Kubernetes v1.5.0 release

Update on 2016.12.14:

Due to a serious security problem, Kubernetes v1.5.0 is not recommended. Kubernetes v1.5.1 has just been released, so we should upgrade to v1.5.1 directly.

The --anonymous-auth flag in v1.5.0 defaults to true (which may result in any user being able to access the Kubernetes API), but v1.5.1 turns it to false.

Kubernetes v1.5.0

  • StatefulSets (ex-PetSets)
    • StatefulSets are beta now (fixes and stabilization)
  • Improved Federation Support
    • New command: kubefed
    • DaemonSets
    • Deployments
    • ConfigMaps
  • Simplified Cluster Deployment
    • Improvements to kubeadm
    • HA Setup for Master
  • Node Robustness and Extensibility
    • Windows Server Container support
    • CRI for pluggable container runtimes
    • kubelet API supports authentication and authorization

Features

Features for this release were tracked via the kubernetes/features issues repo. Each Feature issue is owned by a Special Interest Group from kubernetes/community.

  • API Machinery
  • Apps
    • [stable] When replica sets cannot create pods, they will now report detail via the API about the underlying reason (kubernetes/features#120)
    • [stable] kubectl apply is now able to delete resources you no longer need with --prune (kubernetes/features#128)
    • [beta] Deployments that cannot make progress in rolling out the newest version will now indicate via the API they are blocked (docs) (kubernetes/features#122)
    • [beta] StatefulSets allow workloads that require persistent identity or per-instance storage to be created and managed on Kubernetes. (docs) (kubernetes/features#137)
    • [beta] In order to preserve safety guarantees, the cluster no longer force-deletes pods on unresponsive nodes, and users are now warned if they try to force-delete pods via the CLI. (docs) (kubernetes/features#119)
  • Auth
  • AWS
  • Cluster Lifecycle
    • [alpha] Improved UX and usability for the kubeadm binary that makes it easy to get a new cluster running. (docs) (kubernetes/features#11)
  • Cluster Ops
    • [alpha] Added ability to create/remove clusters with highly available (replicated) masters on GCE using kube-up/kube-down scripts. (docs) (kubernetes/features#48)
  • Federation
  • Network
    • [stable] Services can reference another service by DNS name, rather than being hosted in pods (kubernetes/features#33)
    • [beta] Opt-in source IP preservation for Services with Type NodePort or LoadBalancer (docs) (kubernetes/features#27)
    • [stable] Enable DNS Horizontal Autoscaling with beta ConfigMap parameters support (docs)
  • Node
    • [alpha] Added ability to preserve access to host userns when userns remapping is enabled in container runtime (kubernetes/features#127)
    • [alpha] Introducing the v1alpha1 CRI API to allow pluggable container runtimes; an experimental docker-CRI integration is ready for testing and feedback. (docs) (kubernetes/features#54)
    • [alpha] Kubelet launches containers in a per-pod cgroup hierarchy based on quality-of-service tier (kubernetes/features#126)
    • [beta] Kubelet integrates with memcg notification API to detect when a hard eviction threshold is crossed (kubernetes/features#125)
    • [beta] Introducing the beta version of the containerized node conformance test gcr.io/google_containers/node-test:0.2 for users to verify node setup. (docs) (kubernetes/features#84)
  • Scheduling
  • UI
  • Windows

Known Issues

Populated via v1.5.0 known issues / FAQ accumulator

Notable Changes to Existing Behavior

  • Node controller no longer force-deletes pods from the api-server. ([#35235](https://github.com/kubernetes/kubernetes/pull/35235), [@foxish](https://github.com/foxish))

    • For StatefulSet (previously PetSet), this change means creation of replacement pods is blocked until old pods are definitely not running (indicated either by the kubelet returning from partitioned state, deletion of the Node object, deletion of the instance in the cloud provider, or force deletion of the pod from the api-server). This helps prevent “split brain” scenarios in clustered applications by ensuring that unreachable pods will not be presumed dead unless some “fencing” operation has provided one of the above indications.
    • For all other existing controllers except StatefulSet, this has no effect on the ability of the controller to replace pods because the controllers do not reuse pod names (they use generate-name).
    • User-written controllers that reuse names of pod objects should evaluate this change.
    • When deleting an object with kubectl delete ... --grace-period=0, the client will begin a graceful deletion and wait until the resource is fully deleted. To force deletion immediately, use the --force flag. This prevents users from accidentally allowing two StatefulSet pods to share the same persistent volume, which could lead to data corruption. ([#37263](https://github.com/kubernetes/kubernetes/pull/37263))
  • Allow anonymous API server access, decorate authenticated users with system:authenticated group ([#32386](https://github.com/kubernetes/kubernetes/pull/32386), [@liggitt](https://github.com/liggitt))

    • kube-apiserver learned the --anonymous-auth flag, which defaults to true. When enabled, requests to the secure port that are not rejected by other configured authentication methods are treated as anonymous requests, and given a username of system:anonymous and a group of system:unauthenticated.
    • Authenticated users are decorated with a system:authenticated group.
    • NOTE: anonymous access is enabled by default. If you rely on authentication alone to authorize access, change to an authorization mode other than AlwaysAllow, or set --anonymous-auth=false.
  • kubectl get -o jsonpath=… will now throw an error if the path is to a field not present in the json, even if the path is for a field valid for the type. This is a change from the pre-1.5 behavior, which would return the default value for some fields even if they were not present in the json. ([#37991](https://github.com/kubernetes/kubernetes/issues/37991), [@pwittrock](http://github.com/pwittrock))

  • The strategicmerge patchMergeKey for VolumeMounts was changed from “name” to “mountPath”. This was necessary because the name field refers to the name of the Volume, and is not a unique key for the VolumeMount. Multiple VolumeMounts will have the same Volume name if mounting the same volume more than once. The “mountPath” is verified to be unique and can act as the mergekey. ([#35071](https://github.com/kubernetes/kubernetes/pull/35071), [@pwittrock](http://github.com/pwittrock))
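The anonymous-access note above (and the update at the top of this post) boils down to one rule: a v1.5.0 kube-apiserver is exposed when --anonymous-auth is not false and --authorization-mode still contains AlwaysAllow. The following audit helper is an added example, not part of the Kubernetes release notes or code; it assumes flags are written as --flag=value or as a bare boolean --flag, the form used in static pod manifests, and that the real parser's last-occurrence-wins semantics apply.

```shell
#!/bin/sh
# Added audit helper (not from the Kubernetes project): inspects a kube-apiserver
# command line for the v1.5.0 anonymous-access exposure. Assumes flags are
# written as --flag=value or as a bare boolean --flag (static-pod manifest
# style); the command line may span several lines, e.g. a pasted command: list.

# Print the value of --$2 found in command line $1. The last occurrence wins,
# as in the real flag parser; a bare boolean flag yields "true", an absent flag "".
flag_value() {
  printf '%s\n' "$1" | awk -v f="--$2" '
    { for (i = 1; i <= NF; i++) {
        if (index($i, f "=") == 1) v = substr($i, length(f) + 2)
        else if ($i == f) v = "true"
      } }
    END { print v }'
}

# Return 0 when anonymous requests cannot obtain access, 1 when they can.
# v1.5.0 defaults: --anonymous-auth=true and --authorization-mode=AlwaysAllow,
# so an apiserver that sets neither flag admits unauthenticated callers.
audit_anonymous_access() {
  anon=$(flag_value "$1" anonymous-auth)
  authz=$(flag_value "$1" authorization-mode)
  [ -n "$anon" ] || anon=true
  [ -n "$authz" ] || authz=AlwaysAllow
  if [ "$anon" = "false" ]; then
    echo "OK: --anonymous-auth=false, unauthenticated requests are rejected"
    return 0
  fi
  # --authorization-mode may be a comma-separated list; the authorizers are
  # unioned, so AlwaysAllow anywhere in the list permits every request.
  case ",$authz," in
    *,AlwaysAllow,*)
      echo "RISK: --anonymous-auth=$anon with --authorization-mode=$authz lets system:anonymous do anything"
      return 1 ;;
    *)
      echo "OK: anonymous requests become system:anonymous but are gated by --authorization-mode=$authz"
      return 0 ;;
  esac
}

# Constructed command lines; on a real node pass "$(ps -o args= -C kube-apiserver)".
audit_anonymous_access "kube-apiserver --etcd-servers=http://127.0.0.1:2379 --secure-port=6443" || true
audit_anonymous_access "kube-apiserver --anonymous-auth=false --authorization-mode=RBAC,ABAC" || true
```

The first constructed line reproduces an unmodified v1.5.0 configuration and is reported as RISK; the second is reported as OK.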

Deprecations

Action Required Before Upgrading

External Dependency Version Information

Continuous integration builds have used the following versions of external dependencies, however, this is not a strong recommendation and users should consult an appropriate installation or upgrade guide before deciding what versions of etcd, docker or rkt to use.
