- NullIssue
  - Graduate the admission and admissionregistration (webhook part) API to v1beta1 (#56004, @caesarxuchao)
  - action required: Deprecated flags `--portal-net` and `service-node-ports` of kube-apiserver are removed. (#52547, @xiangpengzhao)
- unable to deploy privileged pod after 1.8 upgrade unless I set allowPrivilegeEscalation true (#53437)
  - PodSecurityPolicy: Fixes a compatibility issue that caused policies that previously allowed privileged pods to start forbidding them, due to an incorrect default value for `allowPrivilegeEscalation`. PodSecurityPolicy objects defined using a 1.8.0 client or server that intended to set `allowPrivilegeEscalation` to `false` must be reapplied after upgrading to 1.8.1. (#53443, @liggitt)
- NullIssue
  - RBAC objects are now stored in etcd in v1 format. After completing an upgrade to 1.9, RBAC objects (Roles, RoleBindings, ClusterRoles, ClusterRoleBindings) should be migrated to ensure all persisted objects are written in `v1` format, prior to `v1alpha1` support being removed in a future release. (#52950, @liggitt)
- NullIssue
  - update podtolerations admission to mutate and validate separately (#55251, @deads2k)
  - kubeadm join: Error out if CA pinning isn't used or opted out of (#55468, @yuexiao-wang)
- Volume topology aware scheduling binding changes (#54435)
- NullIssue
  - action required: The `storage.k8s.io/v1beta1` API and the `volume.beta.kubernetes.io/storage-class` annotation are deprecated. They will be removed in a future release. Please use the v1 API and the field `v1.PersistentVolumeClaim.Spec.StorageClassName` / `v1.PersistentVolume.Spec.StorageClassName` instead. (#53580, @xiangpengzhao)
- NullIssue
  - Added mutation support to admission webhooks. (#54892, @caesarxuchao)
  - the generic admission webhook is now available in the generic apiserver (#54513, @deads2k)
- Authentication for webhook admission to heterogeneous authentication domains (#54404)
- ExternalAdmissionHookConfiguration cannot choose URL (#53826)
- Eliminate Phase and Conditions from the API (#7856)
- Reported subresource discovery is incorrect (#54684)
- NullIssue
  - Fix a bug that prevents client-go metrics from being registered in prometheus in multiple components. (#53434, @crassirostris)
- Shutdown http handlers before shutting down audit backend (#50781)
  - Implement graceful shutdown of the kube-apiserver by waiting for open connections to finish before exiting. Moreover, the audit backend will stop dropping events on shutdown. (#53695, @hzxuzhonghu)
- [audit] Always retry sending to webhook (#52909)
  - Webhook always retries connection reset error. (#53947, @crassirostris)
- Getting CRD Validation to Beta (#53829)
  - Promote validation for custom resources defined through CRD to beta (#54647, @colemickens)
- sample-controller example repository (#52752)
- Unable to use a fieldSelector with custom resources (#51046)
- CRD and TPR don't support watching one single instance (#49424)
- Update to etcd 3.1.X (#49386)
  - etcd: update version to 3.1.10 (#49393, @hongchaodeng)
- should prevent the deletion of a PVC that is referenced by an active pod (#45143)
- kube-apiserver "no --service-cluster-ip-range specified" and "Defaulting to 10.0.0.0/24". (#52695)
  - Fixed a bug which caused kube-apiserver to not run without specifying service-cluster-ip-range (#52870, @jennybuckley)
- kubectl attach: client-go does not respect CIDRs in NO_PROXY (#54407)
- Enhance the codegen script within the staging sample apiserver to work with multiple groups and versions (#48714)
- NullIssue
  - Admission response alt (#55829, @cheftako)
  - Google KMS integration was removed from in-tree in favor of an out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
  - DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
  - `kubectl get` will by default fetch large lists of resources in chunks of up to 500 items rather than requesting all resources up front from the server. This reduces the perceived latency of managing large clusters since the server returns the first set of results to the client much more quickly. A new flag `--chunk-size=SIZE` may be used to alter the number of items or disable this feature when `0` is passed. This is a beta feature. (#53768, @smarterclayton)
  - apiserver: --etcd-quorum-read now defaults to true, to ensure correct operation with HA etcd clusters (#53717, @liggitt)
  - API chunking via the `limit` and `continue` request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton)
  - Add events.k8s.io api group with v1beta1 API containing redesigned Event type. (#49112, @gmarek)
  - kubectl apply uses openapi to calculate the diff by default. It will fall back to using baked-in types when openapi is not available. (#51321, @mengqiy)
  - The `GenericAdmissionWebhook` is renamed as `ValidatingAdmissionWebhook`. Please update your apiserver configuration file to use the new name to pass to the apiserver's `--admission-control` flag. (#55988, @caesarxuchao)
  - The apiserver sends external versioned objects to the admission webhooks now. Please update the webhooks to expect admissionReview.spec.object.raw to be serialized external versions of objects. (#55127, @caesarxuchao)
  - ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
- [apps/v1] Change DefaultGarbageCollectionPolicy for workload controllers (#55027)
- Collect metrics on admission rejections (#55030)
- controller-manager crash loops if gc controller doesn't have access to extension apis (#55022)
  - API discovery failures no longer crash the kube controller manager via the garbage collector. (#55259, @ironcladlou)
- conversion-gen --extra-peer-dirs references k8s.io/kubernetes types (#54301)
- "kubectl explain" should be able to explain "apiservices" and "customresourcedefinition" (#49465)
- client-gen tag shortcomings when newline is omitted (#53893)
- PersistentVolumeSource should be read-only (#54562)
  - Validate that PersistentVolumeSource is not changed during PV Update (#54761, @ianchakeres)
- apiserver proxy feature does not rewrite Location header on redirects (#51790)
- Update gRPC library to pick up data race fix (#53124)
  - update gRPC to v1.6.0 to pick up data race fix grpc/grpc-go#1316 (#53128, @dixudx)
- `kubectl set` commands on ReplicaSet and DaemonSet occasionally return version registration errors (#53040)
- apiserver uses wrong CommonName to verify service certificates for aggregated API Server when External admission controller is enabled (#56385)
- Eliminate Phase and Conditions from the API (#7856)
- Implement scale endpoint for jobs (#38756)
- Remove CreatedByAnnotation in v1.9, in favor of ControllerRef (#50720)
  - The `kubernetes.io/created-by` annotation is no longer added to controller-created objects. Use the `metadata.ownerReferences` item that has `controller` set to `true` to determine which controller, if any, owns an object. (#54445, @crimsonfaith91)
- kubectl scale implementation for core workload controllers (#49504)
- [apps/v1] Change DefaultGarbageCollectionPolicy for workload controllers (#55027)
- NullIssue
  - StatefulSet controller will create a label for each Pod in a StatefulSet. The label is named statefulset.kubernetes.io/pod-name and it is equal to the name of the Pod. This allows users to create a Service per Pod to expose a connection to individual Pods. (#55329, @kow3ns)
  - ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
  - DaemonSet status now has a new field named "conditions", making it consistent with other workload controllers. (#55272, @janetkuo)
  - DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
  - Add API version apps/v1, and bump DaemonSet to apps/v1 (#53278, @janetkuo)
- Eliminate Phase and Conditions from the API (#7856)
- NullIssue
  - Google KMS integration was removed from in-tree in favor of an out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
- Authentication for webhook admission to heterogeneous authentication domains (#54404)
- [audit] Figure out timestamps in event objects (#52160)
  - add RequestReceivedTimestamp and StageTimestamp to audit event (#52981, @CaoShuFeng)
- [audit] Always retry sending to webhook (#52909)
  - Webhook always retries connection reset error. (#53947, @crassirostris)
- CertificateManager blocks kubelet start if auto-approval is not enabled (#53237)
- TLS-bootstrapped kubelet loses client certs after reboot, node stays on NotReady status (#53288)
- NullIssue
  - Implement kubelet side file system resizing. Also implement GCE PD resizing (#55815, @gnufied)
  - kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
  - Google KMS integration was removed from in-tree in favor of an out-of-process extension point that will be used for all KMS providers. (#54759, @sakshamsharma)
  - Pod Security Policy can now manage access to specific FlexVolume drivers (#53179, @wanghaoran1988)
  - The RBAC bootstrapping policy now allows authenticated users to create selfsubjectrulesreviews. (#56095, @ericchiang)
  - Defaulting of controller-manager options for --cluster-signing-cert-file and --cluster-signing-key-file is deprecated and will be removed in a later release. (#54495, @mikedanese)
  - RBAC ClusterRoles can now select other roles to aggregate (#54005, @deads2k)
  - Audit policy files without apiVersion and kind are treated as invalid. (#54267, @ericchiang)
  - Resolves forbidden error when accessing replicasets and daemonsets via the apps API group (#54309, @liggitt)
  - RBAC: The default `admin` and `edit` roles now include read/write permissions and the `view` role includes read permissions on `poddisruptionbudget.policy` resources. (#52654, @liggitt)
- [PodSecurityPolicy] Optimize getMatchingPolicies (#55521)
  - Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies. (#55643, @tallclair)
- OIDC username prefix option is not working (#56169)
  - kube-apiserver: fixed --oidc-username-prefix and --oidc-group-prefix flags which previously weren't correctly enabled (#56175, @ericchiang)
- RFE: Bootstrap Checkpointing - Modify manifest behavior slightly for self hosting. (#49236)
  - Initial basic bootstrap-checkpoint support (#50984, @timothysc)
- Proposal: support unequivocal DENY in union authorizer (#51862)
  - Add support for the webhook authorizer to make a Deny decision that short-circuits the union authorizer and immediately returns Deny. (#53273, @mikedanese)
- Split PSP defaulting and validation (#36184)
- Certificate Signing Request cleaner to GC CSRs (#51550)
- Reconciliation adds duplicated subjects on server start (#53296)
- NullIssue
  - Add support for PodSecurityPolicy on GCE: `ENABLE_POD_SECURITY_POLICY=true` enables the admission controller, and installs policies for default addons. (#52367, @tallclair)
- Bring PodSecurityPolicy to usable state (#23217)
- HPA is still using replicationcontrollers.extensions/scale (#38810)
  - Introduces a polymorphic scale client, allowing HorizontalPodAutoscalers to properly function on scalable resources in any API group. (#53743, @DirectXMan12)
  - RBAC PolicyRules now allow resource=`*/<subresource>` to cover `any-resource/<subresource>`. For example, `*/scale` covers `replicationcontroller/scale`. (#53722, @deads2k)
- NullIssue
- kubectl scale implementation for core workload controllers (#49504)
- Update HPA tolerance to be a flag (#18155)
  - Control HPA tolerance through the `horizontal-pod-autoscaler-tolerance` flag. (#52275, @mattjmcnaughton)
- HPA scaling above spec.maxReplicas (#53670)
  - Address a bug which allowed the horizontal pod autoscaler to allocate `desiredReplicas` > `maxReplicas` in certain instances. (#53690, @mattjmcnaughton)
- Taint an AWS node if a volume is stuck in "attaching" state for too long (#55502)
- AWS makes high number of redundant AttachVolume and DeleteVolume calls (#55014)
- AWS error messages printed on 2 lines (#49813)
- Detach is broken from stopped nodes in AWS (#55892)
- NullIssue
  - Add support for resizing EBS disks (#56118, @gnufied)
  - It is now possible to override the healthcheck parameters for AWS ELBs via annotations on the corresponding service. The new annotations are `healthy-threshold`, `unhealthy-threshold`, `timeout`, `interval` (all prefixed with `service.beta.kubernetes.io/aws-load-balancer-healthcheck-`) (#56024, @dimpavloff)
  - Support AWS ECR credentials in China (#50108, @zzq889)
- Enable AWS Network Load Balancer for Services of type LoadBalancer (#52173)
  - Add Amazon NLB support (#53400, @micahhausler)
- Adding tag annotations on service manifest for ELB does not trigger update on AWS (#54642)
  - Ensure additional resource tags are set/updated on AWS load balancers (#55731, @georgebuckerfield)
- Azure data disk should provision storage account on demand (#50883)
  - fix azure disk storage account init issue (#55927, @andyzhangx)
- [Azure] Support setting the DNS name label for public IPs created by ingress controllers (#44775)
- there are lots of warning messages due to GetMountRefs func in windows (#54670)
  - fix warning messages due to GetMountRefs func not implemented in windows (#52401, @andyzhangx)
- Panic in azure_dd/azure_mounter.go when syncing pod (#54149)
  - fix azure pv crash due to volumeSource.ReadOnly value nil (#54607, @andyzhangx)
- azure_dd: managed disks don't pass "FormatAndMount" (#50150)
  - fix azure disk mount failure on coreos and some other distros (#54334, @andyzhangx)
- Azure disk: storage class should support the sku if the storage account supports it (#55774)
  - add GRS, RAGRS storage account type support for azure disk (#55931, @andyzhangx)
- wrong controller-master detection (#54570)
  - fix azure disk storage account init issue (#55927, @andyzhangx)
- Azure disk does not work as expected (#55776)
  - fix azure disk storage account init issue (#55927, @andyzhangx)
- NullIssue
  - Restrict Azure NSG rules to allow external access only to load balancer IP (#54177, @itowlson)
  - Upgraded Azure SDK to v11.1.1. (#54971, @itowlson)
  - allow windows mount path (#51240, @andyzhangx)
  - Azure cloudprovider: Fix controller manager crash issue on a manually created k8s cluster. (#53694, @andyzhangx)
- there is an azure file mount limit issue on windows due to using drive letters (#54668)
  - fix azure file mount limit issue on windows due to using drive letter (#53629, @andyzhangx)
- Azure loadbalancer should reconcile security groups properly (not just by name, but also by other properties) (#55733)
  - Kubernetes now updates Azure NSG rules based not just on a difference in Name, but also in Protocol, SourcePortRange, DestinationPortRange, SourceAddressPrefix, DestinationAddressPrefix, Access, and Direction. (#55752, @kevinkim9264)
- azure_file volumes should allow setting of dir_mode and file_mode (#37005)
  - support mount options in azure file (#54674, @andyzhangx)
- NullIssue
  - Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
- NullIssue
  - kubectl cp command supports copying a remote file into a local directory (#46762, @bruceauyeung)
- Kubectl: Replace usages of swagger with open API (#44589)
- Unable to use kubectl get with a fieldSelector (#14129)
- kubectl scale should use the scale subresource (#29698)
- NullIssue
  - Added --dry-run option to `kubectl drain` (#52440, @juanvallejo)
  - outputs `<none>` for columns specified by `-o custom-columns` but not found in object (#51750, @jianhuiz)
  - kubectl apply uses openapi to calculate the diff by default. It will fall back to using baked-in types when openapi is not available. (#51321, @mengqiy)
  - kubectl create pdb will no longer set the min-available field by default. (#53047, @yuexiao-wang)
  - DaemonSet, Deployment, ReplicaSet, and StatefulSet have been promoted to GA and are available in the apps/v1 group version. (#53679, @kow3ns)
  - `kubectl get` will by default fetch large lists of resources in chunks of up to 500 items rather than requesting all resources up front from the server. This reduces the perceived latency of managing large clusters since the server returns the first set of results to the client much more quickly. A new flag `--chunk-size=SIZE` may be used to alter the number of items or disable this feature when `0` is passed. This is a beta feature. (#53768, @smarterclayton)
  - add `--raw` to `kubectl create` to POST using the normal transport (#54245, @deads2k)
  - "kubectl cp" updated to honor destination names (#51215, @juanvallejo)
- Add create priorityclass sub command (#54857)
- kubectl scale implementation for core workload controllers (#49504)
- "kubectl explain" should be able to explain "apiservices" and "customresourcedefinition" (#49465)
- `kubectl set` commands on ReplicaSet and DaemonSet occasionally return version registration errors (#53040)
- top pod and top node output is unstable ordered (#53513)
- NullIssue
  - kube-apiserver: `--ssh-user` and `--ssh-keyfile` are now deprecated and will be removed in a future release. Users of SSH tunnel functionality used in Google Container Engine for the Master -> Cluster communication should plan to transition to alternate methods for bridging master and node networks. (#54433, @dims)
- NullIssue
  - hyperkube: add cloud-controller-manager (#54197, @colemickens)
- Expose concurrent-service-syncs flag on the CCM like it is for the KCM (#55560)
- cloud controller manager does not support configmap resource locks (#55124)
- Remove --cloud-provider=auto-detect (#50986)
- Update to etcd 3.1.X (#49386)
  - etcd: update version to 3.1.10 (#49393, @hongchaodeng)
- NullIssue
  - GCE nodes with NVIDIA GPUs attached now expose `nvidia.com/gpu` as a resource instead of `alpha.kubernetes.io/nvidia-gpu`. (#54826, @mindprince)
- Add kubeadm config for setting kube-proxy BindAddress (#50927)
- Use CNI v0.6.x in Kubernetes v1.9.0 (#49480)
- CertificateManager blocks kubelet start if auto-approval is not enabled (#53237)
- NullIssue
  - kubeadm health checks can also be skipped with `--ignore-checks-errors` (#56130, @anguslees)
  - Implement individual control for kubeadm preflight checks (#56072, @kad)
  - kubeadm now produces an error during preflight checks if swap is enabled. Users who can set up the kubelet to run in an unsupported environment with swap enabled will be able to skip that preflight check. (#55399, @kad)
- kubeadm 1.8.0 init fails with "/var/lib/kubelet is not empty" (#53356)
- TLS-bootstrapped kubelet loses client certs after reboot, node stays on NotReady status (#53288)
- Specifying feature gates as a string of key-value pairs in ComponentConfig structures is awkward (#53024)
- NullIssue
  - kubeadm: added `--print-join-command` flag for `kubeadm token create`. (#56185, @mattmoyer)
  - Adding etcd version display to kubeadm upgrade plan subcommand (#56156, @sbezverk)
  - Adds to kubeadm upgrade apply a new --etcd-upgrade keyword. When this keyword is specified, etcd's static pod gets upgraded to the etcd version officially recommended for a target kubernetes release. (#55010, @sbezverk)
  - Kubeadm now supports Kubelet Dynamic Configuration. (#55803, @xiangpengzhao)
  - Base images bumped to Debian Stretch (9) (#52744, @rphillips)
  - kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
  - kubeadm: Add CoreDNS support for kubeadm "upgrade" and "alpha phases addons". (#55952, @rajansandeep)
  - kubeadm init: fix a bug that prevented the --token-ttl flag and tokenTTL configuration value from working as expected for infinite (0) values. (#54640, @mattmoyer)
  - Feature gates now check minimum versions (#54539, @jamiehannaford)
  - Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
- RFE: Bootstrap Checkpointing - Modify manifest behavior slightly for self hosting. (#49236)
  - Initial basic bootstrap-checkpoint support (#50984, @timothysc)
- Refactor kube-scheduler configuration (#52428)
  - The kube-scheduler command now supports a `--config` flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
- Creation of gitRepo volume is broken in 1.8.0+ (#54129)
- Update to Go 1.9 (#49484)
- NullIssue
- Enable `kubefed init` support nodeSelector (#50716)
- NullIssue
  - kube-apiserver: `--ssh-user` and `--ssh-keyfile` are now deprecated and will be removed in a future release. Users of SSH tunnel functionality used in Google Container Engine for the Master -> Cluster communication should plan to transition to alternate methods for bridging master and node networks. (#54433, @dims)
- GCE should allow users to configure with what service account their nodes are created (#53603)
  - Allow GCE users to configure the service account made available on their nodes (#52868, @ihmccreery)
- NullIssue
  - Adjust batching audit webhook default parameters: increase queue size, batch size, and initial backoff. Add throttling to the batching audit webhook. Default rate limit is 10 QPS. (#53417, @crassirostris)
- [audit] Always retry sending to webhook (#52909)
  - Webhook always retries connection reset error. (#53947, @crassirostris)
- NullIssue
  - Kubelet now exposes metrics for NVIDIA GPUs attached to the containers. (#55188, @mindprince)
- NullIssue
  - [fluentd-gcp addon] Fixes fluentd deployment on GCP when custom resources are set. (#55950, @crassirostris)
  - [fluentd-gcp addon] Fluentd now runs in its own network, not in the host one. (#54395, @crassirostris)
- NullIssue
  - Fix a typo in prometheus-to-sd configuration that drops some stackdriver metrics. (#56473, @loburm)
  - [fluentd-elasticsearch addon] Elasticsearch and Kibana are updated to version 5.6.4 (#55400, @mrahbar)
  - A new field is added to CRI container log format to support splitting a long log line into multiple lines. (#55922, @Random-Liu)
  - fluentd now supports CRI log format. (#54777, @Random-Liu)
- Collect metrics on admission rejections (#55030)
- Bring all prom-to-sd containers to the same image version (#54583)
- NullIssue
  - Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
- Enable `kubefed init` support `ImagePullSecrets` and `imagePullPolicy` (#50718)
- Get clusters --show-labels does not work in a federation context (#53729)
- Pod in graceful termination should not be on the ready address list of related Endpoints objects (#54723)
- Need to install ipset in debian-iptables docker image (#56116)
  - install ipset in debian-iptables docker image (#56115, @m1093782566)
- IPVS kube-proxy will flush all existing ipvs rules in its startup (#55857)
  - Add cleanup-ipvs flag for kube-proxy (#56036, @m1093782566)
- Try ipset in kube-proxy (#54203)
  - Use ipset for SNAT and packet filtering in IPVS kube-proxy (#54219, @m1093782566)
- Failed to access NodePort if kube-proxy running in ipvs mode (#53393)
  - Use ipset for SNAT and packet filtering in IPVS kube-proxy (#54219, @m1093782566)
- Handle nodes with iptables FORWARD DROP better (#39823)
- Support annotations for AWS ELB Security Policies (#43744)
  - Added service annotation for AWS ELB SSL policy (#54507, @micahhausler)
- zero-value settings for kube-proxy being overwritten by default values (#50787)
- Calico add-on: calico/node pod can take a long time to be restarted (#55013)
- Add CoreDNS in kube-up (#56439)
  - Add CoreDNS as an optional addon in kube-up (#55728, @rajansandeep)
- NullIssue
  - Fixes bad conversion in host port chain name generating func which leads to some unreachable host ports. (#55153, @chenchun)
  - kubeadm: Add an experimental mode to deploy CoreDNS instead of KubeDNS (#52501, @rajansandeep)
  - Fix IPVS availability check (#51874, @vfreex)
  - Enhanced the network policy describer. (#46951, @aanm)
  - Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
  - Improve resilience by annotating kube-dns addon with podAntiAffinity to prefer scheduling on different nodes. (#52193, @StevenACoffman)
  - Add DNSConfig field to PodSpec and support "None" mode for DNSPolicy (Alpha). (#55848, @MrHohn)
- kube-proxy: session affinity stops working when ESIPP=Local (#55429)
- [kubelet] ignore keyword "options" defined in /etc/resolv.conf, only look for nameserver and search (#42542)
- Service controller retries on doNotRetry service update failure (#54183)
- apiserver proxy feature does not rewrite Location header on redirects (#51790)
- NullIssue
  - GCE: Bump GLBC version to 0.9.7. (#53625, @nikhiljindal)
- GCE: ILB sync fails for legacy networks and auto networks with unusual subnet names (#53409)
  - GCE: Fixes ILB sync on legacy networks and auto networks with unique subnet names (#53410, @nicksardo)
- GCE: Ignore resource not found errors when deleting LB resources (#53411)
  - GCE: Fix issue deleting internal load balancers when the firewall resource may not exist. (#53450, @nicksardo)
- Remove --cloud-provider=auto-detect (#50986)
- NullIssue
- CertificateManager blocks kubelet start if auto-approval is not enabled (#53237)
- NullIssue
  - The EvictionHard, EvictionSoft, EvictionSoftGracePeriod, EvictionMinimumReclaim, SystemReserved, and KubeReserved fields in the KubeletConfiguration object (kubeletconfig/v1alpha1) are now of type map[string]string, which facilitates writing JSON and YAML files. (#54823, @mtaufen)
  - Relative paths in the Kubelet's local config files (--init-config-dir) will be resolved relative to the location of the containing files. (#55648, @mtaufen)
  - It is now possible to set multiple manifest url headers via the Kubelet's --manifest-url-header flag. Multiple headers for the same key will be added in the order provided. The ManifestURLHeader field in KubeletConfiguration object (kubeletconfig/v1alpha1) is now a map[string][]string, which facilitates writing JSON and YAML files. (#54643, @mtaufen)
-
Dockershim doesn't consider seccomp profile root? (#55359)
-
NullIssue
-
Specifying feature gates as a string of key-value pairs in ComponentConfig structures is awkward (#53024)
-
Local pods stay around after node deletion (#48213)
-
Extra CRI call during processing cpu set (#53304)
-
Cut and vendor cAdvisor v0.28.1 for the 1.9 release. (#55628)
-
Better handling of device plugin resource deletion (#53395)
-
Pods moving from Succeeded to Pending (#54499)
-
Remove the backward compatibility code for kubelet 1.2 in NodeController. (#48995)
-
Deprecate --network-plugin-dir for kubelet (#46410)
- Remove the --network-plugin-dir flag. (#53564, @supereagle)
-
FailedSync event from kubelet provides no value (#53900)
- kubelet provides more specific events when unable to sync pod (#53857, @derekwaynecarr)
-
Should be able to specific
unconfined
AppArmor profile (#52370) -
Consume ImageFS stats from StatsProvider in ImageGCManager (#53083)
-
RFE: Bootstrap Checkpointing - Modify manifest behavior slightly for self hosting. (#49236)
- Initial basic bootstrap-checkpoint support (#50984, @timothysc)
-
Reduce cpumanager default logging verbosity (#54804)
-
Hyperkube doesn't support --experimental-dockershim for kubelet (#54424)
-
CRI: Debug API (#53757)
- Verbose option is added to each status function in CRI. Container runtime could return extra information in status response for debugging. (#53965, @Random-Liu)
-
Zone labels are removed every kubelet restart in 1.8 (#54070)
-
NullIssue
- Fix overlay2 container disk metrics for Docker and CRI-O (#54827, @dashpole)
- BugFix: Exited containers are not Garbage Collected by the kubelet while the pod is running (#53167, @dashpole)
- Add pod-level CPU and memory stats from pod cgroup information (#55969, @jingxu97)
- Add pod-level local ephemeral storage metric in Summary API. Pod-level ephemeral storage reports the total filesystem usage for the containers and emptyDir volumes in the measured Pod. (#55447, @jingxu97)
- Kubelet supports running mount utilities and final mount in a container instead running them on the host. (#53440, @jsafrane)
- Remove docker dependency during kubelet start up (#54405, @resouer)
- Add Windows support to the system verification check (#53730, @bsteciuk)
- Don't remove extended resource capacities that are not registered with kubelet from node status. (#53353, @jiayingz)
- RBAC: The default
admin
andedit
roles now include read/write permissions and theview
role includes read permissions onpoddisruptionbudget.policy
resources. (#52654, @liggitt) - Fix stats summary network value when multiple network interfaces are available. (#52144, @andyxning)
- A new field is added to CRI container log format to support splitting a long log line into multiple lines. (#55922, @Random-Liu)
- Kubelet can provide full summary api support except container log stats for CRI container runtime now. (#55810, @abhi)
- Base images bumped to Debian Stretch (9) (#52744, @rphillips)
- fluentd now supports CRI log format. (#54777, @Random-Liu)
- Load kernel modules automatically inside a kube-proxy pod (#52003, @vfreex)
- fix a bug where disk pressure could trigger prematurely when using overlay2 (#53684, @dashpole)
- Metrics were added to network plugin to report latency of CNI operations (#53446, @sjenning)
- Fix the bug that query Kubelet's stats summary with CRI stats enabled results in error. (#53107, @Random-Liu)
-
kubelet cannot show Docker-CE version correctly (#54039)
-
Large kubemark performance tests failing with timeout during ns deletion (#53327)
-
[Failing Test] [k8s.io] Summary API when querying /stats/summary should report resource usage through the stats api (#55909)
-
[feature] for GPU and hugepages, default must match defaultRequest in LimitRange if both are specified (#54917)
- validate if default and defaultRequest match when creating LimitRange for GPU and hugepages. (#54919, @tianshapjq)
-
Make CRI logs parsing to a library (#55136)
-
Creation of gitRepo volume is broken in 1.8.0+ (#54129)
-
Error when using journald log driver and FallbackToLogsOnError (#52502)
- Get fallback termination msg from docker when using journald log driver (#52503, @joelsmith)
- Remove compute-rw scope from GCE nodes (#8074)
  - gce: remove compute-rw, see what breaks (#53266, @mikedanese)
- [advanced audit]add a policy wide omitStage (#54634, @CaoShuFeng)
- The dynamic admission webhook now supports a URL in addition to a service reference, to accommodate out-of-cluster webhooks. (#54889, @lavalamp)
- Do not calculate a new priority when a user updates other parts of a pod's spec. (#55221, @CaoShuFeng)
- The minimum supported go version bumps to 1.9.1. (#55301, @xiangpengzhao)
- update podtolerations admission to mutate and validate separately (#55251, @deads2k)
- Removes Priority Admission Controller from kubeadm since it's alpha. (#55237, @andrewsykim)
- Add a new feature gate for enabling an alpha annotation which, if present, excludes the annotated node from being added to service load balancers. (#54644, @brendandburns)
- Add PodDisruptionBudget to scheduler cache. (#53914, @bsalamat)
- Bugfix: master startup script on GCP no longer fails randomly due to concurrent iptables invocations. (#55945, @x13n)
- Log when node is successfully initialized by Cloud Controller Manager (#53517, @andrewsykim)
- kubeadm: Add support for adding a Windows node (#53553, @bsteciuk)
- Added integration test for TaintNodeByCondition. (#53184, @k82cn)
- If a non-absolute mountPath is passed to the kubelet, prefix it with the appropriate root path. (#55665, @brendandburns)
- Added support for SAN entries in the master node certificate via juju kubernetes-master config. (#54234, @hyperbolic2346)
- Add --etcd-compaction-interval to apiserver for controlling request of compaction to etcd3 from apiserver. (#51765, @mitake)
- [cluster-monitoring addon] Update monitoring-influxdb-grafana to latest version (#53319, @kairen)
- Fix `kubeadm upgrade plan` for offline operation: ignore errors when trying to fetch latest versions from dl.k8s.io (#54016, @praseodym)
- Update AWS SDK to 1.12.7 (#53561, @justinsb)
- Avoid repeated registration of AlgorithmProvider in ApplyFeatureGates. (#54047, @kuramal)
- Remove LbaasV1 from the OpenStack cloud provider; only LbaasV2 is now supported. (#52717, @FengyunPan)
- Change `kubeadm create token` to default to the group that almost everyone will want to use. The group is system:bootstrappers:kubeadm:default-node-token and is the group that kubeadm sets up, via an RBAC binding, for auto-approval (system:certificates.k8s.io:certificatesigningrequests:nodeclient). (#53512, @jbeda)
- Fixes a performance issue (#51899) identified in large-scale clusters when deleting thousands of pods simultaneously across hundreds of nodes, by actively removing containers of deleted pods, rather than waiting for periodic garbage collection and batching resulting pod API deletion requests. (#53233, @dashpole)
- Avoid unnecessary spam in kube-controller-manager log if --cluster-cidr is not specified and --allocate-node-cidrs is false. (#54934, @akosiaris)
- kubeadm: use the CRI for preflights checks (#55055, @runcom)
- Fix clustered datastore name to be absolute. (#54438, @pshahzeb)
- Add --no-negcache flag to kube-dns to prevent caching of NXDOMAIN responses. (#53604, @cblecker)
- Kubelet evictions take pod priority into account (#53542, @dashpole)
- Improve explanation of ReplicaSet (#53403, @rcorre)
- default fail-swap-on to false for kubelet on kubernetes-worker charm (#53386, @wwwtyro)
- Fix kubeadm reset crictl command (#55717, @runcom)
- GCE: provide an option to disable docker's live-restore on COS/ubuntu (#55260, @yujuhong)
- Addon manager supports HA masters. (#55466, @x13n)
- Fix code-generators to produce correct code when GroupName, PackageName and/or GoName differ. (#55614, @sttts)
- Metadata concealment on GCE is now controlled by the `ENABLE_METADATA_CONCEALMENT` env var. See cluster/gce/config-default.sh for more info. (#54150, @ihmccreery)
- Update kube-dns 1.14.7 (#54443, @bowei)
- Deprecation: The flag `etcd-quorum-read` of kube-apiserver is deprecated and the ability to switch off quorum read will be removed in a future release. (#53795, @xiangpengzhao)
- Add extra-args configs for scheduler and controller-manager to kubernetes-master charm (#55185, @Cynerva)
- The output of kubectl config get-contexts is now sorted alphabetically by the context name. (#46946, @kellycampbell)
- Add extra-args configs to kubernetes-worker charm (#55334, @Cynerva)
- Add masquerading rules by default to GCE/GKE (#55178, @dnardo)
- Log error of failed healthz check (#53048, @mrIncompetent)
- Update fluentd-gcp DaemonSet (#54175, @tallclair)
- kubeadm: Strip bootstrap tokens from the `kubeadm-config` ConfigMap (#53559, @fabriziopandini)
- Horizontal pod autoscaler uses REST clients through the kube-aggregator instead of the legacy client through the API server proxy. (#53205, @kawych)
- Correct wording of kubeadm upgrade response for missing ConfigMap. (#53337, @jmhardison)
- Fix metrics API group name in audit configuration (#53493, @piosz)
- [fluentd-elasticsearch addon] Elasticsearch service name can be overridden via env variable ELASTICSEARCH_SERVICE_NAME (#54215, @mrahbar)
- Allow HPA to read custom metrics. (#54854, @kawych)
- In the PodTolerationRestriction admission plugin, if namespace level tolerations are empty, they now override cluster level tolerations. (#54812, @aveshagarwal)
- secret data containing Docker registry auth objects is now generated using the config.json format (#53916, @juanvallejo)
- Adding vishh as a reviewer/approver for the hack directory (#54007, @vishh)
- Use multi-arch busybox image for e2e (#54034, @dixudx)
- Addon manager supports HA masters. (#55782, @x13n)
- If you are using the cloud provider API to determine the external host address of the apiserver, set --external-hostname explicitly instead. The cloud provider detection has been deprecated and will be removed in the future (#54516, @dims)
- Increase waiting time (120s) for docker startup in health-monitor.sh (#54099, @dchen1107)
- kubeadm: Fix a bug on some OSes where the kubelet tried to mount a volume path that is non-existent and on a read-only filesystem (#55320, @andrewrynhard)
- GCI mounter is moved from the manifests tarball to the server tarball. (#47497, @mikedanese)
- kubeadm: reset: use crictl to reset containers (#54721, @runcom)
- `kubectl get` will now use OpenAPI schema extensions by default to select columns for custom types. (#53483, @apelisse)
- PodSecurityPolicies for addons (#55509, @tallclair)
- Support completion for kubectl config rename-context (#48340, @superbrothers)
- Add limitrange/resourcequota/downward_api e2e tests for local ephemeral storage (#52523, @NickrenREN)
- Fix iptables FORWARD policy for Docker 1.13 in kubernetes-worker charm (#54796, @Cynerva)
- Allow for configuring etcd hostname in the manifest (#54403, @wojtek-t)
- Enable Priority admission control in kubeadm. (#53175, @andrewsykim)
- Ignore extended resources that are not registered with kubelet during container resource allocation. (#53547, @jiayingz)
- Upgrading the kubernetes-master units now results in staged upgrades just like the kubernetes-worker nodes. Use the upgrade action in order to continue the upgrade process on each unit, such as `juju run-action kubernetes-master/0 upgrade` (#55990, @hyperbolic2346)
- Added extra_sans config option to kubeapi-load-balancer charm. This allows the user to specify extra SAN entries on the certificate generated for the load balancer. (#54947, @hyperbolic2346)
- Add RBAC support to Kubernetes via Juju (#53820, @ktsakalozos)
- Support completion for --clusterrole of kubectl create clusterrolebinding (#48267, @superbrothers)
- Fix permissions for Metrics Server. (#53330, @kawych)
- Upgrade fluentd-elasticsearch addon to Elasticsearch/Kibana 5.6.2 (#53307, @aknuds1)
- Added namespaceSelector to externalAdmissionWebhook configuration to allow applying webhooks only to objects in the namespaces that have matching labels. (#54727, @caesarxuchao)
- OpenStack Cinder version detection fails (and is incorrect) (#50461)
  - Using OpenStack service catalog to do version detection (#53115, @FengyunPan)
- Make OpenStack LBaaS v2 Provider configurable (#54176, @gonzolino)
- Support autoprobing `node-security-group` for the OpenStack cloud provider, and support multiple security groups for the cluster's nodes. (#50836, @FengyunPan)
- OpenStack cloud provider supports Cinder v3 API. (#52910, @FengyunPan)
- Octavia v2 now supported as a LB provider (#55393, @jamiehannaford)
- Update to Go 1.9 (#49484)
- Update to etcd 3.1.X (#49386)
  - etcd: update version to 3.1.10 (#49393, @hongchaodeng)
- [PodSecurityPolicy] Optimize getMatchingPolicies (#55521)
  - Improved PodSecurityPolicy admission latency, but validation errors are no longer limited to only errors from authorized policies. (#55643, @tallclair)
- ReplicationController now shares its underlying controller implementation with ReplicaSet to reduce the maintenance burden going forward. However, they are still separate resources and there should be no externally visible effects from this change. (#49429, @enisoc)
- apiserver: --etcd-quorum-read now defaults to true, to ensure correct operation with HA etcd clusters (#53717, @liggitt)
- API chunking via the `limit` and `continue` request parameters is promoted to beta in this release. Client libraries using the Informer or ListWatch types will automatically opt in to chunking. (#52949, @smarterclayton)
- Add ExtendedResourceToleration admission controller. This facilitates creation of dedicated nodes with extended resources. If operators want to create dedicated nodes with extended resources (like GPUs, FPGAs etc.), they are expected to taint the node with extended resource name as the key. This admission controller, if enabled, automatically adds tolerations for such taints to pods requesting extended resources, so users don't have to manually add these tolerations. (#55839, @mindprince)
- GCE nodes with NVIDIA GPUs attached now expose `nvidia.com/gpu` as a resource instead of `alpha.kubernetes.io/nvidia-gpu`. (#54826, @mindprince)
- Consider moving TaintNodeUnreachable out of alpha (#54198)
- Scheduler should handle pod updates during scheduling more gracefully (#52914)
- Support PodDisruptionBudget during preemption (#53913)
- Fix starvation problem in pod preemption (#54501)
- Scheduler dies with "Schedulercache is corrupted" (#50916)
- Refactor kube-scheduler configuration (#52428)
  - The kube-scheduler command now supports a `--config` flag which is the location of a file containing a serialized scheduler configuration. Most other kube-scheduler flags are now deprecated. (#52562, @ironcladlou)
- "notReady" toleration should be "not-ready" (#51246)
- Add a new scheduling queue that helps schedule the highest priority pending pod first. (#55109, @bsalamat)
- Add hostIP and protocol to the scheduler's original hostport predicate procedure. (#52421, @WIZARD-CXY)
- Object count quotas supported on all standard resources using `count/<resource>.<group>` syntax (#54320, @derekwaynecarr)
- Move getMaxVols function to predicates.go and add some NewVolumeCountPredicate funcs (#51783, @jiulongzaitian)
- Apply algorithm in scheduler by feature gates. (#52723, @k82cn)
- A new priority function `ResourceLimitsPriorityMap` (disabled by default, behind an alpha feature gate, and not part of the scheduler's default priority functions list) assigns the lowest possible score of 1 to a node that satisfies one or both of the input pod's CPU and memory limits, mainly to break ties between nodes with the same scores. (#55906, @aveshagarwal)
- Remove support for opaque integer resources (deprecated in v1.8) (#55102)
  - Remove opaque integer resources (OIR) support (deprecated in v1.8.) (#55103, @ConnorDoyle)
- PodPreset Feature Tests Consistently Causing ci-kubernetes-e2e-gci-gce-alpha-features to Fail (#53079)
  - Skip podpreset test if the alpha feature settings/v1alpha1 is disabled (#53080, @jennybuckley)
- Taint an AWS node if a volume is stuck in "attaching" state for too long (#55502)
- Remove ScaleIO dependency on drv_cfg binary for containerization (#54954)
  - ScaleIO driver completely removes dependency on drv_cfg binary so a Kubernetes cluster can easily run a containerized kubelet. (#54956, @vladimirvivien)
- Detach is broken from stopped nodes in AWS (#55892)
- should prevent the deletion of a PVC that is referenced by an active pod (#45143)
- wrong controller-master detection (#54570)
  - fix azure disk storage account init issue (#55927, @andyzhangx)
- Add support for verifying attached but desired to be detached PVCs (#52573)
- Zero capacity PVs cause pods to fail and zero capacity PVCs create zero capacity PVs (#55553)
  - Validate positive capacity for PVs and PVCs. (#55532, @ianchakeres)
- PersistentVolumeSource should be read-only (#54562)
  - Validate that PersistentVolumeSource is not changed during PV Update (#54761, @ianchakeres)
- ScaleIO - credentials could be accessed by non-admin users (#53619)
  - ScaleIO persistent volumes now support referencing a secret in a namespace other than the bound persistent volume claim's namespace; this is controlled during provisioning with the `secretNamespace` storage class parameter; the StoragePool and ProtectionDomain attributes no longer default to the value `default` (#54013, @vladimirvivien)
- Recycle always failed on non x86 platform (#53942)
- Pod Security Policy can now manage access to specific FlexVolume drivers (#53179, @wanghaoran1988)
- Add resize support for ceph RBD (#52767, @NickrenREN)
- Implement kubelet side file system resizing. Also implement GCE PD resizing (#55815, @gnufied)
- Block volumes Support: CRI, volumemanager and operationexecutor changes (#51494, @mtanino)
- RBD Persistent Volume Sources can now reference User's Secret in namespaces other than the namespace of the bound Persistent Volume Claim (#54302, @sbezverk)
- Add support for resizing EBS disks (#56118, @gnufied)
- Implement volume resize for cinder (#51498, @NickrenREN)
- Block volumes Support: FC plugin update (#51493, @mtanino)
- Updating vsphere cloud provider to support k8s cluster spread across multiple vCenters (#55845, @rohitjogvmw)
- iSCSI Persistent Volume Sources can now reference CHAP Secrets in namespaces other than the namespace of the bound Persistent Volume Claim (#51530, @rootfs)
- Kubelet supports running mount utilities and the final mount in a container instead of running them on the host. (#53440, @jsafrane)
- allow windows mount path (#51240, @andyzhangx)
- PVCs using `standard` StorageClass create PDs in disks in wrong zone in multi-zone GKE clusters (#50115)
  - Fix a bug in GCE multizonal clusters where PersistentVolumes were sometimes created in zones without nodes. (#52322, @davidz627)
- Multi Attach PVC errors and events are too noisy (#53214)
- Development of Kubernetes Federation has moved to github.com/kubernetes/federation. This move out of tree also means that Federation will begin releasing separately from Kubernetes. The impact of this is Federation-specific behavior will no longer be included in kubectl, kubefed will no longer be released as part of Kubernetes, and the Federation servers will no longer be included in the hyperkube binary and image. (#53816, @marun)
- Kubelet now exposes metrics for NVIDIA GPUs attached to the containers. (#55188, @mindprince)
- Fix to prevent downward api change break on older versions (#53673, @timothysc)
- there is azure file mount limit issue on windows due to using drive letter (#54668)
  - fix azure file mount limit issue on windows due to using drive letter (#53629, @andyzhangx)
- there are lots of warning message due to GetMountRefs func in windows (#54670)
  - fix warning messages due to GetMountRefs func not implemented in windows (#52401, @andyzhangx)