124
• Create etcd-manager config for each instance group by @hakman in #14080
• Revert back to using kubectl in channels by @olemarkus in #14125
• Limit GCE network names to 63 chars by @hakman in #14134
• Bump the CCM images by @olemarkus in #14130
• Update Go to v1.19.0 by @hakman in #14135
• Bump cilium to 1.11.8 by @olemarkus in #14137
• Revert "Remove passing cluster name as positional argument" by @olemarkus in #14138
• Remove life cycle hooks when warmpool is disabled by @olemarkus in #14141
• Update dependencies by @github-actions in #14144
• Bump Karpenter to 0.15 and enable consolidation by @olemarkus in #14142
• Add more create_cluster integration tests by @olemarkus in #14147
• Add more cluster_update tests by @olemarkus in #14148
• Plug the IAM role leak by @olemarkus in #14151
• Write the user provided IG spec to state store instead of the full spec by @olemarkus in #14127
• Add default image for CAS that exists by @olemarkus in #14150
• Introduce library for applying objects by @justinsb in #14030
• Bump k8s releases and Ubuntu AMI version in Alpha by @MoShitrit in #14152
• Ignore entities not found when deleting IAM roles and profiles by @olemarkus in #14153
• Bump actions/dependency-review-action from 2.0.4 to 2.1.0 by @dependabot in #14156
• Bump peter-evans/create-pull-request from 4.0.4 to 4.1.1 by @dependabot in #14157
• Fix no such entity check for iam profiles and roles by @olemarkus in #14155
• Update and clean up etcdcli and etcd backup documentation by @olemarkus in #14158
• Fix bugs and typo in iam resource deletion logic by @olemarkus in #14159
• Fix test package location when using k8s ci versions in the upgrade AB scenario by @olemarkus in #14161
• Don't set unused test package flags to empty string by @olemarkus in #14163
• Fix the non-ci markers by @olemarkus in #14166
• Trim space around SSH public key by @hakman in #14168
• Bump K8s libs to 0.25.0 by @olemarkus in #14167
• Tag IAM Roles with service account info by @rifelpet in #13052
• Fix policy API version for LBC and NTH by @olemarkus in #14169
• Skip tests related to metadata concealment on GCE k8s <= 1.23 by @olemarkus in #14170
• Bump karpenter to 0.16 by @olemarkus in #14173
• Allow self-managed aws-ebs-csi-driver by @torredil in #14164
• Bump node termination handler to 1.17.0 by @olemarkus in #14177
• Bump AWS Load Balancer Controller to v2.4.3 by @olemarkus in #14178
• Merge kubeletConfigs earlier by @olemarkus in #14114
• Add Terraform target support for Hetzner by @hakman in #14179
• Bump Cert Manager to 1.9.1 by @olemarkus in #14180
• Bump snapshot-controller to 6.0.1 by @olemarkus in #14184
• Bump the nvidia addon by @olemarkus in #14185
• Update runc to v1.1.4 by @hakman in #14188
• Bump node local dns cache to 1.22.8 by @olemarkus in #14187
• Update cloud.google.com/go/storage to v1.25.0 by @hakman in #14191
• Update dependencies by @github-actions in #14190
• OIDC: Tolerate extra service-account key set items by @seh in #14175
• Bump external-dns to 0.12.2 by @olemarkus in #14193
• Update CSI driver to latest for Hetzner by @hakman in #14186
• Map up kubelet config to karpenter provisioners and add CCM startup taint by @olemarkus in #14183
• Fix karpenter update test by @olemarkus in #14199
• Bump actions/setup-go from 3.2.1 to 3.3.0 by @dependabot in #14200
• Use runpath for kubectl binary by @olemarkus in #14198
• Promote alpha to stable by @MoShitrit in #14202
• Run etcd-manager with instance group name as volume name tag for Hetzner by @hakman in #14181
• Show the reason for which an AWS image is invalid by @hakman in #14206
• Calico: Work around host port/conntrack problem by @seh in #14205
• Update etcd-manager to v3.0.20220831 by @hakman in #14208
• Bumping AWS CCM to 1.25 by @olemarkus in #14207
• Release 1.25.0-beta.1 by @hakman in #14210

New Contributors

• @torredil made their first contribution in #14164

Full Changelog: v1.25.0-alpha.2...v1.25.0-beta.1

v1.25.0-alpha.2

What's Changed

• Ignore the _rundir that kubetest2 now creates by @olemarkus in #13914
• Remove obsolete protokube test for mirrored assets by @hakman in #13916
• Use Calico v3.23 for Kubernetes 1.22+ by @hakman in #13901
• gce: Refactor ClusterPrefixedName and ClusterSuffixedName to not return error by @hakman in #13920
• Mount /etc/hosts from host for CoreDNS by @hakman in #13922
• Wait longer after update in the e2e upgrade scenario by @olemarkus in #13925
• Limit GCE names to 63 chars for various resources by @hakman in #13873
• Make IRSA webhook configure apps to use regional STS and set the default region on them by @olemarkus in #13926
• Use csi-snapshotter for OS only when the controller is enabled by @ederst in #13890
• Make it possible to enable the shield addon for LBC by @olemarkus in #13929
• Update Cilium to 1.11.6 by @ReillyBrogan in #13917
• Limit GCE router name to 63 chars by @hakman in #13932
• fix typos by @yojay11717 in #13851
• Fix unsetting ASG max price by @olemarkus in #13852
• Bump EBS CSI driver to 1.8.0 by @hakman in #13939
• Revert "Add back the metrics-server 443 port with a new name" by @olemarkus in #13940
• Add config drive as a source for OpenStack instance metadata by @ederst in #13845
• Be more specific when filtering OS instance ports by @ederst in #13861
• aws: introduce maximum instance lifetime in cluster by @sterchelen in #13892
• Upgrade karpenter to 0.13.1 by @rifelpet in #13918
• Fix broken links by @Ladicle in #13942
• Set SpecOverrideFlag to true by default by @hakman in #13955
• Release notes for 1.24.0 by @hakman in #13959
• Fix release notes for 1.24.0 by @hakman in #13960
• Use dynamic client for applying channels manifest rather than calling kubectl by @olemarkus in #13753
• Add release 1.24.0 to channels by @hakman in #13961
• Fix AWS IAM Authenticator nodeSelector in k8s 1.24 by @rifelpet in #13965
• Remove non-functional scheduler annotations from addons by @rifelpet in #13969
• Skip deregistering the instance during rolling update for Spotinst by @hakman in #13970
• bump alpha channel k8s releases by @MoShitrit in #13977
• Upgrade aws-iam-authenticator to v0.5.9 by @rifelpet in #13979
• Update dependencies by @github-actions in #13981
• Use only IPv4 for Hetzner servers by @hakman in #13982
• Add option to set etcd-manager backup interval by @hakman in #13975
• Add option to set number of replicas for pod-identity-webhook by @hakman in #13986
• Adding GCE SPOT support by @jonasasx in #13946
• Update etcd-manager to v3.0.20220717 by @hakman in #13990
• Update Go to v1.18.4 by @hakman in #13994
• Add S3_REGION to Hetzner docs by @tom-dudley in #13987
• Update GitHub workflows by @hakman in #13995
• Bump actions/setup-go from 3.2.0 to 3.2.1 by @dependabot in #14002
• Add missing namespace to external-dns Service by @rifelpet in #14001
• Upgrade DO CSI controller to 4.2.0 by @rifelpet in #14005
• Applier should be more tolerant of errors by @justinsb in #13963
• Switch to latest MacOS version for CI by @hakman in #14015
• delete t.FailNow after t.Fatalf by @Abirdcfly in #14014
• fix hyperlinks in calico docs by @mostafahussein in #14016
• Update dependencies by @github-actions in #14022
• Revert to using instance private DNS name to lookup hostname by @hakman in #14024
• Add server group management for Hetzner by @hakman in #14018
• promote alpha k8s versions to stable by @MoShitrit in #14029
• Update Calico and Canal to v3.23.3 by @hakman in #14009
• Update etcd-manager to v3.0.20220727 by @hakman in #14038
• Update continuous_integration.md by @yurrriq in #14032
• Check keyset existence before attempting to distrust by @yurrriq in #14041
• Make control plane size configurable in kops-up by @olemarkus in #14036
• Do not allow PodSecurityPolicy using K8s 1.25 by @olemarkus in #14045
• Fix SIGSEGV when deleting a Hetzner instance by @hakman in #14046
• Use cabundle for etcd CA files to fix key rotation in HA clusters by @olemarkus in #14054
• Use stable kops release for kops 1.21 by @olemarkus in #14056
• Remove namespaces from cluster-scoped resources in CNI manifests by @rifelpet in #14053
• Update dependencies by @github-actions in #14055
• Enable rolling updates for Hetzner by @hakman in #14034
• Release notes for 1.22.6 by @justinsb in #14062
• Release notes for 1.23.3 by @justinsb in #14063
• Wait for load balancer to be ready for Hetzner by @hakman in #14057
• Add multiple SSH keys support for Hetzner by @hakman in #14058
• Release 1.25.0-alpha.2 by @hakman in #14070

New Contributors

• @Ladicle made their first contribution in #13942
• @tom-dudley made their first contribution in #13987
• @Abirdcfly made their first contribution in #14014
• @mostafahussein made their first contribution in #14016

Full Changelog: v1.25.0-alpha.1...v1.25.0-alpha.2

v1.24.1

What's Changed

• Automated cherry pick of #13901: Use Calico v3.23 for Kubernetes 1.22+ by @hakman in #13968
• Automated cherry pick of #13965: Use control-plane node role for AWS IAM Authenticator by @rifelpet in #13967
• Automated cherry pick of #13970: Skip deregistering the instance during rolling update for by @hakman in #13971
• Automated cherry pick of #13979: Upgrade aws-iam-authenticator to v0.5.9 by @rifelpet in #13980
• Automated cherry pick of #13982: Use only IPv4 for Hetzner servers by @hakman in #13984
• Automated cherry pick of #13975: Add option to set etcd-manager backup interval by @hakman in #13983
• Automated cherry pick of #13990: Update etcd-manager to v3.0.20220717 by @hakman in #13991
• Automated cherry pick of #13994: Update Go to v1.18.4 by @hakman in #13996
• Automated cherry pick of #13986: Add option to set number of replicas for pod-identity-webhook by @hakman in #13988
• Automated cherry pick of #14005: Upgrade DO CSI driver to 4.2.0 by @hakman in #14006
• Update k8s.io/client-go to match k8s.io/api by @hakman in #14003
• Automated cherry pick of #14015: Switch to latest MacOS version for CI by @hakman in #14019
• Automated cherry pick of #14024: Revert to using instance private DNS name to lookup hostname by @hakman in #14025
• Automated cherry pick of #14018: Add server group management for Hetzner by @hakman in #14028
• Update dependencies for kOps 1.24 by @hakman in #13989
• Automated cherry pick of #13908: Update Calico to v3.23.2 #14009: Update Calico to v3.23.3 by @hakman in #14010
• Automated cherry pick of #14038: Update etcd-manager to v3.0.20220727 by @hakman in #14039
• Automated cherry pick of #14041: Check keyset existence before attempting to distrust by @hakman in #14042
• Automated cherry pick of #14046: Fix SIGSEGV when deleting a Hetzner instance by @hakman in #14047
• Automated cherry pick of #14053: Remove namespaces from cluster-scoped resources in CNI by @hakman in #14059
• Automated cherry pick of #14034: Enable rolling updates for Hetzner
  #14057: Wait for load balancer to be ready for Hetzner
  #14058: Add multiple SSH keys support for Hetzner by @hakman in #14067
• Automated cherry pick of #14054: Use cabundle for etcd CA files by @olemarkus in #14069
• Release 1.24.1 by @hakman in #14071

Full Changelog: v1.24.0...v1.24.1

v1.23.3

Release notes for kOps 1.23 series

Significant changes

• If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is
  being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name and
  managed subnets will be configured to launch instances with Resource Based Names.

• Support for ShutdownGracePeriod and ShutdownGracePeriodCriticalPods. By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.

• By enabling the pod identity webhook, you no longer need to modify your Pod specs to assume IAM roles.

Breaking changes

• Support for Kubernetes version 1.17 has been removed.

• Support for the Lyft CNI has been removed.

• The Weave CNI is not supported for Kubernetes 1.23 or later.

• Support for CentOS 7 has been removed.

• Support for CentOS 8 has been removed (replaced by Rocky Linux 8).

• Support for Debian 9 has been removed.

• Support for RHEL 7 is has been removed.

• Support for Ubuntu 16.04 (Xenial) has been removed.

• Cilium now has disable-cnp-status-updates: true by default. Set this to false if you rely on the CiliumNetworkPolicy status fields.

Required actions

Deprecations

• Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.

• Support for Kubernetes version 1.19 is deprecated and will be removed in kOps 1.25.

• All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.

• The node-role.kubernetes.io/master and kubernetes.io/role labels are deprecated and might be removed from control plane nodes in future versions of kOps.

• Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated and will be removed in kOps 1.24.

• Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.

Other changes of note

• The kops create cluster command has a new --discovery-store flag for specifying a public store for the OIDC-compatible discovery documents.
  If this flag is used in AWS, it will enable IRSA.

• If externalDns.provider is external-dns, then externalDns.watchIngress will now default to true.

• This release introduces a v1alpha3 API version. This API version is a work in progress and is likely to be replaced in kOps 1.24.
  It is recommended to keep using the v1alpha2 API version.

• IPv6 pod subnets is in a working state using public IPv6 addresses for the Pod network. This works with both Cilium and Calico. IPv6 is still behind a feature flag until service controllers and addons implement support for IPv6. See the IPv6 documentation.

• The kops rolling-update cluster command has a new --drain-timeout flag for specifying the maximum amount of time to wait when attempting to drain a node. Previously, rolling-updates would attempt to drain a node for an indefinite amount of time. If --drain-timeout is not specified, a default of 15 minutes is applied.

• Fix inconsistent output of kops get clusters -ojson. This will now always return a list (irrespective of a single or multiple clusters) to keep the format consistent. However, note that kops get cluster dev.example.com -ojson will continue to work as previously, and will return a single object.

• Digital Ocean kops now has vpc support. You can specify a network-cidr range while creating the kops cluster. kops resources will be created in the new vpc range. Also supports shared vpc; you can specify the vpc uuid while creating kops cluster.

1.23.2 to 1.23.3

• Increase timeout for pushing binaries to staging @hakman #13633
• Update runc to v1.1.2 @hakman #13638
• Add a nameservers parameter for cert-manager. @jim-barber-he #13567
• Remove unused DNS logic from Protokube @hakman #13689
• Fix Protokube gossip flag @hakman #13692
• Add support for setting mode field on file assets @yurrriq #13715
• Update containerd and Docker versions @hakman #13741
• Fix API group name for ingresses in DNS Controller @julienperignon #13750
• Update runc to v1.1.3 @hakman #13763
• Update AWS CCM images for k8s 1.20-1.22 @hakman #13748
• Avoid spurious changes with ed25519 keys @hakman #13774
• Update etcd-manager to v3.0.20220617 @hakman #13824
• Mount /etc/hosts from host for CoreDNS @hakman #13922
• Update etcd-manager to v3.0.20220717 @hakman #13990
• Update Go to v1.17.12 for kOps 1.23 @hakman #13997
• Switch to latest MacOS version for CI @hakman #14015
• Revert to using instance private DNS name to lookup hostname @hakman #14024
• Check keyset existence before attempting to distrust @yurrriq #14041
• Fix SIGSEGV when deleting a Hetzner instance @hakman #14046