Releases: kubernetes/kops
v1.24.0-beta.3
Release Notes
https://kops.sigs.k8s.io/releases/1.24-notes/
What's Changed
- Automated cherry pick of #13809: replace flexdriver with busybox by @zetaab in #13810
- Automated cherry pick of #13824: Update etcd-manager to v3.0.20220617 by @hakman in #13825
- Automated cherry pick of #13846: Do not run CAS on spot instances by @olemarkus in #13847
- Automated cherry pick of #13857: Fix GCE resource tracking by @hakman in #13863
- Automated cherry pick of #13707: Adding GuestAccelerators to InstanceTemplate by @hakman in #13865
- Automated cherry pick of #13866: Limit GCE tag for role to 63 chars by @hakman in #13867
- Automated cherry pick of #13819: Replace manifests after apply by @olemarkus in #13871
- Automated cherry pick of #13764: Don't try to manage the kube-system namespace; #13768: Remove unneeded kube-proxy service account by @hakman in #13874
- Release 1.24.0-beta.3 by @olemarkus in #13880
Full Changelog: v1.24.0-beta.2...v1.24.0-beta.3
v1.24.0-beta.2
Release Notes
https://kops.sigs.k8s.io/releases/1.24-notes/
What's Changed
- Automated cherry pick of #13749: Channels to have exit status 1 on apply failure by @olemarkus in #13756
- Automated cherry pick of #13715: Add support for setting mode field on file assets by @hakman in #13759
- Automated cherry pick of #13761: Revert "Use kubectl replace instead of apply when updating by @hakman in #13762
- Automated cherry pick of #13750: Fix API group being incorrect for ingresses by @hakman in #13766
- Automated cherry pick of #13741: Update containerd and Docker versions by @hakman in #13743
- Automated cherry pick of #13748: Update AWS CCM images for k8s 1.20-1.22 by @hakman in #13771
- Automated cherry pick of #13763: Update runc to v1.1.3 by @hakman in #13769
- Automated cherry pick of #13773: Fix namespace for cert manager webhook config by @hakman in #13775
- Automated cherry pick of #13779: Add back the metrics-server 443 port with a new name by @olemarkus in #13786
- Automated cherry pick of #13774: Avoid spurious changes with ed25519 keys by @hakman in #13776
- Automated cherry pick of #13781: Fix broken node selector for node termination handler by @olemarkus in #13787
- Release 1.24.0-beta.2 by @olemarkus in #13788
Full Changelog: v1.24.0-beta.1...v1.24.0-beta.2
v1.24.0-beta.1
Release Notes
https://kops.sigs.k8s.io/releases/1.24-notes/
What's Changed
- Release notes for 1.24.0-alpha.5 by @olemarkus in #13676
- Bump coredns to 1.8.6 by @olemarkus in #13677
- Add Support for OVN Load Balancer for OpenStack by @ching-kuo in #13678
- Add release note and getting started entries for Hetzner by @hakman in #13680
- Fix kops update for OpenStack with LB by @ching-kuo in #13682
- Update Calico and Canal to v3.23.1 by @hakman in #13672
- bump alpha k8s versions with May releases by @MoShitrit in #13683
- Update troubleshoot.md by @simonccc in #13685
- Add support for configuring which metrics cilium will export by @olemarkus in #13684
- Remove unused DNS logic from Protokube by @hakman in #13689
- Fix Protokube gossip flag by @hakman in #13692
- Bump actions/setup-go from 3.1.0 to 3.2.0 by @dependabot in #13694
- Refactor cloud providers and remove unused code from Protokube by @hakman in #13691
- Use dependabot for Go deps by @hakman in #13696
- Fix links to go docs by @diversario in #13705
- Update gophercloud to v0.25.0 by @ching-kuo in #13710
- Use build tags for Protokube by @hakman in #13706
- Clarify difference between terraform and kOps state stores by @hakman in #13709
- Bump node termination handler to 1.16.5 by @olemarkus in #13711
- promote alpha to stable (k8s releases) by @MoShitrit in #13713
- Migrate EBS CSI images back to registry.k8s.io by @rifelpet in #13718
- Bump github.com/prometheus/client_golang from 1.12.1 to 1.12.2 by @dependabot in #13697
- update openstack ccm + csi by @zetaab in #13716
- Bump github.com/spotinst/spotinst-sdk-go from 1.118.0 to 1.120.0 by @dependabot in #13699
- Bump aws cni to 1.11.2 by @MoShitrit in #13726
- Add CSI driver for Hetzner by @hakman in #13728
- Use kubectl replace instead of apply when updating addons by @olemarkus in #13731
- Release 1.24.0-beta.1 by @hakman in #13730
New Contributors
Full Changelog: v1.24.0-alpha.5...v1.24.0-beta.1
v1.24.0-alpha.5
Release Notes
https://kops.sigs.k8s.io/releases/1.24-notes/
What's Changed
- Release notes for 1.23.2 by @olemarkus in #13632
- Release notes for 1.24.0-alpha.4 by @hakman in #13634
- Use fixed staging AWS CCM for k8s 1.24+ by @hakman in #13637
- Update runc to v1.1.2 by @hakman in #13638
- add annotation support to aws-ebs-csi pods by @avish42 in #13600
- Bump cluster autoscaler image for 1.24 by @olemarkus in #13642
- Ignore digest for kube-apiserver-healthcheck model test by @hakman in #13639
- Update documentation for manageStorageClasses by @minkimipt in #13641
- fix typo in docs/instance-groups.md by @marquezika in #13635
- Fix code block in manageStorageClasses docs by @minkimipt in #13645
- [Digital Ocean] Add CSI driver for DO block storage by @srikiz in #13643
- Update AWS CCM to 13.05.2022 releases by @hakman in #13644
- Skip nfs tests in all scenarios by @hakman in #13648
- Tweak integration tests to be simpler by @justinsb in #13647
- Use Calico v3.21 with older versions of k8s by @hakman in #13649
- Use -ginkgo.junit-report instead of -ginkgo.reportFile by @hakman in #13650
- Allow editing clusters with Hetzner by @hakman in #13654
- Bump actions/setup-go from 3.0.0 to 3.1.0 by @dependabot in #13653
- Promote May AMIs in channels by @olemarkus in #13658
- Allow the AWS Load Balancer Controller to use WAFs by @seh in #13636
- Update controller-runtime to v0.12.0 by @hakman in #13655
- Set nodeSelector and command to null by @zetaab in #13656
- Add a nameservers parameter for cert-manager. by @jim-barber-he in #13567
- Allow overriding the kubernetes version when upgrading the cluster by @hakman in #13652
- Bump EBS CSI driver to 1.6.1 by @olemarkus in #13664
- Bump Load Balancer Controller to 2.4.1 by @olemarkus in #13665
- Bump Cilium to 1.11.5 by @olemarkus in #13666
- Add missing backslash to aws.md by @piec in #13669
- Bump NTH to 1.16.4 and add support for scheduled instance change events by @olemarkus in #13662
- Bump EBS CSI driver to 1.6.2 by @olemarkus in #13670
- Bump metrics-server to 0.6.1 by @olemarkus in #13674
- Bump external-dns to 0.11.0 by @olemarkus in #13673
- Release 1.24.0-alpha.5 by @hakman in #13675
New Contributors
- @avish42 made their first contribution in #13600
- @minkimipt made their first contribution in #13641
- @marquezika made their first contribution in #13635
- @piec made their first contribution in #13669
Full Changelog: v1.24.0-alpha.4...v1.24.0-alpha.5
v1.24.0-alpha.4
Release Notes
https://kops.sigs.k8s.io/releases/1.24-notes/
What's Changed
- Release notes for 1.24.0-alpha.3 by @heybronson in #13375
- Spotinst: Ocean as a template for VNGs by @liranp in #13234
- [Digital Ocean] Use available regions as per the latest DO documentation by @srikiz in #13394
- Build kops images with ko by @olemarkus in #13341
- Clean up kops build targets by @olemarkus in #13390
- update k8s dependencies by @heybronson in #13397
- Update golangci-lint to v1.45.0 by @hakman in #13403
- Use k8s.gcr.io for k8s side-loaded images by @hakman in #13402
- Use ko-builds for dev-upload by @olemarkus in #13401
- Clean up channels and protokube targets by @olemarkus in #13404
- Don't use bazel for dev-upload by @olemarkus in #13407
- Clean up the rest of the dev-upload targets by @olemarkus in #13408
- AWS-NODE-TERMINATION: Add possibility to set a tune image version by @anthonyhaussman in #13405
- Update netflify deps by @hakman in #13412
- Promote alpha to stable by @MoShitrit in #13415
- Correctly detect GovCloud regions by @mixja in #13410
- dev-upload from upload directory, not bazelupload by @olemarkus in #13419
- fix member update when draining by @zetaab in #13414
- Update the security docs by @olemarkus in #13421
- Remove id var, which is never used beyond that if test by @olemarkus in #13420
- Pin actions to a full length commit SHA by @naveensrinivasan in #13395
- Digest images during remapping by @olemarkus in #13422
- Do not return a '-1' exit if no keys found and json/yaml output by @hierynomus in #13378
- Use non-bazel builds in kubetest2 by @olemarkus in #13409
- Run CSI controller in masters by @zetaab in #13426
- Push ko-built images to staging by @olemarkus in #13428
- Included githubactions in dependabot config by @naveensrinivasan in #13423
- Bump actions/setup-go from 2.2.0 to 3 by @dependabot in #13429
- Use golang 1.18 for building by @olemarkus in #13430
- Use golang 1.18.0 explicitly by @hakman in #13432
- Install gcloud instead of gsutil by @hakman in #13434
- Use the correct upload folder for the latest.txt file by @olemarkus in #13435
- Fix upload dir in cloudbuild-artifacts target by @olemarkus in #13437
- Skip upstream e2e log dump by @olemarkus in #13438
- Remove direct dependency on klog v1 by @olemarkus in #13447
- Bump semver for kubetest2 by @olemarkus in #13446
- fix dns controller crashing for DO by @zak905 in #13443
- Add possibility to set PodAnnotations into NodeLocalDNS by @anthonyhaussman in #13396
- Disable CGO and enable trimpath by @olemarkus in #13451
- Possibility to add additional routes in route tables of subnets by @guillomep in #13318
- Update containerd to v1.6.2 by @hakman in #13455
- Don't run the CSI snapshot plugin if snapshot controller is not installed by @olemarkus in #13453
- Add back hash for containerd v1.6.1 by @hakman in #13462
- Use Cilium 1.11 as default by @olemarkus in #12919
- Bump Cert Manager to 1.8 by @olemarkus in #13464
- Pick the right OS server group when creating cloud groups by @ederst in #13461
- Don't hash parts of the cluster name for e2e by @olemarkus in #13354
- Enable etcd corruption check as mitigation of 3.5 corruption issue by @olemarkus in #13454
- Move Azure settings to cloudProvider.azure by @johngmyers in #13065
- Add PDBs to addons where this was missing by @olemarkus in #13475
- Bump NTH 1.16 and add excludeFromLoadBalancers option by @DingGGu in #13467
- Move Openstack settings to cloudProvider.openstack by @johngmyers in #13326
- Bump viper and cobra by @olemarkus in #13482
- Bump cert-manager deps by @olemarkus in #13481
- Remove explicit dependency on yamlv2 by @olemarkus in #13483
- Use latest stable release by default for scenario test by @olemarkus in #13476
- Remove GOPATH dependency for apimachinery by @hakman in #13472
- Document NodeLocalDNS forwardToKubeDNS breaking change by @jorge07 in #13448
- Fix typos in docs/getting_started/arguments by @scottchiang in #13485
- Update kubetest2 by @olemarkus in #13486
- Bump Ubuntu AMIs in alpha and stable by @olemarkus in #13487
- Bump AWS CNI to version 1.10.3 by @MoShitrit in #13488
- Use aws_s3_object instead of deprecated aws_s3_bucket_object by @hakman in #13491
- Docs getting started aws by @anthonytwh in #13489
- Update Calico and Canal to v3.21.5 by @hakman in #13497
- Update to etcd-manager 3.0.20220417 by @justinsb in #13499
- Revert "Enable etcd corruption check" by @hakman in #13495
- etcd 3 5 3 by @justinsb in #13501
- Remove bazel targets and tools by @olemarkus in #13484
- Bump CCM 1.22 and 1.23 images to stable versions by @olemarkus in #13506
- Use Cluster Autoscaler 1.23 for k8s 1.24 by @olemarkus in #13510
- Adopt control-plane taint and remove master role labels by @olemarkus in #13452
- Update aws-sdk-go to v1.43.41 by @hakman in #13515
- Revert to using 1.23.0-alpha.0 for AWS CCM by @hakman in #13514
- add cluster autoscaler pod annotations by @heybronson in #13511
- Trim GCE firewall rule names to their max length by @rifelpet in #13513
- kubetest2-kops - Create ephemeral SSH keys by @rifelpet in #13522
- Skip topology hints tests in k8s 1.23 by @rifelpet in #13524
- Update remaining addon manifests for the control-plane node role by @rifelpet in #13521
- Release notes for 1.22.5 by @olemarkus in #13528
- Release notes for 1.23.1 by @olemarkus in #13531
- Allow cluster autoscaler to read EC2 instance types to build catalog dynamically by @seh in #13532
- Use expected pointer type in type assertion when iterating over GS ACLs by @tesspib in #13534
- Shell out to ssh-keygen for creating ed25519 keys by @rifelpet in #13538
- Update control plane toleration for external-dns by @rifelpet in #13539
- Pin AWS CCM image tag for k8s 1.25 by @rifelpet in #13543
- fix pod annotations in addon yamls by @heybronson in #13536
- Skip SCTP tests in k8s 1.25 as well by @rifelpet in #13545
- Bump k8s deps to 1.24.0-rc.0 by @olemarkus in #13548
- Trim GCE Subnet and Disk names by @rifelpet in #13546
- Update codegen to v1.24.0-rc.0 by @hakman in #13549
- Update Go to v1.18.1 by @hakman in #13550
- Upgrade flannel to 0.17.0 by @rifelpet in #13552
- Always set cluster-id flag for Protokube by @hakman in #13555
- Create kubeconfig for the root user on Ubunt...
v1.23.2
Release notes for kOps 1.23 series
Significant changes
- If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name, and managed subnets will be configured to launch instances with Resource Based Names.
- Support for ShutdownGracePeriod and ShutdownGracePeriodCriticalPods. By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.
- By enabling the pod identity webhook, you no longer need to modify your Pod specs to assume IAM roles.
Breaking changes
- Support for Kubernetes version 1.17 has been removed.
- Support for the Lyft CNI has been removed.
- The Weave CNI is not supported for Kubernetes 1.23 or later.
- Support for CentOS 7 has been removed.
- Support for CentOS 8 has been removed (replaced by Rocky Linux 8).
- Support for Debian 9 has been removed.
- Support for RHEL 7 has been removed.
- Support for Ubuntu 16.04 (Xenial) has been removed.
- Cilium now has disable-cnp-status-updates: true by default. Set this to false if you rely on the CiliumNetworkPolicy status fields.
Required actions
Deprecations
- Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.
- Support for Kubernetes version 1.19 is deprecated and will be removed in kOps 1.25.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The node-role.kubernetes.io/master and kubernetes.io/role labels are deprecated and might be removed from control plane nodes in future versions of kOps.
- Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated and will be removed in kOps 1.24.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
Other changes of note
- The kops create cluster command has a new --discovery-store flag for specifying a public store for the OIDC-compatible discovery documents. If this flag is used in AWS, it will enable IRSA.
- If externalDns.provider is external-dns, then externalDns.watchIngress will now default to true.
- This release introduces a v1alpha3 API version. This API version is a work in progress and is likely to be replaced in kOps 1.24. It is recommended to keep using the v1alpha2 API version.
- IPv6 pod subnets are in a working state using public IPv6 addresses for the Pod network. This works with both Cilium and Calico. IPv6 is still behind a feature flag until service controllers and addons implement support for IPv6. See the IPv6 documentation.
- The kops rolling-update cluster command has a new --drain-timeout flag for specifying the maximum amount of time to wait when attempting to drain a node. Previously, rolling-updates would attempt to drain a node for an indefinite amount of time. If --drain-timeout is not specified, a default of 15 minutes is applied.
- Fix inconsistent output of kops get clusters -ojson. This will now always return a list (irrespective of a single or multiple clusters) to keep the format consistent. However, note that kops get cluster dev.example.com -ojson will continue to work as previously, and will return a single object.
- Digital Ocean kops now has VPC support. You can specify a network-cidr range while creating the kops cluster; kops resources will be created in the new VPC range. Shared VPCs are also supported: you can specify the VPC UUID while creating the kops cluster.
1.23.1 to 1.23.2
- Use expected pointer type in type assertion when iterating over GS ACLs @tesspib #13534
- Allow cluster autoscaler to read EC2 instance types to build catalog dynamically @seh #13532
- Update Go to v1.17.9 @hakman #13551
- Add back support for Ubuntu 18.04 @hakman #13557
- Update Canal's Flannel to v0.15.1 @tesspib #13562
- Include sysctls in toolbox dump @rifelpet #13570
- Add support for Rocky Linux 8 @hakman #13559
- Fix OIDC Provider cleanup @rifelpet #13571
- Update containerd to v1.6.3 @hakman #13578
- Re-add net.bridge settings for flannel @rifelpet #13564
- Revert containerd v1.6.3 upgrade @rifelpet #13582
- Fix unexpected type for object metadata when using gossip DNS @hakman #13592
- Update containerd to v1.6.4 @hakman #13596
- Update etcd-manager to v3.0.20220503 @hakman #13598
- Add hashes for containerd and Docker in order to fix CVE-2022-23648 @drequena #13606
- Avoid "/etc/resolv.conf" file loopback for Flatcar Container Linux distribution @seh #13617
v1.23.1
Release notes for kOps 1.23 series
Significant changes
- If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name, and managed subnets will be configured to launch instances with Resource Based Names.
- Support for ShutdownGracePeriod and ShutdownGracePeriodCriticalPods. By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.
- By enabling the pod identity webhook, you no longer need to modify your Pod specs to assume IAM roles.
Breaking changes
- Support for Kubernetes version 1.17 has been removed.
- Support for the Lyft CNI has been removed.
- The Weave CNI is not supported for Kubernetes 1.23 or later.
- Support for CentOS 7 has been removed.
- Support for CentOS 8 has been removed.
- Support for Debian 9 has been removed.
- Support for RHEL 7 has been removed.
- Support for Ubuntu 16.04 (Xenial) has been removed.
- Support for Ubuntu 18.04 (Bionic) has been removed.
- Cilium now has disable-cnp-status-updates: true by default. Set this to false if you rely on the CiliumNetworkPolicy status fields.
Required actions
Deprecations
- Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.
- Support for Kubernetes version 1.19 is deprecated and will be removed in kOps 1.25.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The node-role.kubernetes.io/master and kubernetes.io/role labels are deprecated and might be removed from control plane nodes in future versions of kOps.
- Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated and will be removed in kOps 1.24.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
Other changes of note
- The kops create cluster command has a new --discovery-store flag for specifying a public store for the OIDC-compatible discovery documents. If this flag is used in AWS, it will enable IRSA.
- If externalDns.provider is external-dns, then externalDns.watchIngress will now default to true.
- This release introduces a v1alpha3 API version. This API version is a work in progress and is likely to be replaced in kOps 1.24. It is recommended to keep using the v1alpha2 API version.
- IPv6 pod subnets are in a working state using public IPv6 addresses for the Pod network. This works with both Cilium and Calico. IPv6 is still behind a feature flag until service controllers and addons implement support for IPv6. See the IPv6 documentation.
- The kops rolling-update cluster command has a new --drain-timeout flag for specifying the maximum amount of time to wait when attempting to drain a node. Previously, rolling-updates would attempt to drain a node for an indefinite amount of time. If --drain-timeout is not specified, a default of 15 minutes is applied.
- Fix inconsistent output of kops get clusters -ojson. This will now always return a list (irrespective of a single or multiple clusters) to keep the format consistent. However, note that kops get cluster dev.example.com -ojson will continue to work as previously, and will return a single object.
- Digital Ocean kops now has VPC support. You can specify a network-cidr range while creating the kops cluster; kops resources will be created in the new VPC range. Shared VPCs are also supported: you can specify the VPC UUID while creating the kops cluster.
1.23.0 to 1.23.1
- Add missing permissions to aws lbc for IP targeting @olemarkus #13369
- Add protocol explicitly to services @olemarkus #13383
- If kubetest2 fails cluster validation, we run down before exiting @olemarkus #13373
- Allow duplicate taint keys @olemarkus #13366
- Fix long role names @olemarkus #13364
- update k8s dependencies @heybronson #13397
- Update golangci-lint to v1.45.0 @hakman #13403
- Correctly detect GovCloud regions @mixja #13410
- Do not return a '-1' exit if no keys found and json/yaml output @hierynomus #13378
- Tag on create for remaining CCM privileges @olemarkus #12911
- Update containerd to v1.6.2 @hakman #13455
- Add back hash for containerd v1.6.1 @hakman #13462
- Enable etcd corruption check as mitigation of 3.5 corruption issue @olemarkus #13454
- Pick the right OS server group when creating cloud groups @ederst #13461
- Only delete node object on GCE @olemarkus #13289
- Bump AWS CNI to version 1.10.3 @MoShitrit #13488
- Update Calico and Canal to v3.21.5 @hakman #13497
- Update to etcd-manager 3.0.20220417 @justinsb #13499
- Revert "Enable etcd corruption check" @hakman #13495
- etcd 3 5 3 @justinsb #13501
- Bump CCM 1.22 and 1.23 images to stable versions @olemarkus #13506
- Update aws-sdk-go to v1.43.41 @hakman #13515
- Revert to using 1.23.0-alpha.0 for AWS CCM @hakman #13514
- add cluster autoscaler pod annotations @heybronson #13511
v1.22.5
Release notes for kOps 1.22 series
Significant changes
Instance metadata service version 2
On AWS, kOps will enable Instance Metadata Service Version 2 and require tokens on new clusters with Kubernetes 1.22. In addition, the following max hop limits will be set by default:
- worker and API server Nodes, and bastions, will have a limit of 1 hop.
- control plane nodes will have a limit of 3 hops to accommodate controller Pods without host networking that need to assume roles.
This will increase security by default, but may break some types of workloads. In order to revert to the old behavior, add the following to the InstanceGroup:
spec:
  instanceMetadata:
    httpTokens: optional
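The release notes only show the opt-out. As an added example (not part of the kOps release notes), the two InstanceGroup specs below state the hardened defaults explicitly, so the setting is visible in review and survives a later change of defaults; the field names follow the kOps InstanceGroup API (spec.instanceMetadata.httpTokens and spec.instanceMetadata.httpPutResponseHopLimit), and the cluster and group names are placeholders.

```yaml
# Added example, not from the kOps release notes. Pins IMDSv2 and the hop limits
# described above on two instance groups of a placeholder cluster.
apiVersion: kops.k8s.io/v1alpha2
kind: InstanceGroup
metadata:
  name: nodes
  labels:
    kops.k8s.io/cluster: cluster.example.com   # placeholder cluster name
spec:
  role: Node
  instanceMetadata:
    httpTokens: required          # IMDSv2 only: requests without a session token are rejected
    httpPutResponseHopLimit: 1    # the token never leaves the host; pods without host networking cannot use IMDS
---
apiVersion: kops.k8s.io/v1alpha2
kind: InstanceGroup
metadata:
  name: control-plane
  labels:
    kops.k8s.io/cluster: cluster.example.com   # placeholder cluster name
spec:
  role: Master
  instanceMetadata:
    httpTokens: required
    httpPutResponseHopLimit: 3    # controller pods without host networking still need to assume roles via IMDS
```

Apply it with kops replace -f on the two files and roll the groups; worker groups that host pods which legitimately read IMDS without host networking are the ones the notes warn about, and for those the hop limit, not httpTokens, is the setting to relax.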
External ServiceAccountPermissions
Many kOps addons can now make direct use of external permissions.
This can be enabled by adding the following to the Cluster spec:
spec:
  iam:
    useServiceAccountExternalPermissions: true
Currently this is only available using the AWS cloud provider.
Managed nvidia instances
kOps can now provision instances with nvidia GPUs and configure them for container workloads without the need for hooks and operators. See GPU support.
Breaking change in NodeLocalDNS
Since 1.22.0, the default of the Cluster spec field spec.kubeDNS.nodeLocalDNS.forwardToKubeDNS changes from true to false.
Other significant changes
- New clusters on AWS will no longer provision an SSH public key by default. To provision an SSH public key on a new cluster, use the --ssh-public-key flag to kops create cluster.
- The kOps Terraform support now renders managed files through the Terraform configuration instead of writing them to S3 directly. This defers changes to these files until the time of terraform apply. This feature may be temporarily disabled by turning off the TerraformManagedFiles feature flag using export KOPS_FEATURE_FLAGS="-TerraformManagedFiles".
- kOps now implements graceful rotation of its Certificate Authorities and the service account signing key. See the documentation on How to rotate all secrets / credentials.
- New clusters running Kubernetes 1.22 will have the AWS EBS CSI driver enabled by default.
- kOps now supports Debian 11 (Bullseye).
- kOps can now use external-dns as a drop-in replacement for dns-controller.
Breaking changes
Control plane pods no longer mount /srv/kubernetes
For security reasons, /srv/kubernetes is no longer mounted in the kube-apiserver and kube-controller-manager Pods. This also means the files in the default file assets path will be unavailable. If you have file assets or other files needed by kube-apiserver or kube-controller-manager, you must put these into /srv/kubernetes/kube-apiserver/ or /srv/kubernetes/kube-controller-manager, respectively.
For file assets, it means adding an explicit path as shown below:
fileAssets:
  - name: audit-policy-config
    path: /srv/kubernetes/kube-apiserver/audit-policy-config.yaml # make sure you add the path
    roles:
      - Master
    content: |
      apiVersion: audit.k8s.io/v1
      kind: Policy
      rules:
        - level: Metadata
Other breaking changes
- Support for Kubernetes versions 1.15 and 1.16 has been removed.
- The legacy addons from https://github.com/kubernetes/kops/tree/master/addons have been deprecated and will not be available in Kubernetes 1.23+. Use managed addons instead.
- The legacy location for downloads s3://https://kubeupv2.s3.amazonaws.com/kops/ has been deprecated and will not be used for new releases. The new canonical downloads location is https://artifacts.k8s.io/binaries/kops/.
- The assets phase of kops update cluster has been removed. It is replaced by the new kops get assets --copy command.
- Support for importing and converting kubeup clusters has been removed.
- Support for Cilium and RHEL 8 has been removed. Cilium users will need to migrate to a distribution with a newer Linux kernel.
Required actions
- Amazon Linux 2 users are encouraged to use the AMIs based on the 5.10 Linux kernel. See the documentation for more information.
- Terraform support now requires Terraform >=0.15.0. Users on older versions must follow Terraform's recommended upgrade path of applying one minor version at a time prior to running kops update cluster --target terraform.
- The kOps Terraform support now renders managed files through the Terraform configuration instead of writing them to S3 directly. If, after upgrading kOps and applying a new Terraform plan, you subsequently downgrade to an earlier version of kOps, the generated plan will delete these files, breaking the cluster. Prior to applying the plan, you will need to orphan all the aws_s3_bucket_object objects the plan wants to destroy. Use terraform state rm on each of them. Then re-run terraform plan until there are no such objects in the plan. If you applied the plan without first orphaning all of these objects, fix the cluster by re-running kops update cluster --target terraform.
- Terraform users of clusters with names beginning with digits will need to move resources prior to upgrading to kOps 1.22. Some of the following commands will need to be run depending on the particular cluster configuration. Confirm the Terraform plan doesn't destroy any of these resources before running terraform apply.
  # View the existing terraform resource names for the exact value to use
  HYPHENATED_CLUSTER_NAME=123-cluster-example-com
  terraform state mv "aws_iam_openid_connect_provider.${HYPHENATED_CLUSTER_NAME}" "aws_iam_openid_connect_provider.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_internet_gateway.${HYPHENATED_CLUSTER_NAME}" "aws_internet_gateway.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_route_table.${HYPHENATED_CLUSTER_NAME}" "aws_route_table.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_vpc.${HYPHENATED_CLUSTER_NAME}" "aws_vpc.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_vpc_dhcp_options.${HYPHENATED_CLUSTER_NAME}" "aws_vpc_dhcp_options.prefix_${HYPHENATED_CLUSTER_NAME}"
  terraform state mv "aws_vpc_dhcp_options_association.${HYPHENATED_CLUSTER_NAME}" "aws_vpc_dhcp_options_association.prefix_${HYPHENATED_CLUSTER_NAME}"
Deprecations
- Support for Kubernetes version 1.17 is deprecated and will be removed in kOps 1.23.
- Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.
- Support for the Lyft CNI is deprecated and will be removed in kOps 1.23.
- Support for CentOS 7 is deprecated and will be removed in future versions of kOps.
- Support for CentOS 8 is deprecated and will be removed in future versions of kOps.
- Support for Debian 9 (Stretch) is deprecated and will be removed in future versions of kOps.
- Support for RHEL 7 is deprecated and will be removed in future versions of kOps.
- Support for Ubuntu 18.04 (Bionic) is deprecated and will be removed in future versions of kOps.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The node-role.kubernetes.io/master and kubernetes.io/role labels are deprecated and might be removed from control plane nodes in kOps 1.23.
- The TerraformJSON feature flag is deprecated and will be removed in kOps 1.23. Only native HCL2 Terraform output will be supported.
- Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this cloud provider.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
Other changes of note
- Support for shell completion has been substantially improved. kOps has added support for shell completion in fish and PowerShell.
- It is no longer necessary to set AWS_SDK_LOAD_CONFIG=1 in the environment when using AWS assumed roles with the kops CLI.
- There is a new command kops get assets for listing image and file assets used by a cluster. It also includes a --copy flag to copy the assets to local repositories. See the documentation on Using local asset repositories for more information.
- kOps now provisions TLS server certificates signed by the Kubernetes general CA to kube-controller-manager and kube-scheduler. The previous behavior of using self-signed certs may be restored by setting kubeControllerManager.tlsCertFile and/or kubeScheduler.tlsCertFile to "" in the cluster spec.
- Cilium now supports the wireguard protocol for transparent encryption.
1.22.4 to 1.22.5
- Add support for ed25519 keys in AWS @aclevername #13304
- If kubetest2 fails cluster validation, we run down before exiting @olemarkus #13373
- Fix long role names [@olearkus](https://github.com/ol...
v1.24.0-alpha.3
Release notes for kOps 1.24 series
⚠ kOps 1.24 has not been released yet! ⚠
This is a document to gather the release notes prior to the release.
Significant changes
Karpenter support
By enabling the `Karpenter` feature flag, users can now create InstanceGroups managed by [Karpenter](https://karpenter.sh):

```yaml
spec:
  manager: Karpenter
```

You can also start a Karpenter-only cluster with `kops create cluster --instance-manager=karpenter ...`
kOps will directly manage the Karpenter Provisioner resources. Read more about how Karpenter works on kOps in the Karpenter docs.
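The fragment above only shows the new field. The following is an added example (not from the kOps release notes or the kOps repository) of a complete InstanceGroup manifest that hands node provisioning to Karpenter. The cluster name, instance group name, machine type, subnet name and sizes are placeholders; the `apiVersion`, `kind`, `role` and `manager` fields follow the kOps `v1alpha2` InstanceGroup schema. Which of the remaining sizing fields Karpenter honours is described in the kOps Karpenter docs, not here.

```yaml
# Added example: kOps InstanceGroup managed by Karpenter.
# Placeholders: example.k8s.local, nodes-karpenter, t3.medium, eu-west-1a.
apiVersion: kops.k8s.io/v1alpha2
kind: InstanceGroup
metadata:
  labels:
    kops.k8s.io/cluster: example.k8s.local   # must match the Cluster's metadata.name
  name: nodes-karpenter
spec:
  role: Node
  # The field introduced in this release. Omit it to keep the existing
  # cloud-group (ASG) behaviour; requires the Karpenter feature flag.
  manager: Karpenter
  machineType: t3.medium
  minSize: 1
  maxSize: 10
  subnets:
    - eu-west-1a
```

Apply it with `kops create -f` (or `kops edit ig nodes-karpenter` on an existing group) and then `kops update cluster --yes`; kOps creates and owns the corresponding Karpenter Provisioner, so do not edit that Provisioner by hand.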
Other significant changes
Breaking changes
- Support for Kubernetes version 1.18 has been removed.
- Support for Aliyun/Alibaba Cloud has been removed.
- Support for Docker has been removed for Kubernetes 1.24+. See https://kubernetes.io/blog/2020/12/02/dockershim-faq
Required actions
Deprecations
- Support for Kubernetes version 1.19 is deprecated and will be removed in kOps 1.25.
- Support for Kubernetes version 1.20 is deprecated and will be removed in kOps 1.26.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The `node-role.kubernetes.io/master` and `kubernetes.io/role` labels are deprecated and might be removed from control plane nodes in future versions of kOps.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
- Support for Docker has been removed for Kubernetes 1.24+. See https://kubernetes.io/blog/2020/12/02/dockershim-faq
Other changes of note
Full change list since 1.24.0-alpha.2 release
- Release notes for 1.24.0-alpha.2 @johngmyers #13070
- Update release process for automatic tagging @johngmyers #13075
- Remove temporary restrictions on automatically tagging releases @johngmyers #13071
- add flatcar note related to additionalUserData @shubhindia #13061
- Drain OpenStack loadbalancers @zetaab #12983
- Extend terraform support for IPv6 @rifelpet #13028
- Update containerd to v1.6.0-beta.5 @hakman #13084
- Release notes for 1.22.3 @johngmyers #13085
- Spotinst: Update `spotinst/ocean-controller` to v1.0.81 @liranp #13086
- Support price and priority cluster-autoscaler expanders @danports #13081
- Update containerd to v1.6.0-rc.0 @hakman #13098
- decrease the openstack monitoring default timeout @zetaab #13097
- Don't try to add node name to instances without node object @olemarkus #13106
- fix ipv4+ipv6 sec groups/listeners in OpenStack @zetaab #13093
- Do not create an IAM role for dns-controller on gossip clusters @olemarkus #13110
- Add ipv6 to relnotes @olemarkus #13088
- Use IPv6-only subnets for worker nodes in private IPv6 topology @johngmyers #13030
- Remove networking flags as of k8s 1.24 @olemarkus #13120
- Create helper function for ec2 create/tag-on-create IAM permissions @olemarkus #13104
- Add DescribeRegions to nodeup privs @olemarkus #13114
- Remove featureflag for creating IPv6 clusters @hakman #12788
- Preload channel versions from namespaces @olemarkus #13049
- Don't set unsupported configs by default @olemarkus #13111
- Update pause image to v3.6 @hakman #13125
- Clean up kubelet networking flags for dockershim @hakman #13128
- January bump of channels @olemarkus #13130
- expose external ccm metrics for OpenStack @zetaab #13131
- Update to aws-sdk-go to v1.42.37 @jinhong- #13132
- Fix recommended kops versions in channels @olemarkus #13134
- Tag on create for remaining CCM privileges @olemarkus #12911
- Bump metrics-server to 0.6.0 and enable HA mode @olemarkus #13135
- OpenStack - Add loadbalancer pool monitor to API LB @zetaab #13096
- Bump CCM images @olemarkus #13143
- Bump karpenter to 0.5.6 @olemarkus #13151
- Promote alpha AMIs to stable @yurrriq #13152
- Bump 1.23 version in alpha channel @olemarkus #13153
- Add missing v prefix to default upgrade test version @olemarkus #13155
- Bump cert-manager and related godep to 1.6.2 @olemarkus #13154
- add node-drain-timeout flag to rolling-update @heybronson #13103
- Bump etcd-manager to v3.0.20220128 @olemarkus #13158
- Replace deprecated aws.BackgroundContext with context.Background @justinsb #13162
- Fix nil pointer when IAM not populated @justinsb #13167
- JWKS / IRSA: Expose public ACLs to terraform @justinsb #13166
- [DigitalOcean] update ccm version to 0.1.36 @srikiz #13175
- Bump Ubuntu AMI in alpha @olemarkus #13177
- Use etcd-manager pre-release until final release has been cut @olemarkus #13183
- Bump karpenter to 0.6.0 @olemarkus #13185
- More descriptive error message when public key file can't be opened @nckturner #13186
- update GCE default images @zetaab #13181
- Fix etcd-manager for ipv6 @olemarkus #13191
- Update Calico and Canal to v3.21.4 @hakman #13189
- Update to etcd-manager v3.0.20220203 @justinsb #13196
- Pull k8s-custom-iptables from k8s.gcr.io @justinsb #13194
- Add support for AB tests starting out with released kops version @olemarkus #13174
- Update containerd to v1.6.0-rc.2 @hakman #13198
- tests: ensure that we use ACLs with memf...
v1.23.0
Release notes for kOps 1.23 series
Significant changes
- If the Kubernetes version is 1.23 or later and the external AWS Cloud Controller Manager is being used, then Kubernetes Node resources will be named after their AWS instance ID instead of their domain name, and managed subnets will be configured to launch instances with Resource Based Names.
- Support for ShutdownGracePeriod and ShutdownGracePeriodCriticalPods. By default, kOps will set ShutdownGracePeriod to 30 seconds and ShutdownGracePeriodCriticalPods to 10 seconds if the Kubernetes version is above 1.21.
- By enabling the pod identity webhook, you no longer need to modify your Pod specs to assume IAM roles.
Breaking changes
- Support for Kubernetes version 1.17 has been removed.
- Support for the Lyft CNI has been removed.
- The Weave CNI is not supported for Kubernetes 1.23 or later.
- Support for CentOS 7 has been removed.
- Support for CentOS 8 has been removed.
- Support for Debian 9 has been removed.
- Support for RHEL 7 has been removed.
- Support for Ubuntu 16.04 (Xenial) has been removed.
- Support for Ubuntu 18.04 (Bionic) has been removed.
- Cilium now has `disable-cnp-status-updates: true` by default. Set this to `false` if you rely on the CiliumNetworkPolicy status fields.
Required actions
Deprecations
- Support for Kubernetes version 1.18 is deprecated and will be removed in kOps 1.24.
- Support for Kubernetes version 1.19 is deprecated and will be removed in kOps 1.25.
- All legacy addons are deprecated in favor of managed addons, including the metrics server addon and the autoscaler addon.
- The `node-role.kubernetes.io/master` and `kubernetes.io/role` labels are deprecated and might be removed from control plane nodes in future versions of kOps.
- Due to lack of maintainers, the Aliyun/Alibaba Cloud support has been deprecated and will be removed in kOps 1.24.
- Due to lack of maintainers, the CloudFormation support has been deprecated. The current implementation will be left as-is until the implementation needs updates or otherwise becomes incompatible. At that point, it will be removed. We very much welcome anyone willing to contribute to this target.
Other changes of note
- The `kops create cluster` command has a new `--discovery-store` flag for specifying a public store for the OIDC-compatible discovery documents. If this flag is used in AWS, it will enable IRSA.
- If `externalDns.provider` is `external-dns`, then `externalDns.watchIngress` will now default to `true`.
- This release introduces a `v1alpha3` API version. This API version is a work in progress and is likely to be replaced in kOps 1.24. It is recommended to keep using the `v1alpha2` API version.
- IPv6 pod subnets are in a working state using public IPv6 addresses for the Pod network. This works with both Cilium and Calico. IPv6 is still behind a feature flag until service controllers and addons implement support for IPv6. See the IPv6 documentation.
- The `kops rolling-update cluster` command has a new `--drain-timeout` flag for specifying the maximum amount of time to wait when attempting to drain a node. Previously, rolling-updates would attempt to drain a node for an indefinite amount of time. If `--drain-timeout` is not specified, a default of 15 minutes is applied.
- Fix inconsistent output of `kops get clusters -ojson`. This will now always return a list (irrespective of a single or multiple clusters) to keep the format consistent. However, note that `kops get cluster dev.example.com -ojson` will continue to work as previously, and will return a single object.
- kOps on DigitalOcean now has VPC support. You can specify a `network-cidr` range when creating the cluster, and kOps resources will be created in the new VPC range. Shared VPCs are also supported: you can specify the VPC UUID when creating the cluster.
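The pod identity webhook item under Significant changes and the `--discovery-store` item above are two halves of one setup: the discovery store publishes the cluster's OIDC issuer documents and JWKS so AWS can validate projected service account tokens, and the webhook injects the token and `AWS_ROLE_ARN` into Pods so workloads assume a per-ServiceAccount IAM role instead of inheriting the node's instance profile. The following is an added example (not from the kOps release notes or the kOps repository) of a `v1alpha2` cluster-spec fragment wiring those pieces together, plus the ServiceAccount a workload would use. The bucket name, account ID, namespace, ServiceAccount name, policy ARN and cluster name are placeholders; the field names follow the kOps IRSA documentation.

```yaml
# Added example: kOps cluster spec enabling IRSA with per-ServiceAccount
# permissions. Placeholders: example.k8s.local, example-oidc-discovery,
# 123456789012, backups/backup-uploader, backup-bucket-write.
apiVersion: kops.k8s.io/v1alpha2
kind: Cluster
metadata:
  name: example.k8s.local
spec:
  # Equivalent of `kops create cluster --discovery-store=s3://example-oidc-discovery`.
  # This store is read by AWS STS, so it must be publicly readable; it holds
  # only the OIDC discovery document and public keys, never private material.
  serviceAccountIssuerDiscovery:
    discoveryStore: s3://example-oidc-discovery
    enableAWSOIDCProvider: true
  # Injects the projected token and AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILE
  # into Pods whose ServiceAccount carries the role annotation, so Pod specs
  # no longer need hand-written volumes or env vars.
  podIdentityWebhook:
    enabled: true
  iam:
    # Move kOps' own addons off the node instance profile as well.
    useServiceAccountExternalPermissions: true
    # One IAM role per ServiceAccount, scoped to the listed policies only.
    serviceAccountExternalPermissions:
      - name: backup-uploader
        namespace: backups
        aws:
          policyARNs:
            - arn:aws:iam::123456789012:policy/backup-bucket-write
---
# Workload ServiceAccount. The annotation value is a placeholder: use the ARN
# of the role kOps created for backups/backup-uploader (visible in the IAM
# console or in `kops update cluster` output).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backup-uploader
  namespace: backups
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/backup-uploader.backups.sa.example.k8s.local
```

After `kops update cluster --yes` and a rolling update, confirm the least-privilege boundary holds from inside a Pod: `aws sts get-caller-identity` should report the per-ServiceAccount role, and a Pod without the annotated ServiceAccount should not be able to use that policy. Keep the node IAM role minimal, since any Pod can still reach the instance metadata service unless you restrict it.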
Full change list since 1.23.0-beta.2 release
- Update to etcd-manager v3.0.20220203 @justinsb #13196
- use own function to define CSI image version @zetaab #13311
- Add support for ed25519 keys in AWS @aclevername #13304
- Backport of #13176: Add support to install EKS Pod Identity Webhook @h3poteto,@olemarkus #13315
- Bump AWS SDK to v1.43.11 @olemarkus #13322
- Update containerd to v1.6.1 @hakman #13325
- Use proper image and add health check @olemarkus #13328
- Append policy config map arguments only if UsePolicyConfigmap is true @vivekjainx86 #13308