v1.13.3
Documentation
Downloads for v1.13.3
filename |
sha512 hash |
kubernetes.tar.gz |
151af896b72c7fd09c05da1a7685e8b2f167c717adbe5776f80a264171e5f3359a948af93642856e0bfbabb49d3bf9c274085eacf6109c4b972ba5bc9d24b8a7 |
kubernetes-src.tar.gz |
6b9afce63c970e62304767f4a3a58b6974608f7052ede634bffd3b8cc9562e8af56b26c66b8420fb748a0f9aa6336a90454cb57992c7e56c0ff85c37ddb02af8 |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.2
Other notable changes
- Update to go1.11.5 (#73326, @ixdy)
- add goroutine to move unschedulable pods to activeq if they are not retried for more than 1 minute (#72558, @denkensk)
- A new
TaintNodesByCondition
admission plugin taints newly created Node objects as "not ready", to fix a race condition that could cause pods to be scheduled on new nodes before their taints were updated to accurately reflect their reported conditions. This admission plugin is enabled by default if the TaintNodesByCondition
feature is enabled. (#73097, @bsalamat)
- kubeadm: add back
--cert-dir
option for kubeadm init phase certs sa
(#73239, @mattkelly)
- Scale max-inflight limits together with master VM sizes. (#73268, @wojtek-t)
- kubeadm: explicitly wait for
etcd
to have grown when joining a new control plane (#72984, @ereslibre)
- Improve efficiency of preemption logic in clusters with many pending pods. (#72895, @bsalamat)
- Fix AWS NLB security group updates where valid security group ports were incorrectly removed (#68422, @kellycampbell)
- when updating a service or when node changes occur.
- Allow for watching objects larger than 1MB given etcd accepts objects of size up to 1.5MB (#72053, @wojtek-t)
- kubectl: fixed an issue with "too old resource version" errors continuously appearing when calling
kubectl delete
(#72825, @liggitt)
- Fix scheduling starvation of pods in cluster with large number of unschedulable pods. (#72619, @everpeace)
- Fixes spurious 0-length API responses. (#72856, @liggitt)
v1.13.2
Documentation
Downloads for v1.13.2
filename |
sha512 hash |
kubernetes.tar.gz |
fe1c30efaffb70b4102879580470031baf78f11c94fc37773bd69568a3aca9a93a0350d067faa2fa0f25f3e85005fe5944cecd7a33d48326f55c60d0c0408004 |
kubernetes-src.tar.gz |
a6fb14fef46a566a68847cbb522ea091c545293f16af7ddf9ab26a801e548debcd4e4dc48aa6e38cc92bd65f69ca78e7db27d137e915efe687d3228962b94ecb |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.1
Other notable changes
- client-go: shortens refresh period for token files to 1 minute to ensure auto-rotated projected service account tokens are read frequently enough. (#72437, @liggitt)
- Updates the kubernetes dashboard add-on to v1.10.1. Skipping dashboard login is no longer enabled by default. (#72495, @liggitt)
- Fixes a bug in HPA controller so HPAs are always updated every resyncPeriod (15 seconds). (#72373, @krzysztof-jastrzebski)
- Fix device mountable volume names in DSW to prevent races in device mountable plugin, e.g. local. (#71509, @cofyc)
- change azure disk host cache to ReadOnly by default (#72229, @andyzhangx)
- Fixes issue with cleaning up stale NFS subpath mounts (#71804, @msau42)
- Fix a race condition in the scheduler preemption logic that could cause nominatedNodeName of a pod not to be considered in one or more scheduling cycles. (#72259, @bsalamat)
- Fixes
kubectl create secret docker-registry
compatibility (#72344, @liggitt)
- Fix race condition introduced by graceful termination which can lead to a deadlock in kube-proxy (#72361, @lbernail)
- Support graceful termination with IPVS when deleting a service (#71895, @lbernail)
- Fixes issue where subpath volume content was deleted during orphaned pod cleanup for Local volumes that are directories (and not mount points) on the root filesystem. (#72291, @msau42)
- kube-proxy in IPVS mode will stop initiating connections to terminating pods for services with sessionAffinity set. (#71834, @lbernail)
- fix race condition when attach azure disk in vmss (#71992, @andyzhangx)
- Reduce CSI log and event spam. (#71581, @saad-ali)
- fix kubelet log flushing issue in azure disk (#71990, @andyzhangx)
- Update to use go1.11.3 with fix for CVE-2018-16875 (#72035, @seemethere)
- Fix a race condition in which kubeadm only waits for the kubelets kubeconfig file when it has performed the TLS bootstrap, but wasn't waiting for certificates to be present in the filesystem (#72030, @ereslibre)
- kubeadm: fix a possible panic when joining a new control plane node in HA scenarios (#72123, @anitgandhi)
- kubeadm: fix a bug when syncing etcd endpoints (#71945, @pytimer)
v1.13.1
Documentation
Downloads for v1.13.1
filename |
sha512 hash |
kubernetes.tar.gz |
de3858357b2b4444bccc0599c7d0edd3e6ec1a80267ef96883ebcfb06c518ce467dd8720b48084644677a42b8e3ffad9a7d4745b40170ce9dfe5b43310979be1 |
kubernetes-src.tar.gz |
7f0a8dbd3c7397cc5a5bc0297eb24b8e734c3c7b78e48fc794c525377c3895f4fd84fd0a2fa70c5513cc47ee5a174c22bab54796abc5a8f2b30687642c819a68 |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0
Other notable changes
- Fix overlapping filenames in diff if multiple resources have the same name. (#71923, @apelisse)
- Disable proxy to loopback and linklocal (#71980, @micahhausler)
- kube-scheduler: restores ability to run without authentication configuration lookup permissions (#71755, @liggitt)
- client-go: restores behavior of populating the BearerToken field in rest.Config objects constructed from kubeconfig files containing tokenFile config, or from in-cluster configuration. An additional BearerTokenFile field is now populated to enable constructed clients to periodically refresh tokens. (#71713, @liggitt)
- apply: fix detection of non-dry-run enabled servers (#71854, @apelisse)
- Scheduler only activates unschedulable pods if node's scheduling related properties change. (#71551, @mlmhl)
- Fixes pod deletion when cleaning old cronjobs (#71802, @soltysh)
- fix issue: vm sku restriction policy does not work in azure disk attach/detach (#71941, @andyzhangx)
- Include CRD for BGPConfigurations, needed for calico 2.x to 3.x upgrade. (#71868, @satyasm)
- UDP connections now support graceful termination in IPVS mode (#71515, @lbernail)
- kubeadm: use kubeconfig flag instead of kubeconfig-dir on init phase bootstrap-token (#71803, @yagonobre)
- On GCI, NPD starts to monitor kubelet, docker, containerd crashlooping, read-only filesystem and corrupt docker overlay2 issues. (#71522, @wangzhen127)
- Fixes an issue where Portworx volumes cannot be mounted if 9001 port is already in use on the host and users remap 9001 to another port. (#70392, @harsh-px)
- Only use the first IP address got from instance metadata. This is because Azure CNI would set up a list of IP addresses in instance metadata, while only the first one is the Node's IP. (#71736, @feiskyer)
- kube-controller-manager: fixed issue display help for the deprecated insecure --port flag (#71601, @liggitt)
- Update Cluster Autoscaler version in gce manifests to 1.13.1 (https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.13.1) (#71842, @losipiuk)
- kubectl: fixes regression in --sort-by behavior (#71805, @liggitt)
- Fixes apiserver nil pointer panics when requesting v2beta1 autoscaling object metrics (#71744, @yue9944882)
- Fix scheduling starvation of pods in cluster with large number of unschedulable pods. (#71488, @bsalamat)
v1.13.0
Documentation
Downloads for v1.13.0
filename |
sha512 hash |
kubernetes.tar.gz |
7b6a81c9f1b852b1e889c1b62281569a4b8853c79e5675b0910d941dfa7863c97f244f6d607aae3faf60bccd596dedb9d136b7fffeae199876e780904fd9f31e |
kubernetes-src.tar.gz |
844b9fbba21374dd190c8f12dd0e5b3303dd2cd7ad25f241d6f7e46f74adf6987afad021553521d4f479c19d87aa8d4d5be77ac7a6715d31a9187a5bab3b397b |
Client Binaries
Server Binaries
Node Binaries
Kubernetes 1.13 Release Notes
Security Content
- CVE-2018-1002105, a critical security issue in the Kubernetes API Server, is resolved in v1.13.0 (and in v1.10.11, v1.11.5, and v1.12.3). We recommend all clusters running previous versions update to one of these releases immediately. See issue #71411 for details.
Urgent Upgrade Notes
(No, really, you MUST do this before you upgrade)
Before upgrading to Kubernetes 1.13, you must keep the following in mind:
- kube-apiserver
- The deprecated
etcd2
storage backend has been removed. Before upgrading a kube-apiserver using --storage-backend=etcd2
, etcd v2 data must be migrated to the v3 storage backend, and kube-apiserver invocations changed to use --storage-backend=etcd3
. Please consult the installation procedure used to set up etcd for specific migration instructions. Backups prior to upgrade are always a good practice, but since the etcd2 to etcd3 migration is not reversible, an etcd backup prior to migration is essential.
- The deprecated
--etcd-quorum-read
flag has been removed. Quorum reads are now always enabled when fetching data from etcd. Remove the --etcd-quorum-read
flag from kube-apiserver invocations before upgrading.
- kube-controller-manager
- The deprecated
--insecure-experimental-approve-all-kubelet-csrs-for-group
flag has been removed.
- kubelet
- The deprecated
--google-json-key
flag has been removed. Remove the --google-json-key
flag from kubelet invocations before upgrading. (#69354, @yujuhong)
- DaemonSet pods now make use of scheduling features that require kubelets to be at 1.11 or above. Ensure all kubelets in the cluster are at 1.11 or above before upgrading kube-controller-manager to 1.13.
- The schema for the alpha
CSINodeInfo
CRD has been split into spec
and status
fields, and new fields status.available
and status.volumePluginMechanism
added. Clusters using the previous alpha schema must delete and recreate the CRD using the new schema. (#70515, @davidz627)
- kube-scheduler dropped support for configuration files with apiVersion
componentconfig/v1alpha1
. Ensure kube-scheduler is configured using command-line flags or a configuration file with apiVersion kubescheduler.config.k8s.io/v1alpha1
before upgrading to 1.13.
- kubectl
- The deprecated command
run-container
has been removed. Invocations should use kubectl run
instead (#70728, @Pingan2017)
- client-go releases will no longer have bootstrap (k8s.io/client-go/tools/bootstrap) related code. Any reference to it will break. Please redirect all references to k8s.io/bootstrap instead. (#67356, @yliaog)
- Kubernetes cannot distinguish between GCE Zonal PDs and Regional PDs with the same name. To workaround this issue, precreate PDs with unique names. PDs that are dynamically provisioned do not encounter this issue. (#70716, @msau42)
Known Issues
- If kubelet plugin registration for a driver fails, kubelet will not retry. The driver must delete and recreate the driver registration socket in order to force kubelet to attempt registration again. Restarting only the driver container may not be sufficient to trigger recreation of the socket, instead a pod restart may be required. (#71487)
- In some cases, a Flex volume resize may leave a PVC with erroneous Resizing condition even after volume has been successfully expanded. Users may choose to delete the condition, but it is not required. (#71470)
- The CSI driver-registrar external sidecar container v1.0.0-rc2 is known to take up to 1 minute to start in some cases. We expect this issue to be resolved in a future release of the sidecar container. For verification, please see the release notes of future releases of the external sidecar container. (#76)
- When using IPV6-only, be sure to use
proxy-mode=iptables
as proxy-mode=ipvs
is known to not work. (#68437)
Deprecations
- kube-apiserver
- The
--service-account-api-audiences
flag is deprecated in favor of --api-audiences
. The old flag is accepted with a warning but will be removed in a future release. (#70105, @mikedanese)
- The
--experimental-encryption-provider-config
flag is deprecated in favor of --encryption-provider-config
. The old flag is accepted with a warning but will be removed in 1.14. (#71206, @stlaz)
- As part of graduating the etcd encryption feature to beta, the configuration file referenced by
--encryption-provider-config
now uses kind: EncryptionConfiguration
and apiVersion: apiserver.config.k8s.io/v1
. Support for kind: EncryptionConfig
and apiVersion: v1
is deprecated and will be removed in a future release. (#67383, @stlaz)
- The
--deserialization-cache-size
flag is deprecated, and will be removed in a future release. The flag is inactive since the etcd2 storage backend was removed. (#69842, @liggitt)
- The
Node
authorization mode no longer allows kubelets to delete their Node API objects (prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup) (#71021, @liggitt)
- The built-in
system:csi-external-provisioner
and system:csi-external-attacher
cluster roles are deprecated and will not be auto-created in a future release. CSI deployments should provide their own RBAC role definitions with required permissions. (#69868, @pohly)
- The built-in
system:aws-cloud-provider
cluster role is deprecated and will not be auto-created in a future release. Deployments using the AWS cloud provider should grant required permissions to the aws-cloud-provider
service account in the kube-system
namespace as part of deployment. (#66635, @wgliang)
- kubelet
- Use of the beta plugin registration directory
{kubelet_root_dir}/plugins/
for registration of external drivers via the kubelet plugin registration protocol is deprecated in favor of {kubelet_root_dir}/plugins_registry/
. Support for the old directory is planned to be removed in v1.15. Device plugin and CSI storage drivers should switch to the new directory prior to v1.15. Only CSI storage drivers that support 0.x versions of the CSI API are allowed in the old directory. (#70494 by @RenaudWasTaken and #71314 by @saad-ali)
- With the release of the CSI 1.0 API, support for CSI drivers using 0.3 and older releases of the CSI API is deprecated, and is planned to be removed in Kubernetes v1.15. CSI drivers should be updated to support the CSI 1.0 API, and deployed in the new kubelet plugin registration directory (
{kubelet_root_dir}/plugins_registry/
) once all nodes in the cluster are at 1.13 or higher (#71020 and #71314, both by @saad-ali)
- Use of the
--node-labels
flag to set labels under the kubernetes.io/
and k8s.io/
prefix will be subject to restriction by the NodeRestriction
admission plugin in future releases. See admission plugin documentation for allowed labels. (#68267, @liggitt)
- kube-scheduler
- The alpha critical pod annotation (
scheduler.alpha.kubernetes.io/critical-pod
) is deprecated. Pod priority should be used instead to mark pods as critical. (#70298, @bsalamat)
- The following features are now GA, and the associated feature gates are deprecated and will be removed in a future release:
- CSIPersistentVolume
- GCERegionalPersistentDisk
- KubeletPluginsWatcher
- VolumeScheduling
- kubeadm
- The DynamicKubeletConfig feature gate is deprecated. The functionality is still accessible by using the kubeadm alpha kubelet enable-dynamic command.
- The command
kubeadm config print-defaults
is deprecated in favor of kubeadm config print init-defaults
and kubeadm config print join-defaults
(#69617, @rosti)
- support for the
v1alpha3
configuration file format is deprecated and will be removed in 1.14. Use kubeadm config migrate
to migrate v1alpha3
configuration files to v1beta1
, which provides improvements in image repository management, addons configuration, and other areas. The documentation for v1beta1
can be found here: https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1
- The
node.status.volumes.attached.devicePath
field is deprecated for CSI volumes and will not be set in future releases (#71095, @msau42)
- kubectl
- The
kubectl convert
command is deprecated and will be removed in a future release (#70820, @seans3)
- Support for passing unknown provider names to the E2E test binaries is deprecated and will be removed in a future release. Use
--provider=skeleton
(no ssh access) or --provider=local
(local cluster with ssh) instead. (#70141, @pohly)
Major Themes
SIG API Machinery
For the 1.13 release, SIG API Machinery is happy to announce that the dry-run functionality is now beta.
SIG Auth
With this release we've made several important enhancements to core SIG Auth areas. In the authorization category, we've further reduced Kubelet privileges by restricting node self-updates of labels to a whitelisted selection and by disallowing kubelets from deleting their Node API object. In authentication, we added alpha-level support for automounting improved service account tokens through projected volumes. We also enabled audience validation in TokenReview for the new tokens for improved scoping. Under audit logging, the new alpha-level "dynamic audit configuration" adds support for dynamically registering webhooks to receive a stream of audit events. Finally, we've enhanced secrets protection by graduating etcd encryption out of experimental.
SIG AWS
In v1.13 we worked on tighter integrations of Kubernetes API objects with AWS services. These include three out-of-tree alpha feature releases:
- Alpha for AWS ALB (Application Load Balancer) integration to Kubernetes Ingress resources.
- Alpha for CSI specification 0.3 integration to AWS EBS (Elastic Block Store)
- Alpha for the cloudprovider-aws cloud controller manager binary. Additionally we added aws-k8s-tester, deployer interface for kubetest, to the test-infra repository. This plugin allowed us to integrate Prow to the 3 subprojects defined above in order to provide CI signal for all 3 features. The CI signal is visible here under SIG-AWS.
For detailed release notes on the three alpha features from SIG AWS, please refer to the following Changelogs:
SIG Azure
For 1.13 SIG Azure was focused on adding additional Azure Disk support for Ultra SSD, Standard SSD, and Premium Azure Files. Azure Availability Zones and cross resource group nodes were also moved from Alpha to Beta in 1.13.
SIG Big Data
During the 1.13 release cycle, SIG Big Data has been focused on community engagements relating to 3rd-party project integrations with Kubernetes. There have been no impacts on the 1.13 release.
SIG CLI
Over the course of 1.13 release SIG CLI mostly focused on stabilizing the items we’ve been working on over the past releases such as server-side printing and its support in kubectl, as well as finishing kubectl diff which is based on server-side dry-run feature. We’ve continued separating kubectl code to prepare for extraction out of main repository. Finally, thanks to the awesome support and feedback from community we’ve managed to promote the new plugin mechanism to Beta.
SIG Cloud Provider
For v1.13, SIG Cloud Provider has been focused on stabilizing the common APIs and interfaces consumed by cloud providers today. This involved auditing the cloud provider APIs for anything that should be deprecated as well as adding changes where necessary. In addition, SIG Cloud Provider has begun exploratory work around having a “cloud provider” e2e test suite which can be used to test common cloud provider functionalities with resources such as nodes and load balancers.
We are also continuing our long running effort to extract all the existing cloud providers that live in k8s.io/kubernetes into their own respective repos. Along with this migration, we are slowly transitioning users to use the cloud-controller-manager for any cloud provider features instead of the kube-controller-manager.
SIG Cluster Lifecycle
For 1.13 SIG Cluster Lifecycle is pleased to announce the long awaited promotion of kubeadm to stable GA, and the promotion of kubeadm’s configuration API to v1beta1
.
In this release the SIG again focused on further improving the user experience on cluster creation and also fixing a number of bugs and other assorted improvements.
Some notable changes in kubeadm since Kubernetes 1.12:
- kubeadm’s configuration API is now
v1beta1
. The new configuration format provides improvements in - image repository management, addons configuration, and other areas. We encourage v1alpha3
users to migrate to this configuration API using kubeadm config migrate
, as v1alpha3
will be removed in 1.14. The documentation for v1beta1
can be found here: https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta1
- kubeadm has graduated
kubeadm alpha phase
commands to kubeadm init phase
. This means that the phases of creating a control-plane node are now tightly integrated as part of the init
command. Alpha features, not yet ready for GA are still kept under kubeadm alpha
and we appreciate feedback on them.
kubeadm init
and kubeadm init phase
now have a --image-repository
flag, improving support for environments with limited access to official kubernetes repository.
- The DynamicKubeletConfig and SelfHosting functionality was moved outside of
kubeadm init
and feature gates and is now exposed under kubeadm alpha
.
- Kubeadm init phase certs now support the
--csr-only
option, simplifying custom CA creation.
kubeadm join --experimental-control-plane
now automatically adds a new etcd member for local etcd
mode, further simplifying required tasks for HA clusters setup.
- Improvements were made to
kubeadm reset
related to cleaning etcd and notifying the user about the state of iptables.
- kubeadm commands now print warnings if input YAML documents contain unknown or duplicate fields.
- kubeadm now properly recognizes Docker 18.09.0 and newer, but still treats 18.06 as the default supported version.
- kubeadm now automatically sets the
--pod-infra-container-image
flag when starting the kubelet.
SIG IBM Cloud
The IBM Cloud SIG was focused on defining its charter and working towards moving its cloud provider code to an external repository with a goal to have this work done by the end of Kubernetes 1.14 release cycle. In the SIG meetings, we also made sure to share updates on the latest Kubernetes developments in the IBM Cloud like the availability of Kubernetes v1.12.2 in the IBM Cloud Kubernetes Service (IKS). The SIG updates were provided in the Kubernetes community weekly call and at the KubeCon China 2018.
SIG Multicluster
Moving Federation v2 from Alpha towards Beta has been the focus of our effort over the past quarter. To this end we engaged with end users, and successfully enlisted additional contributors from companies including IBM, Amadeus, Cisco and others. Federation v2 provides a suite of decoupled API’s and re-usable components for building multi-cluster control planes. We plan to start releasing Beta components in late 2018. In addition, more minor updates were made to our cluster-registry and multi-cluster ingress sub-projects.
SIG Network
For 1.13, the areas of focus were in IPv6, DNS improvements and some smaller items:
CoreDNS is now the default cluster DNS passing all of the scale/resource usage tests
Node-local DNS cache feature is available in Alpha. This feature deploys a lightweight DNS caching Daemonset that avoids the conntrack and converts queries from UDP to more reliable TCP.
PodReady++ feature now has kubectl
CLI support.
Progress was made towards finalizing the IPv6 dual stack support KEP and support for topological routing of services.
SIG Node
SIG Node focused on stability and performance improvements in the 1.13 release. A new alpha feature is introduced to improve the mechanism that nodes heartbeat back to the control plane. The NodeLease
feature results in the node using a Lease
resource in the kube-node-lease
namespace that is renewed periodically. The NodeStatus
that was used previously to heartbeat back to the control plane is only updated when it changes. This reduces load on the control plane for large clusters. The Kubelet plugin registration mechanism, which enables automatic discovery of external plugins (including CSI and device plugins) has been promoted to stable in this release (introduced as alpha in 1.11 and promoted to beta in 1.12).
SIG Openstack
The major theme for the SIG OpenStack release is the work-in-progress for removing the in-tree provider. This work, being done in conjunction with SIG Cloud Provider, is focusing on moving internal APIs that the OpenStack (and other providers) depends upon to staging to guarantee API stability. This work also included abstracting the in-tree Cinder API and refactoring code to the external Cinder provider to remove additional Cinder volume provider code.
Additional work was also done to implement an OpenStack driver for the Cluster API effort lead by SIG Cluster Lifecycle. For the external Cloud-Provider-OpenStack code, the SIG largely focused on bug fixes and updates to match K8s 1.13 development.
SIG Scalability
SIG Scalability has mostly focused on stability and deflaking our tests, investing into framework for writing scalability tests (ClusterLoader v2) with a goal to migrate all tests to it by the end of 2018 and on the work towards extending definition of Kubernetes scalability by providing more/better user-friendly SLIs/SLOs.
SIG Scheduling
SIG Scheduling has mostly focused on stability in 1.13 and has postponed some of the major features to the next versions. There are still two notable changes: 1. TaintBasedEviction is moved to Beta and will be enabled by default. With this feature enabled, condition taints are automatically added to the nodes and pods can add tolerations for them if needed. 2. Pod critical annotation is deprecated. Pods should use pod priority instead of the annotation.
It is worth noting again that kube-scheduler will use apiVersion kubescheduler.config.k8s.io/v1alpha1
instead of componentconfig/v1alpha1
in its configuration files in 1.13.
SIG Service Catalog
The Service Plan Defaults feature is still under active development.
We continue to improve the UX for the svcat CLI, specifically filling in gaps for the new Namespaced Service Broker feature.
SIG Storage
Over the last year, SIG Storage has been focused on adding support for the Container Storage Interface (CSI) to Kubernetes. The specification recently moved to 1.0, and on the heels of this achievement, Kubernetes v1.13 moves CSI support for PersistentVolumes to GA.
With CSI the Kubernetes volume layer becomes truly extensible, allowing third party storage developers to write drivers making their storage systems available in Kubernetes without having to touch the core code.
CSI was first introduction as alpha in Kubernetes v1.9 and moved to beta in Kubernetes v1.10.
You can find a list of sample and production drivers in the CSI Documentation.
SIG Storage also moves support for Block Volumes to beta (introduced as alpha in v1.9) and support for Topology Aware Volume Scheduling to stable (introduced as alpha in v1.9 and promoted to beta in 1.10).
SIG UI
The migration to the newest version of Angular is still under active development as it is most important thing on the roadmap at the moment. We are getting closer to to the new release. We continue fixing bugs and adding other improvements.
SIG VMWare
Major focus for SIG VMware for this release is the work on moving internal APIs that the vSphere provider depends upon to staging to guarantee API stability. This work is being done in conjunction with SIG Cloud Provider and includes the creation of a brand new vsphere-csi plugin to replace the current volume functionalities in-tree.
Additional work was also done to implement a vSphere provider for the Cluster API effort lead by SIG Cluster Lifecycle. For the out-of-tree vSphere cloud provider, the SIG largely focused on bug fixes and updates to match K8s 1.13 development.
SIG Windows
SIG Windows focused on improving reliability for Windows and Kubernetes support
New Features
- kubelet: When node lease feature is enabled, kubelet reports node status to api server only if there is some change or it didn't report over last report interval. (#69753, @wangzhen127)
- vSphereVolume implements Raw Block Volume Support (#68761, @fanzhangio)
- CRD supports multi-version Schema, Subresources and AdditionalPrintColumns (NOTE that CRDs created prior to 1.13 populated the top-level additionalPrinterColumns field by default. To apply an updated that changes to per-version additionalPrinterColumns, the top-level additionalPrinterColumns field must be explicitly set to null). (#70211, @roycaihw)
- New addon in addon manager that automatically installs CSI CRDs if CSIDriverRegistry or CSINodeInfo feature gates are true. (#70193, @saad-ali)
- Delegated authorization can now allow unrestricted access for
system:masters
like the main kube-apiserver (#70671, @deads2k)
- Added dns capabilities for Windows CNI plugins: (#67435, @feiskyer)
- kube-apiserver:
--audit-webhook-version
and --audit-log-version
now default to audit.k8s.io/v1
if unspecified (#70476, @charrywanganthony)
- kubeadm: timeoutForControlPlane is introduced as part of the API Server config, that controls the timeout for the wait for control plane to be up. Default value is 4 minutes. (#70480, @rosti)
--api-audiences
now defaults to the --service-account-issuer
if the issuer is provided but the API audience is not. (#70308, @mikedanese)
- Added support for projected volume in describe function (#70158, @WanLinghao)
- kubeadm now automatically creates a new stacked etcd member when joining a new control plane node (does not applies to external etcd) (#69486, @fabriziopandini)
- Display the usage of ephemeral-storage when using
kubectl describe node
(#70268, @Pingan2017)
- Added functionality to enable br_netfilter and ip_forward for debian packages to improve kubeadm support for CRI runtime besides Docker. (#70152, @ashwanikhemani)
- Added regions ap-northeast-3 and eu-west-3 to the list of well known AWS regions. (#70252, @nckturner)
- kubeadm: Implemented preflight check to ensure that number of CPUs (#70048, @bart0sh)
- CoreDNS is now the default DNS server in kube-up deployments. (#69883, @chrisohaver)
- Opt out of chowning and chmoding from kubectl cp. (#69573, @bjhaid)
- Failed to provision volume with StorageClass "azurefile-premium": failed to create share andy-mg1121-dynamic-pvc-1a7b2813-d1b7-11e8-9e96-000d3a03e16b in account f7228f99bcde411e8ba4900: failed to create file share, err: storage: service returned error: StatusCode=400, ErrorCode=InvalidHeaderValue, ErrorMessage=The value for one of the HTTP headers is not in the correct format. (#69718, @andyzhangx)
TaintBasedEvictions
feature is promoted to beta. (#69824, @Huang-Wei)
- Fixed https://github.com/kubernetes/client-go/issues/478 by adding support for JSON Patch in client-go/dynamic/fake (#69330, @vaikas-google)
- Dry-run is promoted to Beta and will be enabled by default. (#69644, @apelisse)
kubectl get priorityclass
now prints value column by default. (#69431, @Huang-Wei)
- Added a new container based image for running e2e tests (#69368, @dims)
- The
LC_ALL
and LC_MESSAGES
env vars can now be used to set desired locale for kubectl
while keeping LANG
unchanged. (#69500, @m1kola)
- NodeLifecycleController: Now node lease renewal is treated as the heartbeat signal from the node, in addition to NodeStatus Update. (#69241, @wangzhen127)
- Added dynamic shared informers to write generic, non-generated controllers (#69308, @p0lyn0mial)
- Upgraded to etcd 3.3 client (#69322, @jpbetz)
- It is now possible to use named ports in the
kubectl port-forward
command (#69477, @m1kola)
kubectl wait
now supports condition value checks other than true using --for condition=available=false
(#69295, @deads2k)
- Updated defaultbackend image to 1.5. Users should concentrate on updating scripts to the new version. (#69120, @aledbf)
- Bumped Dashboard version to v1.10.0 (#68450, @jeefy)
- Added env variables to control CPU requests of kube-controller-manager and kube-scheduler. (#68823, @loburm)
- PodSecurityPolicy objects now support a
MayRunAs
rule for fsGroup
and supplementalGroups
options. This allows specifying ranges of allowed GIDs for pods/containers without forcing a default GID the way MustRunAs
does. This means that a container to which such a policy applies to won't use any fsGroup/supplementalGroup GID if not explicitly specified, yet a specified GID must still fall in the GID range according to the policy. (#65135, @stlaz)
- Upgrade Stackdriver Logging Agent addon image to 0.6-1.6.0-1 to use Fluentd v1.2. This provides nanoseconds timestamp granularity for logs. (#70954, @qingling128)
- When the BoundServiceAccountTokenVolumes Alpha feature is enabled, ServiceAccount volumes now use a projected volume source and their names have the prefix "kube-api-access". (#69848, @mikedanese)
- Raw block volume support is promoted to beta, and enabled by default. This is accessible via the
volumeDevices
container field in pod specs, and the volumeMode
field in persistent volume and persistent volume claims definitions. (#71167, @msau42)
- TokenReview now supports audience validation of tokens with audiences other than the kube-apiserver. (#62692, @mikedanese)
- StatefulSet is supported in
kubectl autoscale
command (#71103, @Pingan2017)
- Kubernetes v1.13 moves support for Container Storage Interface to GA. As part of this move Kubernetes now supports CSI v1.0.0 and deprecates support for CSI 0.3 and older releases. Older CSI drivers must be updated to CSI 1.0 and moved to the new kubelet plugin registration directory in order to work with Kubernetes 1.15+. (#71020, @saad-ali)
- Added option to create CSRs instead of certificates for kubeadm init phase certs and kubeadm alpha certs renew (#70809, @liztio)
- Added a kubelet socket which serves an grpc service containing the devices used by containers on the node. (#70508, @dashpole)
- Added DynamicAuditing feature which allows for the configuration of audit webhooks through the use of an AuditSink API object. (#67257, @pbarker)
- The kube-apiserver's healthz now takes in an optional query parameter which allows you to disable health checks from causing healthz failures. (#70676, @logicalhan)
- Introduced support for running a nodelocal dns cache. It is disabled by default, can be enabled by setting KUBE_ENABLE_NODELOCAL_DNS=true (#70555, @prameshj)
- Added readiness gates in extended output for pods (#70775, @freehan)
- Added
Ready
column and improve human-readable output of Deployments and StatefulSets (#70466, @Pingan2017)
- Added
kubelet_container_log_size_bytes
metric representing the log file size of a container. (#70749, @brancz)
- NodeLifecycleController: When node lease feature is enabled, node lease will be deleted when the corresponding node is deleted. (#70034, @wangzhen127)
- GCERegionalPersistentDisk feature is GA now! (#70716, @jingxu97)
- Added secure port 10259 to the kube-scheduler (enabled by default) and deprecate old insecure port 10251. Without further flags self-signed certs are created on startup in memory. (#69663, @sttts)
Release Notes From SIGs
SIG API Machinery
- The OwnerReferencesPermissionEnforcement admission plugin now checks authorization for the correct scope (namespaced or cluster-scoped) of the owner resource type. Previously, it always checked permissions at the same scope as the child resource. (#70389, @caesarxuchao)
- OpenAPI spec now correctly marks delete request's body parameter as optional (#70032, @iamneha)
- The rules for incrementing
metadata.generation
of custom resources changed: (#69059, @caesarxuchao)
- If the custom resource participates the spec/status convention, the metadata.generation of the CR increments when there is any change, except for the changes to the metadata or the changes to the status.
- If the custom resource does not participate the spec/status convention, the metadata.generation of the CR increments when there is any change to the CR, except for changes to the metadata.
- A custom resource is considered to participate the spec/status convention if and only if the "CustomResourceSubresources" feature gate is turned on and the CRD has
.spec.subresources.status={}
.
- Fixed patch/update operations on multi-version custom resources (#70087, @liggitt)
- Reduced memory utilization of admission webhook metrics by removing resource related labels. (#69895, @jpbetz)
- Kubelet can now parse PEM file containing both TLS certificate and key in arbitrary order. Previously key was always required to be first. (#69536, @awly)
- Code-gen: Removed lowercasing for project imports (#68484, @jsturtevant)
- Fixed client cert setup in delegating authentication logic (#69430, @DirectXMan12)
- OpenAPI spec and API reference now reflect dryRun query parameter for POST/PUT/PATCH operations (#69359, @roycaihw)
- Fixed the sample-apiserver so that its BanFlunder admission plugin can be used. (#68417, @MikeSpreitzer)
- APIService availability related to networking glitches are corrected faster (#68678, @deads2k)
- Fixed an issue with stuck connections handling error responses (#71412, @liggitt)
- apiserver: fixed handling and logging of panics in REST handlers (#71076, @liggitt)
- kube-controller-manager no longer removes ownerReferences from ResourceQuota objects (#70035, @liggitt)
- "unfinished_work_microseconds" is added to the workqueue metrics; it can be used to detect stuck worker threads. (kube-controller-manager runs many workqueues.) (#70884, @lavalamp)
- Timeouts set in ListOptions for clients are also be respected locally (#70998, @deads2k)
- Added support for CRD conversion webhook (#67006, @mbohlool)
- client-go: fixed sending oversized data frames to spdystreams in remotecommand.NewSPDYExecutor (#70999, @liggitt)
- Fixed missing flags in
-controller-manager --help
. (#71298, @stewart-yu)
- Fixed missing flags in
kube-apiserver --help
. (#70204, @imjching)
- The caBundle and service fields in admission webhook API objects now correctly indicate they are optional (#70138, @liggitt)
- Fixed an issue with stuck connections handling error responses (#71419, @liggitt)
- kube-controller-manager and cloud-controller-manager now hold generated serving certificates in-memory unless a writeable location is specified with --cert-dir (#69884, @liggitt)
- CCM server will not listen insecurely if secure port is specified (#68982, @aruneli)
- List operations against the API now return internal server errors instead of partially complete lists when a value cannot be transformed from storage. The updated behavior is consistent with all other operations that require transforming data from storage such as watch and get. (#69399, @mikedanese)
SIG Auth
- API Server can be configured to reject requests that cannot be audit-logged. (#65763, @x13n)
- Go clients created from a kubeconfig that specifies a TokenFile now periodically reload the token from the specified file. (#70606, @mikedanese)
- When
--rotate-server-certificates
is enabled, kubelet will no longer request a new certificate on startup if the current certificate on disk is satisfactory. (#69991, @agunnerson-ibm)
- Added dynamic audit configuration api (#67547, @pbarker)
- Added ability to control primary GID of containers through Pod Spec and PodSecurityPolicy (#67802, @krmayankk)
- kube-apiserver: the
NodeRestriction
admission plugin now prevents kubelets from modifying Node
labels prefixed with node-restriction.kubernetes.io/
. The node-restriction.kubernetes.io/
label prefix is reserved for cluster administrators to use for labeling Node
objects to target workloads to nodes in a way that kubelets cannot modify or spoof. (#68267, @liggitt)
SIG Autoscaling
SIG AWS
service.beta.kubernetes.io/aws-load-balancer-internal
now supports true and false values, previously it only supported non-empty strings (#69436, @mcrute)
- Added
service.beta.kubernetes.io/aws-load-balancer-security-groups
annotation to set the security groups to the AWS ELB to be the only ones specified in the annotation in case this is present (does not add 0.0.0.0/0
). (#62774, @Raffo)
SIG Azure
- Ensured orphan public IPs on Azure deleted when service recreated with the same name. (#70463, @feiskyer)
- Improved Azure instance metadata handling by adding caches. (#70353, @feiskyer)
- Corrected check for non-Azure managed nodes with the Azure cloud provider (#70135, @marc-sensenich)
- Fixed azure disk attach/detach failed forever issue (#71377, @andyzhangx)
- DisksAreAttached --> getNodeDataDisks--> GetDataDisks --> getVirtualMachine --> vmCache.Get (#71495, @andyzhangx)
SIG CLI
kubectl apply
can now change a deployment strategy from rollout to recreate without explicitly clearing the rollout-related fields (#70436, @liggitt)
- The
kubectl plugin list
command now displays discovered plugin paths in the same order as they are found in a user's PATH variable. (#70443, @juanvallejo)
kubectl get
no longer exits before printing all of its results if an error is found (#70311, @juanvallejo)
- Fixed a runtime error occuring when sorting the output of
kubectl get
with empty results (#70740, @mfpierre)
- kubectl: support multiple arguments for cordon/uncordon and drain (#68655, @goodluckbot)
- Fixed ability for admin/edit/view users to see controller revisions, needed for kubectl rollout commands (#70699, @liggitt)
kubectl rollout undo
now returns errors when attempting to rollback a deployment to a non-existent revision (#70039, @liggitt)
- kubectl run now generates apps/v1 deployments by default (#71006, @liggitt)
- The "kubectl cp" command now supports path shortcuts (../) in remote paths. (#65189, @juanvallejo)
- Fixed dry-run output in kubectl apply --prune (#69344, @zegl)
- The kubectl wait command must handle when a watch returns an error vs closing by printing out the error and retrying the watch. (#69389, @smarterclayton)
- kubectl: support multiple arguments for cordon/uncordon and drain (#68655, @goodluckbot)
SIG Cloud Provider
SIG Cluster Lifecycle
- kubeadm: Updates version of CoreDNS to 1.2.6 (#70796, @detiber)
- kubeadm: Validate kubeconfig files in case of external CA mode. (#70537, @yagonobre)
- kubeadm: The writable config file option for extra volumes is renamed to readOnly with a reversed meaning. With readOnly defaulted to false (as in pod specs). (#70495, @rosti)
- kubeadm: Multiple API server endpoints support upon join is removed as it is now redundant. (#69812, @rosti)
kubeadm reset
now cleans up custom etcd data path (#70003, @yagonobre)
- kubeadm: Fixed unnecessary upgrades caused by undefined order of Volumes and VolumeMounts in manifests (#70027, @bart0sh)
- kubeadm: Fixed node join taints. (#69846, @andrewrynhard)
- Fixed cluster autoscaler addon permissions so it can access batch/job. (#69858, @losipiuk)
- kubeadm: JoinConfiguration now houses the discovery options in a nested Discovery structure, which in turn has a couple of other nested structures to house more specific options (BootstrapTokenDiscovery and FileDiscovery) (#67763, @rosti)
- kubeadm: Fixed a possible scenario where kubeadm can pull much newer control-plane images (#69301, @neolit123)
- kubeadm now allows mixing of init/cluster and join configuration in a single YAML file (although a warning gets printed in this case). (#69426, @rosti)
- kubeadm: Added a
v1beta1
API. (#69289, @fabriziopandini)
- kubeadm init correctly uses
--node-name
and --cri-socket
when --config
option is also used (#71323, @bart0sh)
- kubeadm: Always pass spec.nodeName as
--hostname-override
for kube-proxy (#71283, @Klaven)
kubeadm join
correctly uses --node-name
and --cri-socket
when --config
option is also used (#71270, @bart0sh)
- kubeadm now supports the
--image-repository
flag for customizing what registry to pull images from (#71135, @luxas)
- kubeadm: The writable config file option for extra volumes is renamed to readOnly with a reversed meaning. With readOnly defaulted to false (as in pod specs). (#70495, @rosti)
- kubeadm: Multiple API server endpoints support upon join is removed as it is now redundant. (#69812, @rosti)
- kubeadm: JoinConfiguration now houses the discovery options in a nested Discovery structure, which in turn has a couple of other nested structures to house more specific options (BootstrapTokenDiscovery and FileDiscovery) (#67763, @rosti)
- kubeadm: Added a
v1beta1
API. (#69289, @fabriziopandini)
- kubeadm: Use
advertise-client-urls
instead of listen-client-urls
as and etcd-servers
options for apiserver. (#69827, @tomkukral)
- Kubeadm now respects the custom image registry configuration across joins and upgrades. Kubeadm passes the custom registry to the kubelet for a custom pause container. (#70603, @chuckha)
kubeadm reset
now outputs instructions about manual iptables rules cleanup. (#70874, @rdodev)
- kubeadm: remove the AuditPolicyConfiguration feature gate (#70807, @Klaven)
- kubeadm pre-pulls Etcd image only if external Etcd is not used and (#70743, @bart0sh)
- kubeadm: UnifiedControlPlaneImage is replaced by UseHyperKubeImage boolean value. (#70793, @rosti)
- For kube-up and derived configurations, CoreDNS will honor master taints, for consistency with kube-dns behavior. (#70868, @justinsb)
- Recognize newer docker versions without -ce/-ee suffix: 18.09.0 (#71001, @thomas-riccardi)
- Any external provider should be aware the cloud-provider interface should be imported from :- (#68310, @cheftako)
- Fixed 'kubeadm upgrade' infinite loop waiting for pod restart (#69886, @bart0sh)
- Bumped addon-manager to v8.8 (#69337, @MrHohn)
- GCE: Filter out spammy audit logs from cluster autoscaler. (#70696, @loburm)
- GCE: Enable by default audit logging truncating backend. (#68288, @loburm)
- Bumped cluster-proportional-autoscaler to 1.3.0 (#69338, @MrHohn)
- Updated defaultbackend to v1.5 (#69334, @bowei)
SIG GCP
- Added tolerations for Stackdriver Logging and Metadata Agents. (#69737, @qingling128)
- Enabled insertId generation, and updated Stackdriver Logging Agent image to 0.5-1.5.36-1-k8s. This help reduce log duplication and guarantee log order. (#68920, @qingling128)
- Updated crictl to v1.12.0 (#69033, @feiskyer)
SIG Network
- Corrected family type (inet6) for ipsets in ipv6-only clusters (#68436, @uablrek)
- kube-proxy argument
hostname-override
can be used to override hostname defined in the configuration file (#69340, @stevesloka)
- CoreDNS correctly implements DNS spec for Services with externalNames that look like IP addresses. Kube-dns does not follow the spec for the same case, resulting in a behavior change when moving from Kube-dns to CoreDNS. See: coredns/coredns#2324
- IPVS proxier now set net/ipv4/vs/conn_reuse_mode to 0 by default, which will highly improve IPVS proxier performance. (#71114, @Lion-Wei)
- CoreDNS is now version 1.2.6 (#70799, @rajansandeep)
- Addon configuration is introduced in the kubeadm config API, while feature flag CoreDNS is now deprecated. (#70024, @fabriziopandini)
SIG Node
- Fixed a bug in previous releases where a pod could be placed inside another pod's cgroup when specifying --cgroup-root (#70678, @dashpole)
- Optimized calculating stats when only CPU and Memory stats are returned from Kubelet stats/summary http endpoint. (#68841, @krzysztof-jastrzebski)
- kubelet now supports
log-file
option to write logs directly to a specific file (#70917, @dims)
- Do not detach volume if mount in progress (#71145, @gnufied)
- The runtimeHandler field on the RuntimeClass resource now accepts the empty string. (#69550, @tallclair)
- kube-apiserver: fixes
procMount
field incorrectly being marked as required in openapi schema (#69694, @jessfraz)
SIG OpenStack
- Fixed cloud-controller-manager crash when using OpenStack provider and PersistentVolume initializing controller (#70459, @mvladev)
SIG Release
- Use debian-base instead of busybox as base image for server images (#70245, @ixdy)
- Images for cloud-controller-manager, kube-apiserver, kube-controller-manager, and kube-scheduler now contain a minimal /etc/nsswitch.conf and should respect /etc/hosts for lookups (#69238, @BenTheElder)
SIG Scheduling
- Added metrics for volume scheduling operations (#59529, @wackxu)
- Improved memory use and performance when processing large numbers of pods containing tolerations (#65350, @liggitt)
- Fixed a bug in the scheduler that could cause the scheduler to go to an infinite loop when all nodes in a zone are removed. (#69758, @bsalamat)
- Clear pod binding cache on bind error to make sure stale pod binding cache will not be used. (#71212, @cofyc)
- Fixed a scheduler panic due to internal cache inconsistency (#71063, @Huang-Wei)
- Report kube-scheduler unhealthy if leader election is deadlocked. (#71085, @bsalamat)
- Fixed a potential bug that scheduler preempts unnecessary pods. (#70898, @Huang-Wei)
SIG Storage
- Fixed CSI volume limits not showing up in node's capacity and allocatable (#70540, @gnufied)
- CSI drivers now have access to mountOptions defined on the storage class when attaching volumes. (#67898, @bswartz)
- change default azure file mount permission to 0777 (#69854, @andyzhangx)
- Fixed subpath in containerized kubelet. (#69565, @jsafrane)
- Fixed panic on iSCSI volume tear down. (#69140, @jsafrane)
- CSIPersistentVolume feature, i.e. PersistentVolumes with CSIPersistentVolumeSource, is GA. (#69929, @jsafrane)
- Fixed CSIDriver API object to allow missing fields. (#69331, @jsafrane)
- Flex volume plugins now support expandvolume (to increase underlying volume capacity) and expanfs (resize filesystem) commands that Flex plugin authors can implement to support expanding in use Flex PersistentVolumes (#67851, @aniket-s-kulkarni)
- Enabled AttachVolumeLimit feature (#69225, @gnufied)
- The default storage class annotation for the storage addons has been changed to use the GA variant (#68345, @smelchior)
- GlusterFS PersistentVolumes sources can now reference endpoints in any namespace using the
spec.glusterfs.endpointsNamespace
field. Ensure all kubelets are upgraded to 1.13+ before using this capability. (#60195, @humblec)
- Fixed GetVolumeLimits log flushing issue (#69558, @andyzhangx)
- The
MountPropagation
feature is unconditionally enabled in v1.13, and can no longer be disabled. (#68230, @bertinatto)
SIG Windows
kubelet --system-reserved
and --kube-reserved
are supported now on Windows nodes (#69960, @feiskyer)
- Windows runtime endpoints is now switched to
npipe:////./pipe/dockershim
from tcp://localhost:3735
. (#69516, @feiskyer)
- Fixed service issues with named targetPort for Windows (#70076, @feiskyer)
- Handle Windows named pipes in host mounts. (#69484, @ddebroy)
- Fixed inconsistency in windows kernel proxy when updating HNS policy. (#68923, @delulu)
External Dependencies
- Default etcd server is unchanged at v3.2.24 since Kubernetes 1.12. (#68318)
- The list of validated docker versions remain unchanged at 1.11.1, 1.12.1, 1.13.1, 17.03, 17.06, 17.09, 18.06 since Kubernetes 1.12. (#68495)
- The default Go version was updated to 1.11.2. (#70665)
- The minimum supported Go version was updated to 1.11.2 (#69386)
- CNI is unchanged at v0.6.0 since Kubernetes 1.10 (#51250)
- CSI is updated to 1.0.0. Pre-1.0.0 API support is now deprecated. (#71020])
- The dashboard add-on has been updated to v1.10.0. (#68450)
- Heapster remains at v1.6.0-beta, but is now retired in Kubernetes 1.13 (#67074)
- Cluster Autoscaler has been upgraded to v1.13.0 (#71513)
- kube-dns is unchanged at v1.14.13 since Kubernetes 1.12 (#68900)
- Influxdb is unchanged at v1.3.3 since Kubernetes 1.10 (#53319)
- Grafana is unchanged at v4.4.3 since Kubernetes 1.10 (#53319)
- Kibana has been upgraded to v6.3.2. (#67582)
- CAdvisor has been updated to v0.32.0 (#70964)
- fluentd-gcp-scaler has been updated to v0.5.0 (#68837)
- Fluentd in fluentd-elasticsearch is unchanged at v1.2.4 since Kubernetes 1.11 (#67434)
- fluentd-elasticsearch has been updated to v2.2.1 (#68012)
- The fluent-plugin-kubernetes_metadata_filter plugin in fluentd-elasticsearch is unchanged at 2.0.0 since Kubernetes 1.12 (#67544)
- fluentd-gcp has been updated to v3.2.0 (#70954)
- OIDC authentication is unchanged at coreos/go-oidc v2 since Kubernetes 1.10 (#58544)
- Calico was updated to v3.3.1 (#70932)
- Upgraded crictl on GCE to v1.12.0 (#69033)
- CoreDNS has been updated to v1.2.6 (#70799)
- event-exporter has been updated to v0.2.3 (#67691)
- Es-image remains unchanged at Elasticsearch 6.3.2 since Kubernetes 1.12 (#67484)
- metrics-server remains unchanged at v0.3.1 since Kubernetes 1.12 (#68746)
- GLBC remains unchanged at v1.2.3 since Kubernetes 1.12 (#66793)
- Ingress-gce remains unchanged at v1.2.3 since Kubernetes 1.12 (#66793)
- ip-masq-agen remains unchanged at v2.1.1 since Kubernetes 1.12 (#67916)
v1.13.0-rc.2
Documentation
Downloads for v1.13.0-rc.2
filename |
sha512 hash |
kubernetes.tar.gz |
12fbaf943ae72711cd93c9955719ec1773a229dbb8f86a44fcda179229beb82add4dc1a54ceb50b9f48fde48e2464ed0cd4b2e57d9689a7ae784cb052beb6751 |
kubernetes-src.tar.gz |
8e94f0fe73909610e85c201bb1ba4f66fd55ca2b4ded77217a4dfad2874d402cc1cc94203ecc195f909126c186701e5e1e62890ad288895493a1759f88a190d0 |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0-rc.1
Other notable changes
v1.13.0-rc.1
Documentation
Downloads for v1.13.0-rc.1
filename |
sha512 hash |
kubernetes.tar.gz |
1c047e4edcf3553a568679e6e5083988b06df9d938f299a9193c72ad96a9c439a1f47f98b86f75d94746e8c1ae363b7a3de3c29dbdf7585b5e5e67b95f309d4a |
kubernetes-src.tar.gz |
d2fd47c38abd29a2037b9e2a3a958ec250e2c6ae77532f6e935a6422bd626485fd720932b18fe2fdfcc7b17c6014a9da08cd9e6f9272f19f666ec52ffc02b564 |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0-beta.2
Other notable changes
v1.13.0-beta.2
Documentation
Downloads for v1.13.0-beta.2
filename |
sha512 hash |
kubernetes.tar.gz |
e8607473e2b3946a3655fa895c2b7dee74818b4c2701047fee5343ab6b2f2aa3d97b19b11c7e7aeaca322a95bf99cbb5a7dafca187922fd40eaf24daaaf3bc8d |
kubernetes-src.tar.gz |
6ca15ad729a82b41587e1dbbd4e9ad5447e202e8e7ee8c01c411090031ee3feb83f0cc65e211e8634a01e7c52d5f1f7b47cd2ac601708542227853f312401e8f |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0-beta.1
Other notable changes
- Fix missing flags in kube-apiserver --help. (#70204, @imjching)
- kubeadm init correctly uses --node-name and --cri-socket when --config option is also used (#71323, @bart0sh)
- API server flag
--experimental-encryption-provider-config
was renamed to --encryption-provider-config
. The old flag is accepted with a warning but will be removed in 1.14. (#71206, @stlaz)
- Fix missing flags in *-controller-manager --help. (#71298, @stewart-yu)
- Clear pod binding cache on bind error to make sure stale pod binding cache will not be used. (#71212, @cofyc)
- kubeadm: always pass spec.nodeName as --hostname-override for kube-proxy (#71283, @Klaven)
- kubeadm join correctly uses --node-name and --cri-socket when --config option is also used (#71270, @bart0sh)
- apiserver can be configured to reject requests that cannot be audit-logged. (#65763, @x13n)
- Kubelet Device Plugin Registration directory changed from from
{kubelet_root_dir}/plugins/
to {kubelet_root_dir}/plugins_registry/
. Any drivers (CSI or device plugin) that were using the old path must be updated to work with this version. (#70494, @RenaudWasTaken)
- When the BoundServiceAccountTokenVolumes Alpha feature is enabled, ServiceAccount volumes now use a projected volume source and their names have the prefix "kube-api-access". (#69848, @mikedanese)
v1.13.0-beta.1
Documentation
Downloads for v1.13.0-beta.1
filename |
sha512 hash |
kubernetes.tar.gz |
78245b2357a5eeafd193d28f86655327edce7bbc4da142c826eba5f5c05a624cd30b2551f63da37f38e9ca3fcf6990d77a3a068cbfc9075ff19fcdb235db9acb |
kubernetes-src.tar.gz |
880c5a8b16215bc58b307922474703048020b38be1d41672425cd07bdcf0626a88f04a080eac13ebb63c42214454420063289ba147d0a6cdf8dc3fe942382964 |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0-alpha.3
Action Required
- ACTION REQUIRED: The Node.Status.Volumes.Attached.DevicePath fields is deprecated for CSI volumes and will be unset in a future release (#71095, @msau42)
Other notable changes
- Raw block volume support is promoted to beta, and enabled by default. This is accessible via the
volumeDevices
container field in pod specs, and the volumeMode
field in persistent volume and persistent volume claims definitions. (#71167, @msau42)
- Fix a scheduler panic due to internal cache inconsistency (#71063, @Huang-Wei)
- Fix a potential bug that scheduler preempts unnecessary pods. (#70898, @Huang-Wei)
- The API server encryption configuration file format has graduated to stable and moved to
apiVersion: apiserver.config.k8s.io/v1
and kind: EncryptionConfiguration
. (#67383, @stlaz)
- kubelet now supports
log-file
option to write logs directly to a specific file (#70917, @dims)
- kubeadm now supports the
--image-repository
flag for customizing what registry to pull images from (#71135, @luxas)
- timeouts set in ListOptions for clients will also be respected locally (#70998, @deads2k)
- IPVS proxier now set net/ipv4/vs/conn_reuse_mode to 0 by default, which will highly improve IPVS proxier performance. (#71114, @Lion-Wei)
- StatefulSet is supported in
kubectl autoscale
command (#71103, @Pingan2017)
- Report kube-scheduler unhealthy if leader election is deadlocked. (#71085, @bsalamat)
- apiserver: fixes handling and logging of panics in REST handlers (#71076, @liggitt)
- kubelets are no longer allowed to delete their own Node API object. Prior to 1.11, in rare circumstances related to cloudprovider node ID changes, kubelets would attempt to delete/recreate their Node object at startup. Kubelets older than 1.11 are not supported running against a v1.13+ API server. If an unsupported legacy kubelet encounters this situation, a cluster admin can remove the Node object: (#71021, @liggitt)
*
kubectl delete node/<nodeName>
- or grant self-deletion permission explicitly:
kubectl create clusterrole self-deleting-nodes --verb=delete --resource=nodes
kubectl create clusterrolebinding self-deleting-nodes --clusterrole=self-deleting-nodes --group=system:nodes
- Kubernetes v1.13 moves support for Container Storage Interface to GA. As part of this move Kubernetes now supports CSI v1.0.0 and drops support for CSI 0.3 and older releases. Older CSI drivers must be updated to CSI 1.0 in order to work with Kubernetes 1.13+. (#71020, @saad-ali)
- Remove deprecated kubectl command aliases 'run-container' (#70728, @Pingan2017)
- kubeadm: enable strict unmarshaling of YAML configuration files and show warnings for unknown and duplicate fields. (#70901, @neolit123)
- For kube-up and derived configurations, CoreDNS will honor master taints, for consistency with kube-dns behavior. (#70868, @justinsb)
- CoreDNS is now version 1.2.6 (#70799, @rajansandeep)
- kubeadm: Use
advertise-client-urls
instead of listen-client-urls
as and etcd-servers
options for apiserver. (#69827, @tomkukral)
- Add option to create CSRs instead of certificates for kubeadm init phase certs and kubeadm alpha certs renew (#70809, @liztio)
- Add a kubelet socket which serves an grpc service containing the devices used by containers on the node. (#70508, @dashpole)
- kube-apiserver: the
NodeRestriction
admission plugin now prevents kubelets from modifying Node
labels prefixed with node-restriction.kubernetes.io/
. The node-restriction.kubernetes.io/
label prefix is reserved for cluster administrators to use for labeling Node
objects to target workloads to nodes in a way that kubelets cannot modify or spoof. (#68267, @liggitt)
- kubelet: it is now deprecated to use the
--node-labels
flag to set kubernetes.io/
and k8s.io/
-prefixed labels other than the following labels:
kubernetes.io/hostname
kubernetes.io/instance-type
kubernetes.io/os
kubernetes.io/arch
beta.kubernetes.io/instance-type
beta.kubernetes.io/os
beta.kubernetes.io/arch
failure-domain.kubernetes.io/zone
failure-domain.kubernetes.io/region
failure-domain.beta.kubernetes.io/zone
failure-domain.beta.kubernetes.io/region
[*.]kubelet.kubernetes.io/*
[*.]node.kubernetes.io/*
- Setting other
kubernetes.io/
- and k8s.io/
-prefixed labels using the --node-labels
flag will produce a warning in v1.13, and be disallowed in v1.15. Setting labels that are not prefixed with kubernetes.io/
or k8s.io/
is still permitted.
- Adds DynamicAuditing feature which allows for the configuration of audit webhooks through the use of an AuditSink API object. (#67257, @pbarker)
- The Kubelet plugin registration mechanism used by device plugins and CSI plugins is now GA (#70559, @vladimirvivien)
- CSIPersistentVolume feature, i.e. PersistentVolumes with CSIPersistentVolumeSource, is GA. (#69929, @jsafrane)
- CSIPersistentVolume feature gate is now deprecated and will be removed according to deprecation policy.
- kubectl: support multiple arguments for cordon/uncordon and drain (#68655, @goodluckbot)
- The kube-apiserver's healthz now takes in an optional query parameter which allows you to disable health checks from causing healthz failures. (#70676, @logicalhan)
- client-go: fixes sending oversized data frames to spdystreams in remotecommand.NewSPDYExecutor (#70999, @liggitt)
- kube-controller-manager no longer removes ownerReferences from ResourceQuota objects (#70035, @liggitt)
- Introduces support for running a nodelocal dns cache. It is disabled by default, can be enabled by setting KUBE_ENABLE_NODELOCAL_DNS=true (#70555, @prameshj)
- An ip address is required for the cache instance to listen for requests on, default is a link local ip address of value 169.254.20.10
- Fix dry-run output in kubectl apply --prune (#69344, @zegl)
- kubectl run now generates apps/v1 deployments by default (#71006, @liggitt)
kubeadm reset
now outputs instructions about manual iptables rules cleanup. (#70874, @rdodev)
- Recognize newer docker versions without -ce/-ee suffix: 18.09.0 (#71001, @thomas-riccardi)
- "unfinished_work_microseconds" is added to the workqueue metrics; it can be used to detect stuck worker threads. (kube-controller-manager runs many workqueues.) (#70884, @lavalamp)
- add readiness gates in extended output for pods (#70775, @freehan)
- add
Ready
column and improve human-readable output of Deployments and StatefulSets (#70466, @Pingan2017)
- Kubeadm now respects the custom image registry configuration across joins and upgrades. Kubeadm passes the custom registry to the kubelet for a custom pause container. (#70603, @chuckha)
- kubeadm: deprecate the DynamicKubeletConfig feature gate. The functionality is still accessible by using the kubeadm alpha kubelet enable-dynamic command. (#70849, @yagonobre)
- Add
kubelet_container_log_size_bytes
metric representing the log file size of a container. (#70749, @brancz)
- kubeadm: remove the AuditPolicyConfiguration feature gate (#70807, @Klaven)
- Kubeadm: attributes for join --control-plane workflow are now grouped into a dedicated JoinControlPlane struct (#70870, @fabriziopandini)
- Addon configuration is introduced in the kubeadm config API, while feature flag CoreDNS is now deprecated. (#70024, @fabriziopandini)
- Fixes ability for admin/edit/view users to see controller revisions, needed for kubectl rollout commands (#70699, @liggitt)
- kubeadm pre-pulls Etcd image only if external Etcd is not used and (#70743, @bart0sh)
- --etcd-upgrade=false is not specified
- Add support for CRD conversion webhook (#67006, @mbohlool)
- Delete node lease if the corresponding node is deleted (#70034, @wangzhen127)
- In a future release the kubectl convert command will be deprecated. (#70820, @seans3)
- kubeadm: UnifiedControlPlaneImage is replaced by UseHyperKubeImage boolean value. (#70793, @rosti)
- kubeadm v1beta1 API: InitConfiguration.APIEndpoint has been renamed to .LocalAPIEndpoint (#70761, @luxas)
- Breaking change: CSINodeInfo split into Spec and Status. New fields Available and VolumePluginMechanism added to CSINodeInfo csi-api object. CSIDriverInfo no longer deleted on Driver uninstallation, instead Available flag is set to false. (#70515, @davidz627)
- GCERegionalPersistentDisk feature is GA now! (#70716, @jingxu97)
- Add secure port 10259 to the kube-scheduler (enabled by default) and deprecate old insecure port 10251. Without further flags self-signed certs are created on startup in memory. (#69663, @sttts)
--feature-gates
argument has been removed from the kubeadm join
command. Feature gates will be retrieved from the cluster configuration during the join process. (#70755, @ereslibre)
- [kubeadm] Updates version of CoreDNS to 1.2.6 (#70796, @detiber)
- kubelet: When node lease feature is enabled, kubelet reports node status to api server only if there is some change or it didn't report over last report interval. (#69753, @wangzhen127)
- Self hosted is no longer supported in the standard workflow. The feature flags have been removed and your self hosted cluster is no longer able to upgrade via kubeadm. (#69878, @Klaven)
- vSphereVolume implements Raw Block Volume Support (#68761, @fanzhangio)
- [GCE] Filter out spammy audit logs from cluster autoscaler. (#70696, @loburm)
- CRD supports multi-version Schema, Subresources and AdditionalPrintColumns (NOTE that CRDs created prior to 1.13 populated the top-level additionalPrinterColumns field by default. To apply an update that changes to per-version additionalPrinterColumns, the top-level additionalPrinterColumns field must be explicitly set to null). (#70211, @roycaihw)
- Fixes a bug in previous releases where a pod could be placed inside another pod's cgroup when specifying --cgroup-root (#70678, @dashpole)
- Upgrade golang.org/x/net image to release-branch.go1.10 (#70663, @wenjiaswe)
- New addon in addon manager that automatically installs CSI CRDs if CSIDriverRegistry or CSINodeInfo feature gates are true. (#70193, @saad-ali)
- delegated authorization can now allow unrestricted access for
system:masters
like the main kube-apiserver (#70671, @deads2k)
- Update to use go1.11.2 (#70665, @cblecker)
- Add dns capabilities for Windows CNI plugins: (#67435, @feiskyer)
- "dns" {
- "servers": ["10.0.0.10"],
- "searches": ["default.svc.cluster.local","svc.cluster.local","cluster.local"],
- "options": []
- }
- The VolumeScheduling feature is GA. The VolumeScheduling feature gate is deprecated and will be removed in a future release. (#70673, @msau42)
- Go clients created from a kubeconfig that specifies a TokenFile now periodically reload the token from the specified file. (#70606, @mikedanese)
- kubeadm: validate kubeconfig files in case of external CA mode. (#70537, @yagonobre)
- kube-apiserver:
--audit-webhook-version
and --audit-log-version
now default to audit.k8s.io/v1
if unspecified (#70476, @charrywanganthony)
- kubeadm: timeoutForControlPlane is introduced as part of the API Server config, that controls the timeout for the wait for control plane to be up. Default value is 4 minutes. (#70480, @rosti)
- kubeadm: The writable config file option for extra volumes is renamed to readOnly with a reversed meaning. With readOnly defaulted to false (as in pod specs). (#70495, @rosti)
- remove retry operation on attach/detach azure disk (#70568, @andyzhangx)
- Fix CSI volume limits not showing up in node's capacity and allocatable (#70540, @gnufied)
- Flex volume plugins now support expandvolume (to increase underlying volume capacity) and expanfs (resize filesystem) commands that Flex plugin authors can implement to support expanding in use Flex PersistentVolumes (#67851, @aniket-s-kulkarni)
- kubeadm: Control plane component configs are separated into ClusterConfiguration sub-structs. (#70371, @rosti)
- The
MountPropagation
feature is unconditionally enabled in v1.13, and can no longer be disabled. (#68230, @bertinatto)
- add azure UltraSSD, StandardSSD disk type support (#70477, @andyzhangx)
- The OwnerReferencesPermissionEnforcement admission plugin now checks authorization for the correct scope (namespaced or cluster-scoped) of the owner resource type. Previously, it always checked permissions at the same scope as the child resource. (#70389, @caesarxuchao)
- Ensure orphan public IPs on Azure deleted when service recreated with the same name. (#70463, @feiskyer)
kubectl apply
can now change a deployment strategy from rollout to recreate without explicitly clearing the rollout-related fields (#70436, @liggitt)
- Fix cloud-controller-manager crash when using OpenStack provider and PersistentVolume initializing controller (#70459, @mvladev)
v1.13.0-alpha.3
Documentation
Downloads for v1.13.0-alpha.3
filename |
sha512 hash |
kubernetes.tar.gz |
1d50cfd34306ace7354516125c45f8c546bba3ca5081af2b21969b535967d302821c06e7d4d590ba05f3e1e89ba56cc3d890b2e5bf2e07456532ac28e7c6c4a8 |
kubernetes-src.tar.gz |
bf097b99d7b9af15bc1d592ee3782da1e811d8eb68dc9ae9d287589ce9174d3743beaf51422283c42ad03775e43839954bdeb44b1aa5707f73eebabed0cc199e |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0-alpha.2
Other notable changes
- kubelet --system-reserved and --kube-reserved are supported now on Windows nodes (#69960, @feiskyer)
- CSI drivers now have access to mountOptions defined on the storage class when attaching volumes. (#67898, @bswartz)
- The
kubectl plugin list
command will now display discovered plugin paths in the same order as they are found in a user's PATH variable. (#70443, @juanvallejo)
- Handle Windows named pipes in host mounts. (#69484, @ddebroy)
- kubeadm: Multiple API server endpoints support upon join is removed as it is now redundant. (#69812, @rosti)
- OpenAPI spec marks delete request's body parameter as optional (#70032, @iamneha)
- kube-controller-manager and cloud-controller-manager now hold generated serving certificates in-memory unless a writeable location is specified with --cert-dir (#69884, @liggitt)
- Scheduler only activates unschedulable pods if node's scheduling related properties change. (#70366, @mlmhl)
- --api-audiences now defaults to the --service-account-issuer if the issuer is provided but the API audience is not. (#70308, @mikedanese)
- Refactor scheduler_test.go to use a fake k8s client. (#70290, @tossmilestone)
kubectl rollout undo
now returns errors when attempting to rollback a deployment to a non-existent revision (#70039, @liggitt)
kubectl rollout undo
no longer uses the deprecated extensions/v1beta1 rollback API, which means that Events are no longer emitted when rolling back a deployment
-
- The builtin system:csi-external-provisioner and system:csi-external-attacher cluster roles (#69868, @pohly)
- are deprecated and will not be updated for deployments of CSI sidecar container versions >= 0.4.
- Deployments with the current CSI sidecar containers have to provide their own RBAC
- definitions. The reason is that the rules depend on how the sidecar containers are used,
- which is defined by the deployment.
- Use debian-base instead of busybox as base image for server images (#70245, @ixdy)
- add support for projected volume in describe function (#70158, @WanLinghao)
- Speedup process lookup in /proc (#66367, @cpuguy83)
- Kubeadm reset now clean up custom etcd data path (#70003, @yagonobre)
- We changed when the
metadata.generation
of a custom resource (CR) increments. (#69059, @caesarxuchao)
- If the CR participates the spec/status convention, the metadata.generation of the CR increments when there is any change, except for the changes to the metadata or the changes to the status.
- If the CR does not participate the spec/status convention, the metadata.generation of the CR increments when there is any change to the CR, except for changes to the metadata.
- A CR is considered to participate the spec/status convention if and only if the "CustomResourceSubresources" feature gate is turned on and the CRD has
.spec.subresources.status={}
.
- Improve Azure instance metadata handling by adding caches. (#70353, @feiskyer)
- adding cn-northwest-1 for AWS China Ningxia region (#70155, @pahud)
- "kubectl get" no longer exits before printing all of its results if an error is found (#70311, @juanvallejo)
- kubeadm now automatically creates a new stacked etcd member when joining a new control plane node (does not applies to external etcd) (#69486, @fabriziopandini)
- Critical pod annotation is deprecated. Pod priority should be used instead to mark pods as critical. (#70298, @bsalamat)
- Display the usage of ephemeral-storage when using
kubectl describe node
(#70268, @Pingan2017)
- Added functionality to enable br_netfilter and ip_forward for debian packages to improve kubeadm support for CRI runtime besides Docker. (#70152, @ashwanikhemani)
- Add regions ap-northeast-3 and eu-west-3 to the list of well known AWS regions. (#70252, @nckturner)
- Remove kube-controller-manager flag '--insecure-experimental-approve-all-kubelet-csrs-for-group'(deprecated in v1.7) (#69209, @Pingan2017)
- GCE/GKE load balancer health check default interval changes from 2 seconds to 8 seconds, unhealthyThreshold to 3. (#70099, @grayluck)
- Health check parameters are configurable to be bigger than default values.
- The kubectl wait command must handle when a watch returns an error vs closing by printing out the error and retrying the watch. (#69389, @smarterclayton)
- Updates to use debian-iptables v11.0, debian-hyperkube-base 0.12.0, and kube-addon-manager:v8.9. (#70209, @ixdy)
- Fixed patch/update operations on multi-version custom resources (#70087, @liggitt)
- When
--rotate-server-certificates
is enabled, kubelet will no longer request a new certificate on startup if the current certificate on disk is satisfactory. (#69991, @agunnerson-ibm)
-
- Support for passing unknown provider names to the E2E test binaries is going to be deprecated. Use
--provider=skeleton
(no ssh access) or --provider=local
(local cluster with ssh) instead. (#70141, @pohly)
- Add scheduler benchmark tests for PodAffinity and NodeAffinity. (#69898, @Huang-Wei)
- fix azure disk attachment error on Linux (#70002, @andyzhangx)
v1.13.0-alpha.2
Documentation
Downloads for v1.13.0-alpha.2
filename |
sha512 hash |
kubernetes.tar.gz |
cbe7ef29c7e7bbed82e173289f5f84d7a85ee4965cc5b7ccd16cf8236a3b8171bb8f52011d00ea4dd1119cfeee32a3326260e968038431f2834f194e84f6f070 |
kubernetes-src.tar.gz |
8b0b8e1b635cd849c2974d755fe174f0ce8fe8c690721d8ac6312683bbd2ca2c6f7eada38e4e470d3a0172138b10a994fa3bebc01abd76d835431660247e8a71 |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.13.0-alpha.1
Other notable changes
- Corrected family type (inet6) for ipsets in ipv6-only clusters (#68436, @uablrek)
- Corrects check for non-Azure managed nodes with the Azure cloud provider (#70135, @marc-sensenich)
- Windows runtime endpoints is now switched to 'npipe:////./pipe/dockershim' from 'tcp://localhost:3735'. (#69516, @feiskyer)
- The caBundle and service fields in admission webhook API objects now correctly indicate they are optional (#70138, @liggitt)
- The --service-account-api-audiences on kube-apiserver is deprecated in favor of --api-audiences. (#70105, @mikedanese)
- kubeadm: fix unnecessary upgrades caused by undefined order of Volumes and VolumeMounts in manifests (#70027, @bart0sh)
- kubeadm: Implemented preflight check to ensure that number of CPUs (#70048, @bart0sh)
- on the master node is not less than required.
- Reduce memory utilization of admission webhook metrics by removing resource related labels. (#69895, @jpbetz)
- kubeadm: Introduce config print init/join-defaults that deprecate config print-defaults by decoupling init and join configs. (#69617, @rosti)
- Images based on debian-base no longer include the libsystemd0 package. This should have no user-facing impact. (#69995, @ixdy)
- Additionally, the addon-manager image is updated to use kubectl v1.11.3.
- fix 'kubeadm upgrade' infinite loop waiting for pod restart (#69886, @bart0sh)
- add more logging for azure disk diagnostics (#70012, @andyzhangx)
- Fluentd: concatenate long logs (#68012, @desaintmartin)
- CoreDNS is now the default DNS server in kube-up deployments. (#69883, @chrisohaver)
- Optimizes calculating stats when only CPU and Memory stats are returned from Kubelet stats/summary http endpoint. (#68841, @krzysztof-jastrzebski)
- kubeadm: Fix node join taints. (#69846, @andrewrynhard)
- Opt out of chowning and chmoding from kubectl cp. (#69573, @bjhaid)
- support Azure premium file for azure file plugin (#69718, @andyzhangx)
TaintBasedEvictions
feature is promoted to beta. (#69824, @Huang-Wei)
- improves memory use and performance when processing large numbers of pods containing tolerations (#65350, @liggitt)
- Add dynamic audit configuration api (#67547, @pbarker)
- Promote resource limits priority function to beta (#69437, @ravisantoshgudimetla)
- Fix cluster autoscaler addon permissions so it can access batch/job. (#69858, @losipiuk)
- change default azure file mount permission to 0777 (#69854, @andyzhangx)
- kubeadm: JoinConfiguration now houses the discovery options in a nested Discovery structure, which in turn has a couple of other nested structures to house more specific options (BootstrapTokenDiscovery and FileDiscovery) (#67763, @rosti)
- Fix tests to use fsync instead of sync (#69755, @mrunalp)
- kube-proxy argument
hostname-override
can be used to override hostname defined in the configuration file (#69340, @stevesloka)
- kube-apiserver: the
--deserialization-cache-size
flag is no longer used, is deprecated, and will be removed in a future release (#69842, @liggitt)
- Add support for JSON patch in fake client (#69330, @vaikas-google)
v1.13.0-alpha.1
Documentation
Downloads for v1.13.0-alpha.1
filename |
sha512 hash |
kubernetes.tar.gz |
9f8a34b54a22ea4d7925c2f8d0e0cb2e2005486b1ed89e594bc0100ec7202fc247b89c5cbde5dc50c1f9d9f27e4f92aa0ca71fdffb9d079f63751bb1859d5bb4 |
kubernetes-src.tar.gz |
a27a7c254d3677c823bd6fd1d0d5f9b1e78ccf807837173669a0079b0812a23444d646d80c2433c167ae50bf1a0e2a4b1d7cbd7457a505fc666464b069bd1e5f |
Client Binaries
Server Binaries
Node Binaries
Changelog since v1.12.0
Action Required
- kube-apiserver: the deprecated
--etcd-quorum-read
flag has been removed, and quorum reads are always enabled when fetching data from etcd. (#69527, @liggitt)
- Moved staging/src/k8s.io/client-go/tools/bootstrap to staging/src/k8s… (#67356, @yliaog)
- [action required] kubeadm: The
v1alpha2
config API has been removed. (#69055, @fabriziopandini)
- Please convert your
v1alpha2
configuration files to v1alpha3
using the
kubeadm config migrate
command of kubeadm v1.12.x
Other notable changes
- Refactor factory_test.go to use a fake k8s client. (#69412, @tossmilestone)
- kubeadm: fix a case where fetching a kubernetesVersion from the internet still happened even if some commands don't need it. (#69645, @neolit123)
- Add tolerations for Stackdriver Logging and Metadata Agents. (#69737, @qingling128)
- Fix a bug in the scheduler that could cause the scheduler to go to an infinite loop when all nodes in a zone are removed. (#69758, @bsalamat)
- Dry-run is promoted to Beta and will be enabled by default. (#69644, @apelisse)
kubectl get priorityclass
now prints value column by default. (#69431, @Huang-Wei)
- Added a new container based image for running e2e tests (#69368, @dims)
- Remove the deprecated --google-json-key flag from kubelet. (#69354, @yujuhong)
- kube-apiserver: fixes
procMount
field incorrectly being marked as required in openapi schema (#69694, @jessfraz)
- The
LC_ALL
and LC_MESSAGES
env vars can now be used to set desired locale for kubectl
while keeping LANG
unchanged. (#69500, @m1kola)
- Add ability to control primary GID of containers through Pod Spec and PodSecurityPolicy (#67802, @krmayankk)
- NodeLifecycleController: Now node lease renewal is treated as the heartbeat signal from the node, in addition to NodeStatus Update. (#69241, @wangzhen127)
- [GCE] Enable by default audit logging truncating backend. (#68288, @loburm)
- Enable insertId generation, and update Stackdriver Logging Agent image to 0.5-1.5.36-1-k8s. This help reduce log duplication and guarantee log order. (#68920, @qingling128)
- Move NodeInfo utils into pkg/scheduler/cache. (#69495, @wgliang)
- adds dynamic shared informers to write generic, non-generated controllers (#69308, @p0lyn0mial)
- Move CacheComparer to pkg/scheduler/internal/cache/comparer. (#69317, @wgliang)
- Updating OWNERS list for vSphere Cloud Provider. (#69187, @SandeepPissay)
- The default storage class annotation for the storage addons has been changed to use the GA variant (#68345, @smelchior)
- Upgrade to etcd 3.3 client (#69322, @jpbetz)
- fix GetVolumeLimits log flushing issue (#69558, @andyzhangx)
- It is now possible to use named ports in the
kubectl port-forward
command (#69477, @m1kola)
- kubeadm: fix a possible scenario where kubeadm can pull much newer control-plane images (#69301, @neolit123)
- test/e2e/e2e.test: (#69105, @pohly)
* -viper-config can be used to set also the options defined by command line flags
* the default config file is "e2e.yaml/toml/json/..." and the test starts when no such config is found (as before) but if -viper-config is used, the config file must exist
* -viper-config can be used to select a file with full path, with or without file suffix
* the csiImageVersion/Registry flags were renamed to storage.csi.imageVersion/Registry
- Move FakeCache to pkg/scheduler/internal/cache/fake. (#69318, @wgliang)
- The "kubectl cp" command now supports path shortcuts (../) in remote paths. (#65189, @juanvallejo)
- Fixed subpath in containerized kubelet. (#69565, @jsafrane)
- The runtimeHandler field on the RuntimeClass resource now accepts the empty string. (#69550, @tallclair)
- Kubelet can now parse PEM file containing both TLS certificate and key in arbitrary order. Previously key was always required to be first. (#69536, @awly)
- Scheduling conformance tests related to daemonsets should set the annotation that relaxes node selection restrictions, if any are set. This ensures conformance tests can run on a wider array of clusters. (#68793, @aveshagarwal)
- Replace Parallelize with function ParallelizeUntil and formally deprecate the Parallelize. (#68403, @wgliang)
- Move scheduler cache interface and implementation to pkg/scheduler/internal/cache. (#68968, @wgliang)
- Update to use go1.11.1 (#69386, @cblecker)
- Any external provider should be aware the cloud-provider interface should be imported from :- (#68310, @cheftako)
- cloudprovider "k8s.io/cloud-provider"
- kubeadm: Fix a crash if the etcd local alpha phase is called when the configuration contains an external etcd cluster (#69420, @ereslibre)
- kubeadm now allows mixing of init/cluster and join configuration in a single YAML file (although a warning gets printed in this case). (#69426, @rosti)
- Code-gen: Remove lowercasing for project imports (#68484, @jsturtevant)
- Fix client cert setup in delegating authentication logic (#69430, @DirectXMan12)
- service.beta.kubernetes.io/aws-load-balancer-internal now supports true and false values, previously it only supported non-empty strings (#69436, @mcrute)
- OpenAPI spec and API reference now reflect dryRun query parameter for POST/PUT/PATCH operations (#69359, @roycaihw)
- kubeadm: Add a
v1beta1
API. (#69289, @fabriziopandini)
- kube-apiserver has removed support for the
etcd2
storage backend (deprecated since v1.9). Existing clusters must migrate etcd v2 data to etcd v3 storage before upgrading to v1.13. (#69310, @liggitt)
- List operations against the API now return internal server errors instead of partially complete lists when a value cannot be transformed from storage. The updated behavior is consistent with all other operations that require transforming data from storage such as watch and get. (#69399, @mikedanese)
kubectl wait
now supports condition value checks other than true using --for condition=available=false
(#69295, @deads2k)
- CCM server will not listen insecurely if secure port is specified (#68982, @aruneli)
- Bump cluster-proportional-autoscaler to 1.3.0 (#69338, @MrHohn)
-
- Rebase docker image on scratch.
- fix inconsistency in windows kernel proxy when updating HNS policy. (#68923, @delulu)
- Fixes the sample-apiserver so that its BanFlunder admission plugin can be used. (#68417, @MikeSpreitzer)
- Fixed CSIDriver API object to allow missing fields. (#69331, @jsafrane)
- Bump addon-manager to v8.8 (#69337, @MrHohn)
-
- Rebase docker image on debian-base:0.3.2.
- Update defaultbackend image to 1.5. Users should concentrate on updating scripts to the new version. (#69120, @aledbf)
- Bump Dashboard version to v1.10.0 (#68450, @jeefy)
- Fixed panic on iSCSI volume tear down. (#69140, @jsafrane)
- Update defaultbackend to v1.5 (#69334, @bowei)
- Remove unused chaosclient. (#68409, @wgliang)
- Enable AttachVolumeLimit feature (#69225, @gnufied)
- Update crictl to v1.12.0 (#69033, @feiskyer)
- Wait for pod failed event in subpath test. (#69300, @mrunalp)
- [GCP] Added env variables to control CPU requests of kube-controller-manager and kube-scheduler. (#68823, @loburm)
- Bump up pod short start timeout to 2 minutes. (#69291, @mrunalp)
- Use the mounted "/var/run/secrets/kubernetes.io/serviceaccount/token" as the token file for running in-cluster based e2e testing. (#69273, @dims)
- apiservice availability related to networking glitches are corrected faster (#68678, @deads2k)
- extract volume attachment status checking operation as a common function when attaching a CSI volume (#68931, @mlmhl)
- PodSecurityPolicy objects now support a
MayRunAs
rule for fsGroup
and supplementalGroups
options. This allows specifying ranges of allowed GIDs for pods/containers without forcing a default GID the way MustRunAs
does. This means that a container to which such a policy applies to won't use any fsGroup/supplementalGroup GID if not explicitly specified, yet a specified GID must still fall in the GID range according to the policy. (#65135, @stlaz)
- Images for cloud-controller-manager, kube-apiserver, kube-controller-manager, and kube-scheduler now contain a minimal /etc/nsswitch.conf and should respect /etc/hosts for lookups (#69238, @BenTheElder)
- add deprecation warning for all cloud providers (#69171, @andrewsykim)
- IPVS proxier mode now support connection based graceful termination. (#66012, @Lion-Wei)
- Fix panic in kubectl rollout commands (#69150, @soltysh)
- Add fallbacks to ARM API when getting empty node IP from Azure IMDS (#69077, @feiskyer)
- Deduplicate PATH items when reading plugins. (#69089, @soltysh)
- Adds permissions for startup of an on-cluster kube-controller-manager (#69062, @dghubble)
- Fixes issue [#68899](https://github.com/kubernetes/kubernetes/issues/68899) where pods might schedule on an unschedulable node. (#68984, @k82cn)
- Returns error if NodeGetInfo fails. (#68979, @xing-yang)
- Pod disruption budgets shouldn't be checked for terminal pods while evicting (#68892, @ravisantoshgudimetla)
- Fix scheduler crashes when Prioritize Map function returns error. (#68563, @DylanBLE)
- kubeadm: create control plane with ClusterFirstWithHostNet DNS policy (#68890, @andrewrynhard)
- Reduced excessive logging from fluentd-gcp-scaler. (#68837, @x13n)
- adds dynamic lister (#68748, @p0lyn0mial)
- kubectl: add the --no-headers flag to
kubectl top ...
(#67890, @WanLinghao)
- Restrict redirect following from the apiserver to same-host redirects, and ignore redirects in some cases. (#66516, @tallclair)
- Fixed pod cleanup when /var/lib/kubelet is a symlink. (#68741, @jsafrane)
- Add "only_cpu_and_memory" GET parameter to /stats/summary http handler in kubelet. If parameter is true then only cpu and memory will be present in response. (#67829, @krzysztof-jastrzebski)
- Start synchronizing pods after network is ready. (#68752, @krzysztof-jastrzebski)
- kubectl has gained new --profile and --profile-output options to output go profiles (#68681, @dlespiau)
- Provides FSGroup capability on FlexVolume driver. It allows to disable the VolumeOwnership operation when volume is mounted (#68680, @benoitf)
- Apply _netdev mount option on bind mount (#68626, @gnufied)
- fix UnmountDevice failure on Windows (#68608, @andyzhangx)
- Allows changing nodeName in endpoint update. (#68575, @prameshj)
- kube-apiserver would return 400 Bad Request when it couldn't decode a json patch. (#68346, @CaoShuFeng)
- kube-apiserver would return 422 Unprocessable Entity when a json patch couldn't be applied to one object.
- remove unused ReplicasetControllerOptions (#68121, @dixudx)
- Pass signals to fluentd process (#68064, @gianrubio)
- Flex drivers by default do not produce metrics. Flex plugins can enable metrics collection by setting the capability 'supportsMetrics' to true. Make sure the file system can support fs stat to produce metrics in this case. (#67508, @brahmaroutu)
- Use monotonically increasing generation to prevent scheduler equivalence cache race. (#67308, @cofyc)
- Fix kubelet service file permission warning (#66669, @daixiang0)
- Add prometheus metric for scheduling throughput. (#64526, @misterikkit)
- Get public IP for Azure vmss nodes. (#68498, @feiskyer)
- test/integration: add a basic test for covering CronJobs (#66937, @mortent)
- Make service environment variables optional (#68754, @bradhoekstra)