CHANGELOG-1.10.md

File metadata and controls

2033 lines (1442 loc) · 232 KB

v1.10.0

Documentation & Examples

Downloads for v1.10.0


Major Themes

Node

Many of the changes within SIG-Node revolve around control. With the beta release of the kubelet.config.k8s.io API group, a significant subset of Kubelet configuration can now be configured via a versioned config file. Kubernetes v1.10 adds alpha support for the ability to configure whether containers in a pod should share a single process namespace, and the CRI has been upgraded to v1alpha2, which adds support for Windows Container Configuration. Kubernetes v1.10 also ships with the beta release of the CRI validation test suite.

The Resource Management Working Group graduated three features to beta in the 1.10 release. First, CPU Manager, which allows users to request exclusive CPU cores. This helps performance in a variety of use-cases, including network latency sensitive applications, as well as applications that benefit from CPU cache residency. Next, Huge Pages, which allows pods to consume either 2Mi or 1Gi Huge Pages. This benefits applications that consume large amounts of memory. Use of Huge Pages is a common tuning recommendation for databases and JVMs. Finally, the Device Plugin feature, which provides a framework for vendors to advertise their resources to the Kubelet without changing Kubernetes core code. Targeted devices include GPUs, High-performance NICs, FPGAs, InfiniBand, and other similar computing resources that may require vendor specific initialization and setup.

Storage

This release brings additional power to both local storage and Persistent Volumes. Mount namespace propagation allows a container to mount a volume as rslave so that host mounts can be seen inside the container, or as rshared so that mounts made inside a container can be seen by the host. (Note that this is not supported on Windows.) Local Ephemeral Storage Capacity Isolation makes it possible to set requests and limits on ephemeral local storage resources. In addition, you can now create Local Persistent Storage, which enables PersistentVolumes to be created with locally attached disks, and not just network volumes.

On the Persistent Volumes side, this release prevents deletion of Persistent Volume Claims that are used by a pod and Persistent Volumes that are bound to a Persistent Volume Claim, making it impossible to delete storage that is in use by a pod.

This release also includes Topology Aware Volume Scheduling for local persistent volumes, the stable release of Detailed storage metrics of internal state, and beta support for Out-of-tree CSI Volume Plugins.

Windows

This release continues to enable more existing features on Windows, including container CPU resources, image filesystem stats, and flexvolumes. It also adds Windows service control manager support and experimental support for Hyper-V isolation of single-container pods.

OpenStack

SIG-OpenStack updated the OpenStack provider to use newer APIs, consolidated community code into one repository, engaged with the Cloud Provider Working Group to have a consistent plan for moving provider code into individual repositories, improved testing of provider code, and strengthened ties with the OpenStack developer community.

API-machinery

API Aggregation has been upgraded to "stable" in Kubernetes 1.10, so you can use it in production. Webhooks have seen numerous improvements, including alpha support for self-hosting authorizer webhooks.

Auth

This release lays the groundwork for new authentication methods, including the alpha release of External client-go credential providers and the TokenRequest API. In addition, Pod Security Policy now lets administrators decide what contexts pods can run in, and gives administrators the ability to limit node access to the API.

Azure

Kubernetes 1.10 includes alpha Azure support for cluster-autoscaler, as well as support for Azure Virtual Machine Scale Sets.

CLI

This release includes a change to kubectl get and describe to work better with extensions, as the server, rather than the client, returns this information for a smoother user experience.

Network

In terms of networking, Kubernetes 1.10 is about control. Users now have beta support for the ability to configure a pod's resolv.conf, rather than relying on the cluster DNS, as well as configuring the NodePort IP address. You can also switch the default DNS plugin to CoreDNS (beta).

Before Upgrading

  • If you need to downgrade from 1.10 to 1.9.x, downgrade to v1.9.6 to ensure PV and PVC objects can be deleted properly.

  • In-place node upgrades to this release from versions 1.7.14, 1.8.9, and 1.9.4 are not supported if using subpath volumes with PVCs. Such pods should be drained from the node first.

  • The minimum supported version of Docker is now 1.11; if you are using Docker 1.10 or below, be sure to upgrade Docker before upgrading Kubernetes. (#57845, @yujuhong)

  • The Container Runtime Interface (CRI) version has increased from v1alpha1 to v1alpha2. Runtimes implementing the CRI will need to update to the new version, which configures container namespaces using an enumeration rather than booleans. This change to the alpha API is not backwards compatible; implementations of the CRI, such as containerd, will need to update to the new API version. (#58973, @verb)

  • The default Flexvolume plugin directory for COS images on GCE has changed to /home/kubernetes/flexvolume, rather than /etc/srv/kubernetes/kubelet-plugins/volume/exec. Existing Flexvolume installations in clusters using COS images must be moved to the new directory, and installation processes must be updated with the new path. (#58171, @verult)

  • Default values differ between the Kubelet's componentconfig (config file) API and the Kubelet's command line. Be sure to review the default values when migrating to using a config file. For example, the authz mode is set to "AlwaysAllow" if you rely on the command line, but defaults to the more secure "Webhook" mode if you load config from a file. (#59666, @mtaufen)

  • [GCP kube-up.sh] Variables that were part of kube-env that were only used for kubelet flags are no longer being set, and are being replaced by the more portable mechanism of the kubelet configuration file. The individual variables in the kube-env metadata entry were never meant to be a stable interface and this release note only applies if you are depending on them. (#60020, @roberthbailey)

  • kube-proxy: feature gates are now specified as a map when provided via a JSON or YAML KubeProxyConfiguration, rather than as a string of key-value pairs. For example:

KubeProxyConfiguration Before:

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates: "SupportIPVSProxyMode=true"

KubeProxyConfiguration After:

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true

(#57962, @xiangpengzhao)

  • The kubeletconfig API group has graduated from alpha to beta, and the name has changed to kubelet.config.k8s.io. Please use kubelet.config.k8s.io/v1beta1, as kubeletconfig/v1alpha1 is no longer available. (#53833, @mtaufen)

  • kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens. (#59492, @dims)

  • The udpTimeoutMilliseconds field in the kube-proxy configuration file has been renamed to udpIdleTimeout. Administrators must update their files accordingly. (#57754, @ncdc)

  • The kubelet's --cloud-provider=auto-detect feature has been removed; make certain to specify the cloud provider. (#56287, @stewart-yu)

  • kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs; users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.

  • kube-apiserver: the root /proxy paths have been removed (deprecated since v1.2). Use the /proxy subresources on objects that support HTTP proxying. (#59884, @mikedanese)

  • Eviction thresholds set to 0% or 100% will turn off eviction. (#59681, @mtaufen)

  • CustomResourceDefinitions: OpenAPI v3 validation schemas containing $ref references are no longer permitted. Before upgrading, ensure CRD definitions do not include those $ref fields. (#58438, @carlory)

  • Webhooks now do not skip cluster-scoped resources. Before upgrading your Kubernetes clusters, double check whether you have configured webhooks for cluster-scoped objects (e.g., nodes, persistentVolume), as these webhooks will start to take effect. Delete/modify the configs if that's not desirable. (#58185, @caesarxuchao)

  • Using kubectl gcp auth plugin with a Google Service Account to authenticate to a cluster now additionally requests a token with the "userinfo.email" scope. This way, users can write ClusterRoleBindings/RoleBindings with the email address of the service account directly. (This is a breaking change if the numeric uniqueIDs of the Google service accounts were being used in RBAC role bindings. The behavior can be overridden by explicitly specifying the scope values as comma-separated string in the "users[*].config.scopes" field in the KUBECONFIG file.) This way, users can now set a Google Service Account JSON key in the GOOGLE_APPLICATION_CREDENTIALS environment variable, craft a kubeconfig file with GKE master IP+CA cert, and authenticate to GKE in headless mode without requiring gcloud CLI. (#58141, @ahmetb)

  • kubectl port-forward no longer supports the deprecated -p flag; the flag itself is unnecessary and should be replaced by just the <pod-name>. (#59705, @phsiao)

  • Removed deprecated --require-kubeconfig flag, removed default --kubeconfig value. (#58367, @zhangxiaoyu-zidif)

  • The public-address-override, address, and port flags have been removed and replaced by bind-address, insecure-bind-address, and insecure-port, respectively. They were marked as deprecated in #36604, more than a year ago. (#59018, @hzxuzhonghu)

  • The alpha --init-config-dir flag has been removed. Instead, use the --config flag to reference a kubelet configuration file directly. (#57624, @mtaufen)

  • Removed deprecated and unmaintained salt support. kubernetes-salt.tar.gz will no longer be published in the release tarball. (#58248, @mikedanese)

  • The deprecated --mode switch for GCE has been removed. (#61203)

  • The word “manifest” has been expunged from the Kubelet API. (#60314)

  • kubernetes#49213: sig-cluster-lifecycle has decided to phase out the cluster/ directory over the next couple of releases in favor of deployment automations maintained outside of the core repo and outside of kubernetes orgs. (@kubernetes/sig-cluster-lifecycle-misc)

  • The DaemonSet controller, its integration tests, and its e2e tests, have been updated to use the apps/v1 API. Users should, but are not yet required to, update their scripts accordingly. (#59883, @kow3ns)

  • MountPropagation feature is now beta. As a consequence, all volume mounts in containers are now rslave on Linux by default. To make this default work in all Linux environments, the entire mount tree should be marked as shareable, e.g. via mount --make-rshared /. All Linux distributions that use systemd already have the root directory mounted as rshared and hence they need not do anything. In Linux environments without systemd we recommend running mount --make-rshared / during boot before docker is started. (@jsafrane)
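The configuration-file changes in the list above (kube-proxy featureGates as a map, the udpTimeoutMilliseconds rename, the retired kubeletconfig/v1alpha1 group, and $ref in CRD validation schemas) can be checked before an upgrade. The following is an added example, not code from the Kubernetes project; it assumes the documents have already been parsed from JSON or YAML into Python dictionaries, and the sample documents are constructed.

```python
import json

# Constructed sample documents (not taken from a real cluster).
SAMPLE_DOCS = [
    {"apiVersion": "kubeproxy.config.k8s.io/v1alpha1",
     "kind": "KubeProxyConfiguration",
     "featureGates": "SupportIPVSProxyMode=true",
     "udpTimeoutMilliseconds": "250ms"},
    {"apiVersion": "kubeletconfig/v1alpha1", "kind": "KubeletConfiguration"},
    {"apiVersion": "apiextensions.k8s.io/v1beta1",
     "kind": "CustomResourceDefinition",
     "spec": {"validation": {"openAPIV3Schema": {"properties": {
         "spec": {"$ref": "#/definitions/Spec"},
         "replicas": {"type": "integer"}}}}}},
]


def parse_feature_gates(value):
    """Convert the pre-1.10 string form "A=true,B=false" into the 1.10 map form."""
    gates = {}
    for pair in value.split(","):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, flag = pair.partition("=")
        flag = flag.strip().lower()
        if not sep or flag not in ("true", "false"):
            raise ValueError(f"malformed feature gate entry: {pair!r}")
        gates[name.strip()] = flag == "true"
    return gates


def find_key(node, wanted, path=""):
    """Return the dotted path of every occurrence of key `wanted` in nested data."""
    hits = []
    if isinstance(node, dict):
        for key, child in node.items():
            here = f"{path}.{key}" if path else key
            if key == wanted:
                hits.append(here)
            hits.extend(find_key(child, wanted, here))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            hits.extend(find_key(child, wanted, f"{path}[{index}]"))
    return hits


def check_document(doc):
    """Return a list of findings for one parsed configuration document."""
    findings = []
    kind = doc.get("kind", "")
    if kind == "KubeProxyConfiguration":
        gates = doc.get("featureGates")
        if isinstance(gates, str):
            fixed = json.dumps(parse_feature_gates(gates), sort_keys=True)
            findings.append(f"featureGates must be a map, e.g. {fixed}")
        # Searched at any depth so no assumption is made about where the field sits.
        for path in find_key(doc, "udpTimeoutMilliseconds"):
            findings.append(f"{path} has been renamed to udpIdleTimeout")
    if doc.get("apiVersion") == "kubeletconfig/v1alpha1":
        findings.append(
            "kubeletconfig/v1alpha1 is no longer available; "
            "use kubelet.config.k8s.io/v1beta1")
    if kind == "CustomResourceDefinition":
        for path in find_key(doc, "$ref"):
            findings.append(
                f"$ref is no longer permitted in CRD validation schemas: {path}")
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_DOCS:
        for finding in check_document(sample):
            print(f"{sample['kind']}: {finding}")
```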

Known Issues

  • If you need to downgrade from 1.10 to 1.9.x, downgrade to v1.9.6 to ensure PV and PVC objects can be deleted properly.

  • Use of subPath module with hostPath volumes can cause issues during reconstruction (#61446) and with containerized kubelets (#61456). The workaround for this issue is to specify the complete path in the hostPath volume. Use of subPath mounts nested within atomic writer volumes (configmap, secret, downwardAPI, projected) does not work (#61545), and socket files cannot be loaded from a subPath (#62377). Work on these issues is ongoing.

  • Kubeadm is currently omitting etcd certificates in a self-hosted deployment; this will be fixed in a point release. (#61322)

  • Some users, especially those with very large clusters, may see higher memory usage by the kube-controller-manager in 1.10. (#61041)

Deprecations

  • etcd2 as a backend is deprecated and support will be removed in Kubernetes 1.13.

  • VolumeScheduling and LocalPersistentVolume features are beta and enabled by default. The PersistentVolume NodeAffinity alpha annotation is deprecated and will be removed in a future release. (#59391, @msau42)

  • The alpha Accelerators feature gate is deprecated and will be removed in v1.11. Please use device plugins (kubernetes/enhancements#368) instead. They can be enabled using the DevicePlugins feature gate. (#57384, @mindprince)

  • The ability to use kubectl scale jobs is deprecated. All other scale operations remain in place, but the ability to scale jobs will be removed in a future release. (#60139, @soltysh)

  • Flags that can be set via the Kubelet's --config file are now deprecated in favor of the file. (#60148, @mtaufen)

  • --show-all (which only affected pods and only for human readable/non-API printers) is now defaulted to true and deprecated. The flag determines whether pods in a terminal state are displayed. It will be inert in 1.11 and removed in a future release. (#60210, @deads2k)

  • The ability to use the insecure HTTP port of kube-controller-manager and cloud-controller-manager has been deprecated, and will be removed in a future release. Use --secure-port and --bind-address instead. (#59582, @sttts)

  • The ability to use the insecure flags --insecure-bind-address, --insecure-port in the apiserver has been deprecated and will be removed in a future release. Use --secure-port and --bind-address instead. (#59018, @hzxuzhonghu)

  • The recycling reclaim policy has been deprecated. Users should use dynamic provisioning instead. (#59063, @ayushpateria)

  • kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before upgrading to 1.11. (#58968, @deads2k)

  • The PodSecurityPolicy API has been moved to the policy/v1beta1 API group. The PodSecurityPolicy API in the extensions/v1beta1 API group is deprecated and will be removed in a future release. Authorizations for using pod security policy resources should change to reference the policy API group after upgrading to 1.11. (#54933, @php-coder)

  • Add --enable-admission-plugins and --disable-admission-plugins flags and deprecate --admission-control. When using the separate flags, the order in which they're specified doesn't matter. (#58123, @hzxuzhonghu)

  • The kubelet --docker-disable-shared-pid flag, which runs docker containers with a process namespace that is shared between all containers in a pod, is now deprecated and will be removed in a future release. It is replaced by v1.Pod.Spec.ShareProcessNamespace, which configures this behavior. This field is alpha and can be enabled with --feature-gates=PodShareProcessNamespace=true. (#58093, @verb)

  • The kubelet's cadvisor port has been deprecated. The default will change to 0 (disabled) in 1.12, and the cadvisor port will be removed entirely in 1.13. (#59827, @dashpole)

  • rktnetes has been deprecated in favor of rktlet. Please see https://github.com/kubernetes-incubator/rktlet for more information. (#58418, @yujuhong)

  • The Kubelet now explicitly registers all of its command-line flags with an internal flagset, which prevents flags from third party libraries from unintentionally leaking into the Kubelet's command-line API. Many unintentionally leaked flags are now marked deprecated, so that users have a chance to migrate away from them before they are removed. In addition, one previously leaked flag, --cloud-provider-gce-lb-src-cidrs, has been entirely removed from the Kubelet's command-line API, because it is irrelevant to Kubelet operation. The deprecated flags are:

    • --application_metrics_count_limit
    • --boot_id_file
    • --container_hints
    • --containerd
    • --docker
    • --docker_env_metadata_whitelist
    • --docker_only
    • --docker-tls
    • --docker-tls-ca
    • --docker-tls-cert
    • --docker-tls-key
    • --enable_load_reader
    • --event_storage_age_limit
    • --event_storage_event_limit
    • --global_housekeeping_interval
    • --google-json-key
    • --log_cadvisor_usage
    • --machine_id_file
    • --storage_driver_user
    • --storage_driver_password
    • --storage_driver_host
    • --storage_driver_db
    • --storage_driver_table
    • --storage_driver_secure
    • --storage_driver_buffer_duration

(#57613, @mtaufen)

  • The bootstrapped RBAC role and rolebinding for the cloud-provider service account is now deprecated. If you're currently using this service account, you must create and apply your own RBAC policy for new clusters. (#59949, @nicksardo)

  • Format-separated endpoints for the OpenAPI spec, such as /swagger.json, /swagger-2.0.0.0.json, and so on, have been deprecated. The old endpoints will remain in 1.10, 1.11, 1.12 and 1.13, and get removed in 1.14. Please use the single /openapi/v2 endpoint with the appropriate Accept: header instead. For example:

| previous | now |
|---|---|
| GET /swagger.json | GET /openapi/v2 Accept: application/json |
| GET /swagger-2.0.0.pb-v1 | GET /openapi/v2 Accept: application/com.github.proto-openapi.spec.v2@v1.0+protobuf |
| GET /swagger-2.0.0.pb-v1.gz | GET /openapi/v2 Accept: application/com.github.proto-openapi.spec.v2@v1.0+protobuf Accept-Encoding: gzip |

(#59293, @roycaihw)
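The kubelet and kube-apiserver flags named as removed under "Before Upgrading" and as deprecated in the list above can be matched against existing launch command lines. The following is an added example, not code from the Kubernetes project; the command lines are constructed, and treating "_" and "-" in flag names as equivalent is an assumption about how the components normalize flags.

```python
import shlex

# Deprecated kubelet flags leaked from third-party libraries, as listed above.
LEAKED_KUBELET_FLAGS = (
    "--application_metrics_count_limit", "--boot_id_file", "--container_hints",
    "--containerd", "--docker", "--docker_env_metadata_whitelist",
    "--docker_only", "--docker-tls", "--docker-tls-ca", "--docker-tls-cert",
    "--docker-tls-key", "--enable_load_reader", "--event_storage_age_limit",
    "--event_storage_event_limit", "--global_housekeeping_interval",
    "--google-json-key", "--log_cadvisor_usage", "--machine_id_file",
    "--storage_driver_user", "--storage_driver_password",
    "--storage_driver_host", "--storage_driver_db", "--storage_driver_table",
    "--storage_driver_secure", "--storage_driver_buffer_duration",
)


def canonical(name):
    """Normalize a flag name (assumption: '_' and '-' are interchangeable)."""
    return "--" + name.lstrip("-").replace("_", "-")


# component -> canonical flag -> (status, advice), all taken from the notes above.
RULES = {
    "kubelet": {
        "--init-config-dir": ("removed", "use --config to reference a kubelet configuration file"),
        "--cloud-provider-gce-lb-src-cidrs": ("removed", "irrelevant to Kubelet operation"),
        "--docker-disable-shared-pid": ("deprecated", "replaced by v1.Pod.Spec.ShareProcessNamespace"),
    },
    "kube-apiserver": {
        "--insecure-bind-address": ("deprecated", "use --secure-port and --bind-address"),
        "--insecure-port": ("deprecated", "use --secure-port and --bind-address"),
        "--tls-ca-file": ("deprecated", "has no effect; remove before upgrading to 1.11"),
        "--admission-control": ("deprecated", "use the separate enable/disable admission plugin flags"),
    },
}
for _flag in LEAKED_KUBELET_FLAGS:
    RULES["kubelet"][canonical(_flag)] = ("deprecated", "leaked third-party flag; migrate away")

# Rules that depend on the flag's value rather than only its name.
VALUE_RULES = {
    ("kubelet", "--cloud-provider", "auto-detect"): ("removed", "specify the cloud provider explicitly"),
}

# Constructed command lines for demonstration.
KUBELET_CMD = ("/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf "
               "--cloud-provider auto-detect --docker_only=true "
               "--init-config-dir /etc/kubelet.d")
APISERVER_CMD = ("kube-apiserver --secure-port=6443 --insecure-port=8080 "
                 "--tls-ca-file=/etc/ca.crt "
                 "--admission-control=NamespaceLifecycle,ServiceAccount")


def audit(component, command_line):
    """Return (status, flag as typed, advice) tuples, removed flags first."""
    tokens = shlex.split(command_line)
    rules = RULES.get(component, {})
    findings = []
    i = 0
    while i < len(tokens):
        token = tokens[i]
        i += 1
        if not token.startswith("--"):
            continue
        typed, sep, value = token.partition("=")
        # Handle the "--flag value" form as well as "--flag=value".
        if not sep and i < len(tokens) and not tokens[i].startswith("-"):
            value = tokens[i]
            i += 1
        name = canonical(typed)
        if name in rules:
            status, advice = rules[name]
            findings.append((status, typed, advice))
        if (component, name, value) in VALUE_RULES:
            status, advice = VALUE_RULES[(component, name, value)]
            findings.append((status, f"{typed}={value}", advice))
    findings.sort(key=lambda f: (f[0] != "removed", f[1]))
    return findings


if __name__ == "__main__":
    for component, cmd in (("kubelet", KUBELET_CMD), ("kube-apiserver", APISERVER_CMD)):
        for status, flag, advice in audit(component, cmd):
            print(f"{component}: {flag} is {status}: {advice}")
```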

Other Notable Changes

Apps

  • Updated defaultbackend image to 1.4 and deployment apiVersion to apps/v1. Users should concentrate on updating scripts to the new version. (#57866, @zouyee)

  • Fix StatefulSet to work correctly with set-based selectors. (#59365, @ayushpateria)

  • Fixes a case when Deployment with recreate strategy could get stuck on old failed Pod. (#60301, @tnozicka)

  • ConfigMap objects now support binary data via a new binaryData field. When using kubectl create configmap --from-file, files containing non-UTF8 data will be placed in this new field in order to preserve the non-UTF8 data. Note that kubectl's --append-hash feature doesn't take binaryData into account. Use of this feature requires 1.10+ apiserver and kubelets. (#57938, @dims)

AWS

  • Add AWS cloud provider option to use an assumed IAM role. For example, this allows running Controller Manager in an account separate from the worker nodes, but still allows all resources created to interact with the workers. ELBs created would be in the same account as the worker nodes, for instance. (#59668, @brycecarman)

  • AWS EBS volume plugin now includes block and volumeMode support. (#58625, @screeley44)

  • On AWS kubelet returns an error when started under conditions that do not allow it to work (AWS has not yet tagged the instance), rather than failing silently. (#60125, @vainu-arto)

  • AWS Security Groups created for ELBs will now be tagged with the same additional tags as the ELB; that is, the tags specified by the "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" annotation. This is useful for identifying orphaned resources. (#58767, @2rs2ts)

  • AWS Network Load Balancers will now be deleted properly, including security group rules. Fixes #57568 (#57569, @micahhausler)

  • Time for attach/detach retry operations has been decreased from 10-12s to 2-6s (#56974, @gnufied)

Auth

  • Contexts must be named in kubeconfigs. (#56769, @dixudx)

  • vSphere operations will no longer fail due to authentication errors. (#57978, @prashima)

  • This removes the cloud-provider role and role binding from the rbac bootstrapper and replaces it with a policy applied via addon mgr. This also creates a new clusterrole allowing the service account to create events for any namespace.

  • client-go: alpha support for out-of-tree exec-based credential providers. For example, a cloud provider could create their own authentication system rather than using the standard authentication provided with Kubernetes. (#59495, @ericchiang)

  • The node authorizer now allows nodes to request service account tokens for the service accounts of pods running on them. This allows agents using the node identity to take actions on behalf of local pods. (#55019, @mikedanese)

  • kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag. (#58544, @ericchiang)

  • Requests with invalid credentials no longer match audit policy rules where users or groups are set, correcting a problem where authorized requests were getting through. (#59398, @CaoShuFeng)

  • The Stackdriver Metadata Agent addon now includes RBAC manifests, enabling it to watch nodes and pods. (#57455, @kawych)

  • Fix RBAC role for certificate controller to allow cleaning up of Certificate Signing Requests that are Approved and issued or Denied. (#59375, @mikedanese)

  • kube-apiserver: Use of the --admission-control-config-file with a file containing an AdmissionConfiguration apiserver.k8s.io/v1alpha1 config object no longer leads to an error when launching kube-apiserver. (#58439, @liggitt)

  • Default enabled admission plugins are now NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota. Please note that if you previously had not set the --admission-control flag, your cluster behavior may change (to be more standard). (#58684, @hzxuzhonghu)

  • Encryption key and encryption provider rotation now works properly. (#58375, @liggitt)

  • RBAC: The system:kubelet-api-admin cluster role can be used to grant full access to the kubelet API so integrators can grant this role to the --kubelet-client-certificate credential given to the apiserver. (#57128, @liggitt)

  • DenyEscalatingExec admission controller now checks psp HostNetwork as well as hostIPC and hostPID. hostNetwork is also checked to deny exec/attach. (#56839, @hzxuzhonghu)

  • When using Role-Based Access Control, the "admin", "edit", and "view" roles now have the expected permissions on NetworkPolicy resources, rather than reserving those permissions to only cluster-admin. (#56650, @danwinship)

  • Added docker-logins config to kubernetes-worker charm. (#56217, @Cynerva)

  • Add ability to control primary GID of containers through Pod Spec at Pod level and Per Container SecurityContext level. (#52077, @krmayankk)

CLI

  • Use structured generator for kubectl autoscale. (#55913, @wackxu)

  • Allow kubectl to set image|env on a cronjob (#57742, @soltysh)

  • Fixed crash in kubectl cp when path has multiple leading slashes. (#58144, @tomerf)

  • kubectl port-forward now allows using resource name (e.g., deployment/www) to select a matching pod, as well as the use of --pod-running-timeout to wait until at least one pod is running. (#59705, @phsiao)

  • 'cj' has been added as a shortname for CronJobs, as in kubectl get cj (#59499, @soltysh)

  • crds has been added as a shortname for CustomResourceDefinition, as in kubectl get crds (#59061, @nikhita)

  • Fix kubectl explain for resources not existing in default version of API group, such as batch/v1, Kind=CronJob. (#58753, @soltysh)

  • Added the ability to select pods in a chosen node to be drained based on given pod label-selector. (#56864, @juanvallejo)

  • Kubectl explain now prints out the Kind and API version of the resource being explained. (#55689, @luksa)

Cluster Lifecycle

  • The default Kubernetes version for kubeadm is now 1.10. (#61127, @timothysc)

  • The minimum Kubernetes version in kubeadm is now v1.9.0. (#57233, @xiangpengzhao)

  • Fixes a bug in Heapster deployment for google sink. (#57902, @kawych)

  • On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS. This includes the etcd serving cert, the etcd peer cert, and the apiserver etcd client cert. Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs. For connections to etcd, https is now used in favor of http. (#57415, @stealthybox) These certs are also generated on upgrade. (#60385, @stealthybox)

  • Demoted controlplane passthrough flags apiserver-extra-args, controller-manager-extra-args, scheduler-extra-args to alpha flags (#59882, @kris-nova)

  • The new flag --apiserver-advertise-dns-address is used in the node's kubelet.conf to point to the API server, allowing users to define a DNS entry instead of an IP address. (#59288, @stevesloka)

  • MasterConfiguration manifest: the criSocket flag is now usable within the MasterConfiguration and NodeConfiguration manifest files that exist for configuring kubeadm. Before, it only existed as a command line flag and could not be configured when using the --config flag and the manifest files. (#59057, #59292, @JordanFaust)

  • kubeadm init can now omit the tainting of the master node if configured to do so in kubeadm.yaml using noTaintMaster: true. For example, users can create a file with the content:

apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.9.1
noTaintMaster: true

And point to the file using the --config flag, as in

kubeadm init --config /etc/kubeadm/kubeadm.yaml

(#55479, @ijc)

  • kubeadm: New "imagePullPolicy" option in the init configuration file, which gets forwarded to kubelet static pods to control pull policy for etcd and control plane images. This option allows for precise image pull policy specification for master nodes and thus for tighter control over images. It is useful in CI environments and in environments where the user has total control over master VM templates (thus, the master VM templates can be preloaded with the required Docker images for the control plane services). (#58960, @rosti)

  • Fixed issue with charm upgrades resulting in an error state. (#59064, @hyperbolic2346)

  • kube-apiserver --advertise-address is now set using downward API for self-hosted Kubernetes with kubeadm. (#56084, @andrewsykim)

  • When using client or server certificate rotation, the Kubelet will no longer wait until the initial rotation succeeds or fails before starting static pods. This makes running self-hosted masters with rotation more predictable. (#58930, @smarterclayton)

  • Kubeadm no longer throws an error for the --cloud-provider=external flag. (#58259, @dims)

  • Added support for network spaces in the kubeapi-load-balancer charm. (#58708, @hyperbolic2346)

  • Added support for network spaces in the kubernetes-master charm. (#58704, @hyperbolic2346)

  • Added support for network spaces in the kubernetes-worker charm. (#58523, @hyperbolic2346)

  • Added support for changing nginx and default backend images to kubernetes-worker config. (#58542, @hyperbolic2346)

  • kubeadm now accepts --apiserver-extra-args, --controller-manager-extra-args and --scheduler-extra-args, making it possible to override / specify additional flags for control plane components. One good example is to deploy Kubernetes with a different admission-control flag on API server. (#58080, @simonferquel)

  • Alpha Initializers have been removed from kubeadm admission control. Kubeadm users who still want to use Initializers can use apiServerExtraArgs through the kubeadm config file to enable it when booting up the cluster. (#58428, @dixudx)

  • ValidatingAdmissionWebhook and MutatingAdmissionWebhook are beta, and are enabled in kubeadm by default. (#58255, @dixudx)

  • Add proxy_read_timeout flag to kubeapi_load_balancer charm. (#57926, @wwwtyro)

  • Check for known manifests during preflight instead of only checking for non-empty manifests directory. This makes the preflight checks less heavy-handed by specifically checking for well-known files (kube-apiserver.yaml, kube-controller-manager.yaml, kube-scheduler.yaml, etcd.yaml) in /etc/kubernetes/manifests instead of simply checking for a non-empty directory. (#57287, @mattkelly)

  • PVC Protection alpha feature was renamed to Storage Protection. The Storage Protection feature is beta. (#59052, @pospispa)

  • iSCSI sessions managed by kubernetes will now explicitly set startup.mode to 'manual' to prevent automatic login after node failure recovery. This is the default open-iscsi mode, so this change will only impact users who have changed their startup.mode to be 'automatic' in /etc/iscsi/iscsid.conf. (#57475, @stmcginnis)

  • The IPVS feature gate is now enabled by default in kubeadm, which makes the --feature-gates=SupportIPVSProxyMode=true flag obsolete, and it is no longer supported. (#60540, @m1093782566)

GCP

Instrumentation

  • For advanced auditing, audit policy supports subresources wildcard matching, such as "resource/*", "*/subresource", "*". (#55306, @hzxuzhonghu)

  • Auditing is now enabled behind a featureGate in kubeadm. A user can supply their own audit policy with configuration option as well as a place for the audit logs to live. If no policy is supplied a default policy will be provided. The default policy will log all Metadata level policy logs. It is the example provided in the documentation. (#59067, @chuckha)

  • Reduce Metrics Server memory requirement from 140Mi + 4Mi per node to 40Mi + 4Mi per node. (#58391, @kawych)

  • Annotations have been added to the advanced audit API. (#58806, @CaoShuFeng)

  • Reorganized iptables rules to fix a performance regression on clusters with thousands of services. (#56164, @danwinship)

  • Container runtime daemon (e.g. dockerd) logs in GCE cluster will be uploaded to stackdriver and elasticsearch with tag container-runtime. (#59103, @Random-Liu)

  • Enable prometheus apiserver metrics for custom resources. (#57682, @nikhita)

  • Add apiserver metric for number of requests dropped because of inflight limit, making it easier to figure out on which dimension the master is overloaded. (#58340, @gmarek)

  • The Metrics Server now exposes metrics via the /metric endpoint. These metrics are in the prometheus format. (#57456, @kawych)

  • Reduced the CPU and memory requests for the Metrics Server Nanny sidecar container to free up unused resources. (#57252, @kawych)

  • Enabled log rotation for load balancer's api logs to prevent running out of disk space. (#56979, @hyperbolic2346)

  • Fixed etcd-version-monitor to backward compatibly support etcd 3.1 go-grpc-prometheus metrics format. (#56871, @jpbetz)

Node

  • Summary of Container Runtime changes:

    • [beta] cri-tools: CLI and validation tools for CRI is now v1.0.0-beta.0. This release mainly focused on UX improvements. [@feiskyer]
    • [stable] containerd: containerd v1.1 natively supports CRI v1alpha2 now, so users can use Kubernetes v1.10 with containerd v1.1 directly, without having to use the intermediate cri-containerd daemon. All Kubernetes 1.10 tests passed. [@Random-Liu]
    • [stable] cri-o: cri-o v1.10 updated CRI version to v1alpha2 and made several bug and stability fixes. [@mrunalp]
    • [stable] frakti: frakti v1.10 implemented GCE Persistent Disk as a high performance volume, fixed several bugs, added ARM64 support, and passed all CRI validation conformance tests and node e2e conformance tests. [@resouer]
    • [alpha] CRI now supports specifying the GID of the container at both LinuxSandboxSecurityContext and LinuxContainerSecurityContext in addition to specifying the UID. Support is implemented for dockershim. [@krmayankk]
  • Fixed race conditions around devicemanager Allocate() and endpoint deletion. (#60856, @jiayingz)

  • kubelet initial flag parse now normalizes flags instead of exiting. (#61053, @andrewsykim)

  • Fixed regression where kubelet --cpu-cfs-quota flag did not work when --cgroups-per-qos was enabled (#61294, @derekwaynecarr)

  • Kubelet now supports container log rotation for container runtimes implementing CRI (container runtime interface). The feature can be enabled with feature gate CRIContainerLogRotation. The flags --container-log-max-size and --container-log-max-files can be used to configure the rotation behavior. (#59898, @Random-Liu)

  • Fixed a bug where if an error was returned that was not an autorest.DetailedError we would return "not found", nil which caused nodes to go to NotReady state. (#57484, @brendandburns)

  • HugePages feature is beta, and thus enabled by default. (#56939, @derekwaynecarr)

  • Avoid panic when failing to allocate a Cloud CIDR (aka GCE Alias IP Range). (#58186, @negz)

  • 'none' can now be specified in KubeletConfiguration.EnforceNodeAllocatable (--enforce-node-allocatable) to explicitly disable enforcement. (#59515, @mtaufen)

  • The alpha KubeletConfiguration.ConfigTrialDuration field is no longer available. It can still be set using the dynamic configuration alpha feature. (#59628, @mtaufen)

  • Summary API will include pod CPU and Memory stats for CRI container runtime. (#60328, @Random-Liu)

  • Some field names in the Kubelet's now v1beta1 config API differ from the v1alpha1 API: for example, PodManifestPath is renamed to StaticPodPath, ManifestURL is renamed to StaticPodURL, and ManifestURLHeader is renamed to StaticPodURLHeader. Users should focus on switching to the v1beta1 API. (#60314, @mtaufen)

  • The DevicePlugins feature has graduated to beta, and is now enabled by default; users should focus on moving to the v1beta API if possible. (#60170, @jiayingz)

  • Per-cpu metrics have been disabled by default to improve scalability. (#60106, @dashpole)

  • When the PodShareProcessNamespace alpha feature is enabled, setting pod.Spec.ShareProcessNamespace to true will cause a single process namespace to be shared between all containers in a pod. (#58716, @verb)

  • Resource quotas on extended resources such as GPUs are now supported. (#57302, @lichuqiang)

  • If TaintNodesByCondition is enabled, a node will be tainted when it is under PID pressure. (#60008, @k82cn)

  • The Kubelet Summary API will now include total usage of pods through the "pods" SystemContainer. (#57802, @dashpole)

  • vSphere Cloud Provider supports VMs provisioned on vSphere v6.5. (#59519, @abrarshivani)

  • Created k8s.gcr.io image repo alias to pull images from the closest regional repo. Replaces gcr.io/google_containers. (#57824, @thockin)

  • Fix the bug where kubelet in the standalone mode would wait for the update from the apiserver source, even if there wasn't one. (#59276, @roboll)

  • Changes secret, configMap, downwardAPI and projected volumes to mount read-only, instead of allowing applications to write data and then reverting it automatically. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior. (#58720, @joelsmith)

  • Fixes a bug where kubelet crashes trying to free memory under memory pressure. (#58574, @yastij)

  • New alpha feature limits the number of processes running in a pod. Cluster administrators will be able to place limits by using the new kubelet command line parameter --pod-max-pids. Note that since this is an alpha feature they will need to enable the "SupportPodPidsLimit" feature. By default, we do not set any maximum limit. If an administrator wants to enable this, they should enable SupportPodPidsLimit=true in the --feature-gates= parameter to kubelet and specify the limit using the --pod-max-pids parameter. The limit set is the total count of all processes running in all containers in the pod. (#57973, @dims)

  • Fixes bug finding master replicas in GCE when running multiple Kubernetes clusters. (#58561, @jesseshieh)

  • --tls-min-version on kubelet and kube-apiserver allows for configuring minimum TLS versions. (#58528, @deads2k)

  • Fix a bug affecting nested data volumes such as secret, configmap, etc. (#57422, @joelsmith)

  • kubelet will no longer attempt to remove images being used by running containers when garbage collecting. (#57020, @dixudx)

  • Allow kubernetes components to react to SIGTERM signal and shutdown gracefully. (#57756, @mborsz)

  • Fixed garbage collection and resource quota issue when the controller-manager uses --leader-elect=false (#57340, @jmcmeek)

  • Fixed issue creating docker secrets with kubectl 1.9 for accessing docker private registries. (#57463, @dims)

  • The CPU Manager feature is now beta, and is enabled by default, but the default policy is no-op so no action is required. (#55977, @ConnorDoyle)

OpenStack

  • Fixed a bug in the OpenStack cloud provider where dual stack deployments (IPv4 and IPv6) did not work well when using kubenet as the network plugin. (#59749, @zioproto)

  • Fixed a bug that tries to use the octavia client to query flip. (#59075, @jrperritt)

  • Kubernetes now registers metadata.hostname as node name for OpenStack nodes, eliminating a problem with invalid node names. (#58502, @dixudx)

  • Authentication information for OpenStack cloud provider can now be specified as environment variables. When we convert the OpenStack cloud provider to run in an external process, we can now use the kubernetes Secrets capability to inject the OS_* variables. This way we can specify the cloud configuration as a configmap, and specify secrets for the userid/password information. The configmap is mounted as a file, and the secrets are made available as environment variables. The external controller itself runs as a pod/daemonset. For backward compatibility, we preload all the OS_* variables, and if anything is in the config file, then that overrides the environment variables. (#58300, @dims)

  • Fixed issue when using OpenStack config drive for node metadata. Since we need to run commands such as blkid, we need to ensure that api server and kube controller are running in the privileged mode. (#57561, @dims)

  • Orphaned routes are properly removed from terminated instances. (#56258, @databus23)

  • OpenStack Cinder will now detach properly when Nova is shut down. (#56846, @zetaab)

Scalability

  • Added the ability to limit the increase in apiserver memory usage when audit logging with buffering is enabled. (#61118, @shyamjvs)

  • Upgrade to etcd client 3.2.13 and grpc 1.7.5 to improve HA etcd cluster stability. (#57480, @jpbetz)

Storage

  • Fixes CVE-2017-1002101 - See https://issue.k8s.io/60813 for details on this major security fix. (#61044, @liggitt)

  • Fixed missing error checking that could cause kubelet to crash in a race condition. (#60962, @technicianted)

  • Fixed a regression that prevented using subPath volume mounts with secret, configMap, projected, and downwardAPI volumes. (#61080, @liggitt)

  • K8s supports cephfs fuse mount. (#55866, @zhangxiaoyu-zidif)

  • Use GiB unit for creating and resizing volumes for Glusterfs. (#56581, @gnufied)

  • Adding support for Block Volume type to rbd plugin. (#56651, @sbezverk)

  • Add FSType for CSI volume source to specify filesystems (alpha defaults to ext4) (#58209, @NickrenREN)

  • Enabled File system resize of mounted volumes. (#58794, @gnufied)

  • The Local Volume Plugin has been updated to support Block volumeMode PVs. With this change, it is now possible to create local volume PVs for raw block devices. (#59303, @dhirajh)

  • Fixed an issue where Portworx volume driver wasn't passing namespace and annotations to the Portworx Create API. (#59607, @harsh-px)

  • Addressed breaking changes introduced by new 0.2.0 release of CSI spec. Specifically, csi.Version was removed from all API calls and ControllerProbe and NodeProbe were consolidated into a single Probe API call. (#59209, @sbezverk)

  • GCE PD volume plugin now supports block volumes. (#58710, @screeley44)

  • Implements MountDevice and UnmountDevice for the CSI Plugin, the functions will call through to NodeStageVolume/NodeUnstageVolume for CSI plugins. (#60115, @davidz627)

  • The LocalStorageCapacityIsolation feature is beta and enabled by default. The LocalStorageCapacityIsolation feature added a new resource type ResourceEphemeralStorage "ephemeral-storage" so that this resource can be allocated, limited, and consumed in the same way as CPU/memory. All the features related to resource management (resource request/limit, quota, limitrange) are available for local ephemeral storage. This local ephemeral storage represents the storage for root file system, which will be consumed by containers' writable layer and logs. Some volumes such as emptyDir might also consume this storage. (#60159, @jingxu97)

  • VolumeScheduling and LocalPersistentVolume features are beta and enabled by default. The PersistentVolume NodeAffinity alpha annotation is deprecated and will be removed in a future release. (#59391, @msau42)

  • K8s now supports rbd-nbd for Ceph rbd volume mounts. (#58916, @ianchakeres)

  • CSI now allows credentials to be specified on CreateVolume/DeleteVolume, ControllerPublishVolume/ControllerUnpublishVolume, and NodePublishVolume/NodeUnpublishVolume operations. Before this change, all API calls had to fetch the key/value stored in a secret and use it to authenticate/authorize these operations. With this change, API calls receive the key/value as an input parameter, so they do not need to know where and how credentials were stored and fetched. The main goal was to make these API calls CO (Container Orchestrator) agnostic. (#60118, @sbezverk)

  • StorageOS volume plugin has been updated to support mount options and environments where the kubelet runs in a container and the device location should be specified. (#58816, @croomes)

  • Get parent dir via canonical absolute path when trying to judge mount-point, fixing a problem that caused an NFS volume with improper permissions to get stuck in TERMINATING status. (#58433, @yue9944882)

  • Clusters with GCE feature 'DiskAlphaAPI' enabled can now dynamically provision GCE PD volumes. (#59447, @verult)

  • Added keyring parameter for Ceph RBD provisioner. (#58287, @madddi)

  • Added xfsprogs to hyperkube container image. (#56937, @redbaron)

  • Improved the messages a user gets during and after volume resizing, providing a clear message explaining what to do when resizing is finished. (#58415, @gnufied)

  • MountPropagation feature is now beta. As a consequence, all volume mounts in containers are now "rslave" on Linux by default. To make this default work in all Linux environments you should have the entire mount tree marked as shareable via "mount --make-rshared /". All Linux distributions that use systemd already have the root directory mounted as rshared and hence they need not do anything. In Linux environments without systemd we recommend running "mount --make-rshared /" during boot, before docker is started. (#59252, @jsafrane)

  • Volume metrics support for vSphere Cloud Provider has been added. You can now monitor available space, capacity, and used space on volumes created using vSphere. (#59328, @divyenpatel)

  • Emit number of bound and unbound persistent volumes as Metrics. This PR adds four kinds of Volume Metrics for kube-controller-manager: bound PVC numbers, unbound PVC numbers, bound PV numbers and unbound PV numbers. The PVC metrics use namespace as dimension and the PV metrics use StorageClassName as its dimension. With these metrics we can better monitor the use of volumes in the cluster. (#57872, @mlmhl)

  • Add windows config to Kubelet CRI so that WindowsContainerResources can be managed. (#57076, @feiskyer)

  • PersistentVolumes that are bound to a PersistentVolumeClaim will not be deleted. (#58743, @NickrenREN)

  • The VolumeAttachment API is now available as V1beta1, and is enabled by default. The Alpha API is deprecated and will be removed in a future release. (#58462, @NickrenREN)

  • Add storage-backend configuration option to kubernetes-master charm. (#58830, @wwwtyro)

  • Fixed dynamic provisioning of GCE PDs to round to the next GB (base 1000) instead of GiB (base 1024). (#56600, @edisonxiang)

  • PersistentVolume flexVolume sources can now reference secrets in a namespace other than the PersistentVolumeClaim's namespace. (#56460, @liggitt)

Windows

  • kubelet and kube-proxy can now be run as native Windows services. (#60144, @alinbalutoiu)

  • WindowsContainerResources is set now for windows containers. (#59333, @feiskyer)

  • Disable mount propagation for windows containers (because it is not supported by the OS). (#60275, @feiskyer)

  • Fix image file system stats for windows nodes. (#59743, @feiskyer)

  • Kubernetes will now return an error if New-SmbGlobalMapping failed when mounting an azure file on Windows. (#59540, @andyzhangx)

  • Kubernetes now uses the more reliable GlobalMemoryStatusEx to get total physical memory on windows nodes. (#57124, @JiangtianLi)

  • Windows containers now support experimental Hyper-V isolation by setting annotation experimental.windows.kubernetes.io/isolation-type=hyperv and feature gates HyperVContainer. At the moment this function only supports one container per pod. (#58751, @feiskyer)

  • Get windows kernel version directly from registry rather than windows.getVersion(). (#58498, @feiskyer)

  • Fixed controller manager crash when using mixed case names in a vSphere cloud provider environment. (#57286, @rohitjogvmw)

  • Flexvolume is now enabled on Windows nodes. (#56921, @andyzhangx)

Autoscaling

  • The getSubnetIDForLB() returns subnet id rather than net id. (#58208, @FengyunPan)

  • kubectl scale can now scale any resource (kube, CRD, aggregate) conforming to the standard scale endpoint (#58298, @p0lyn0mial)

  • Cluster Autoscaler has been updated to Version 1.2.0, which includes fixes around GPUs and base image change. See https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.2.0 for details. (#60842, @mwielgus)

  • Allows HorizontalPodAutoscaler to use global metrics not associated with any Kubernetes object (for example metrics from a hosting service running outside of the Kubernetes cluster). (#60096, @MaciekPytel)

  • fluentd-gcp resources can be modified via a ScalingPolicy. (#59657, @x13n)

  • Added anti-affinity to kube-dns pods. Otherwise the "no single point of failure" setting doesn't actually work (a single node failure can still take down the entire cluster). (#57683, @vainu-arto)

API-Machinery

  • Fixed webhooks to use the scheme provided in clientConfig, instead of defaulting to http. (#60943, @jennybuckley)

  • The webhook admission controller in a custom apiserver now works off-the-shelf. (#60995, @caesarxuchao)

  • Upgrade the default etcd server version to 3.1.12 to pick up the critical etcd "mvcc 'unsynced' watcher restore operation" fix. (#60998, @jpbetz)

  • Fixed bug allowing garbage collector to enter a broken state that could only be fixed by restarting the controller-manager. (#61201, @jennybuckley)

  • kube-apiserver: The external hostname no longer uses the cloud provider API to select a default. It can be set explicitly using --external-hostname, if needed. If there is no default, AdvertiseAddress or os.Hostname() will be used, in that order. (#56812, @dims)

  • Custom resources can be listed with a set of grouped resources (category) by specifying the categories in the CustomResourceDefinition spec. Example: They can be used with kubectl get important, where important is a category. (#59561, @nikhita)

  • Fixed an issue making it possible to create a situation in which two webhooks make it impossible to delete each other. ValidatingWebhooks and MutatingWebhooks will not be called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in the admissionregistration.k8s.io group (#59840, @jennybuckley)

  • Fixed potential deadlock when deleting CustomResourceDefinition for custom resources with finalizers. (#60542, @liggitt)

  • A buffered audit backend can be used with other audit backends. (#60076, @crassirostris)

  • Introduced --http2-max-streams-per-connection command line flag on api-servers and set default to 1000 for aggregated API servers. (#60054, @MikeSpreitzer)

  • An API server backed by etcd v3 now exports a metric showing the number of resources per kind. (#59757, @gmarek)

  • Add kubectl create job --from-cronjob command. (#60084, @soltysh)

  • /status and /scale subresources have been added for custom resources. See kubernetes#55168 for more details. (#55168, @nikhita)

  • Restores the ability of older clients to delete and scale jobs with initContainers. (#59880, @liggitt)

  • Fixed a race condition causing apiserver crashes during etcd healthchecking. (#60069, @wojtek-t)

  • Fixed a race condition in k8s.io/client-go/tools/cache.SharedInformer that could violate the sequential delivery guarantee and cause panics on shutdown in Kubernetes 1.8.* and 1.9.*. (#59828, @krousey)

  • Add automatic etcd 3.2->3.1 and 3.1->3.0 minor version rollback support to gcr.io/google_container/etcd images. For HA clusters, all members must be stopped before performing a rollback. (#59298, @jpbetz)

  • The meta.k8s.io/v1alpha1 objects for retrieving tabular responses from the server (Table) or fetching just the ObjectMeta for an object (as PartialObjectMetadata) are now beta as part of meta.k8s.io/v1beta1 and configurations must be changed to use the new API. Clients may request alternate representations of normal Kubernetes objects by passing an Accept header like application/json;as=Table;g=meta.k8s.io;v=v1beta1 or application/json;as=PartialObjectMetadata;g=meta.k8s.io;v=v1beta1. Older servers will ignore this representation or return an error if it is not available. Clients may request fallback to the normal object by adding a non-qualified mime-type to their Accept header like application/json; the server will then respond with either the alternate representation if it is supported or the fallback mime-type, which is the normal object response. (#59059, @smarterclayton)

  • kube-apiserver now uses SSH tunnels for webhooks if the webhook is not directly routable from apiserver's network environment. (#58644, @yguo0905)

  • Access to externally managed IP addresses via the kube-apiserver service proxy subresource is no longer allowed by default. This can be re-enabled via the ServiceProxyAllowExternalIPs feature gate, but will be disallowed completely in 1.11 (#57265, @brendandburns)

  • The apiregistration.k8s.io (aggregation) is now generally available. Users should transition from the v1beta1 API to the v1 API. (#58393, @deads2k)

  • Fixes an issue where the resourceVersion of an object in a DELETE watch event was not the resourceVersion of the delete itself, but of the last update to the object. This could disrupt the ability of clients to re-establish watches properly. (#58547, @liggitt)

  • kube-apiserver: requests to endpoints handled by unavailable extension API servers (as indicated by an Available condition of false in the registered APIService) now return 503 errors instead of 404 errors. (#58070, @weekface)

  • Custom resources can now be submitted to and received from the API server in application/yaml format, consistent with other API resources. (#58260, @liggitt)

Network

  • Fixed kube-proxy to work correctly with iptables 1.6.2 and later. (#60978, @danwinship)

  • Makes the kube-dns addon optional so that users can deploy their own DNS solution. (#57113, @wwwtyro)

  • kubectl port-forward now supports specifying a service to port forward to, as in kubectl port-forward svc/myservice 8443:443. Additional support has also been added for looking up targetPort for a service, as well as enabling using svc/name to select a pod. (#59809, @phsiao)

  • Make NodePort IP addresses configurable. (#58052, @m1093782566)

  • Fixed the issue in kube-proxy iptables/ipvs mode to properly handle incorrect IP version. (#56880, @MrHohn)

  • Kubeadm: CoreDNS supports migration of the kube-dns configuration to CoreDNS configuration when upgrading the service discovery from kube-dns to CoreDNS as part of Beta. (#58828, @rajansandeep)

  • Adds BETA support for DNSConfig field in PodSpec and DNSPolicy=None, so configurable pod resolv.conf is now enabled by default. (#59771, @MrHohn)

  • Removed some redundant rules created by the iptables proxier to improve performance on systems with very many services. (#57461, @danwinship)

  • Fix an issue where port forwarding doesn't forward local TCP6 ports to the pod (#57457, @vfreex)

  • Correctly handle transient connection reset errors on GET requests from client library. (#58520, @porridge)

  • GCE: Allows existing internal load balancers to continue using a subnetwork that may have been wrongfully chosen due to a bug choosing subnetworks on automatic networks. (#57861, @nicksardo)

Azure

  • Set node external IP for azure node when disabling UseInstanceMetadata. (#60959, @feiskyer)

  • Changed default azure file/dir mode to 0755. (#56551, @andyzhangx)

  • Fixed azure file plugin failure issue on Windows after node restart. (#60625, @andyzhangx) (#60623, @feiskyer)

  • Fixed race condition issue when detaching azure disk, preventing Multi-Attach errors when scheduling one pod from one node to another. (#60183, @andyzhangx)

  • Add AzureDisk support for vmss nodes. (#59716, @feiskyer)

  • Map correct vmset name for Azure internal load balancers. (#59747, @feiskyer)

  • Node's providerID will now follow the Azure resource ID format (azure:///subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<node-name> rather than azure://d84a1c30-0c9f-11e8-8a34-000d3a919531) when useInstanceMetadata is enabled (#59539, @feiskyer)

  • Azure public IP is now correctly removed after a service is deleted. (#59340, @feiskyer)

  • Added PV size grow feature for azure filesystems. (#57017, @andyzhangx)

  • Ensured IP is set for Azure internal load balancer. (#59083, @feiskyer)

  • Set fsGroup by securityContext.fsGroup in azure file. However, if the user sets both gid=xxx in mountOptions in the azure storage class and securityContext.fsGroup, the gid=xxx setting in mountOptions takes precedence. (#58316, @andyzhangx)

  • If an Azure disk is not found, K8s will immediately detach it. (#58345, @rootfs)

  • Instrumented the Azure cloud provider for Prometheus monitoring. (#58204, @cosmincojocar)

  • Fixed device name change issues for azure disk. (#57953, @andyzhangx) (#57549, @andyzhangx)

  • Support multiple scale sets in Azure cloud provider. (#57543, @feiskyer)

  • Support LoadBalancer for Azure Virtual Machine Scale Sets (#57131, @feiskyer)

  • Fixed incorrect error info when creating an azure file PVC failed. (#56550, @andyzhangx)

  • Added mount options support for azure disk. For example:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: hdd
provisioner: kubernetes.io/azure-disk
mountOptions:
  - barrier=1
  - acl
parameters:
  skuname: Standard_LRS
  kind: Managed
  fstype: ext3

(#56147, @andyzhangx)

Scheduling

  • Fixed a bug in the scheduler cache by using Pod UID as the cache key instead of namespace/name. (#61069, @anfernee)

  • When TaintNodesByCondition is enabled, added node.kubernetes.io/unschedulable:NoSchedule (#61161, @k82cn)

  • kube-scheduler: Support extender managed extended resources in kube-scheduler (#60332, @yguo0905)

  • Updated priority of mirror pod according to PriorityClassName. (#58485, @k82cn)

  • kube-scheduler: restores default leader election behavior. Setting the --leader-elect command line parameter to true (#60524, @dims)

  • All pods with priorityClassName system-node-critical and system-cluster-critical will be critical pods while preserving backwards compatibility. (#58835, @ravisantoshgudimetla)

  • Priority admission controller picks a global default with the lowest priority value if more than one such default PriorityClass exists. (#59991, @bsalamat)

  • Disallow PriorityClass names with 'system-' prefix for user defined priority classes. (#59382, @bsalamat)

  • kube-scheduler: Use default predicates/prioritizers if they are unspecified in the policy config. (#59363, @yguo0905)

  • Scheduler should be able to read from config file if configmap is not present. (#59386, @ravisantoshgudimetla)

  • Add apiserver metric for current inflight-request usage. (#58342, @gmarek)

  • Stability: Make Pod delete event handling of scheduler more robust. (#58712, @bsalamat)

  • Allow the scheduler to set AlwaysCheckAllPredicates; short-circuiting all predicates if one predicate fails can greatly improve the scheduling performance. (#56926, @wgliang)

  • GCE: support passing kube-scheduler policy config via SCHEDULER_POLICY_CONFIG. This allows us to specify a customized scheduler policy configuration. (#57425, @yguo0905)

  • Returns an error for non-overcommittable resources if they don't have the limit field set in the container spec, to prevent users from creating invalid configurations. (#57170, @jiayingz)

  • GCE: Fixed ILB creation on automatic networks with manually created subnetworks. (#57351, @nicksardo)

  • Multiple performance improvements to the MatchInterPodAffinity predicate. (#57476, @misterikkit) (#57477, @misterikkit)

  • The calico-node addon tolerates all NoExecute and NoSchedule taints by default. So Calico components can even be scheduled on tainted nodes. (#57122, @caseydavenport)

  • The scheduler skips pods that use a PVC that either does not exist or is being deleted. (#55957, @jsafrane)

Other changes

  • Updated dashboard version to v1.8.3, which keeps auto-generated certs in memory. (#57326, @floreks)

  • fluentd-gcp addon: Fixed bug with reporting metrics in event-exporter. (#60126, @serathius)

  • Avoid hook errors when effecting label changes on kubernetes-worker charm. (#59803, @wwwtyro)

  • Fixed charm issue where docker login would run prior to daemon options being set. (#59396, @kwmonroe)

  • Implementers of the cloud provider interface will note the addition of a context to this interface. Trivial code modification will be necessary for a cloud provider to continue to compile. (#59287, @cheftako)

  • Added configurable etcd quota backend bytes in GCE. (#59259, @wojtek-t)

  • GCP: allow a master to not include a metadata concealment firewall rule (if it's not running the metadata proxy). (#58104, @ihmccreery)

  • Fixed issue with kubernetes-worker option allow-privileged not properly handling the value True with a capital T. (#59116, @hyperbolic2346)

  • Controller-manager --service-sync-period flag has been removed. (It was never used in the code and should have no user impact.) (#59359, @khenidak)

  • [fluentd-gcp addon] Switch to the image provided by Stackdriver. The Stackdriver Logging Agent container image uses fluentd v0.14.25. (#59128, @bmoyles0117)

Non-user-facing Changes

  • CRI now uses mountpoint as image filesystem identifier instead of UUID. (#59475, @Random-Liu)

  • GCE: support Cloud TPU API in cloud provider (#58029, @yguo0905)

  • kubelet now notifies systemd that it has finished starting, if systemd is available and running. (#60654, @dcbw)

  • Do not count failed pods as unready in HPA controller (#60648, @bskiba)

  • fixed foreground deletion of podtemplates (#60683, @nilebox)

  • Conformance tests are added for the DaemonSet kinds in the apps/v1 group version. Deprecated versions of DaemonSet will not be tested for conformance, and conformance is only applicable to release 1.10 and later. (#60456, @kow3ns)

  • Log audit backend can now be configured to perform batching before writing events to disk. (#60237, @crassirostris)

  • New conformance tests added for the Garbage Collector (#60116, @jennybuckley)

  • Fixes a bug where character devices are not recognized by the kubelet. (#60440, @andrewsykim)

  • StatefulSet in apps/v1 is now included in Conformance Tests. (#60336, @enisoc)

  • dockertools: disable memory swap on Linux. (#59404, @ohmystack)

  • Increase timeout of integration tests (#60458, @jennybuckley)

  • force node name lowercase on static pod name generating (#59849, @yue9944882)

  • fix device name change issue for azure disk (#60346, @andyzhangx)

  • Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services. (#60306, @danwinship)

  • add spelling checking script (#59463, @dixudx)

  • Use consts as predicate name in handlers (#59952, @resouer)

  • Fix instanceID for vmss nodes. (#59857, @feiskyer)

  • Increase allowed lag for ssh key sync loop in tunneler to allow for one failure (#60068, @wojtek-t)

  • Set an upper bound (5 minutes) on how long the Kubelet will wait before exiting when the client cert from disk is missing or invalid. This prevents the Kubelet from waiting forever without attempting to bootstrap a new client credentials. (#59316, @smarterclayton)

  • Add ipset binary for IPVS to hyperkube docker image (#57648, @Fsero)

  • Making sure CSI E2E test runs on a local cluster (#60017, @sbezverk)

  • Fix kubelet PVC stale metrics (#59170, @cofyc)

  • Separate current ARM rate limiter into read/write (#59830, @khenidak)

  • Improve control over how ARM rate limiter is used within Azure cloud provider, add generic cache for Azure VM/LB/NSG/RouteTable (#59520, @feiskyer)

  • fix typo (#59619, @jianliao82)

  • DaemonSet, Deployment, ReplicaSet, and StatefulSet objects are now persisted in etcd in apps/v1 format (#58854, @liggitt)

  • YAMLDecoder Read now tracks rest of buffer on io.ErrShortBuffer (#58817, @karlhungus)

  • Prevent kubelet from getting wedged if initialization of modules returns an error. (#59020, @brendandburns)

  • Fixed a race condition inside kubernetes-worker that would result in a temporary error situation. (#59005, @hyperbolic2346)

  • Fix regression in the CRI: do not add a default hostname on short image names (#58955, @runcom)

  • use containing API group when resolving shortname from discovery (#58741, @dixudx)

  • remove spaces from kubectl describe hpa (#56331, @shiywang)

  • fluentd-es addon: multiline stacktraces are now grouped into one entry automatically (#58063, @monotek)

  • Default scheduler code is moved out of the plugin directory. (#57852, @misterikkit)

  • CDK nginx ingress is now handled via a daemon set. (#57530, @hyperbolic2346)

  • Move local PV negative scheduling tests to integration (#57570, @sbezverk)

  • Only create Privileged PSP binding during e2e tests if RBAC is enabled. (#56382, @mikkeloscar)

  • ignore nonexistent ns net file error when deleting container network in case of a retry (#57697, @dixudx)

  • Use old dns-ip mechanism with older cdk-addons. (#57403, @wwwtyro)

  • Retry 'connection refused' errors when setting up clusters on GCE. (#57394, @mborsz)

  • YAMLDecoder Read now returns the number of bytes read (#57000, @sel)

  • Drop hacks used for Mesos integration that was already removed from main kubernetes repository (#56754, @dims)

  • Compare correct file names for volume detach operation (#57053, @prashima)

  • Fixed documentation typo in IPVS README. (#56578, @shift)

  • The ConfigOK node condition has been renamed to KubeletConfigOk. (#59905, @mtaufen)

  • Adding pkg/kubelet/apis/deviceplugin/v1beta1 API. (#59588, @jiayingz)

  • Fixes volume predicate handler for equiv class (#59335, @resouer)

  • Bugfix: vSphere Cloud Provider (VCP) does not need any special service account anymore. (#59440, @rohitjogvmw)

  • fix the error-prone account creation method of blob disk (#59739, @andyzhangx)

  • Updated kubernetes-worker to request new security tokens when the aws cloud provider changes the registered node name. (#59730, @hyperbolic2346)

  • Pod priority can be specified in PodSpec even when the feature is disabled, but it will be effective only when the feature is enabled. (#59291, @bsalamat)

  • Add generic cache for Azure VMSS (#59652, @feiskyer)

  • fix the create azure file pvc failure if there is no storage account in current resource group (#56557, @andyzhangx)

  • Implement envelope service with gRPC, so that KMS providers can be pulled out from API server. (#55684, @wu-qiang)

  • Enable golint for pkg/scheduler and fix the golint errors in it. (#58437, @tossmilestone)

  • Ensure equiv hash calculation is per schedule (#59245, @resouer)

  • Upped the timeout for apiserver communication in the juju kubernetes-worker charm. (#59219, @hyperbolic2346)

  • kubeadm init: skip checking cri socket in preflight checks (#58802, @dixudx)

  • Configurable etcd compaction frequency in GCE (#59106, @wojtek-t)

  • Fixed a bug which caused the apiserver reboot failure in the presence of malfunctioning webhooks. (#59073, @caesarxuchao)

  • GCE: Apiserver uses InternalIP as the most preferred kubelet address type by default. (#59019, @MrHohn)

  • CRI: Add a call to reopen log file for a container. (#58899, @yujuhong)

  • The alpha KubeletConfigFile feature gate has been removed, because it was redundant with the Kubelet's --config flag. It is no longer necessary to set this gate to use the flag. The --config flag is still considered alpha. (#58978, @mtaufen)

  • Fixing extra_sans option on master and load balancer. (#58843, @hyperbolic2346)

  • Ensure config has been created before attempting to launch ingress. (#58756, @wwwtyro)

  • Support metrics API in kubectl top commands. (#56206, @brancz)

  • Bump GCE metadata proxy to v0.1.9 to pick up security fixes. (#58221, @ihmccreery)

  • "ExternalTrafficLocalOnly" has been removed from feature gate. It has been a GA feature since v1.7. (#56948, @MrHohn)

  • feat(fakeclient): push event on watched channel on add/update/delete (#57504, @yue9944882)

  • Fixes a possible deadlock preventing quota from being recalculated (#58107, @ironcladlou)

  • Bump metadata proxy version to v0.1.7 to pick up security fix. (#57762, @ihmccreery)

  • The kubelet uses a new release 3.1 of the pause container with the Docker runtime. This version will clean up orphaned zombie processes that it inherits. (#57517, @verb)

  • Add cache for VM get operation in azure cloud provider (#57432, @karataliu)

  • Configurable liveness probe initial delays for etcd and kube-apiserver in GCE (#57749, @wojtek-t)

  • Fixed garbage collection hang (#57503, @liggitt)

  • Improve scheduler performance of MatchInterPodAffinity predicate. (#57478, @misterikkit)

  • Add the path '/version/' to the system:discovery cluster role. (#57368, @brendandburns)

  • adding predicates ordering for the kubernetes scheduler. (#57168, @yastij)

  • Fix ipvs proxier nodeport eth* assumption (#56685, @m1093782566)

  • Fix Heapster configuration and Metrics Server configuration to enable overriding default resource requirements. (#56965, @kawych)

  • Improved event generation in volume mount, attach, and extend operations (#56872, @davidz627)

  • Remove ScrubDNS interface from cloudprovider. (#56955, @feiskyer)

  • Fixed a garbage collection race condition where objects with ownerRefs pointing to cluster-scoped objects could be deleted incorrectly. (#57211, @liggitt)

  • api-server provides specific events when unable to repair a service cluster ip or node port (#54304, @frodenas)

  • delete useless params containerized (#56146, @jiulongzaitian)

  • dockershim now makes an Image's Labels available in the Info field of ImageStatusResponse (#58036, @shlevy)

  • Support GetLabelsForVolume in OpenStack Provider (#58871, @edisonxiang)

  • Add "nominatedNodeName" field to PodStatus. This field is set when a pod preempts other pods on the node. (#58990, @bsalamat)

  • Fix the PersistentVolumeLabel controller from initializing the PV labels when it's not the next pending initializer. (#56831, @jhorwit2)

  • Rename StorageProtection to StorageObjectInUseProtection (#59901, @NickrenREN)

  • Add support for cloud-controller-manager in local-up-cluster.sh (#57757, @dims)

  • GCE: A role and clusterrole will now be provided with GCE/GKE for allowing the cloud-provider to post warning events on all services and watching configmaps in the kube-system namespace. No user action is required. (#59686, @nicksardo)

  • Wait for kubedns to be ready when collecting the cluster IP. (#57337, @wwwtyro)

External Dependencies

  • The supported etcd server version is 3.1.12, as compared to 3.0.17 in v1.9 (#60988)
  • The validated docker versions are the same as for v1.9: 1.11.2 to 1.13.1 and 17.03.x (ref)
  • The Go version is go1.9.3, as compared to go1.9.2 in v1.9. (#59012)
  • The minimum supported go is the same as for v1.9: go1.9.1. (#55301)
  • CNI is the same as v1.9: v0.6.0 (#51250)
  • CSI is updated to 0.2.0 as compared to 0.1.0 in v1.9. (#60736)
  • The dashboard add-on has been updated to v1.8.3, as compared to 1.8.0 in v1.9. (#517326)
  • Heapster is the same as v1.9: v1.5.0. It will be upgraded in v1.11. (ref)
  • Cluster Autoscaler has been updated to v1.2.0. (#60842, @mwielgus)
  • Updates kube-dns to v1.14.8 (#57918, @rramkumar1)
  • Influxdb is unchanged from v1.9: v1.3.3 (#53319)
  • Grafana is unchanged from v1.9: v4.4.3 (#53319)
  • CAdvisor is v0.29.1 (#60867)
  • fluentd-gcp-scaler is v0.3.0 (#61269)
  • Updated fluentd in fluentd-es-image to fluentd v1.1.0 (#58525, @monotek)
  • fluentd-elasticsearch is v2.0.4 (#58525)
  • Updated fluentd-gcp to v3.0.0. (#60722)
  • Ingress glbc is v1.0.0 (#61302)
  • OIDC authentication is coreos/go-oidc v2 (#58544)
  • Updated fluentd-gcp to v2.0.11. (#56927, @x13n)
  • Calico has been updated to v2.6.7 (#59130, @caseydavenport)

v1.10.0-rc.1

Documentation & Examples

Downloads for v1.10.0-rc.1

Changelog since v1.10.0-beta.4

Other notable changes

  • Updates kubeadm default to use 1.10 (#61127, @timothysc)
  • Bump ingress-gce image in glbc.manifest to 1.0.0 (#61302, @rramkumar1)
  • Fix regression where kubelet --cpu-cfs-quota flag did not work when --cgroups-per-qos was enabled (#61294, @derekwaynecarr)
  • Fix bug allowing garbage collector to enter a broken state that could only be fixed by restarting the controller-manager. (#61201, @jennybuckley)
  • When TaintNodesByCondition is enabled, the node.kubernetes.io/unschedulable:NoSchedule taint is added to the node if spec.Unschedulable is true. When ScheduleDaemonSetPods is enabled, the node.kubernetes.io/unschedulable:NoSchedule toleration is added automatically to DaemonSet Pods, so the unschedulable field of a node is not respected by the DaemonSet controller. (#61161, @k82cn)
  • Fixed kube-proxy to work correctly with iptables 1.6.2 and later. (#60978, @danwinship)
  • Audit logging with buffering enabled can increase apiserver memory usage (e.g. up to 200MB in 100-node cluster). The increase is bounded by the buffer size (configurable). Ref: issue #60500 (#61118, @shyamjvs)
  • Fix a bug in scheduler cache by using Pod UID as the cache key instead of namespace/name (#61069, @anfernee)

v1.10.0-beta.4

Documentation & Examples

Downloads for v1.10.0-beta.4

Changelog since v1.10.0-beta.3

Other notable changes

  • Fix a regression that prevented using subPath volume mounts with secret, configMap, projected, and downwardAPI volumes (#61080, @liggitt)
  • Upgrade the default etcd server version to 3.1.12 to pick up critical etcd "mvcc "unsynced" watcher restore operation" fix. (#60998, @jpbetz)
  • Fixed missing error checking that could cause kubelet to crash in a race condition. (#60962, @technicianted)

v1.10.0-beta.3

Documentation & Examples

Downloads for v1.10.0-beta.3

Changelog since v1.10.0-beta.2

Other notable changes

v1.10.0-beta.2

Documentation & Examples

Downloads for v1.10.0-beta.2

Changelog since v1.10.0-beta.1

Action Required

  • ACTION REQUIRED: LocalStorageCapacityIsolation feature is beta and enabled by default. (#60159, @jingxu97)

Other notable changes

  • Upgrade the default etcd server version to 3.2.16 (#59836, @jpbetz)
  • Cluster Autoscaler 1.1.2 (#60842, @mwielgus)
  • ValidatingWebhooks and MutatingWebhooks will not be called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in the admissionregistration.k8s.io group (#59840, @jennybuckley)
  • Kubeadm: CoreDNS supports migration of the kube-dns configuration to CoreDNS configuration when upgrading the service discovery from kube-dns to CoreDNS as part of Beta. (#58828, @rajansandeep)
  • Fix broken useManagedIdentityExtension for azure cloud provider (#60775, @feiskyer)
  • kubelet now notifies systemd that it has finished starting, if systemd is available and running. (#60654, @dcbw)
  • Do not count failed pods as unready in HPA controller (#60648, @bskiba)
  • fixed foreground deletion of podtemplates (#60683, @nilebox)
  • Conformance tests are added for the DaemonSet kinds in the apps/v1 group version. Deprecated versions of DaemonSet will not be tested for conformance, and conformance is only applicable to release 1.10 and later. (#60456, @kow3ns)
  • Log audit backend can now be configured to perform batching before writing events to disk. (#60237, @crassirostris)
  • Fixes potential deadlock when deleting CustomResourceDefinition for custom resources with finalizers (#60542, @liggitt)
  • fix azure file plugin failure issue on Windows after node restart (#60625, @andyzhangx)
  • Set Azure vmType to standard if it is not set in azure cloud config. (#60623, @feiskyer)
  • On cluster provision or upgrade, kubeadm generates an etcd specific CA for all etcd related certificates. (#60385, @stealthybox)
  • kube-scheduler: restores default leader election behavior. leader-elect command line parameter should be "true" (#60524, @dims)
  • client-go: alpha support for exec-based credential providers (#59495, @ericchiang)

v1.10.0-beta.1

Documentation & Examples

Downloads for v1.10.0-beta.1

Changelog since v1.10.0-alpha.3

Action Required

  • [action required] Default Flexvolume plugin directory for COS images on GCE is changed to /home/kubernetes/flexvolume. (#58171, @verult)
  • action required: [GCP kube-up.sh] Some variables that were part of kube-env are no longer being set (ones only used for kubelet flags) and are being replaced by a more portable mechanism (kubelet configuration file). The individual variables in the kube-env metadata entry were never meant to be a stable interface and this release note only applies if you are depending on them. (#60020, @roberthbailey)
  • action required: Deprecate format-separated endpoints for OpenAPI spec. Please use single /openapi/v2 endpoint instead. (#59293, @roycaihw)
  • action required: kube-proxy: feature gates are now specified as a map when provided via a JSON or YAML KubeProxyConfiguration, rather than as a string of key-value pairs. (#57962, @xiangpengzhao)
  • Action Required: The bootstrapped RBAC role and rolebinding for the cloud-provider service account is now deprecated. If you're currently using this service account, you must create and apply your own RBAC policy for new clusters. (#59949, @nicksardo)
  • ACTION REQUIRED: VolumeScheduling and LocalPersistentVolume features are beta and enabled by default. The PersistentVolume NodeAffinity alpha annotation is deprecated and will be removed in a future release. (#59391, @msau42)
  • action required: Deprecate the kubelet's cadvisor port. The default will change to 0 (disabled) in 1.12, and the cadvisor port will be removed entirely in 1.13. (#59827, @dashpole)
  • action required: The kubeletconfig API group has graduated from alpha to beta, and the name has changed to kubelet.config.k8s.io. Please use kubelet.config.k8s.io/v1beta1, as kubeletconfig/v1alpha1 is no longer available. (#53833, @mtaufen)
  • Action required: Default values differ between the Kubelet's componentconfig (config file) API and the Kubelet's command line. Be sure to review the default values when migrating to using a config file. (#59666, @mtaufen)
  • kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens. (#59492, @dims)
  • The udpTimeoutMilliseconds field in the kube-proxy configuration file has been renamed to udpIdleTimeout. Action required: administrators need to update their files accordingly. (#57754, @ncdc)

Other notable changes

  • Enable IPVS feature gateway by default (#60540, @m1093782566)
  • dockershim now makes an Image's Labels available in the Info field of ImageStatusResponse (#58036, @shlevy)
  • kube-scheduler: Support extender managed extended resources in kube-scheduler (#60332, @yguo0905)
  • Fix the issue in kube-proxy iptables/ipvs mode to properly handle incorrect IP version. (#56880, @MrHohn)
  • WindowsContainerResources is set now for windows containers (#59333, @feiskyer)
  • GCE: support Cloud TPU API in cloud provider (#58029, @yguo0905)
  • The node authorizer now allows nodes to request service account tokens for the service accounts of pods running on them. (#55019, @mikedanese)
  • Fix StatefulSet to work with set-based selectors. (#59365, @ayushpateria)
  • New conformance tests added for the Garbage Collector (#60116, @jennybuckley)
  • Make NodePort IP addresses configurable (#58052, @m1093782566)
  • Implements MountDevice and UnmountDevice for the CSI Plugin, the functions will call through to NodeStageVolume/NodeUnstageVolume for CSI plugins. (#60115, @davidz627)
  • Fixes a bug where character devices are not recognized by the kubelet (#60440, @andrewsykim)
  • [fluentd-gcp addon] Switch to the image, provided by Stackdriver. (#59128, @bmoyles0117)
  • StatefulSet in apps/v1 is now included in Conformance Tests. (#60336, @enisoc)
  • K8s supports rbd-nbd for Ceph rbd volume mounts. (#58916, @ianchakeres)
  • AWS EBS volume plugin got block volume support (#58625, @screeley44)
  • Summary API will include pod CPU and Memory stats for CRI container runtime. (#60328, @Random-Liu)
  • dockertools: disable memory swap on Linux. (#59404, @ohmystack)
  • On AWS kubelet returns an error when started under conditions that do not allow it to work (AWS has not yet tagged the instance). (#60125, @vainu-arto)
  • Increase timeout of integration tests (#60458, @jennybuckley)
  • Fixes a case when Deployment with recreate strategy could get stuck on old failed Pod. (#60301, @tnozicka)
  • Buffered audit backend is introduced, to be used with other audit backends. (#60076, @crassirostris)
  • Update dashboard version to v1.8.3 (#57326, @floreks)
  • GCE PD volume plugin got block volume support (#58710, @screeley44)
  • force node name lowercase on static pod name generating (#59849, @yue9944882)
  • AWS Security Groups created for ELBs will now be tagged with the same additional tags as the ELB (i.e. the tags specified by the "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" annotation.) (#58767, @2rs2ts)
  • Fixes an error when deleting an NLB in AWS - Fixes #57568 (#57569, @micahhausler)
  • fix device name change issue for azure disk (#60346, @andyzhangx)
  • On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS. (#57415, @stealthybox)
  • Some field names in the Kubelet's now v1beta1 config API differ from the v1alpha1 API: PodManifestPath is renamed to StaticPodPath, ManifestURL is renamed to StaticPodURL, ManifestURLHeader is renamed to StaticPodURLHeader. (#60314, @mtaufen)
  • Adds BETA support for DNSConfig field in PodSpec and DNSPolicy=None. (#59771, @MrHohn)
  • kubeadm: Demote controlplane passthrough flags to alpha flags (#59882, @kris-nova)
  • DevicePlugins feature graduates to beta. (#60170, @jiayingz)
  • Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services. (#60306, @danwinship)
  • CSI now allows credentials to be specified on CreateVolume/DeleteVolume, ControllerPublishVolume/ControllerUnpublishVolume, and NodePublishVolume/NodeUnpublishVolume operations (#60118, @sbezverk)
  • Disable mount propagation for windows containers. (#60275, @feiskyer)
  • Introduced --http2-max-streams-per-connection command line flag on api-servers and set default to 1000 for aggregated API servers. (#60054, @MikeSpreitzer)
  • APIserver backed by etcdv3 exports metric showing number of resources per kind (#59757, @gmarek)
  • The DaemonSet controller, its integration tests, and its e2e tests, have been updated to use the apps/v1 API. (#59883, @kow3ns)
  • Fix image file system stats for windows nodes (#59743, @feiskyer)
  • Custom resources can be listed with a set of grouped resources (category) by specifying the categories in the CustomResourceDefinition spec. Example: They can be used with kubectl get all, where all is a category. (#59561, @nikhita)
  • [fluentd-gcp addon] Fixed bug with reporting metrics in event-exporter (#60126, @serathius)
  • Critical pods to use priorityClasses. (#58835, @ravisantoshgudimetla)
  • --show-all (which only affected pods and only for human readable/non-API printers) is now defaulted to true and deprecated. It will be inert in 1.11 and removed in a future release. (#60210, @deads2k)
  • Removed some redundant rules created by the iptables proxier, to improve performance on systems with very many services. (#57461, @danwinship)
  • Disable per-cpu metrics by default for scalability. (#60106, @dashpole)
    • Fix inaccurate disk usage monitoring of overlayFs.
    • Retry docker connection on startup timeout to avoid permanent loss of metrics.
  • When the PodShareProcessNamespace alpha feature is enabled, setting pod.Spec.ShareProcessNamespace to true will cause a single process namespace to be shared between all containers in a pod. (#60181, @verb)
  • add spelling checking script (#59463, @dixudx)
  • Allows HorizontalPodAutoscaler to use global metrics not associated with any Kubernetes object (for example metrics from a hosted service running outside of the Kubernetes cluster). (#60096, @MaciekPytel)
  • fix race condition issue when detaching azure disk (#60183, @andyzhangx)
  • Add kubectl create job command (#60084, @soltysh)
  • [Alpha] Kubelet now supports container log rotation for container runtimes that implement CRI (Container Runtime Interface). (#59898, @Random-Liu)
    • The feature can be enabled with feature gate CRIContainerLogRotation.
    • The flags --container-log-max-size and --container-log-max-files can be used to configure the rotation behavior.
  • Reorganized iptables rules to fix a performance regression on clusters with thousands of services. (#56164, @danwinship)
  • StorageOS volume plugin updated to support mount options and environments where the kubelet runs in a container and the device location should be specified. (#58816, @croomes)
  • Use consts as predicate name in handlers (#59952, @resouer)
  • /status and /scale subresources are added for custom resources. (#55168, @nikhita)
  • Allow kubectl env to specify which keys to import from a config map (#60040, @PhilipGough)
  • Set default enabled admission plugins NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota (#58684, @hzxuzhonghu)
  • Fix instanceID for vmss nodes. (#59857, @feiskyer)
  • Deprecate kubectl scale jobs (only jobs). (#60139, @soltysh)
  • Adds new flag --apiserver-advertise-dns-address which is used in node kubelet.conf to point to API server (#59288, @stevesloka)
  • Fix kube-proxy flags validation for --healthz-bind-address and --metrics-bind-address to allow specifying ip:port. (#54191, @MrHohn)
  • Increase allowed lag for ssh key sync loop in tunneler to allow for one failure (#60068, @wojtek-t)
  • Flags that can be set via the Kubelet's --config file are now deprecated in favor of the file. (#60148, @mtaufen)
  • PVC Protection alpha feature was renamed to Storage Protection. Storage Protection feature is beta. (#59052, @pospispa)
  • kube-apiserver: the root /proxy paths have been removed (deprecated since v1.2). Use the /proxy subresources on objects that support HTTP proxying. (#59884, @mikedanese)
  • Set an upper bound (5 minutes) on how long the Kubelet will wait before exiting when the client cert from disk is missing or invalid. This prevents the Kubelet from waiting forever without attempting to bootstrap new client credentials. (#59316, @smarterclayton)
  • v1.Pod now has a field to configure whether a single process namespace should be shared between all containers in a pod. This feature is in alpha preview. (#58716, @verb)
  • Priority admission controller picks a global default with the lowest priority value if more than one such default PriorityClass exists. (#59991, @bsalamat)
  • Add ipset binary for IPVS to hyperkube docker image (#57648, @Fsero)
  • kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag. (#58544, @ericchiang)
  • Rename StorageProtection to StorageObjectInUseProtection (#59901, @NickrenREN)
  • kubeadm: add criSocket field to MasterConfiguration manifest (#59057, @JordanFaust)
  • kubeadm: add criSocket field to NodeConfiguration manifest (#59292, @JordanFaust)
  • The PodSecurityPolicy API has been moved to the policy/v1beta1 API group. The PodSecurityPolicy API in the extensions/v1beta1 API group is deprecated and will be removed in a future release. Authorizations for using pod security policy resources should change to reference the policy API group after upgrading to 1.11. (#54933, @php-coder)
  • Restores the ability of older clients to delete and scale jobs with initContainers (#59880, @liggitt)
  • Support for resource quota on extended resources (#57302, @lichuqiang)
  • Fix race causing apiserver crashes during etcd healthchecking (#60069, @wojtek-t)
  • If TaintNodesByCondition is enabled, taint the node when it is under PID pressure (#60008, @k82cn)
  • Expose total usage of pods through the "pods" SystemContainer in the Kubelet Summary API (#57802, @dashpole)
  • Unauthorized requests will not match audit policy rules where users or groups are set. (#59398, @CaoShuFeng)
  • Making sure CSI E2E test runs on a local cluster (#60017, @sbezverk)
  • Addressing breaking changes introduced by new 0.2.0 release of CSI spec (#59209, @sbezverk)
  • GCE: A role and clusterrole will now be provided with GCE/GKE for allowing the cloud-provider to post warning events on all services and watching configmaps in the kube-system namespace. (#59686, @nicksardo)
  • Updated PID pressure node condition (#57136, @k82cn)
  • Add AWS cloud provider option to use an assumed IAM role (#59668, @brycecarman)
  • kubectl port-forward now supports specifying a service to port forward to: kubectl port-forward svc/myservice 8443:443 (#59809, @phsiao)
  • Fix kubelet PVC stale metrics (#59170, @cofyc)
  • Separate current ARM rate limiter into read/write (#59830, @khenidak)
    • Improve control over how ARM rate limiter is used within Azure cloud provider
  • The ConfigOK node condition has been renamed to KubeletConfigOk. (#59905, @mtaufen)
  • fluentd-gcp resources can be modified via a ScalingPolicy (#59657, @x13n)
  • Adding pkg/kubelet/apis/deviceplugin/v1beta1 API. (#59588, @jiayingz)
  • Fixes volume predicate handler for equiv class (#59335, @resouer)
  • Bugfix: vSphere Cloud Provider (VCP) does not need any special service account anymore. (#59440, @rohitjogvmw)
  • Fixing a bug in OpenStack cloud provider, where dual stack deployments (IPv4 and IPv6) did not work well when using kubenet as the network plugin. (#59749, @zioproto)
  • Get parent dir via canonical absolute path when trying to judge mount-point (#58433, @yue9944882)
  • Container runtime daemon (e.g. dockerd) logs in GCE cluster will be uploaded to stackdriver and elasticsearch with tag container-runtime (#59103, @Random-Liu)
  • Add AzureDisk support for vmss nodes (#59716, @feiskyer)
  • Fixed a race condition in k8s.io/client-go/tools/cache.SharedInformer that could violate the sequential delivery guarantee and cause panics on shutdown. (#59828, @krousey)
  • Avoid hook errors when effecting label changes on kubernetes-worker charm. (#59803, @wwwtyro)
  • kubectl port-forward now allows using resource name (e.g., deployment/www) to select a matching pod, as well as allows the use of --pod-running-timeout to wait till at least one pod is running. (#59705, @phsiao)
    • kubectl port-forward no longer supports the deprecated -p flag
  • Deprecate insecure HTTP port of kube-controller-manager and cloud-controller-manager. Use --secure-port and --bind-address instead. (#59582, @sttts)
  • Eviction thresholds set to 0% or 100% are now ignored. (#59681, @mtaufen)
  • [advanced audit] support subresources wildcard matching. (#55306, @hzxuzhonghu)
  • CronJobs can be accessed through cj alias (#59499, @soltysh)
  • fix typo in resource_allocation.go (#58275, @carmark)
  • fix the error prone account creation method of blob disk (#59739, @andyzhangx)
  • Add automatic etcd 3.2->3.1 and 3.1->3.0 minor version rollback support to gcr.io/google_container/etcd images. For HA clusters, all members must be stopped before performing a rollback. (#59298, @jpbetz)
  • kubeadm init can now omit the tainting of the master node if configured to do so in kubeadm.yaml. (#55479, @ijc)
  • Updated kubernetes-worker to request new security tokens when the aws cloud provider changes the registered node name. (#59730, @hyperbolic2346)
  • Controller-manager --service-sync-period flag is removed (was never used in the code). (#59359, @khenidak)
  • Pod priority can be specified in PodSpec even when the feature is disabled, but it will be effective only when the feature is enabled. (#59291, @bsalamat)
  • kubeadm: Enable auditing behind a feature gate. (#59067, @chuckha)
  • Map correct vmset name for Azure internal load balancers (#59747, @feiskyer)
  • Add generic cache for Azure VMSS (#59652, @feiskyer)
  • kubeadm: New "imagePullPolicy" option in the init configuration file, that gets forwarded to kubelet static pods to control pull policy for etcd and control plane images. (#58960, @rosti)
  • fix the create azure file pvc failure if there is no storage account in current resource group (#56557, @andyzhangx)
  • Add generic cache for Azure VM/LB/NSG/RouteTable (#59520, @feiskyer)
  • The alpha KubeletConfiguration.ConfigTrialDuration field is no longer available. (#59628, @mtaufen)
  • Updates Calico version to v2.6.7 (Fixed a bug where Felix would crash when parsing a NetworkPolicy with a named port. See https://github.com/projectcalico/calico/releases/tag/v2.6.7) (#59130, @caseydavenport)
  • return error if New-SmbGlobalMapping failed when mounting azure file on Windows (#59540, @andyzhangx)
  • Disallow PriorityClass names with 'system-' prefix for user defined priority classes. (#59382, @bsalamat)
  • Fixed an issue where Portworx volume driver wasn't passing namespace and annotations to the Portworx Create API. (#59607, @harsh-px)
  • Enable apiserver metrics for custom resources. (#57682, @nikhita)
  • fix typo (#59619, @jianliao82)
    • incase -> in case
    • selction -> selection
  • Implement envelope service with gRPC, so that KMS providers can be pulled out from API server. (#55684, @wu-qiang)
  • Enable golint for pkg/scheduler and fix the golint errors in it. (#58437, @tossmilestone)
  • AWS: Make attach/detach operations faster, from 10-12s to 2-6s (#56974, @gnufied)
  • CRI starts using mountpoint as image filesystem identifier instead of UUID. (#59475, @Random-Liu)
  • DaemonSet, Deployment, ReplicaSet, and StatefulSet objects are now persisted in etcd in apps/v1 format (#58854, @liggitt)
  • 'none' can now be specified in KubeletConfiguration.EnforceNodeAllocatable (--enforce-node-allocatable) to explicitly disable enforcement. (#59515, @mtaufen)
  • vSphere Cloud Provider supports VMs provisioned on vSphere v1.6.5 (#59519, @abrarshivani)
  • Annotations is added to advanced audit api (#58806, @CaoShuFeng)
  • 2nd try at using a vanity GCR name (#57824, @thockin)
  • Node's providerID is following Azure resource ID format now when useInstanceMetadata is enabled (#59539, @feiskyer)
  • Block Volume Support: Local Volume Plugin update (#59303, @dhirajh)
  • [action-required] The Container Runtime Interface (CRI) version has increased from v1alpha1 to v1alpha2. Runtimes implementing the CRI will need to update to the new version, which configures container namespaces using an enumeration rather than booleans. (#58973, @verb)
  • Fix the bug where kubelet in the standalone mode would wait for the update from the apiserver source. (#59276, @roboll)
  • Add "keyring" parameter for Ceph RBD provisioner (#58287, @madddi)
  • Ensure equiv hash calculation is per schedule (#59245, @resouer)
  • kube-scheduler: Use default predicates/prioritizers if they are unspecified in the policy config (#59363, @yguo0905)
  • Fixed charm issue where docker login would run prior to daemon options being set. (#59396, @kwmonroe)
  • Implementers of the cloud provider interface will note the addition of a context to this interface. Trivial code modification will be necessary for a cloud provider to continue to compile. (#59287, @cheftako)
  • /release-note-none (#58264, @WanLinghao)
  • Use a more reliable way to get total physical memory on windows nodes (#57124, @JiangtianLi)
  • Add xfsprogs to hyperkube container image. (#56937, @redbaron)
  • Ensure Azure public IP removed after service deleted (#59340, @feiskyer)
  • Improve messages user gets during and after volume resizing is done. (#58415, @gnufied)
  • Fix RBAC permissions for Stackdriver Metadata Agent. (#57455, @kawych)
  • Scheduler should be able to read from config file if configmap is not present. (#59386, @ravisantoshgudimetla)
  • MountPropagation feature is now beta. As a consequence, all volume mounts in containers are now "rslave" on Linux by default. (#59252, @jsafrane)
  • Fix RBAC role for certificate controller to allow cleaning. (#59375, @mikedanese)
  • Volume metrics support for vSphere Cloud Provider (#59328, @divyenpatel)
  • Announcing the deprecation of the recycling reclaim policy. (#59063, @ayushpateria)
  • Intended for post-1.9 (#57872, @mlmhl)
  • The meta.k8s.io/v1alpha1 objects for retrieving tabular responses from the server (Table) or fetching just the ObjectMeta for an object (as PartialObjectMetadata) are now beta as part of meta.k8s.io/v1beta1. Clients may request alternate representations of normal Kubernetes objects by passing an Accept header like application/json;as=Table;g=meta.k8s.io;v=v1beta1 or application/json;as=PartialObjectMetadata;g=meta.k8s.io;v=v1beta1. Older servers will ignore this representation or return an error if it is not available. Clients may request fallback to the normal object by adding a non-qualified mime-type to their Accept header like application/json - the server will then respond with either the alternate representation if it is supported or the fallback mime-type which is the normal object response. (#59059, @smarterclayton)
  • add PV size grow feature for azure file (#57017, @andyzhangx)
  • Upgrade default etcd server version to 3.2.14 (#58645, @jpbetz)
  • Add windows config to Kubelet CRI (#57076, @feiskyer)
  • Configurable etcd quota backend bytes in GCE (#59259, @wojtek-t)
  • Remove unmaintained kube-registry-proxy support from gce kube-up. (#58564, @mikedanese)
  • Allow expanding mounted volumes (#58794, @gnufied)
  • Upped the timeout for apiserver communication in the juju kubernetes-worker charm. (#59219, @hyperbolic2346)
  • kubeadm init: skip checking cri socket in preflight checks (#58802, @dixudx)
  • Add "nominatedNodeName" field to PodStatus. This field is set when a pod preempts other pods on the node. (#58990, @bsalamat)
  • Changes secret, configMap, downwardAPI and projected volumes to mount read-only, instead of allowing applications to write data and then reverting it automatically. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior. (#58720, @joelsmith)
  • Fixed issue with charm upgrades resulting in an error state. (#59064, @hyperbolic2346)
  • Ensure IP is set for Azure internal load balancer. (#59083, @feiskyer)
  • Postpone PV deletion when it is being bound to a PVC (#58743, @NickrenREN)
  • Add V1beta1 VolumeAttachment API, co-existing with Alpha API object (#58462, @NickrenREN)
  • When using client or server certificate rotation, the Kubelet will no longer wait until the initial rotation succeeds or fails before starting static pods. This makes running self-hosted masters with rotation more predictable. (#58930, @smarterclayton)

v1.10.0-alpha.3

Documentation & Examples

Downloads for v1.10.0-alpha.3


Changelog since v1.10.0-alpha.2

Other notable changes

  • Fixed issue with kubernetes-worker option allow-privileged not properly handling the value True with a capital T. (#59116, @hyperbolic2346)
  • Added anti-affinity to kube-dns pods (#57683, @vainu-arto)
  • cloudprovider/openstack: fix bug that tries to use octavia client to query flip (#59075, @jrperritt)
  • Windows containers now support experimental Hyper-V isolation by setting the annotation experimental.windows.kubernetes.io/isolation-type=hyperv and the feature gate HyperVContainer. Only one container per pod is supported so far. (#58751, @feiskyer)
  • crds is added as a shortname for CustomResourceDefinition i.e. kubectl get crds can now be used. (#59061, @nikhita)
  • Fix an issue where port forwarding doesn't forward local TCP6 ports to the pod (#57457, @vfreex)
  • YAMLDecoder Read now tracks rest of buffer on io.ErrShortBuffer (#58817, @karlhungus)
  • Prevent kubelet from getting wedged if initialization of modules returns an error. (#59020, @brendandburns)
  • Fixed a race condition inside kubernetes-worker that would result in a temporary error situation. (#59005, @hyperbolic2346)
  • [GCE] Apiserver uses InternalIP as the most preferred kubelet address type by default. (#59019, @MrHohn)
  • Deprecate insecure flags --insecure-bind-address, --insecure-port and remove --public-address-override. (#59018, @hzxuzhonghu)
  • Support GetLabelsForVolume in OpenStack Provider (#58871, @edisonxiang)
  • Build using go1.9.3. (#59012, @ixdy)
  • CRI: Add a call to reopen log file for a container. (#58899, @yujuhong)
  • The alpha KubeletConfigFile feature gate has been removed, because it was redundant with the Kubelet's --config flag. It is no longer necessary to set this gate to use the flag. The --config flag is still considered alpha. (#58978, @mtaufen)
  • kubectl scale can now scale any resource (kube, CRD, aggregate) conforming to the standard scale endpoint (#58298, @p0lyn0mial)
  • kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before upgrading to 1.11. (#58968, @deads2k)
  • Fix regression in the CRI: do not add a default hostname on short image names (#58955, @runcom)
  • Get windows kernel version directly from registry (#58498, @feiskyer)
  • Remove deprecated --require-kubeconfig flag, remove default --kubeconfig value (#58367, @zhangxiaoyu-zidif)
  • Google Cloud Service Account email addresses can now be used in RBAC Role bindings since the default scopes now include the "userinfo.email" scope. This is a breaking change if the numeric uniqueIDs of the Google service accounts were being used in RBAC role bindings. The behavior can be overridden by explicitly specifying the scope values as a comma-separated string in the "users[*].config.scopes" field in the KUBECONFIG file. (#58141, @ahmetb)
  • kube-apiserver is changed to use SSH tunnels for webhook iff the webhook is not directly routable from apiserver's network environment. (#58644, @yguo0905)
  • Updated priority of mirror pod according to PriorityClassName. (#58485, @k82cn)
  • Fixes a bug where kubelet crashes trying to free memory under memory pressure (#58574, @yastij)

v1.10.0-alpha.2

Documentation & Examples

Downloads for v1.10.0-alpha.2


Changelog since v1.10.0-alpha.1

Action Required

  • Bug fix: webhooks now do not skip cluster-scoped resources (#58185, @caesarxuchao)
    • Action required: Before upgrading your Kubernetes clusters, check whether you have configured webhooks for cluster-scoped objects (e.g., nodes, persistentVolume); these webhooks will start to take effect. Delete/modify the configs if that's not desirable.
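
One way to carry out the pre-upgrade check described above, as an added example that is not part of the Kubernetes changelog or code base: it reads the List that `kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json` prints and reports every webhook rule that selects a cluster-scoped resource. The clusterScoped list is an illustrative subset, and the sample configuration, its names and the AuditWebhooks function are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// gr identifies a resource by API group ("" is the core group) and plural name.
type gr struct{ Group, Resource string }

// clusterScoped is an assumed, illustrative subset of cluster-scoped resources.
// On a real cluster, build this list from API discovery instead.
var clusterScoped = []gr{
	{"", "namespaces"},
	{"", "nodes"},
	{"", "persistentvolumes"},
	{"apiextensions.k8s.io", "customresourcedefinitions"},
	{"rbac.authorization.k8s.io", "clusterrolebindings"},
	{"rbac.authorization.k8s.io", "clusterroles"},
	{"storage.k8s.io", "storageclasses"},
}

// rule and webhookConfig cover only the fields this audit needs.
type rule struct {
	APIGroups []string `json:"apiGroups"`
	Resources []string `json:"resources"`
}

type webhookConfig struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Webhooks []struct {
		Name  string `json:"name"`
		Rules []rule `json:"rules"`
	} `json:"webhooks"`
}

// Finding records one webhook rule that selects cluster-scoped resources.
type Finding struct {
	Kind, Config, Webhook string
	Matched               []string
}

// matches reports whether the rule selects the given cluster-scoped resource.
// "*" is a wildcard for groups and resources. A subresource entry such as
// "nodes/status" still addresses a cluster-scoped object, so only the part
// before "/" is compared.
func (r rule) matches(target gr) bool {
	groupOK := false
	for _, g := range r.APIGroups {
		if g == "*" || g == target.Group {
			groupOK = true
			break
		}
	}
	if !groupOK {
		return false
	}
	for _, res := range r.Resources {
		base := strings.SplitN(res, "/", 2)[0]
		if base == "*" || base == target.Resource {
			return true
		}
	}
	return false
}

// displayName renders "nodes" for the core group and "name.group" otherwise.
func displayName(t gr) string {
	if t.Group == "" {
		return t.Resource
	}
	return t.Resource + "." + t.Group
}

// AuditWebhooks parses a JSON List of webhook configurations and returns one
// Finding per rule that selects at least one cluster-scoped resource.
func AuditWebhooks(listJSON []byte) ([]Finding, error) {
	var list struct {
		Items []webhookConfig `json:"items"`
	}
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, fmt.Errorf("parse webhook configuration list: %w", err)
	}
	var findings []Finding
	for _, cfg := range list.Items {
		for _, wh := range cfg.Webhooks {
			for _, r := range wh.Rules {
				var matched []string
				for _, target := range clusterScoped {
					if r.matches(target) {
						matched = append(matched, displayName(target))
					}
				}
				if len(matched) > 0 {
					findings = append(findings, Finding{
						Kind: cfg.Kind, Config: cfg.Metadata.Name,
						Webhook: wh.Name, Matched: matched,
					})
				}
			}
		}
	}
	return findings, nil
}

// sampleList is constructed input, not output from a real cluster.
const sampleList = `{"kind": "List", "items": [
 {"kind": "ValidatingWebhookConfiguration", "metadata": {"name": "image-policy"},
  "webhooks": [{"name": "images.example.test",
    "rules": [{"apiGroups": [""], "resources": ["pods"]}]}]},
 {"kind": "MutatingWebhookConfiguration", "metadata": {"name": "label-injector"},
  "webhooks": [
   {"name": "labels.example.test",
    "rules": [{"apiGroups": ["*"], "resources": ["*"]}]},
   {"name": "pv-guard.example.test",
    "rules": [{"apiGroups": [""],
      "resources": ["persistentvolumes", "persistentvolumeclaims", "nodes/status"]}]}]}
]}`

func main() {
	findings, err := AuditWebhooks([]byte(sampleList))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s/%s webhook %s selects cluster-scoped: %s\n",
			f.Kind, f.Config, f.Webhook, strings.Join(f.Matched, ", "))
	}
}
```

Wildcard rules are the ones most likely to change behaviour silently after the upgrade, because they were written without cluster-scoped objects in mind.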

Other notable changes

  • Fixing extra_sans option on master and load balancer. (#58843, @hyperbolic2346)
  • ConfigMap objects now support binary data via a new binaryData field. When using kubectl create configmap --from-file, files containing non-UTF8 data will be placed in this new field in order to preserve the non-UTF8 data. Use of this feature requires 1.10+ apiserver and kubelets. (#57938, @dims)
  • New alpha feature to limit the number of processes running in a pod. Cluster administrators will be able to place limits by using the new kubelet command line parameter --pod-max-pids. Note that since this is an alpha feature they will need to enable the "SupportPodPidsLimit" feature. (#57973, @dims)
  • Add storage-backend configuration option to kubernetes-master charm. (#58830, @wwwtyro)
  • use containing API group when resolving shortname from discovery (#58741, @dixudx)
  • Fix kubectl explain for resources not existing in default version of API group (#58753, @soltysh)
  • Ensure config has been created before attempting to launch ingress. (#58756, @wwwtyro)
  • Access to externally managed IP addresses via the kube-apiserver service proxy subresource is no longer allowed by default. This can be re-enabled via the ServiceProxyAllowExternalIPs feature gate, but will be disallowed completely in 1.11 (#57265, @brendandburns)
  • Added support for external cloud providers in kubeadm (#58259, @dims)
  • rktnetes has been deprecated in favor of rktlet. Please see https://github.com/kubernetes-incubator/rktlet for more information. (#58418, @yujuhong)
  • Fixes bug finding master replicas in GCE when running multiple Kubernetes clusters (#58561, @jesseshieh)
  • Update Calico version to v2.6.6 (#58482, @tmjd)
  • Promoting the apiregistration.k8s.io (aggregation) to GA (#58393, @deads2k)
  • Stability: Make Pod delete event handling of scheduler more robust. (#58712, @bsalamat)
  • Added support for network spaces in the kubeapi-load-balancer charm (#58708, @hyperbolic2346)
  • Added support for network spaces in the kubernetes-master charm (#58704, @hyperbolic2346)
  • update etcd unified version to 3.1.10 (#54242, @zouyee)
  • updates fluentd in fluentd-es-image to fluentd 1.1.0 (#58525, @monotek)
  • Support metrics API in kubectl top commands. (#56206, @brancz)
  • Added support for network spaces in the kubernetes-worker charm (#58523, @hyperbolic2346)
  • CustomResourceDefinitions: OpenAPI v3 validation schemas containing $ref references are no longer permitted (valid references could not be constructed previously because property ids were not permitted either). Before upgrading, ensure CRD definitions do not include those $ref fields. (#58438, @carlory)
  • Openstack: register metadata.hostname as node name (#58502, @dixudx)
  • Added nginx and default backend images to kubernetes-worker config. (#58542, @hyperbolic2346)
  • --tls-min-version on kubelet and kube-apiserver allow for configuring minimum TLS versions (#58528, @deads2k)
  • Fixes an issue where the resourceVersion of an object in a DELETE watch event was not the resourceVersion of the delete itself, but of the last update to the object. This could disrupt the ability of clients to re-establish watches properly. (#58547, @liggitt)
  • Fixed crash in kubectl cp when path has multiple leading slashes (#58144, @tomerf)
  • kube-apiserver: requests to endpoints handled by unavailable extension API servers (as indicated by an Available condition of false in the registered APIService) now return 503 errors instead of 404 errors. (#58070, @weekface)
  • Correctly handle transient connection reset errors on GET requests from client library. (#58520, @porridge)
  • Authentication information for OpenStack cloud provider can now be specified as environment variables (#58300, @dims)
  • Bump GCE metadata proxy to v0.1.9 to pick up security fixes. (#58221, @ihmccreery)
  • kubeadm now supports CIDR notations in NO_PROXY environment variable (#53895, @kad)
  • kubeadm now accepts --apiserver-extra-args, --controller-manager-extra-args and --scheduler-extra-args to override / specify additional flags for control plane components (#58080, @simonferquel)
  • Add --enable-admission-plugin --disable-admission-plugin flags and deprecate --admission-control. (#58123, @hzxuzhonghu)
    • Afterwards, the order in which plugins are specified in the flags no longer matters.
  • "ExternalTrafficLocalOnly" has been removed from feature gate. It has been a GA feature since v1.7. (#56948, @MrHohn)
  • GCP: allow a master to not include a metadata concealment firewall rule (if it's not running the metadata proxy). (#58104, @ihmccreery)
  • kube-apiserver: fixes loading of --admission-control-config-file containing AdmissionConfiguration apiserver.k8s.io/v1alpha1 config object (#58439, @liggitt)
  • Fix issue when using OpenStack config drive for node metadata (#57561, @dims)
  • Add FSType for CSI volume source to specify filesystems (#58209, @NickrenREN)
  • OpenStack cloudprovider: Ensure orphaned routes are removed. (#56258, @databus23)
  • Reduce Metrics Server memory requirement (#58391, @kawych)
  • Fix a bug affecting nested data volumes such as secret, configmap, etc. (#57422, @joelsmith)
  • kubectl now enforces required flags at a more fundamental level (#53631, @dixudx)
  • Remove alpha Initializers from kubeadm admission control (#58428, @dixudx)
  • Enable ValidatingAdmissionWebhook and MutatingAdmissionWebhook in kubeadm from v1.9 (#58255, @dixudx)
  • Fixed encryption key and encryption provider rotation (#58375, @liggitt)
  • set fsGroup by securityContext.fsGroup in azure file (#58316, @andyzhangx)
  • Remove deprecated and unmaintained salt support. kubernetes-salt.tar.gz will no longer be published in the release tarball. (#58248, @mikedanese)
  • Detach and clear bad disk URI (#58345, @rootfs)
  • Allow version arg in kubeadm upgrade apply to be optional if config file already has version info (#53220, @medinatiger)
  • feat(fakeclient): push event on watched channel on add/update/delete (#57504, @yue9944882)
  • Custom resources can now be submitted to and received from the API server in application/yaml format, consistent with other API resources. (#58260, @liggitt)
  • remove spaces from kubectl describe hpa (#56331, @shiywang)
  • fluentd-gcp updated to version 2.0.14. (#58224, @zombiezen)
  • Instrument the Azure cloud provider for Prometheus monitoring. (#58204, @cosmincojocar)
  • Add scheduler optimization options, short circuit all predicates if … (#56926, @wgliang)
  • Remove deprecated ContainerVM support from GCE kube-up. (#58247, @mikedanese)
  • Remove deprecated kube-push.sh functionality. (#58246, @mikedanese)
  • The getSubnetIDForLB() should return subnet id rather than net id. (#58208, @FengyunPan)
  • Avoid panic when failing to allocate a Cloud CIDR (aka GCE Alias IP Range). (#58186, @negz)
  • Handle Unhealthy devices (#57266, @vikaschoudhary16)
  • Expose Metrics Server metrics via /metric endpoint. (#57456, @kawych)
  • Remove deprecated container-linux support in gce kube-up.sh. (#58098, @mikedanese)
  • openstack cinder detach problem is fixed if nova is shut down (#56846, @zetaab)
  • Fixes a possible deadlock preventing quota from being recalculated (#58107, @ironcladlou)
  • fluentd-es addon: multiline stacktraces are now grouped into one entry automatically (#58063, @monotek)
  • GCE: Allows existing internal load balancers to continue using an outdated subnetwork (#57861, @nicksardo)
  • ignore images in use by running containers during GC (#57020, @dixudx)
  • Remove deprecated and unmaintained photon-controller kube-up.sh. (#58096, @mikedanese)
  • The kubelet flag to run docker containers with a process namespace that is shared between all containers in a pod is now deprecated and will be replaced by a new field in v1.Pod that configures this behavior. (#58093, @verb)
  • fix device name change issue for azure disk: add remount logic (#57953, @andyzhangx)
  • The Kubelet now explicitly registers all of its command-line flags with an internal flagset, which prevents flags from third party libraries from unintentionally leaking into the Kubelet's command-line API. Many unintentionally leaked flags are now marked deprecated, so that users have a chance to migrate away from them before they are removed. One previously leaked flag, --cloud-provider-gce-lb-src-cidrs, was entirely removed from the Kubelet's command-line API, because it is irrelevant to Kubelet operation. (#57613, @mtaufen)
  • Remove deprecated and unmaintained libvirt-coreos kube-up.sh. (#58023, @mikedanese)
  • Remove deprecated and unmaintained windows installer. (#58020, @mikedanese)
  • Remove deprecated and unmaintained openstack-heat kube-up.sh. (#58021, @mikedanese)
  • Fixes authentication problem faced during various vSphere operations. (#57978, @prashima)
  • fluentd-gcp updated to version 2.0.13. (#57789, @x13n)
  • Add support for cloud-controller-manager in local-up-cluster.sh (#57757, @dims)
  • Update CSI spec dependency to point to v0.1.0 tag (#57989, @NickrenREN)
  • Update kube-dns to Version 1.14.8 that includes only small changes to how Prometheus metrics are collected. (#57918, @rramkumar1)
  • Add proxy_read_timeout flag to kubeapi_load_balancer charm. (#57926, @wwwtyro)
  • Adding support for Block Volume type to rbd plugin. (#56651, @sbezverk)
  • Fixes a bug in Heapster deployment for google sink. (#57902, @kawych)
  • Forbid unnamed contexts in kubeconfigs. (#56769, @dixudx)
  • Upgrade to etcd client 3.2.13 and grpc 1.7.5 to improve HA etcd cluster stability. (#57480, @jpbetz)
  • Default scheduler code is moved out of the plugin directory. (#57852, @misterikkit)
    • plugin/pkg/scheduler -> pkg/scheduler
    • plugin/cmd/kube-scheduler -> cmd/kube-scheduler
  • Bump metadata proxy version to v0.1.7 to pick up security fix. (#57762, @ihmccreery)
  • HugePages feature is beta (#56939, @derekwaynecarr)
  • GCE: support passing kube-scheduler policy config via SCHEDULER_POLICY_CONFIG (#57425, @yguo0905)
  • Returns an error for non overcommitable resources if they don't have limit field set in container spec. (#57170, @jiayingz)
  • Update defaultbackend image to 1.4 and deployment apiVersion to apps/v1 (#57866, @zouyee)
  • kubeadm: set kube-apiserver advertise address using downward API (#56084, @andrewsykim)
  • CDK nginx ingress is now handled via a daemon set. (#57530, @hyperbolic2346)
  • The kubelet uses a new release 3.1 of the pause container with the Docker runtime. This version will clean up orphaned zombie processes that it inherits. (#57517, @verb)
  • Allow kubectl set image|env on a cronjob (#57742, @soltysh)
  • Move local PV negative scheduling tests to integration (#57570, @sbezverk)
  • fix azure disk not available issue when device name changed (#57549, @andyzhangx)
  • Only create Privileged PSP binding during e2e tests if RBAC is enabled. (#56382, @mikkeloscar)
  • RBAC: The system:kubelet-api-admin cluster role can be used to grant full access to the kubelet API (#57128, @liggitt)
  • Allow kubernetes components to react to SIGTERM signal and shutdown gracefully. (#57756, @mborsz)
  • ignore nonexistent ns net file error when deleting container network in case of a retry (#57697, @dixudx)
  • check psp HostNetwork in DenyEscalatingExec admission controller. (#56839, @hzxuzhonghu)
  • The alpha --init-config-dir flag has been removed. Instead, use the --config flag to reference a kubelet configuration file directly. (#57624, @mtaufen)
  • Add cache for VM get operation in azure cloud provider (#57432, @karataliu)
  • Fix garbage collection when the controller-manager uses --leader-elect=false (#57340, @jmcmeek)
  • iSCSI sessions managed by kubernetes will now explicitly set startup.mode to 'manual' to prevent automatic login after node failure recovery. This is the default open-iscsi mode, so this change will only impact users who have changed their startup.mode to be 'automatic' in /etc/iscsi/iscsid.conf. (#57475, @stmcginnis)
  • Configurable liveness probe initial delays for etcd and kube-apiserver in GCE (#57749, @wojtek-t)
  • Fixed garbage collection hang (#57503, @liggitt)
  • Fixes controller manager crash in certain vSphere cloud provider environment. (#57286, @rohitjogvmw)
  • Remove useInstanceMetadata parameter from Azure cloud provider. (#57647, @feiskyer)
  • Support multiple scale sets in Azure cloud provider. (#57543, @feiskyer)
  • GCE: Fixes ILB creation on automatic networks with manually created subnetworks. (#57351, @nicksardo)
  • Improve scheduler performance of MatchInterPodAffinity predicate. (#57476, @misterikkit)
  • Improve scheduler performance of MatchInterPodAffinity predicate. (#57477, @misterikkit)
  • Improve scheduler performance of MatchInterPodAffinity predicate. (#57478, @misterikkit)
  • Allow using a resource ID to specify public IP address in azure_loadbalancer (#53557, @yolo3301)
  • Fixes a bug where if an error was returned that was not an autorest.DetailedError we would return "not found", nil which caused nodes to go to NotReady state. (#57484, @brendandburns)
  • Add the path '/version/' to the system:discovery cluster role. (#57368, @brendandburns)
  • Fixes issue creating docker secrets with kubectl 1.9 for accessing docker private registries. (#57463, @dims)
  • adding predicates ordering for the kubernetes scheduler. (#57168, @yastij)
  • Free up CPU and memory requested but unused by Metrics Server Pod Nanny. (#57252, @kawych)
  • The alpha Accelerators feature gate is deprecated and will be removed in v1.11. Please use device plugins instead. They can be enabled using the DevicePlugins feature gate. (#57384, @mindprince)
  • Fixed dynamic provisioning of GCE PDs to round to the next GB instead of GiB (#56600, @edisonxiang)
  • Separate loop and plugin control (#52371, @cheftako)
  • Use old dns-ip mechanism with older cdk-addons. (#57403, @wwwtyro)
  • Retry 'connection refused' errors when setting up clusters on GCE. (#57394, @mborsz)
  • Upgrade to etcd client 3.2.11 and grpc 1.7.5 to improve HA etcd cluster stability. (#57160, @jpbetz)
  • Added the ability to select pods in a chosen node to be drained, based on given pod label-selector (#56864, @juanvallejo)
  • Wait for kubedns to be ready when collecting the cluster IP. (#57337, @wwwtyro)
  • Use "k8s.gcr.io" for container images rather than "gcr.io/google_containers". This is just a redirect, for now, so should not impact anyone materially. (#54174, @thockin)
    • Documentation and tools should all convert to the new name. Users should take note of this in case they see this new name in the system.
  • Fix ipvs proxier nodeport eth* assumption (#56685, @m1093782566)

v1.10.0-alpha.1

Documentation & Examples

Downloads for v1.10.0-alpha.1


Changelog since v1.9.0

Action Required

  • [action required] Remove the kubelet's --cloud-provider=auto-detect feature (#56287, @stewart-yu)

Other notable changes

  • Fix Heapster configuration and Metrics Server configuration to enable overriding default resource requirements. (#56965, @kawych)
  • YAMLDecoder Read now returns the number of bytes read (#57000, @sel)
  • Retry 'connection refused' errors when setting up clusters on GCE. (#57324, @mborsz)
  • Update kubeadm's minimum supported Kubernetes version in v1.10.x to v1.9.0 (#57233, @xiangpengzhao)
  • Graduate CPU Manager feature from alpha to beta. (#55977, @ConnorDoyle)
  • Drop hacks used for Mesos integration that was already removed from main kubernetes repository (#56754, @dims)
  • Compare correct file names for volume detach operation (#57053, @prashima)
  • Improved event generation in volume mount, attach, and extend operations (#56872, @davidz627)
  • GCE: bump COS image version to cos-stable-63-10032-71-0 (#57204, @yujuhong)
  • fluentd-gcp updated to version 2.0.11. (#56927, @x13n)
  • calico-node addon tolerates all NoExecute and NoSchedule taints by default. (#57122, @caseydavenport)
  • Support LoadBalancer for Azure Virtual Machine Scale Sets (#57131, @feiskyer)
  • Makes the kube-dns addon optional so that users can deploy their own DNS solution. (#57113, @wwwtyro)
  • Enabled log rotation for load balancer's api logs to prevent running out of disk space. (#56979, @hyperbolic2346)
  • Remove ScrubDNS interface from cloudprovider. (#56955, @feiskyer)
  • Fix etcd-version-monitor to backward compatibly support etcd 3.1 go-grpc-prometheus metrics format. (#56871, @jpbetz)
  • enable flexvolume on Windows node (#56921, @andyzhangx)
  • When using Role-Based Access Control, the "admin", "edit", and "view" roles now have the expected permissions on NetworkPolicy resources. (#56650, @danwinship)
  • Fix the PersistentVolumeLabel controller so that it does not initialize the PV labels when it's not the next pending initializer. (#56831, @jhorwit2)
  • kube-apiserver: The external hostname no longer uses the cloud provider API to select a default. It can be set explicitly using --external-hostname, if needed. (#56812, @dims)
  • Use GiB unit for creating and resizing volumes for Glusterfs (#56581, @gnufied)
  • PersistentVolume flexVolume sources can now reference secrets in a namespace other than the PersistentVolumeClaim's namespace. (#56460, @liggitt)
  • Scheduler skips pods that use a PVC that either does not exist or is being deleted. (#55957, @jsafrane)
  • Fixed a garbage collection race condition where objects with ownerRefs pointing to cluster-scoped objects could be deleted incorrectly. (#57211, @liggitt)
  • Kubectl explain now prints out the Kind and API version of the resource being explained (#55689, @luksa)
  • api-server provides specific events when unable to repair a service cluster ip or node port (#54304, @frodenas)
  • Added docker-logins config to kubernetes-worker charm (#56217, @Cynerva)
  • delete useless params containerized (#56146, @jiulongzaitian)
  • add mount options support for azure disk (#56147, @andyzhangx)
  • Use structured generator for kubectl autoscale (#55913, @wackxu)
  • K8s supports cephfs fuse mount. (#55866, @zhangxiaoyu-zidif)
  • COS: Keep the docker network checkpoint (#54805, @yujuhong)
  • Fixed documentation typo in IPVS README. (#56578, @shift)