v1.12.3

• Kubernetes v1.12.3
• Add enable_reporting variable (default "false") to provide upstreams with usage data (#345)
• Change kube-apiserver --kubelet-preferred-address-types to InternalIP,ExternalIP,Hostname
• Update Calico from v3.3.0 to v3.3.1
  • Disable Felix usage reporting by default (#345)
• Improve flannel manifests
  • Rename kube-flannel DaemonSet to flannel and kube-flannel-cfg ConfigMap to flannel-config
  • Drop unused mounts and add a CPU resource request
• Update CoreDNS from v1.2.4 to v1.2.6
  • Enable CoreDNS loop and loadbalance plugins (#340)
• Fix pod-checkpointer log noise and checkpointable pods detection (#346)
• Use kubernetes-incubator/bootkube v0.14.0
• Recommend switching from ~/.terraformrc to the Terraform third-party plugins directory ~/.terraform.d/plugins/.
  • Allows pinning terraform-provider-ct and terraform-provider-matchbox versions
  • Improves safety of later plugin version migrations

Azure

• Use eviction policy Delete for Low priority virtual machine scale set workers (#343)
  • Fix issue where Azure defaults to Deallocate eviction policy, which required manually restarting deallocated instances. Delete policy aligns Azure with AWS and GCP behavior.
  • Require terraform-provider-azurerm v1.19+ (action required)

Bare-Metal

• Add Kubelet /etc/iscsi and iscsadm mounts on bare-metal for iSCSI (#103)

Addons

• Update nginx-ingress from v0.20.0 to v0.21.0
• Update Prometheus from v2.4.3 to v2.5.0
• Update Grafana from v5.3.2 to v5.3.4

v1.12.2

v1.12.2

• Kubernetes v1.12.2
• Update CoreDNS from 1.2.2 to 1.2.4
• Update Calico from v3.2.3 to v3.3.0
• Disable Kubelet read-only port (#324)
• Fix CoreDNS AntiAffinity spec to prefer spreading replicas
• Ignore controller node user-data changes (#335)
  • Once all managed clusters use v1.12.2, it is possible to update terraform-provider-ct

AWS

• Add disk_iops variable for EBS volume IOPS (#314)

Azure

• Use new azurerm_network_interface_backend_address_pool_association (#332)
  • Require terraform-provider-azurerm v1.17+ (action required)
• Add primary field to ip_configuration needed by v1.17+ (#331)

DigitalOcean

• Add AAAA DNS records resolving to worker nodes (#333)
  • Hosting IPv6 apps requires editing nginx-ingress with hostNetwork: true

Google Cloud

• Add an IPv6 address and IPv6 forwarding rules for load balancing IPv6 Ingress (#334)
  • Add ingress_static_ipv6 output variable for use in AAAA DNS records
  • Allow serving IPv6 applications via Kubernetes Ingress

Addons

• Configure Heapster to scrape Kubelets with bearer token auth (#323)
• Update Grafana from v5.3.1 to v5.3.2

v1.12.1

• Kubernetes v1.12.1
• Update etcd from v3.3.9 to v3.3.10
• Update CoreDNS from 1.1.3 to 1.2.2
• Update Calico from v3.2.1 to v3.2.3
• Raise scheduler and controller-manager replicas to the larger of 2 or number of controller nodes (#312)
  • Single-controller clusters continue to run 2 replicas as before
• Raise default CoreDNS replicas to the larger of 2 or the number of controller nodes (#313)
  • Add AntiAffinity preferred rule to favor spreading CoreDNS pods
• Annotate control plane and addon containers to use the Docker runtime seccomp profile (#319)
  • Override Kubernetes default behavior that starts containers with seccomp=unconfined

Azure

• Remove admin_password field (disabled) since it is now optional
  • Require terraform-provider-azurerm v1.16+ (action required)

Bare-Metal

• Add support for cached_install mode with Flatcar Linux (#315)

DigitalOcean

• Require terraform-provider-digitalocean v1.0+ (action required)

Addons

• Update nginx-ingress from v0.19.0 to v0.20.0
• Update Prometheus from v2.3.2 to v2.4.3
• Update Grafana from v5.2.4 to v5.3.1

v1.11.3

• Kubernetes v1.11.3
• Introduce Typhoon for Azure as alpha (#288)
  • Special thanks @justaugustus for an earlier variant
• Update Calico from v3.1.3 to v3.2.1 (#278)

AWS

• Remove firewall rule allowing ICMP packets to nodes (#285)

Bare-Metal

• Remove controller_networkds and worker_networkds variables. Use Container Linux Config snippets #277

Google Cloud

• Fix firewall to allow etcd client port 2379 traffic between controller nodes (#287)
  • kube-apiservers were only able to connect to their node's local etcd peer. While master node outages were tolerated, reaching a healthy peer took longer than necessary in some cases
  • Reduce time needed to bootstrap the cluster
• Remove firewall rule allowing workers to access Nginx Ingress health check (#284)
  • Nginx Ingress addon no longer uses hostNetwork, Prometheus scrapes via CNI network

Addons

• Update nginx-ingress from 0.17.1 to 0.19.0
• Update kube-state-metrics from v1.3.1 to v1.4.0
• Update Grafana from 5.2.2 to 5.2.4

v1.11.2

• Kubernetes v1.11.2
• Update etcd from v3.3.8 to v3.3.9
• Use kubernetes-incubator/bootkube v0.13.0
• Fix Fedora Atomic modules' Kubelet version (#270)

Bare-Metal

• Introduce Container Linux Config snippets on bare-metal
  • Validate and additively merge custom Container Linux Configs during terraform plan
  • Define files, systemd units, dropins, networkd configs, mounts, users, and more
  • Require terraform-provider-ct plugin v0.2.1 (action required!)

Addons

• Update nginx-ingress from 0.16.2 to 0.17.1
• Add nginx-ingress manifests for bare-metal
• Update Grafana from 5.2.1 to 5.2.2
• Update heapster from v1.5.3 to v1.5.4

v1.11.1

• Kubernetes v1.11.1
  • Defaults now enable the pod Priority admission controller

Addons

• Update Prometheus from v2.3.1 to v2.3.2

Errata

• Fedora Atomic modules shipped with Kubelet v1.11.0, instead of v1.11.1. Fixed in #270.

v1.11.0

• Kubernetes v1.11.0
• Force apiserver to stop listening on 127.0.0.1:8080
• Replace kube-dns with CoreDNS (#261)
  • Edit the coredns ConfigMap to customize
  • CoreDNS doesn't use a resizer. For large clusters, scaling may be required.

AWS

• Update from Fedora Atomic 27 to 28 (#258)

Bare-Metal

• Update from Fedora Atomic 27 to 28 (#263)

Google

• Promote Google Cloud to stable
• Update from Fedora Atomic 27 to 28 (#259)
• Remove ingress_static_ip module output. Use ingress_static_ipv4.
• Remove controllers_ipv4_public module output.

Addons

• Update nginx-ingress from 0.15.0 to 0.16.2
• Update Grafana from 5.1.4 to 5.2.1
• Update heapster from v1.5.2 to v1.5.3

v1.10.5

• Kubernetes v1.10.5
• Update etcd from v3.3.6 to v3.3.8 (#243, #247)

AWS

• Switch kube-apiserver port from 443 to 6443 (#248)
• Combine apiserver and ingress NLBs (#249)
  • Reduce cost by ~$18/month per cluster. Typhoon AWS clusters now use one network load balancer.
  • Ingress addon users may keep using CNAME records to the ingress_dns_name module output (few million RPS)
  • Ingress users with heavy traffic (many million RPS) should create a separate NLB(s)
• Worker pools no longer include an extraneous load balancer. Remove worker module's ingress_dns_name output
• Disable detailed (paid) monitoring on worker nodes (#251)
  • Favor Prometheus for cloud-agnostic metrics, aggregation, and alerting
• Add worker_target_group_http and worker_target_group_https module outputs to allow custom load balancing
• Add target_group_http and target_group_https worker module outputs to allow custom load balancing

Bare-Metal

• Switch kube-apiserver port from 443 to 6443 (#248)
  • Users who exposed kube-apiserver on a WAN via their router/load-balancer will need to adjust its configuration (e.g. DNAT 6443). Most apiservers are on a LAN (internal, VPN-only, etc) so if you didn't specially configure network gear for 443, no change is needed. (possible action required)
• Fix possible deadlock when provisioning clusters larger than 10 nodes (#244)

DigitalOcean

• Switch kube-apiserver port from 443 to 6443 (#248)
  • Update firewall rules and generated kubeconfig's

Google Cloud

• Use global HTTP and TCP proxy load balancing for Kubernetes Ingress (#252)
  • Switch Ingress from regional network load balancers to global HTTP/TCP Proxy load balancing
  • Reduce cost by ~$19/month per cluster. Google bills the first 5 global and regional forwarding rules separately. Typhoon clusters now use 3 global and 0 regional forwarding rules.
• Worker pools no longer include an extraneous load balancer. Remove worker module's ingress_static_ip output
• Allow using nginx-ingress addon on Fedora Atomic clusters (#200)
• Add worker_instance_group module output to allow custom global load balancing
• Add instance_group worker module output to allow custom global load balancing
• Deprecate ingress_static_ip module output. Add ingress_static_ipv4 module output instead.
• Deprecate controllers_ipv4_public module output

Addons

• Update CLUO from v0.6.0 to v0.7.0 (#242)
• Update Prometheus from v2.3.0 to v2.3.1
• Update Grafana from 5.1.3 to 5.1.4
• Drop hostNetwork from nginx-ingress addon
  • Both flannel and Calico support host port via portmap
  • Allows writing NetworkPolicies that reference ingress pods in from or to. HostNetwork pods were difficult to write network policy for since they could circumvent the CNI network to communicate with pods on the same node.

v1.10.4

• Kubernetes v1.10.4
• Update etcd from v3.3.5 to v3.3.6
• Update Calico from v3.1.2 to v3.1.3

Addons

• Update Prometheus from v2.2.1 to v2.3.0
• Add Prometheus liveness and readiness probes
• Annotate Grafana service so Prometheus scrapes metrics
• Label namespaces to ease writing Network Policies

v1.10.3

• Kubernetes v1.10.3
• Add Flatcar Linux (Container Linux derivative) as an option for AWS and bare-metal (thanks @kinvolk folks)
• Allow bearer token authentication to the Kubelet (#216)
  • Require Webhook authorization to the Kubelet
  • Switch apiserver X509 client cert org to satisfy new authorization requirement
• Require Terraform v0.11.x and drop support for v0.10.x (migration guide)
• Update etcd from v3.3.4 to v3.3.5 (#213)
• Update Calico from v3.1.1 to v3.1.2

AWS

• Allow Flatcar Linux by setting os_image to flatcar-stable (default), flatcar-beta, flatcar-alpha (#211)
• Replace os_channel variable with os_image to align naming across clouds
  • Please change values stable, beta, or alpha to coreos-stable, coreos-beta, coreos-alpha (action required!)
• Allow preemptible workers via spot instances (#202)
  • Add worker_price to allow worker spot instances. Default to empty string for the worker autoscaling group to use regular on-demand instances
  • Add spot_price to internal workers module for spot worker pools

Bare-Metal

• Allow Flatcar Linux by setting os_channel to flatcar-stable, flatcar-beta, flatcar-alpha (#220)
• Replace container_linux_channel variable with os_channel
  • Please change values stable, beta, or alpha to coreos-stable, coreos-beta, coreos-alpha (action required!)
• Replace container_linux_version variable with os_version
• Add network_ip_autodetection_method variable for Calico host IPv4 address detection
  • Use Calico's default "first-found" to support single NIC and bonded NIC nodes
  • Allow alternative methods for multi NIC nodes, like can-reach=IP or interface=REGEX
• Deprecate container_linux_oem variable

DigitalOcean

• Update Fedora Atomic module to use Fedora Atomic 28 (#225)
  • Fedora Atomic 27 images disappeared from DigitalOcean and forced this early update

Addons

• Fix Prometheus data directory location (#203)
• Configure Prometheus to scrape Kubelets directly with bearer token auth instead of proxying through the apiserver (#217)
  • Security improvement: Drop RBAC permission from nodes/proxy to nodes/metrics
  • Scale: Remove per-node proxied scrape load from the apiserver
• Update Grafana from v5.04 to v5.1.3 (#208)
  • Disable Grafana Google Analytics by default (#214)
• Update nginx-ingress from 0.14.0 to 0.15.0
• Annotate nginx-ingress service so Prometheus auto-discovers and scrapes service endpoints (#222)