Changelog v1.75.0#628
Open
deckhouse-BOaTswain wants to merge 12 commits into
Open
Conversation
1f1ecfa to
fc8527e
Compare
3b35226 to
b71ca41
Compare
60b7d0c to
46d9faa
Compare
fc8527e to
bd74371
Compare
2a34884 to
818d5da
Compare
1d43597 to
0b9edcd
Compare
Signed-off-by: deckhouse-BOaTswain <89150800+deckhouse-boatswain@users.noreply.github.com>
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
2 similar comments
Member
|
/changelog |
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Member
|
/changelog |
1 similar comment
Member
|
/changelog |
Signed-off-by: deckhouse-BOaTswain <89150800+deckhouse-boatswain@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changelog v1.75.0
[MALFORMED]
Know before update
Certificate.Spec.PrivateKey.RotationPolicyis nowAlways.Certificateresource'srevisionHistoryLimitfield is now set to 1.path, was removed from thecertmanager_acme_client_request_countandcertmanager_acme_client_request_duration_secondsmetrics.Feature:
IssuerandClusterIssuerobjects. For configuring the built-in DKP CluserIssers (letsencryptandletsencrypt-staging) added settings in moduleConfig.on clusters where they were not enabled before. VPA may start applying in-place
updates instead of only eviction-based updates.
operator-trivybefore, a new alert namedVulnerableImagesDenialConfigNotMigratedmight start firing after update. In that case, you must manually movedenyVulnerableImagessection of settings fromadmission-policy-enginetooperator-trivymodule config. Alert message will provide necessary instructions on how to do so.Autois deprecated and will be removed in a future API version. Use explicit modes likeRecreate,Initial, orInPlaceOrRecreateinstead.Loki pods will now prefer in-place resource updates when supported by the cluster,
falling back to pod recreation only when required.
If you encounter unexpected converge plans or cluster bootstrap issues when using OpenTofu-based providers (such as dvp, dynamics, zvirt, or yandex), please report them to Deckhouse Technical Support.
Features
The minimum supported version of Kubernetes is now 1.31. All control plane components will restart.
Kubelet, api-server, controller-manager and scheduler will be restarted.
Breaking changes:
Certificate.Spec.PrivateKey.RotationPolicyis nowAlways.Certificateresource'srevisionHistoryLimitfield is now set to 1.path, was removed from thecertmanager_acme_client_request_countandcertmanager_acme_client_request_duration_secondsmetrics.Feature:
IssuerandClusterIssuerobjects. For configuring the built-in DKP CluserIssers (letsencryptandletsencrypt-staging) added settings in moduleConfig.Cilium agent's will be restarted.
Users can explicitly select the InPlaceOrRecreate VPA mode for Cilium pods via ModuleConfig.
Default behavior remains unchanged.
Cluster administrators now have detailed visibility into Kubernetes version updates through the new
d8-cluster-kubernetesConfigMap in thekube-systemnamespace.Kube-apiserver will be restarted due to changes in manifest.
Will restart all d8 pods on dkp release with this changes.
It evicts pods that violate TopologySpreadConstraints, enabling automatic rebalancing across availability zones after zone recovery.
Descheduler evicts pods with a larger restart count first it should make workload balancing in the cluster more stable.
Descheduler respects DRA resources. #16846
the instances will be restarted.
Users can explicitly configure the InPlaceOrRecreate VPA mode for Istio workloads in ModuleConfig.
Default VPA mode for Istio has been updated to InPlaceOrRecreate.
Istio version 1.19.7 has been removed because it is considered outdated. In this regard, errors may occur when updating the Deckhouse version. It is recommended to upgrade Istio from version 1.19.7 to version 1.21.6 before upgrading Deckhouse release.
The default VPA mode for Loki components is changed from Auto to InPlaceOrRecreate.
Loki pods will now prefer in-place resource updates when supported by the cluster,
falling back to pod recreation only when required.
unmanagedandskip-heritagefunctions for objects in ProjectTemplate. #17462Enabling swap for a NodeGroup will cause a kubelet restart on all nodes of that group.
.spec.kubelet.maxPodsdoesn't exceed the number of available Pod IP capacity per node. #16695customConfigswith automatic config/label naming. #16678low
no impact
These changes prevent unnecessary or destructive plan updates that could occur when data sources depend on changing labels and annotations. The behavior of other cloud providers is not affected.
If you encounter unexpected converge plans or cluster bootstrap issues when using OpenTofu-based providers (such as dvp, dynamics, zvirt, or yandex), please report them to Deckhouse Technical Support.
UserOperationhook for local Dex user operations (reset password, reset 2FA, lock/unlock) with status reporting. #15561Mode
Autois deprecated and will be removed in a future API version. Use explicit modes likeRecreate,Initial, orInPlaceOrRecreateinstead.Fixes
Workload Pods are no longer denied by unrelated SecurityPolicy checks (e.g. hostNetwork/hostPort) when corresponding policy fields are not explicitly set.
bb-package-fetchto prevent node failures during containerd major upgrades. #17047cloud-provider-azure. #18067additional_disks_hashesdefinition in static-node Terraform module. #17441In HA cluster mode hubble-ui and hubble-relay will be restarted
cloud-provider-azure. #18067additionalDisksin master InstanceClasses. #17352cloud-provider-gcp. #18095cloud-provider-huaweicloud. #18096cloud-provider-openstack. #18099cloud-provider-vcd. #18113To migrate, you must perform a
converge, which causes the master server to be recreated. If you are using only one master server with the manual address assignment via themainNetworkIPAddressesparameter, add two more IP addresses for the migration process.nat_instance_internal_address_calculated. #17341If the SDN module is used in the cluster, the Cilium agent pods will be restarted.
All current connections powered by EgressGateways will be terminated.
The MTU will be updated on all interfaces of all pods.
Cilium agents will be restarted during the update.
This update triggers a rolling update of the flannel pods.
CoreDNS pods will undergo a rolling restart.
All pods running kube-rbac-proxy will be restarted.
etcd will restart.
etcd will restart.
d8-namespaces ind8ms-prefixValidatingAdmissionPolicy. #17440--insecureflag being ignored in registry client operations. #17554Thresholds and targetThresholds are no longer implicitly defaulted.
If a resource is not specified in the Descheduler CR, it is treated as 100% and does not participate in eviction logic.
dvp provider.kubeconfigDataBase64preflight check. #16945convergeorconverge-migrationfails. #17943Pods of all ingress-nginx controller will be restarted.
All Ingress-NGINX controller pods will be restated.
All ingress-nginx controller pods will be restarted.
All pods of Ingress-NGINX controller of 1.10 and 1.12 versions will be restarted.
All ingress nginx controller pods will be restarted.
restart controllers
All pods running kube-rbac-proxy will be restarted.
All Ingress-NGINX controller pods will be restated.
All Ingress-NGINX controller pods will be restarted.
All Ingress-nginx controller pods will be restarted.
All Ingress-nginx controller pods will be restarted.
All ingress controller pods will restart.
The ingress nginx controllers' pods will be restated.
All ingress-nginx controller pods of the 1.12 version will be restarted.
All ingress-nginx controllers' pods will be restarted.
istio-cni-nodes will be restarted
pods in namespace d8-istio will be restarted
pods in namespace d8-istio will be restarted
istio module pods will be restarted
istio module pods will be restarted
module pods will be restarted
This update triggers a rolling update of the kube-proxy pods.
Changing the order of transformations only affects the operation of the log-shipper.
config module loki ↓
ModuleReleaseIsWaitingManualApproval,ModuleReleaseIsOutdated,ModuleReleaseIsBlockedByRequirements,ModuleIsInMaintenanceMode,D8ModuleOutdatedByMajorVersion) that never fired on 1.75.x clusters due to amoduleName→modulelabel mismatch introduced when addon-operator was bumped to v1.19.7 in v1.75.1. #20112This update triggers a rolling update of the network-policy-engine pods.
An additional service daemonset will be added.
/var/lib/kubelet/pod_status_manager_stateimmediately before kubelet restart. #17403Prevents kubelet startup panic caused by incompatible or corrupted.
Capacity values (CPU/memory) for DVPInstanceClass are now correctly extracted according to spec shape. Nested
virtualMachinefields are used and memory quantities likeGiare properly parsed.Ingress Nginx controller dashboards are fixed
Registry pods will be restarted.
Containerd will restart.
DexAuthenticator resources with IP addresses in domain fields will now be rejected at creation/update time with a clear error message. Previously, such resources were accepted but failed silently during Ingress creation.
On fresh clusters, Dex storage CRDs (e.g. OfflineSessions/RefreshToken) are now installed by the module,
preventing hook/informer startup failures due to absent
dex.coreos.comCRDs.user-authz-webhooklistener port (40443/TCP) for hostNetwork pods. #17656The
user-authz-webhookDaemonSet now explicitly declares its listener port and has a matchingSecurityPolicyException. This prevents Admission Policy Engine validation failures in-cluster.
A targeted
dmt lintexception is added for thehost-network-portsrule because it enforcesthe 4200–4299 range and does not take SecurityPolicyException into account.
Chore
Kubernetes control-plane components will restart, kubelet will restart
Kubernetes control-plane components will restart, kubelet will restart.
TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256, added fixed names forTLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. #17777Cilium agents will be restarted.
If you have used certain features of
operator-trivybefore, a new alert namedVulnerableImagesDenialConfigNotMigratedmight start firing after update. In that case, you must manually movedenyVulnerableImagessection of settings fromadmission-policy-enginetooperator-trivymodule config. Alert message will provide necessary instructions on how to do so.The change does not affect existing clusters unless controllerVersion
1.14is selected.All Ingress-NGINX controller pods will be restarted.
All ingres-nginx controller pods will be restated.
If you have controllers running 1.9 the automatic upgrade will be blocked until the version is updated, upgrading to 1.10+ will cause the corresponding controllers to restart.
All instances will be restarted.
Control-plane components and kubelets will restart to pick up the new feature gates
on clusters where they were not enabled before. VPA may start applying in-place
updates instead of only eviction-based updates.
For more information, see the changelog and minor version release changes.