Kubernetes v1.5.0 release

Update on 2016.12.14:

Due to a serious security problem, Kubernetes v1.5.0 is not recommended. Kubernetes v1.5.1 has just been released, so we should upgrade to v1.5.1 directly.

The --anonymous-auth flag in v1.5.0 is true by default (which may result in any user being able to access the Kubernetes API), but v1.5.1 turns it to false.

Kubernetes v1.5.0

  • StatefulSets (ex-PetSets)
    • StatefulSets are beta now (fixes and stabilization)
  • Improved Federation Support
    • New command: kubefed
    • DaemonSets
    • Deployments
    • ConfigMaps
  • Simplified Cluster Deployment
    • Improvements to kubeadm
    • HA Setup for Master
  • Node Robustness and Extensibility
    • Windows Server Container support
    • CRI for pluggable container runtimes
    • kubelet API supports authentication and authorization

Features

Features for this release were tracked via the kubernetes/features issues repo. Each Feature issue is owned by a Special Interest Group from kubernetes/community.

  • API Machinery
  • Apps
    • [stable] When replica sets cannot create pods, they will now report detail via the API about the underlying reason (kubernetes/features#120)
    • [stable] kubectl apply is now able to delete resources you no longer need with --prune (kubernetes/features#128)
    • [beta] Deployments that cannot make progress in rolling out the newest version will now indicate via the API they are blocked (docs) (kubernetes/features#122)
    • [beta] StatefulSets allow workloads that require persistent identity or per-instance storage to be created and managed on Kubernetes. (docs) (kubernetes/features#137)
    • [beta] In order to preserve safety guarantees the cluster no longer force deletes pods on un-responsive nodes and users are now warned if they try to force delete pods via the CLI. (docs) (kubernetes/features#119)
  • Auth
  • AWS
  • Cluster Lifecycle
    • [alpha] Improved UX and usability for the kubeadm binary that makes it easy to get a new cluster running. (docs) (kubernetes/features#11)
  • Cluster Ops
    • [alpha] Added ability to create/remove clusters w/highly available (replicated) masters on GCE using kube-up/kube-down scripts. (docs) (kubernetes/features#48)
  • Federation
  • Network
    • [stable] Services can reference another service by DNS name, rather than being hosted in pods (kubernetes/features#33)
    • [beta] Opt in source ip preservation for Services with Type NodePort or LoadBalancer (docs) (kubernetes/features#27)
    • [stable] Enable DNS Horizontal Autoscaling with beta ConfigMap parameters support (docs)
  • Node
    • [alpha] Added ability to preserve access to host userns when userns remapping is enabled in container runtime (kubernetes/features#127)
    • [alpha] Introducing the v1alpha1 CRI API to allow pluggable container runtimes; an experimental docker-CRI integration is ready for testing and feedback. (docs) (kubernetes/features#54)
    • [alpha] Kubelet launches container in a per pod cgroup hierarchy based on quality of service tier (kubernetes/features#126)
    • [beta] Kubelet integrates with memcg notification API to detect when a hard eviction threshold is crossed (kubernetes/features#125)
    • [beta] Introducing the beta version containerized node conformance test gcr.io/google_containers/node-test:0.2 for users to verify node setup. (docs) (kubernetes/features#84)
  • Scheduling
  • UI
  • Windows

Known Issues

Populated via v1.5.0 known issues / FAQ accumulator

  • CRI known issues and limitations
  • getDeviceNameFromMount() function doesn’t return the volume path correctly when the volume path contains spaces #37712
  • Federation alpha features do not have feature gates defined and are hence enabled by default. This will be fixed in a future release. #38593
  • Federation control plane can be upgraded by updating the image fields in the Deployment specs of the control plane components. However, federation control plane upgrades were not tested in this release #38537

Notable Changes to Existing Behavior

  • Node controller no longer force-deletes pods from the api-server. (#35235, @foxish)
    • For StatefulSet (previously PetSet), this change means creation of
      replacement pods is blocked until old pods are definitely not running
      (indicated either by the kubelet returning from partitioned state,
      deletion of the Node object, deletion of the instance in the cloud provider,
      or force deletion of the pod from the api-server).
      This helps prevent “split brain” scenarios in clustered applications by
      ensuring that unreachable pods will not be presumed dead unless some
      “fencing” operation has provided one of the above indications.
    • For all other existing controllers except StatefulSet, this has no effect on
      the ability of the controller to replace pods because the controllers do not
      reuse pod names (they use generate-name).
    • User-written controllers that reuse names of pod objects should evaluate this change.
    • When deleting an object with kubectl delete ... --grace-period=0, the client will
      begin a graceful deletion and wait until the resource is fully deleted. To force
      deletion immediately, use the --force flag. This prevents users from accidentally
      allowing two Stateful Set pods to share the same persistent volume which could lead to data
      corruption #37263
  • Allow anonymous API server access, decorate authenticated users with system:authenticated group (#32386, @liggitt)
    • kube-apiserver learned the --anonymous-auth flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.
    • Authenticated users are decorated with a system:authenticated group.
    • NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to use an authorization mode other than AlwaysAllow, or set --anonymous-auth=false.
  • kubectl get -o jsonpath=… will now throw an error if the path is to a field not present in the json, even if the path is for a field valid for the type. This is a change from the pre-1.5 behavior, which would return the default value for some fields even if they were not present in the json. (#37991, @pwittrock)

  • The strategicmerge patchMergeKey for VolumeMounts was changed from “name” to “mountPath”. This was necessary because the name field refers to the name of the Volume, and is not a unique key for the VolumeMount. Multiple VolumeMounts will have the same Volume name if mounting the same volume more than once. The “mountPath” is verified to be unique and can act as the mergekey. (#35071, @pwittrock)
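The anonymous-access note above (and the v1.5.1 update at the top of this post) describes a combination of kube-apiserver defaults that is worth auditing on any existing 1.5.0 control plane. The following is an added example, not code from the Kubernetes project: it parses a kube-apiserver command line (as found in a static pod manifest or process listing) and reports when anonymous authentication is effectively on while the authorizer is AlwaysAllow. The default values it assumes are the v1.5.0 ones stated in the release notes.

```python
# Added example: audit a kube-apiserver command line for the v1.5.0 default
# combination of --anonymous-auth=true and --authorization-mode=AlwaysAllow,
# under which an unauthenticated request is admitted as system:anonymous
# (group system:unauthenticated) and then authorized for everything.
import shlex

# Defaults as documented for kube-apiserver v1.5.0 (assumption for this audit).
DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow"}
BOOL_FLAGS = {"anonymous-auth"}  # bare "--anonymous-auth" means true (Go flag style)


def parse_flags(cmdline):
    """Return {flag: value} handling --flag=value, --flag value and bare boolean --flag."""
    tokens = shlex.split(cmdline)
    flags = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, eq, value = tok[2:].partition("=")
            if not eq:
                if name in BOOL_FLAGS:
                    value = "true"
                elif i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                    i += 1
                    value = tokens[i]
            flags[name] = value
        i += 1
    return flags


def audit_anonymous_access(cmdline):
    """Return a list of findings; an empty list means the flags are safe together."""
    flags = parse_flags(cmdline)
    anon = flags.get("anonymous-auth", DEFAULTS["anonymous-auth"]).lower() == "true"
    # --authorization-mode may be a comma-separated list; AlwaysAllow anywhere wins.
    modes = flags.get("authorization-mode", DEFAULTS["authorization-mode"]).split(",")
    findings = []
    if anon and "AlwaysAllow" in modes:
        findings.append("anonymous requests are authorized for everything: set "
                        "--anonymous-auth=false or use an authorization mode other than AlwaysAllow")
    elif anon:
        findings.append("anonymous auth is enabled: confirm that policy for "
                        "system:anonymous / system:unauthenticated grants only what is intended")
    return findings


if __name__ == "__main__":
    # Constructed sample: a 1.5.0 apiserver started with only the etcd flag set.
    print(audit_anonymous_access("kube-apiserver --etcd-servers=http://127.0.0.1:2379"))
```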

Deprecations

  • extensions/v1beta1.Jobs is deprecated, use batch/v1.Job instead (#36355, @soltysh)
  • The kubelet --reconcile-cdir flag is deprecated because it has no function anymore. (#35523, @luxas)
  • Notice of deprecation for recycler #36760

Action Required Before Upgrading

  • batch/v2alpha1.ScheduledJob has been renamed, use batch/v2alpha1.CronJob instead (#36021, @soltysh)
  • PetSet has been renamed to StatefulSet.
    If you have existing PetSets, you must perform extra migration steps both
    before and after upgrading to convert them to StatefulSets. (docs) (#35663, @janetkuo)
  • If you are upgrading your Cluster Federation components from v1.4.x, please update your federation-apiserver and federation-controller-manager manifests to the new version (#30601, @madhusudancs)
  • The deprecated kubelet --configure-cbr0 flag has been removed, and with that the “classic” networking mode as well. If you depend on this mode, please investigate whether the other network plugins kubenet or cni meet your needs. (#34906, @luxas)
  • New client-go structure, refer to kubernetes/client-go for versioning policy (#34989, @caesarxuchao)
  • The deprecated kube-scheduler --bind-pods-qps and --bind-pods-burst flags have been removed, use --kube-api-qps and --kube-api-burst instead (#34471, @timothysc)
  • If you used the PodDisruptionBudget feature in 1.4 (i.e. created PodDisruptionBudget objects), then BEFORE upgrading from 1.4 to 1.5, you must delete all PodDisruptionBudget objects (policy/v1alpha1/PodDisruptionBudget) that you have created. It is not possible to delete these objects after you upgrade, and their presence will prevent you from using the beta PodDisruptionBudget feature in 1.5 (which uses policy/v1beta1/PodDisruptionBudget). If you have already upgraded, you will need to downgrade the master to 1.4 to delete the policy/v1alpha1/PodDisruptionBudget objects.

External Dependency Version Information

Continuous integration builds have used the following versions of external dependencies, however, this is not a strong recommendation and users should consult an appropriate installation or upgrade guide before deciding what versions of etcd, docker or rkt to use.
