- Api-Machinery
  - Graduate the admission and admissionregistration (webhook part) API to v1beta1 (#56004, @caesarxuchao)
  - action required: Deprecated flags `--portal-net` and `service-node-ports` of kube-apiserver are removed. (#52547, @xiangpengzhao)
- Auth
  - RBAC objects are now stored in etcd in v1 format. After completing an upgrade to 1.9, RBAC objects (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings) should be migrated to ensure all persisted objects are written in `v1` format, prior to `v1alpha1` support being removed in a future release. (#52950, @liggitt)
  - unable to deploy privileged pod after 1.8 upgrade unless I set allowPrivilegeEscalation true (#53437)
    - PodSecurityPolicy: Fixes a compatibility issue that caused policies that previously allowed privileged pods to start forbidding them, due to an incorrect default value for `allowPrivilegeEscalation`. PodSecurityPolicy objects defined using a 1.8.0 client or server that intended to set `allowPrivilegeEscalation` to `false` must be reapplied after upgrading to 1.8.1. (#53443, @liggitt)
- (no SIG)
  - kubeadm join: Error out if CA pinning isn't used or opted out of (#55468, @yuexiao-wang)
  - update podtolerations admission to mutate and validate separately (#55251, @deads2k)
- Storage
  - Volume topology aware scheduling binding changes (#54435)
  - action required: The `storage.k8s.io/v1beta1` API and `volume.beta.kubernetes.io/storage-class` annotation are deprecated. They will be removed in a future release. Please use the v1 API and the field `v1.PersistentVolumeClaim.Spec.StorageClassName` / `v1.PersistentVolume.Spec.StorageClassName` instead. (#53580, @xiangpengzhao)
- Api-Machinery
  - Admission-Control
    - Added mutation support to admission webhooks. (#54892, @caesarxuchao)
    - the generic admission webhook is now available in the generic apiserver (#54513, @deads2k)
    - Authentication for webhook admission to heterogeneous authentication domains (#54404)
    - ExternalAdmissionHookConfiguration cannot choose URL (#53826)
  - Api
  - Api & Apiserver
  - Apiserver
    - Fix a bug that prevents client-go metrics from being registered in prometheus in multiple components. (#53434, @crassirostris)
  - Audit
    - Shutdown http handlers before shutting down audit backend (#50781)
      - Implement graceful shutdown of the kube-apiserver by waiting for open connections to finish before exiting. Moreover, the audit backend will stop dropping events on shutdown. (#53695, @hzxuzhonghu)
    - [audit] Always retry sending to webhook (#52909)
      - Webhook always retries connection reset error. (#53947, @crassirostris)
  - Custom-Resources
    - Getting CRD Validation to Beta (#53829)
      - Promote validation for custom resources defined through CRD to beta (#54647, @colemickens)
    - sample-controller example repository (#52752)
    - Unable to use a fieldSelector with custom resources (#51046)
    - CRD and TPR doesn't support watching one single instance (#49424)
  - Etcd
    - Update to etcd 3.1.X (#49386)
      - etcd: update version to 3.1.10 (#49393, @hongchaodeng)
  - Hw-Accelerators
  - Ipv6
  - PersistentVolumeSource should be read-only (#54562)
    - Validate that PersistentVolumeSource is not changed during PV Update (#54761, @ianchakeres)
  - [apps/v1] Change DefaultGarbageCollectionPolicy for workload controllers (#55027)
  - Collect metrics on admission rejections (#55030)
  - kube-apiserver "no --service-cluster-ip-range specified" and "Defaulting to 10.0.0.0/24". (#52695)
    - Fixed a bug which causes kube-apiserver to not run without specifying service-cluster-ip-range (#52870, @jennybuckley)
  - apiserver proxy feature does not rewrite Location header on redirects (#51790)
  - kubectl attach: client-go does not respect CIDRs in NO_PROXY (#54407)
  - should prevent the deletion of a PVC that is referenced by an active pod (#45143)
  - client-gen tag shortcomings when newline is omitted (#53893)
  - controller-manager crash loops if gc controller doesn't have access to extension apis (#55022)
    - API discovery failures no longer crash the kube controller manager via the garbage collector. (#55259, @ironcladlou)
  - Update gRPC library to pick up data race fix (#53124)
    - update gRPC to v1.6.0 to pick up data race fix grpc/grpc-go#1316 (#53128, @dixudx)
  - Enhance the codegen script within the staging sample apiserver to work with multiple groups and versions (#48714)
  - "kubectl explain" should be able to explain "apiservices" and "customresourcedefinition" (#49465)
  - `kubectl set` commands on ReplicaSet and DaemonSet occasionally return version registration errors (#53040)
  - apiserver uses wrong CommonName to verify service certificates for aggregated API Server when External admission controller is enabled (#56385)
  - ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
  - Google KMS integration was removed from in-tree in favor of an out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
  - `kubectl get` will by default fetch large lists of resources in chunks of up to 500 items rather than requesting all resources up front from the server. This reduces the perceived latency of managing large clusters since the server returns the first set of results to the client much more quickly. A new flag `--chunk-size=SIZE` may be used to alter the number of items or disable this feature when `0` is passed. This is a beta feature. (#53768, @smarterclayton)
  - Add events.k8s.io api group with v1beta1 API containing redesigned Event type. (#49112, @gmarek)
  - kubectl apply uses openapi to calculate the diff by default. It will fall back to the baked-in types when openapi is not available. (#51321, @mengqiy)
  - The `GenericAdmissionWebhook` is renamed as `ValidatingAdmissionWebhook`. Please update your apiserver configuration file to use the new name to pass to the apiserver's `--admission-control` flag. (#55988, @caesarxuchao)
  - Admission response alt (#55829, @cheftako)
  - The apiserver sends external versioned objects to the admission webhooks now. Please update the webhooks to expect admissionReview.spec.object.raw to be serialized external versions of objects. (#55127, @caesarxuchao)
  - apiserver: --etcd-quorum-read now defaults to true, to ensure correct operation with HA etcd clusters (#53717, @liggitt)
  - API chunking via the `limit` and `continue` request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton)
  - DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
  - conversion-gen --extra-peer-dirs references k8s.io/kubernetes types (#54301)
- Apps
  - Api
  - Batch & Workload-Api/Job
  - StatefulSet controller will create a label for each Pod in a StatefulSet. The label is named statefulset.kubernetes.io/pod-name and it is equal to the name of the Pod. This allows users to create a Service per Pod to expose a connection to individual Pods. (#55329, @kow3ns)
  - ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
  - DaemonSet status now has a new field named "conditions", making it consistent with other workload controllers. (#55272, @janetkuo)
  - DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
  - Add API version apps/v1, and bump DaemonSet to apps/v1 (#53278, @janetkuo)
  - Remove CreatedByAnnotation in v1.9, in favor of ControllerRef (#50720)
    - The `kubernetes.io/created-by` annotation is no longer added to controller-created objects. Use the `metadata.ownerReferences` item that has `controller` set to `true` to determine which controller, if any, owns an object. (#54445, @crimsonfaith91)
  - kubectl scale implementation for core workload controllers (#49504)
  - [apps/v1] Change DefaultGarbageCollectionPolicy for workload controllers (#55027)
- Architecture
  - Api
  - Google KMS integration was removed from in-tree in favor of an out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
- Auth
  - Admission-Control
  - Audit
    - [audit] Always retry sending to webhook (#52909)
      - Webhook always retries connection reset error. (#53947, @crassirostris)
    - [audit] Figure out timestamps in event objects (#52160)
      - add RequestReceivedTimestamp and StageTimestamp to audit event (#52981, @CaoShuFeng)
  - Kubeadm
  - Kubeadm & Kubelet
    - TLS-bootstrapped kubelet loses client certs after reboot, node stays on NotReady status (#53288)
  - [PodSecurityPolicy] Optimize getMatchingPolicies (#55521)
    - Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies. (#55643, @tallclair)
  - OIDC username prefix option is not working (#56169)
    - kube-apiserver: fixed --oidc-username-prefix and --oidc-group-prefix flags which previously weren't correctly enabled (#56175, @ericchiang)
  - RFE: Bootstrap Checkpointing - Modify manifest behavior slightly for self hosting. (#49236)
    - Initial basic bootstrap-checkpoint support (#50984, @timothysc)
  - Proposal: support unequivocal DENY in union authorizer (#51862)
    - Add support for the webhook authorizer to make a Deny decision that short-circuits the union authorizer and immediately returns Deny. (#53273, @mikedanese)
  - Split PSP defaulting and validation (#36184)
  - Certificate Signing Request cleaner to GC CSRs (#51550)
  - Reconciliation adds duplicated subjects on server start (#53296)
  - RBAC ClusterRoles can now select other roles to aggregate (#54005, @deads2k)
  - Audit policy files without apiVersion and kind are treated as invalid. (#54267, @ericchiang)
  - kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
  - Google KMS integration was removed from in-tree in favor of an out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
  - RBAC: The default `admin` and `edit` roles now include read/write permissions and the `view` role includes read permissions on `poddisruptionbudget.policy` resources. (#52654, @liggitt)
  - Pod Security Policy can now manage access to specific FlexVolume drivers (#53179, @wanghaoran1988)
  - Implement kubelet side file system resizing. Also implement GCE PD resizing (#55815, @gnufied)
  - The RBAC bootstrapping policy now allows authenticated users to create selfsubjectrulesreviews. (#56095, @ericchiang)
  - Defaulting of controller-manager options for --cluster-signing-cert-file and --cluster-signing-key-file is deprecated and will be removed in a later release. (#54495, @mikedanese)
  - Resolves forbidden error when accessing replicasets and daemonsets via the apps API group (#54309, @liggitt)
  - Platform/Gce
    - Add support for PodSecurityPolicy on GCE: `ENABLE_POD_SECURITY_POLICY=true` enables the admission controller, and installs policies for default addons. (#52367, @tallclair)
  - Security
    - Bring PodSecurityPolicy to usable state (#23217)
- Autoscaling
  - HPA is still using replicationcontrollers.extensions/scale (#38810)
    - RBAC PolicyRules now allow resource=`*/<subresource>` to cover `any-resource/<subresource>`. For example, `*/scale` covers `replicationcontroller/scale`. (#53722, @deads2k)
    - Introduces a polymorphic scale client, allowing HorizontalPodAutoscalers to properly function on scalable resources in any API group. (#53743, @DirectXMan12)
  - kubectl scale implementation for core workload controllers (#49504)
  - Update HPA tolerance to be a flag (#18155)
    - Control HPA tolerance through the `horizontal-pod-autoscaler-tolerance` flag. (#52275, @mattjmcnaughton)
  - HPA scaling above spec.maxReplicas (#53670)
    - Address a bug which allowed the horizontal pod autoscaler to allocate `desiredReplicas` > `maxReplicas` in certain instances. (#53690, @mattjmcnaughton)
- Aws
  - Adding tag annotations on service manifest for ELB does not trigger update on AWS (#54642)
    - Ensure additional resource tags are set/updated on AWS load balancers (#55731, @georgebuckerfield)
  - Taint an AWS node if a volume is stuck in "attaching" state for too long (#55502)
  - AWS makes high number of redundant AttachVolume and DeleteVolume calls (#55014)
  - AWS error messages printed on 2 lines (#49813)
  - Add support for resizing EBS disks (#56118, @gnufied)
  - It is now possible to override the healthcheck parameters for AWS ELBs via annotations on the corresponding service. The new annotations are `healthy-threshold`, `unhealthy-threshold`, `timeout`, `interval` (all prefixed with `service.beta.kubernetes.io/aws-load-balancer-healthcheck-`) (#56024, @dimpavloff)
  - Support AWS ECR credentials in China (#50108, @zzq889)
  - Enable AWS Network Load Balancer for Services of type LoadBalancer (#52173)
    - Add Amazon NLB support (#53400, @micahhausler)
- Azure
  - there are lots of warning messages due to GetMountRefs func in windows (#54670)
    - fix warning messages due to GetMountRefs func not implemented in windows (#52401, @andyzhangx)
  - Azure loadbalancer should reconcile security groups properly. (not just by name, but also by other properties) (#55733)
    - Kubernetes now updates Azure NSG rules based on differences not just in Name, but also in Protocol, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix, Access, and Direction. (#55752, @kevinkim9264)
  - wrong controller-master detection (#54570)
    - fix azure disk storage account init issue (#55927, @andyzhangx)
  - Azure disk does not work as expected (#55776)
    - fix azure disk storage account init issue (#55927, @andyzhangx)
  - Azure data disk should provision storage account on demand (#50883)
    - fix azure disk storage account init issue (#55927, @andyzhangx)
  - [Azure] Support setting the DNS name label for public IPs created by ingress controllers (#44775)
  - there is azure file mount limit issue on windows due to using drive letter (#54668)
    - fix azure file mount limit issue on windows due to using drive letter (#53629, @andyzhangx)
  - Azure disk: storage class should support the sku if the storage account supports it (#55774)
    - add GRS, RAGRS storage account type support for azure disk (#55931, @andyzhangx)
  - Restrict Azure NSG rules to allow external access only to load balancer IP (#54177, @itowlson)
  - Upgraded Azure SDK to v11.1.1. (#54971, @itowlson)
  - allow windows mount path (#51240, @andyzhangx)
  - Azure cloudprovider: Fix controller manager crash issue on a manually created k8s cluster. (#53694, @andyzhangx)
  - Panic in azure_dd/azure_mounter.go when syncing pod (#54149)
    - fix azure pv crash due to volumeSource.ReadOnly value nil (#54607, @andyzhangx)
  - azure_dd: managed disks don't pass "FormatAndMount" (#50150)
    - fix azure disk mount failure on coreos and some other distros (#54334, @andyzhangx)
  - Platform/Azure
    - azure_file volumes should allow setting of dir_mode and file_mode (#37005)
      - support mount options in azure file (#54674, @andyzhangx)
- Cli
  - Federation
    - Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
  - Kubectl
    - Unable to use kubectl get with a fieldSelector (#14129)
    - kubectl scale should use the scale subresource (#29698)
    - kubectl cp command supports copying a remote file into a local directory (#46762, @bruceauyeung)
    - Kubectl: Replace usages of swagger with open API (#44589)
  - `kubectl set` commands on ReplicaSet and DaemonSet occasionally return version registration errors (#53040)
  - "kubectl cp" updated to honor destination names (#51215, @juanvallejo)
  - Added --dry-run option to `kubectl drain` (#52440, @juanvallejo)
  - outputs `<none>` for columns specified by `-o custom-columns` but not found in object (#51750, @jianhuiz)
  - kubectl apply uses openapi to calculate the diff by default. It will fall back to the baked-in types when openapi is not available. (#51321, @mengqiy)
  - kubectl create pdb will no longer set the min-available field by default. (#53047, @yuexiao-wang)
  - DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
  - `kubectl get` will by default fetch large lists of resources in chunks of up to 500 items rather than requesting all resources up front from the server. This reduces the perceived latency of managing large clusters since the server returns the first set of results to the client much more quickly. A new flag `--chunk-size=SIZE` may be used to alter the number of items or disable this feature when `0` is passed. This is a beta feature. (#53768, @smarterclayton)
  - add `--raw` to `kubectl create` to POST using the normal transport (#54245, @deads2k)
  - Add create priorityclass sub command (#54857)
  - kubectl scale implementation for core workload controllers (#49504)
  - "kubectl explain" should be able to explain "apiservices" and "customresourcedefinition" (#49465)
  - Usability
- Cluster-Lifecycle
  - Apiserver & Cloudprovider & Platform/Gce
    - kube-apiserver: `--ssh-user` and `--ssh-keyfile` are now deprecated and will be removed in a future release. Users of SSH tunnel functionality used in Google Container Engine for the Master -> Cluster communication should plan to transition to alternate methods for bridging master and node networks. (#54433, @dims)
  - Cloudprovider
    - hyperkube: add cloud-controller-manager (#54197, @colemickens)
    - Expose concurrent-service-syncs flag on the CCM like it is for the KCM (#55560)
    - cloud controller manager does not support configmap resource locks (#55124)
    - Remove --cloud-provider=auto-detect (#50986)
  - Etcd
    - Update to etcd 3.1.X (#49386)
      - etcd: update version to 3.1.10 (#49393, @hongchaodeng)
  - Hw-Accelerators
    - GCE nodes with NVIDIA GPUs attached now expose `nvidia.com/gpu` as a resource instead of `alpha.kubernetes.io/nvidia-gpu`. (#54826, @mindprince)
  - Ipv6
  - Kubeadm
    - kubeadm 1.8.0 init fails with "/var/lib/kubelet is not empty" (#53356)
    - CertificateManager blocks kubelet start if auto-approval is not enabled (#53237)
    - Implement individual control for kubeadm preflight checks (#56072, @kad)
    - kubeadm now produces an error during preflight checks if swap is enabled. Users who can set up the kubelet to run in an unsupported environment with swap enabled will be able to skip that preflight check. (#55399, @kad)
    - kubeadm health checks can also be skipped with `--ignore-checks-errors` (#56130, @anguslees)
  - Kubeadm & Kubelet
    - TLS-bootstrapped kubelet loses client certs after reboot, node stays on NotReady status (#53288)
  - Kubelet-Api
  - RFE: Bootstrap Checkpointing - Modify manifest behavior slightly for self hosting. (#49236)
    - Initial basic bootstrap-checkpoint support (#50984, @timothysc)
  - Refactor kube-scheduler configuration (#52428)
    - The kube-scheduler command now supports a `--config` flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
  - Creation of gitRepo volume is broken in 1.8.0+ (#54129)
  - Update to Go 1.9 (#49484)
  - kubeadm: Add CoreDNS support for kubeadm "upgrade" and "alpha phases addons". (#55952, @rajansandeep)
  - Kubeadm now supports Kubelet Dynamic Configuration. (#55803, @xiangpengzhao)
  - Base images bumped to Debian Stretch (9) (#52744, @rphillips)
  - kubeadm init: fix a bug that prevented the --token-ttl flag and tokenTTL configuration value from working as expected for infinite (0) values. (#54640, @mattmoyer)
  - Feature gates now check minimum versions (#54539, @jamiehannaford)
  - Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
  - kubeadm: added `--print-join-command` flag for `kubeadm token create`. (#56185, @mattmoyer)
  - Adding etcd version display to kubeadm upgrade plan subcommand (#56156, @sbezverk)
  - Adds a new --etcd-upgrade keyword to kubeadm upgrade apply. When this keyword is specified, etcd's static pod gets upgraded to the etcd version officially recommended for a target kubernetes release. (#55010, @sbezverk)
  - kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
- Contributor-Experience
- Federation (Deprecated - Do Not Use)
- Gcp
  - Apiserver & Cloudprovider & Platform/Gce
    - kube-apiserver: `--ssh-user` and `--ssh-keyfile` are now deprecated and will be removed in a future release. Users of SSH tunnel functionality used in Google Container Engine for the Master -> Cluster communication should plan to transition to alternate methods for bridging master and node networks. (#54433, @dims)
  - Platform/Gce
    - GCE should allow users to configure with what service account their nodes are created (#53603)
      - Allow GCE users to configure the service account made available on their nodes (#52868, @ihmccreery)
- Instrumentation
  - Audit
    - [audit] Always retry sending to webhook (#52909)
      - Webhook always retries connection reset error. (#53947, @crassirostris)
    - Adjust batching audit webhook default parameters: increase queue size, batch size, and initial backoff. Add throttling to the batching audit webhook. Default rate limit is 10 QPS. (#53417, @crassirostris)
  - Hw-Accelerators
    - Kubelet now exposes metrics for NVIDIA GPUs attached to the containers. (#55188, @mindprince)
  - Logging
    - [fluentd-gcp addon] Fixes fluentd deployment on GCP when custom resources are set. (#55950, @crassirostris)
    - [fluentd-gcp addon] Fluentd now runs in its own network, not in the host one. (#54395, @crassirostris)
  - Collect metrics on admission rejections (#55030)
  - Bring all prom-to-sd containers to the same image version (#54583)
  - Fix a typo in prometheus-to-sd configuration that drops some stackdriver metrics. (#56473, @loburm)
  - [fluentd-elasticsearch addon] Elasticsearch and Kibana are updated to version 5.6.4 (#55400, @mrahbar)
  - A new field is added to CRI container log format to support splitting a long log line into multiple lines. (#55922, @Random-Liu)
  - fluentd now supports CRI log format. (#54777, @Random-Liu)
- Multicluster
  - Federation
    - Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
    - Enable `kubefed init` support `ImagePullSecrets` and `imagePullPolicy` (#50718)
    - Get clusters --show-labels does not work in a federation context (#53729)
- Network
  - Controller-Manager
  - Ipv6
  - Ipvs
    - Need to install ipset in debian-iptables docker image (#56116)
      - install ipset in debian-iptables docker image (#56115, @m1093782566)
    - IPVS kube-proxy will flush all existing ipvs rules in its startup (#55857)
      - Add cleanup-ipvs flag for kube-proxy (#56036, @m1093782566)
  - Ipvs & Kube-Proxy
    - Try ipset in kube-proxy (#54203)
      - Use ipset for SNAT and packet filtering in IPVS kube-proxy (#54219, @m1093782566)
    - Failed to access NodePort if kube-proxy running in ipvs mode (#53393)
      - Use ipset for SNAT and packet filtering in IPVS kube-proxy (#54219, @m1093782566)
  - Kube-Proxy
  - Add CoreDNS in kube-up (#56439)
    - Add CoreDNS as an optional addon in kube-up (#55728, @rajansandeep)
  - Calico add-on: calico/node pod can take a long time to be restarted (#55013)
  - Service controller retries on doNotRetry service update failure (#54183)
  - apiserver proxy feature does not rewrite Location header on redirects (#51790)
  - [kubelet] ignore keyword "options" defined in /etc/resolv.conf, only look for nameserver and search (#42542)
  - Fixes bad conversion in host port chain name generating func which leads to some unreachable host ports. (#55153, @chenchun)
  - kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
  - Fix IPVS availability check (#51874, @vfreex)
  - Enhanced the network policy describer. (#46951, @aanm)
  - Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
  - Improve resilience by annotating kube-dns addon with podAntiAffinity to prefer scheduling on different nodes. (#52193, @StevenACoffman)
  - Add DNSConfig field to PodSpec and support "None" mode for DNSPolicy (Alpha). (#55848, @MrHohn)
  - Support annotations for AWS ELB Security Policies (#43744)
    - Added service annotation for AWS ELB SSL policy (#54507, @micahhausler)
  - kube-proxy: session affinity stops working when ESIPP=Local (#55429)
  - zero-value settings for kube-proxy being overwritten by default values (#50787)
  - Platform/Gce
    - GCE: Bump GLBC version to 0.9.7. (#53625, @nikhiljindal)
    - GCE: ILB sync fails for legacy networks and auto networks with unusual subnet names (#53409)
      - GCE: Fixes ILB sync on legacy networks and auto networks with unique subnet names (#53410, @nicksardo)
    - GCE: Ignore resource not found errors when deleting LB resources (#53411)
      - GCE: Fix issue deleting internal load balancers when the firewall resource may not exist. (#53450, @nicksardo)
- Node
  - Cloudprovider
  - Hw-Accelerators
  - Ipv6
  - Kubeadm
  - Kubelet & Kubelet-Api
    - The EvictionHard, EvictionSoft, EvictionSoftGracePeriod, EvictionMinimumReclaim, SystemReserved, and KubeReserved fields in the KubeletConfiguration object (kubeletconfig/v1alpha1) are now of type map[string]string, which facilitates writing JSON and YAML files. (#54823, @mtaufen)
    - Relative paths in the Kubelet's local config files (--init-config-dir) will be resolved relative to the location of the containing files. (#55648, @mtaufen)
    - It is now possible to set multiple manifest url headers via the Kubelet's --manifest-url-header flag. Multiple headers for the same key will be added in the order provided. The ManifestURLHeader field in KubeletConfiguration object (kubeletconfig/v1alpha1) is now a map[string][]string, which facilitates writing JSON and YAML files. (#54643, @mtaufen)
  - Kubelet & Security
  - Kubelet-Api
    - Specifying feature gates as a string of key-value pairs in ComponentConfig structures is awkward (#53024)
  - CRI: Debug API (#53757)
    - Verbose option is added to each status function in CRI. Container runtime could return extra information in status response for debugging. (#53965, @Random-Liu)
  - Error when using journald log driver and FallbackToLogsOnError (#52502)
    - Get fallback termination msg from docker when using journald log driver (#52503, @joelsmith)
  - kubelet cannot show Docker-CE version correctly (#54039)
  - FailedSync event from kubelet provides no value (#53900)
    - kubelet provides more specific events when unable to sync pod (#53857, @derekwaynecarr)
  - Extra CRI call during processing cpu set (#53304)
  - Consume ImageFS stats from StatsProvider in ImageGCManager (#53083)
  - [Failing Test] [k8s.io] Summary API when querying /stats/summary should report resource usage through the stats api (#55909)
  - Cut and vendor cAdvisor v0.28.1 for the 1.9 release. (#55628)
  - Pods moving from Succeeded to Pending (#54499)
  - Hyperkube doesn't support --experimental-dockershim for kubelet (#54424)
  - Local pods stay around after node deletion (#48213)
  - Should be able to specify `unconfined` AppArmor profile (#52370)
  - Reduce cpumanager default logging verbosity (#54804)
  - Remove the backward compatibility code for kubelet 1.2 in NodeController. (#48995)
  - Deprecate --network-plugin-dir for kubelet (#46410)
    - Remove the --network-plugin-dir flag. (#53564, @supereagle)
  - Zone labels are removed every kubelet restart in 1.8 (#54070)
  - Add pod-level CPU and memory stats from pod cgroup information (#55969, @jingxu97)
  - Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
  - RBAC: The default `admin` and `edit` roles now include read/write permissions and the `view` role includes read permissions on `poddisruptionbudget.policy` resources. (#52654, @liggitt)
  - Remove docker dependency during kubelet start up (#54405, @resouer)
  - Fix overlay2 container disk metrics for Docker and CRI-O (#54827, @dashpole)
  - Metrics were added to network plugin to report latency of CNI operations (#53446, @sjenning)
  - Fix stats summary network value when multiple network interfaces are available. (#52144, @andyxning)
  - Kubelet can now provide full summary api support, except container log stats, for CRI container runtimes. (#55810, @abhi)
  - Add pod-level local ephemeral storage metric in Summary API. Pod-level ephemeral storage reports the total filesystem usage for the containers and emptyDir volumes in the measured Pod. (#55447, @jingxu97)
  - A new field is added to CRI container log format to support splitting a long log line into multiple lines. (#55922, @Random-Liu)
  - Kubelet supports running mount utilities and final mount in a container instead of running them on the host. (#53440, @jsafrane)
  - Fix the bug where querying the Kubelet's stats summary with CRI stats enabled results in an error. (#53107, @Random-Liu)
  - BugFix: Exited containers are not Garbage Collected by the kubelet while the pod is running (#53167, @dashpole)
  - Base images bumped to Debian Stretch (9) (#52744, @rphillips)
  - fluentd now supports CRI log format. (#54777, @Random-Liu)
  - Add Windows support to the system verification check (#53730, @bsteciuk)
  - fix a bug where disk pressure could trigger prematurely when using overlay2 (#53684, @dashpole)
  - Don't remove extended resource capacities that are not registered with kubelet from node status. (#53353, @jiayingz)
  - RFE: Bootstrap Checkpointing - Modify manifest behavior slightly for self hosting. (#49236)
    - Initial basic bootstrap-checkpoint support (#50984, @timothysc)
  - Better handling of device plugin resource deletion (#53395)
  - [feature] for GPU and hugepages, default must match defaultRequest in LimitRange if both are specified (#54917)
    - validate that default and defaultRequest match when creating LimitRange for GPU and hugepages. (#54919, @tianshapjq)
  - Make CRI logs parsing into a library (#55136)
  - Creation of gitRepo volume is broken in 1.8.0+ (#54129)
  - Large kubemark performance tests failing with timeout during ns deletion (#53327)
  - Platform/Gce
    - Remove compute-rw scope from GCE nodes (#8074)
      - gce: remove compute-rw, see what breaks (#53266, @mikedanese)
-
NullSig
-
Admission-Control
-
Admission-Control & Security
-
Audit
-
NullIssue
- [advanced audit] add a policy-wide `omitStages` (#54634, @CaoShuFeng)
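Added example (not from the release notes or the Kubernetes repository): an `audit.k8s.io/v1beta1` policy that sets `omitStages` once at the policy level and again on a single rule. The resources and verbs chosen are illustrative; the stage and level names are the ones the audit API defines.

```yaml
apiVersion: audit.k8s.io/v1beta1
kind: Policy
# Policy-wide: no rule produces a RequestReceived event, so each request
# yields at most one event (ResponseComplete) instead of two.
omitStages:
  - "RequestReceived"
rules:
  # Credentials: record who touched them, but never the request body.
  - level: Metadata
    resources:
      - group: ""
        resources: ["secrets", "configmaps"]
      - group: "authentication.k8s.io"
        resources: ["tokenreviews"]
  # Watches are long-running and would emit a ResponseStarted event;
  # a per-rule omitStages is unioned with the policy-wide list above.
  - level: Metadata
    verbs: ["watch"]
    omitStages:
      - "ResponseStarted"
  # Full request and response bodies for pod and RBAC changes.
  - level: RequestResponse
    verbs: ["create", "update", "patch", "delete"]
    resources:
      - group: ""
        resources: ["pods"]
      - group: "rbac.authorization.k8s.io"
  # Catch-all: metadata for everything else.
  - level: Metadata
```

Rules are evaluated in order and the first match wins, so the catch-all must stay last. Omitting `RequestReceived` halves event volume but also means a request that never completes (client disconnect, apiserver crash) leaves no trace; keep that stage for the rules you would use in an investigation if that trade-off matters.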
-
-
NullArea
-
NullIssue
- The dynamic admission webhook now supports a URL in addition to a service reference, to accommodate out-of-cluster webhooks. (#54889, @lavalamp)
- Do not recalculate a pod's priority when the user updates other parts of the pod spec. (#55221, @CaoShuFeng)
- Fix iptables FORWARD policy for Docker 1.13 in kubernetes-worker charm (#54796, @Cynerva)
- Add PodDisruptionBudget to scheduler cache. (#53914, @bsalamat)
- Log when node is successfully initialized by Cloud Controller Manager (#53517, @andrewsykim)
- Upgrading the kubernetes-master units now results in staged upgrades just like the kubernetes-worker nodes. Use the upgrade action in order to continue the upgrade process on each unit, for example `juju run-action kubernetes-master/0 upgrade`. (#55990, @hyperbolic2346)
- Addon manager supports HA masters. (#55466, @x13n)
- In the PodTolerationRestriction admission plugin, if namespace-level tolerations are empty, they now override cluster-level tolerations. (#54812, @aveshagarwal)
- Improve explanation of ReplicaSet (#53403, @rcorre)
- kubeadm: Fix a bug on some OSes where the kubelet tried to mount a volume path that is non-existent and on a read-only filesystem (#55320, @andrewrynhard)
- Avoid unnecessary spam in kube-controller-manager log if --cluster-cidr is not specified and --allocate-node-cidrs is false. (#54934, @akosiaris)
- GCI mounter is moved from the manifests tarball to the server tarball. (#47497, @mikedanese)
- Ignore extended resources that are not registered with kubelet during container resource allocation. (#53547, @jiayingz)
- PodSecurityPolicies for addons (#55509, @tallclair)
- Correct wording of kubeadm upgrade response for missing ConfigMap. (#53337, @jmhardison)
- Support completion for --clusterrole of kubectl create clusterrolebinding (#48267, @superbrothers)
- GCE: provide an option to disable docker's live-restore on COS/ubuntu (#55260, @yujuhong)
- secret data containing Docker registry auth objects is now generated using the config.json format (#53916, @juanvallejo)
- Add support for RBAC support to Kubernetes via Juju (#53820, @ktsakalozos)
- Kubelet evictions take pod priority into account (#53542, @dashpole)
- Add --etcd-compaction-interval to apiserver for controlling request of compaction to etcd3 from apiserver. (#51765, @mitake)
- Bugfix: master startup script on GCP no longer fails randomly due to concurrent iptables invocations. (#55945, @x13n)
- Add extra-args configs for scheduler and controller-manager to kubernetes-master charm (#55185, @Cynerva)
- Fix clustered datastore name to be absolute. (#54438, @pshahzeb)
- Enable Priority admission control in kubeadm. (#53175, @andrewsykim)
- If you are using the cloud provider API to determine the external host address of the apiserver, set --external-hostname explicitly instead. The cloud provider detection has been deprecated and will be removed in the future (#54516, @dims)
- Added support for SAN entries in the master node certificate via juju kubernetes-master config. (#54234, @hyperbolic2346)
- `kubectl get` will now use OpenAPI schema extensions by default to select columns for custom types. (#53483, @apelisse)
- Fix kubeadm reset crictl command (#55717, @runcom)
- kubeadm: Add support for adding a Windows node (#53553, @bsteciuk)
- Update AWS SDK to 1.12.7 (#53561, @justinsb)
- Avoid repeated registration of AlgorithmProvider when applying feature gates. (#54047, @kuramal)
- Upgrade fluentd-elasticsearch addon to Elasticsearch/Kibana 5.6.2 (#53307, @aknuds1)
- The output of kubectl config get-contexts is now sorted alphabetically by the context name. (#46946, @kellycampbell)
- kubeadm: reset: use crictl to reset containers (#54721, @runcom)
- kubeadm: use the CRI for preflights checks (#55055, @runcom)
- Added extra_sans config option to kubeapi-load-balancer charm. This allows the user to specify extra SAN entries on the certificate generated for the load balancer. (#54947, @hyperbolic2346)
- Fix metrics API group name in audit configuration (#53493, @piosz)
- default fail-swap-on to false for kubelet on kubernetes-worker charm (#53386, @wwwtyro)
- Add vishh as a reviewer/approver for the hack directory. (#54007, @vishh)
- If a non-absolute mountPath is passed to the kubelet, prefix it with the appropriate root path. (#55665, @brendandburns)
- Update kube-dns to 1.14.7 (#54443, @bowei)
- Horizontal pod autoscaler uses REST clients through the kube-aggregator instead of the legacy client through the API server proxy. (#53205, @kawych)
- The minimum supported go version bumps to 1.9.1. (#55301, @xiangpengzhao)
- Add a new feature gate for enabling an alpha annotation which, if present, excludes the annotated node from being added to a service load balancers. (#54644, @brendandburns)
- Metadata concealment on GCE is now controlled by the `ENABLE_METADATA_CONCEALMENT` env var. See cluster/gce/config-default.sh for more info. (#54150, @ihmccreery)
- Remove LBaaS v1 support from the OpenStack cloud provider; only LBaaS v2 is now supported. (#52717, @FengyunPan)
- Fixes a performance issue (#51899) identified in large-scale clusters when deleting thousands of pods simultaneously across hundreds of nodes, by actively removing containers of deleted pods, rather than waiting for periodic garbage collection and batching resulting pod API deletion requests. (#53233, @dashpole)
- Fix code-generators to produce correct code when GroupName, PackageName and/or GoName differ. (#55614, @sttts)
- Allow HPA to read custom metrics. (#54854, @kawych)
- Fix permissions for Metrics Server. (#53330, @kawych)
- [fluentd-elasticsearch addon] Elasticsearch service name can be overridden via env variable ELASTICSEARCH_SERVICE_NAME (#54215, @mrahbar)
- Change `kubeadm create token` to default to the group that almost everyone will want to use. The group is `system:bootstrappers:kubeadm:default-node-token` and is the group that kubeadm sets up, via an RBAC binding, for auto-approval (`system:certificates.k8s.io:certificatesigningrequests:nodeclient`). (#53512, @jbeda)
- Add --no-negcache flag to kube-dns to prevent caching of NXDOMAIN responses. (#53604, @cblecker)
- Deprecation: The `etcd-quorum-read` flag of kube-apiserver is deprecated and the ability to switch off quorum read will be removed in a future release. (#53795, @xiangpengzhao)
- kubeadm: Strip bootstrap tokens from the `kubeadm-config` ConfigMap (#53559, @fabriziopandini)
- Added integration test for TaintNodeByCondition. (#53184, @k82cn)
- Added namespaceSelector to externalAdmissionWebhook configuration to allow applying webhooks only to objects in the namespaces that have matching labels. (#54727, @caesarxuchao)
- Add masquerading rules by default to GCE/GKE (#55178, @dnardo)
- [cluster-monitoring addon] Update monitoring-influxdb-grafana to latest version (#53319, @kairen)
- Increase waiting time (120s) for docker startup in health-monitor.sh (#54099, @dchen1107)
- update podtolerations admission to mutate and validate separately (#55251, @deads2k)
- Add limitrange/resourcequota/downward_api e2e tests for local ephemeral storage (#52523, @NickrenREN)
- Update fluentd-gcp DaemonSet (#54175, @tallclair)
- Allow for configuring etcd hostname in the manifest (#54403, @wojtek-t)
- Use multi-arch busybox image for e2e (#54034, @dixudx)
- Addon manager supports HA masters. (#55782, @x13n)
- Add extra-args configs to kubernetes-worker charm (#55334, @Cynerva)
- Log error of failed healthz check (#53048, @mrIncompetent)
- Fix `kubeadm upgrade plan` for offline operation: ignore errors when trying to fetch latest versions from dl.k8s.io (#54016, @praseodym)
- Support completion for kubectl config rename-context (#48340, @superbrothers)
- Removes Priority Admission Controller from kubeadm since it's alpha. (#55237, @andrewsykim)
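Added example (not from the release notes or the Kubernetes repository) covering two items in the list above: the dynamic admission webhook's new `url` client config and the `namespaceSelector`. In the `admissionregistration.k8s.io/v1beta1` API the object is a `ValidatingWebhookConfiguration`; the webhook name, URL, label key and the `caBundle` value are assumptions.

```yaml
apiVersion: admissionregistration.k8s.io/v1beta1
kind: ValidatingWebhookConfiguration
metadata:
  name: pod-policy.example.com          # assumed name
webhooks:
  - name: pod-policy.example.com
    clientConfig:
      # Out-of-cluster webhook reached by URL instead of a Service
      # reference. The scheme must be https and the serving certificate
      # must chain to caBundle (base64-encoded PEM; value assumed).
      url: https://admission.example.com:8443/validate
      caBundle: "<base64 PEM bundle for the webhook CA; assumed>"
    rules:
      - operations: ["CREATE", "UPDATE"]
        apiGroups: [""]
        apiVersions: ["v1"]
        resources: ["pods"]
    # Fail closed: if the webhook is down or times out, reject the request.
    failurePolicy: Fail
    # Enforce everywhere except namespaces explicitly marked exempt.
    # DoesNotExist makes enforcement the default rather than opt-in.
    namespaceSelector:
      matchExpressions:
        - key: admission.example.com/exempt     # assumed label key
          operator: DoesNotExist
```

Two checks before deploying this shape: with `failurePolicy: Fail`, label the namespaces the control plane itself depends on (typically kube-system) as exempt, otherwise an outage of the webhook blocks the pods needed to recover from it; and since anyone who can edit namespace labels can exempt a namespace, restrict `update`/`patch` on namespaces via RBAC to the same set of people allowed to change the webhook configuration.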
-
-
-
Openstack
-
NullArea
-
NullIssue
- OpenStack cloud provider supports Cinder v3 API. (#52910, @FengyunPan)
- Octavia v2 now supported as a LB provider (#55393, @jamiehannaford)
- Make OpenStack LBaaS v2 Provider configurable (#54176, @gonzolino)
- Support auto-probing the node security group in the OpenStack cloud provider, and support multiple security groups for the cluster's nodes. (#50836, @FengyunPan)
-
OpenStack Cinder version detection fails (and is incorrect) (#50461)
- Using OpenStack service catalog to do version detection (#53115, @FengyunPan)
-
-
-
Release
-
Scalability
-
Etcd
-
Update to etcd 3.1.X (#49386)
- etcd: update version to 3.1.10 (#49393, @hongchaodeng)
-
-
NullArea
-
NullIssue
- ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
- apiserver: --etcd-quorum-read now defaults to true, to ensure correct operation with HA etcd clusters (#53717, @liggitt)
- API chunking via the `limit` and `continue` request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton)
-
Update to Go 1.9 (#49484)
-
Large kubemark performance tests failing with timeout during ns deletion (#53327)
-
[PodSecurityPolicy] Optimize getMatchingPolicies (#55521)
- Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies. (#55643, @tallclair)
-
-
-
Scheduling
-
Hw-Accelerators
-
NullIssue
- Add ExtendedResourceToleration admission controller. This facilitates creation of dedicated nodes with extended resources. If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to taint the node with extended resource name as the key. This admission controller, if enabled, automatically adds tolerations for such taints to pods requesting extended resources, so users don't have to manually add these tolerations. (#55839, @mindprince)
- GCE nodes with NVIDIA GPUs attached now expose `nvidia.com/gpu` as a resource instead of `alpha.kubernetes.io/nvidia-gpu`. (#54826, @mindprince)
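Added example (not from the release notes or the Kubernetes repository) for the two items above: a node tainted with the extended resource name as the taint key, and a pod that requests `nvidia.com/gpu` and therefore receives a matching toleration from the ExtendedResourceToleration admission plugin. The node name, pod name and container image are assumptions; the plugin must be listed in the apiserver's `--admission-control` flag for the toleration to be added.

```yaml
# Dedicated GPU node: the taint key is the extended resource name.
# Equivalent imperative form:
#   kubectl taint nodes gpu-node-1 nvidia.com/gpu=present:NoSchedule
apiVersion: v1
kind: Node
metadata:
  name: gpu-node-1                     # assumed
spec:
  taints:
    - key: nvidia.com/gpu
      value: present
      effect: NoSchedule
---
apiVersion: v1
kind: Pod
metadata:
  name: cuda-smoke-test                # assumed
spec:
  restartPolicy: Never
  containers:
    - name: cuda
      image: nvidia/cuda:9.0-base      # assumed image
      command: ["nvidia-smi"]
      resources:
        # Extended resources cannot be overcommitted: if both are set,
        # requests must equal limits, so setting limits alone is enough.
        limits:
          nvidia.com/gpu: 1
  # Not written by the user. ExtendedResourceToleration adds this because the
  # pod requests an extended resource; it is shown so the admitted object is
  # visible. Verify with: kubectl get pod cuda-smoke-test -o yaml
  tolerations:
    - key: nvidia.com/gpu
      operator: Exists
      effect: NoSchedule
```

The taint keeps ordinary workloads off the expensive node; the plugin removes the need for every GPU user to remember the toleration. It does not replace node affinity: a pod tolerating the taint may still land on a non-GPU node if the scheduler finds no `nvidia.com/gpu` capacity elsewhere is needed, so pair the resource request with a `nodeSelector` or affinity on the accelerator label when placement must be exact.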
-
-
NullArea
-
Support PodDisruptionBudget during preemption (#53913)
-
Fix starvation problem in pod preemption (#54501)
-
Refactor kube-scheduler configuration (#52428)
- The kube-scheduler command now supports a `--config` flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
-
Large kubemark performance tests failing with timeout during ns deletion (#53327)
-
Scheduler should handle pod updates during scheduling more gracefully (#52914)
-
"notReady" toleration should be "not-ready" (#51246)
-
Remove support for opaque integer resources (deprecated in v1.8) (#55102)
- Remove opaque integer resources (OIR) support (deprecated in v1.8.) (#55103, @ConnorDoyle)
-
Consider moving TaintNodeUnreachable out of alpha (#54198)
-
NullIssue
- move getMaxVols function to predicates.go and add some NewVolumeCountPredicate funcs (#51783, @jiulongzaitian)
- Apply algorithm in scheduler by feature gates. (#52723, @k82cn)
- RBAC: The default `admin` and `edit` roles now include read/write permissions and the `view` role includes read permissions on `poddisruptionbudget.policy` resources. (#52654, @liggitt)
- Add a new scheduling queue that helps schedule the highest priority pending pod first. (#55109, @bsalamat)
- add hostIP and protocol to the original hostport predicates procedure in scheduler. (#52421, @WIZARD-CXY)
- Object count quotas supported on all standard resources using `count/<resource>.<group>` syntax (#54320, @derekwaynecarr)
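Added example (not from the release notes or the Kubernetes repository) of the object count quota syntax above. Core-group resources use `count/<resource>`; everything else uses `count/<resource>.<group>`. The namespace and the limits are assumptions.

```yaml
apiVersion: v1
kind: ResourceQuota
metadata:
  name: object-counts
  namespace: team-a                    # assumed
spec:
  hard:
    # Core group: no group suffix.
    count/secrets: "50"
    count/configmaps: "50"
    count/services: "10"
    count/persistentvolumeclaims: "20"
    # Other groups: <resource>.<group>.
    count/deployments.apps: "30"
    count/replicasets.apps: "60"
    count/jobs.batch: "20"
    count/cronjobs.batch: "5"
    # Any namespaced standard resource can be counted, including RBAC
    # objects, which bounds how far a namespace admin can spread access.
    count/rolebindings.rbac.authorization.k8s.io: "20"
```

A quota only gates new creations: objects already over the limit when the quota is applied are not deleted, and `kubectl describe quota object-counts -n team-a` shows the current usage against each hard value. The older `pods`, `services` and similar bare keys still work; the `count/` form is what adds coverage for the non-core groups.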
-
Scheduler dies with "Schedulercache is corrupted" (#50916)
-
-
-
Service-Catalog
-
NullArea
-
PodPreset Feature Tests Consistently Causing ci-kubernetes-e2e-gci-gce-alpha-features to Fail (#53079)
- Skip the podpreset test if the alpha feature settings/v1alpha1 is disabled (#53080, @jennybuckley)
-
-
-
Storage
-
NullArea
-
PVCs using `standard` StorageClass create PDs in the wrong zone in multi-zone GKE clusters (#50115)
- Fix a bug in GCE multizonal clusters where PersistentVolumes were sometimes created in zones without nodes. (#52322, @davidz627)
-
Taint an AWS node if a volume is stuck in "attaching" state for too long (#55502)
-
Add support for verifying attached but desired to be detached PVCs (#52573)
-
Zero capacity PVs cause pods to fail and zero capacity PVCs create zero capacity PVs (#55553)
- Validate positive capacity for PVs and PVCs. (#55532, @ianchakeres)
-
ScaleIO - credentials could be accessed by non-admin users (#53619)
- ScaleIO persistent volumes now support referencing a secret in a namespace other than the bound persistent volume claim's namespace; this is controlled during provisioning with the `secretNamespace` storage class parameter. The StoragePool and ProtectionDomain attributes no longer default to the value `default`. (#54013, @vladimirvivien)
-
Recycle always failed on non x86 platform (#53942)
-
NullIssue
- Implement kubelet side file system resizing. Also implement GCE PD resizing (#55815, @gnufied)
- Implement volume resize for cinder (#51498, @NickrenREN)
- Block volumes Support: CRI, volumemanager and operationexecutor changes (#51494, @mtanino)
- iSCSI Persistent Volume Sources can now reference CHAP Secrets in namespaces other than the namespace of the bound Persistent Volume Claim (#51530, @rootfs)
- Add resize support for ceph RBD (#52767, @NickrenREN)
- Add support for resizing EBS disks (#56118, @gnufied)
- Block volumes Support: FC plugin update (#51493, @mtanino)
- Updating vsphere cloud provider to support k8s cluster spread across multiple vCenters (#55845, @rohitjogvmw)
- Kubelet supports running mount utilities and the final mount in a container instead of running them on the host. (#53440, @jsafrane)
- allow windows mount path (#51240, @andyzhangx)
- RBD Persistent Volume Sources can now reference User's Secret in namespaces other than the namespace of the bound Persistent Volume Claim (#54302, @sbezverk)
- Pod Security Policy can now manage access to specific FlexVolume drivers (#53179, @wanghaoran1988)
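Added example (not from the release notes or the Kubernetes repository) for two items in the list above: a PodSecurityPolicy that permits only named FlexVolume drivers, and an RBD PersistentVolume whose user secret lives in a namespace other than the claim's. Driver names, Ceph monitor address, pool, image and secret names are assumptions.

```yaml
apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-flex
spec:
  privileged: false
  allowPrivilegeEscalation: false
  runAsUser:
    rule: MustRunAsNonRoot
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  # flexVolume is allowed as a type, but only for the drivers listed below.
  # An empty allowedFlexVolumes would allow every driver, so list them.
  volumes:
    - configMap
    - secret
    - emptyDir
    - persistentVolumeClaim
    - flexVolume
  allowedFlexVolumes:
    - driver: example/lvm                # assumed driver names
    - driver: example/cifs
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: ceph-rbd-pv                      # assumed
spec:
  # Capacity must be positive; zero-capacity PVs are now rejected.
  capacity:
    storage: 10Gi
  accessModes: ["ReadWriteOnce"]
  persistentVolumeReclaimPolicy: Retain
  rbd:
    monitors: ["10.16.153.105:6789"]     # assumed
    pool: kube
    image: vol1
    user: kube
    fsType: ext4
    secretRef:
      name: ceph-user-secret
      # The secret no longer has to live in the claiming namespace, so
      # tenants bound to this PV cannot read the Ceph credentials.
      namespace: storage-admin           # assumed
```

The FlexVolume check runs on the driver string of in-line `flexVolume` sources; a pod that mounts a FlexVolume through a PersistentVolumeClaim is still subject to the `persistentVolumeClaim` entry, so keep the PV objects themselves under admin-only RBAC. For the PV, a cluster admin creating it in a namespace the tenant cannot `get` secrets from is the whole point of the cross-namespace reference: check with `kubectl auth can-i get secrets -n storage-admin --as=<tenant user>` that the answer is no.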
-
should prevent the deletion of a PVC that is referenced by an active pod (#45143)
-
PersistentVolumeSource should be read-only (#54562)
- Validate that PersistentVolumeSource is not changed during PV Update (#54761, @ianchakeres)
-
Multi Attach PVC errors and events are too noisy (#53214)
-
wrong controller-master detection (#54570)
- fix azure disk storage account init issue (#55927, @andyzhangx)
-
Remove ScaleIO dependency on drv_cfg binary for containerization (#54954)
- ScaleIO driver completely removes dependency on drv_cfg binary so a Kubernetes cluster can easily run a containerized kubelet. (#54956, @vladimirvivien)
-
-
Platform/Gce
-
Remove compute-rw scope from GCE nodes (#8074)
- gce: remove compute-rw, see what breaks (#53266, @mikedanese)
-
-
-
Testing
-
Federation
-
NullIssue
- Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
-
-
Hw-Accelerators
-
NullIssue
- Kubelet now exposes metrics for NVIDIA GPUs attached to the containers. (#55188, @mindprince)
-
-
NullArea
-
Update to Go 1.9 (#49484)
-
NullIssue
- Fix to prevent the downward API change from breaking older versions (#53673, @timothysc)
- API chunking via the `limit` and `continue` request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton)
-
-
-
Windows
-
NullArea
-
wrong controller-master detection (#54570)
- fix azure disk storage account init issue (#55927, @andyzhangx)
-
there is azure file mount limit issue on windows due to using drive letter (#54668)
- fix azure file mount limit issue on windows due to using drive letter (#53629, @andyzhangx)
-
there are lots of warning message due to GetMountRefs func in windows (#54670)
- fix warning messages due to GetMountRefs func not implemented in windows (#52401, @andyzhangx)
-
NullIssue
- allow windows mount path (#51240, @andyzhangx)
-
-