v0.14.1

Changelog since v0.14.0

Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514

Component versions

Kubernetes: v1.14.6
Etcd: v3.2.26

Other changes

• #1708: kubernetes v1.14.5(Thanks to @davidmccormick)
• #1712: v0.14.x: bump kubernetes to v1.14.6(Thanks to @davidmccormick)

v0.13.1

Changelog since v0.13.0

Security release of Kubernetes v1.15.3, v1.14.6, v1.13.10 - CVE-2019-9512 and CVE-2019-9514

Component versions

Kubernetes: v1.13.10
Etcd: v3.2.26

Other changes

• #1707: kubernetes v1.13.9(Thanks to @davidmccormick)
• #1713: v0.13.x: bump kubernetes to v1.13.10(Thanks to @davidmccormick)

v0.14.0

Kube-aws is a community project and I am happy to announce this release; many thanks to everyone that contributed features, fixed bugs, helped us test and raised issues! 🎉 🙏

Components

Kubernetes: 1.14.3
Etcd: 3.2.26

Important Upgrade Notes

Most contributions to this release were simultaneously made to our v0.13.x release, please consult the release notes for https://github.com/kubernetes-incubator/kube-aws/releases/tag/v0.13.0 before using this release.
Do not attempt to upgrade an existing cluster 0.12.x (or earlier) directly to v0.14.0 because the changes to node labelling require that v0.13.x is deployed first. When migrating existing v0.13.x clusters we strongly encourage you to test the upgrade in your test environments first. You might find that enabling the upgradeHelper plugin might help you successfully migrate if you are experiencing issues.

Changelog since v0.13.0

Features

• TLSBootstrapping is now also used for the kubelet certificate provision on the controller nodes as well as the worker nodes.
• The NodeRestriction admission controller is now enabled by default.
• Kube-aws kube-system components use the node.kubernetes.io/role labels.

v0.13.0

Kube-aws is a community project and I am happy to announce this release; many thanks to everyone that contributed features, fixed bugs, that helped us test this release and raised issues! 🎉 🙏
With the v0.13.0 release of kube-aws we have decided to better align our release numbers so it will deploy kubernetes v1.13 (if you need to deploy Kubernetes 1.12 it is possible using our v0.12.x branch and selecting your own kubernetesVersion)
This release brings a number of changes related to the security and the stability of our kubernetes clusters and new features.

Components

Kubernetes: 1.13.7
Etcd: 3.2.26

Important Upgrade Notes

• kube-aws is a convenience tool and it can not replace the need for knowledge of both Kubernetes and AWS - should you experience issues deploying this release then please perform your own debugging before raising a support issue, or post a message in the kube-aws slack channel.
• It is expected that you should be able to upgrade from existing kube-aws v0.12.x clusters to v0.13.0 release. If you are migrating existing clusters then we strongly encourage you to test the upgrade in your test environments first. You might find that enabling the upgradeHelper plugin might help you successfully migrate if you are experiencing issues.
• If you use the Experimental Kiam feature you must regenerate your kiam credentials when upgrading to this release (you probably won't want to re-generate ALL of the certificates on an existing cluster though). We are now targeting Kiam release 3.2 which requires additional SANs on the server certificatekiam-server and localhost. Failure the update the certs will result in kiam-server and kiam-agents stuck in CrashLoopBackOff.
• A number of Experimental Features are no longer available and will need to be removed from your cluster.yaml files.
  • TLSBootstrap - is now active by default.
  • PodPriority - is now active by default.
  • PodSecurityPolicy - is now active by default (see warning below)
  • NodeAuthorizer - is now active by default.
  • PersistentVolumeClaimResize - is now active by default.
  • DenyEscalatingExec - is deprecated and has been removed (please use PodSecurityPolicy)
• Two new admission controllers EventRateLimit and ExtendedResourceToleration are now included and enabled by default.
• If you do not have any existing PodSecurityPolicies in your cluster, kube-aws creates a permissive policy and binds it to all service accounts, authenticated users and nodes. Please create your own policies and then remove the permissive bindings by removing the ClusterRoleBinding kube-aws:permissive-psp-cluster-wide.
  Warning! If you do have any existing PodSecurityPolicies you must ensure that they cover/allow all the workloads/pods that you want to run in your cluster, because once upgraded, no pods without a policy are allowed in the cluster!
• If you have any scripts which connect to the kube-apiserver on port 8080, the insecure port 8080 is no longer available and you will need to change them to use certificate based authentication via port 443.
• This release removes the legacy experimental autoscaler feature. You must now use the updated autoscaler plugin for enabling and configuring this functionality (see cluster.yaml)
• For users of their own plugins, where you define systemd units using contents: -> content: it is replaced by just content: (also you can now use templating and source functionality the same as you do with resources and manifests).

Other Core Changes

• The kube-apiserver no longer listens on the insecure port localhost:8080. All kube-aws services and scripts now communicate via the secure port (443) and use the admin certificate to authenticate.
• The kubelets have authentication switched on and employ Webhook authorization to protect their services. We have added a number of RBAC objects to ensure scripts (such as cfn-signal) still have unauthenticated access to a kubelets /healthz endpoint. A number of kubelet settings are now set via a configuration file /etc/kubernetes/config/kubelet.yaml rather than by command-line switches.
• We have removed heapster and enabled metrics-server by default.
• We have moved to using CoreDNS instead of KubeDNS (but you can still select to use KubeDNS if you wish)
• install-kube-system has undergone a refactoring which improves performance and adds flexibility in removing deprecated services. The apply-kube-aws-plugins service has been rolled into the install-kube-system and no longer exists.
• A number of internal cluster components have seen version upgrades: -
  • Calico/Typha v3.6.1
  • Flannel v0.11.0
  • Cluster AutoScaler v1.13.4
  • Cluster Proportional Autoscaler 1.5.0
  • CoreDNS 1.5.0
  • KubeDNS 1.15.2
  • Kiam 3.2
  • DNSMasqMetrics 1.15.2
  • Helm/Tiller v2.13.1
  • Metrics Server v0.3.2
  • Addon Resizer 2.1

Features

• #1480: Check stack existence via DescribeStacks(Thanks to @c-knowles)
• #1484: feat: add CF stackNameOverride in cluster.yaml(Thanks to @koen92)
• #1490: refactoring kube-aws / experimental IAM-based kubelet auth
• #1497: IAM Role name length checks need to account for StrictName usage...(Thanks to @davidmccormick)
• #1499: Change StackExists behaviour(Thanks to @davidmccormick)
• #1512: CA self-genereted cert: add the cn flag(Thanks to @sonant)
• #1514: 'AvailabilityZone' nodepool rolling strategy(Thanks to @davidmccormick)
• #1515: bug: Nodepool stack needs to use the nodepool logical name(Thanks to @davidmccormick)
• #1517: Etcd 3.3.10, compaction and defrag(Thanks to @davidmccormick)
• #1521: Move IAMRoleWorker definition from network stack to node pool stack(Thanks to @ktateish)
• #1527: Master: Add DnsMasq (node local resolver) command-line arguments/options(Thanks to @davidmccormick)
• #1531: feat: support for AWS mixed instances(Thanks to @koen92)
• #1539: Make dashboard replicas configurable(Thanks to @kylehodgetts)
• #1541: Adding the ability to set arbitrary feature gates to controller components(Thanks to @omar-nahhas)
• #1549: feat: Allow users to provide existing private keys(Thanks to @dominicgunn)
• #1555: Revert etcd upgrade(Thanks to @omar-nahhas)
• #1557: Make cluster-autoscaler resource request/limit configurable(Thanks to @Luke-Humphreys)
• #1564: Allowing adding arbitrary flags to kubernetes core components through plugins(Thanks to @omar-nahhas)
• #1571: Capture failures in decrypting assets(Thanks to @sgolightly)
• #1573: BUGFIX: kubeletOptions not applied on controller nodes.(Thanks to @omar-nahhas)
• #1575: Allow plugins to add CFN tags and outputs(Thanks to @Luke-Humphreys)
• #1576: Cluster-autoscaler plugin(Thanks to @Luke-Humphreys)
• #1582: Remove LaunchTemplateName from the LaunchTemplate(Thanks to @paalkr)
• #1583: Etcd Subnets not honoured on stack render.(Thanks to @dominicgunn)
• #1585: Enable detailed monitoring(Thanks to @paalkr)
• #1586: Custom APIServer SANs(Thanks to @dominicgunn)
• #1589: Release Prep to v0.13.x branch(Thanks to @davidmccormick)
• #1618: V0.13.x autoscaler work(Thanks to @davidmccormick)
• #1625: [v0.13.x] Configurable CoreDNS TTL(Thanks to @dominicgunn)
• #1629: Merge in EventRateLimit to Experimental feature(Thanks to @davidmccormick)
• #1631: adding in priority value in podSpec for controller, scheduler and apiserver(Thanks to @erleene)
• #1636: [v0.13.x] - Expose CoreDNS to Prometheus(Thanks to @dominicgunn)
• #1642: v0.13.x: A migration helper to disable core controller services when needed(Thanks to @davidmccormick)
• #1657: 0.13.x Etcd version (#1646)(Thanks to @davidmccormick)
• #1661: v0.13.x: Plugin enhancement - allow embedding templates within templates(Thanks to @davidmccormick)
• #1664: v0.13.x-Reserve resources for calico typha (#1607)(Thanks to @zonzamas)
• #1667: Etcd cannot depend on resources in another stack(Thanks to @koen92)
• #1672: [v0.13.x] - Allow an AntiAffinty tolerant to help ensure even spread of DNS pods(Thanks to @dominicgunn)

Improvements

• #1536: Master: Bump default Kubernetes Dashboard version and add AllowSkipLogin option(Thanks to @kylehodgetts)
• #1567: Removing all references to the already removed kube-aws up/update commands(Thanks to @omar-nahhas)
• #1605: Etcd Upgrade(Thanks to @davidmccormick)
• #1612: Tag instances with their etcd or kubernetes version(Thanks to @davidmccormick)
• #1622: bump kubernetes version to 1.13.7(Thanks to @davidmccormick)

Bug fixes

• #1495: Fix typos: additioanl->additional, creaes->creates(Thanks to @mooncak)
• #1505: Minor fixes in documentation(Thanks to @PabloCastellano)
• #1516: Fix for using StrictName to define a specific Controller Role Name(Thanks to @davidmccormick)
• #1522: Fix for kubelet startup on nodes when using TLS bootstrapping(Thanks to @davidmccormick)
• #1523: Fixes typo initizlie -> initialize(Thanks to @rbmrclo)
• #1526: Fix to escape % character in systemd config for raid0Mounts(Thanks to @cndbain)
• #1530: fix: Partial upgrades with stack name overrides(Thanks to @koen92)
• #1540: Fixing indentation error(Thanks to @omar-nahhas)
• #1596: NAT Gateway tagging #1063(Thanks to @vsamidurai)
• #1598: Issue when kube-aws manages/creates subnets(Thanks to @davidmccormick)
• #1599: Allow setting Kiam version <3.0(Thanks to @davidmccormick)
• #1624: fix version string(Thanks to @davidmccormick)
• #1651: [v0.13.x] Fix trailing slash in Taint templating.(Thanks to @dominicgunn)
• #1655: [v0.13.x] Fix formatting with cluster-autoscaler(Thanks to @dominicgunn)
• #1674: v0.13.x: fixes for rendering plugin systemd units(Thanks to @davidmccormick)

Documentation

• #1489: Fix some typos(Thanks to @AdamDang)
• #1560: Bring quickstart docs upto date (as of 2019)(Thanks to @kylehodgetts)

Other changes

• #1553: Fixing adding c...

v0.12.5

Changelog since v0.12.4

Component versions

Kubernetes: v1.11.3
Etcd: v3.2.13

Features

• #1692: v0.12.x: Change kiam-server 443 port name(Thanks to @cebernardi)

v0.14.0-rc.3

This is a Beta release candidate and is NOT considered ready for deploying/upgrading ANY kubernetes clusters that you care about! Please do try out this version on your test clusters and help us to identify bugs!

Changelog since v0.14.0-rc.2

Component versions

Kubernetes: v1.14.3
Etcd: v3.2.26

Actions required

This release removes the legacy experimental autoscaler feature. You must now use the updated plugin for enabling and configuring this feature (see cluster.yaml)
For users of their own plugins, where you define systemd units using contents: -> content: it is replaced by just content: (also you can now use templating and source functionality the same as you so with resources and manifests).

Features

• #1619: v0.14.x autoscaler work(Thanks to @davidmccormick)
• #1626: [v0.14.x] Configurable CoreDNS TTL(Thanks to @dominicgunn)
• #1630: Make the EventRateLimit alpha admission controller experimental and e…(Thanks to @davidmccormick)
• #1635: [v0.14.x] - Expose CoreDNS to Prometheus(Thanks to @dominicgunn)
• #1643: v0.14.x: A migration helper to disable core controller services when needed(Thanks to @davidmccormick)
• #1658: 0.14.x Etcd version (#1646)(Thanks to @davidmccormick)
• #1663: v0.14.x: Plugin enhancement - allow embedding templates within templates(Thanks to @davidmccormick)
• #1670: Cannot depend on resources in another stack(Thanks to @koen92)
• #1673: [v0.14.x] - Allow an AntiAffinty tolerant to help ensure even spread of DNS pods(Thanks to @dominicgunn)

Improvements

• #1623: bump kubernetes to v1.14.3(Thanks to @davidmccormick)

Bug fixes

• #1649: [v0.14.x] Fix trailing slash in Taint templating.(Thanks to @dominicgunn)
• #1654: [v0.14.x] Fix formatting with cluster-autoscaler(Thanks to @dominicgunn)
• #1676: v0.14.x: fixes for rendering plugin systemd units(Thanks to @davidmccormick)

v0.13.0-rc.3

This is a Beta release candidate and is NOT considered ready for deploying/upgrading ANY kubernetes clusters that you care about! Please do try out this version on your test clusters and help us to identify bugs!

Changelog since v0.13.0-rc.2

Component versions

Kubernetes: v1.13.7
Etcd: v3.2.26

Actions required

This release removes the legacy experimental autoscaler feature. You must now use the updated plugin for enabling and configuring this feature (see cluster.yaml)
For users of their own plugins, where you define systemd units using contents: -> content: it is replaced by just content: (also you can now use templating and source functionality the same as you so with resources and manifests).

Features

• #1618: V0.13.x autoscaler work(Thanks to @davidmccormick)
• #1625: [v0.13.x] Configurable CoreDNS TTL(Thanks to @dominicgunn)
• #1629: Merge in EventRateLimit to Experimental feature(Thanks to @davidmccormick)
• #1631: adding in priority value in podSpec for controller, scheduler and apiserver(Thanks to @erleene)
• #1636: [v0.13.x] - Expose CoreDNS to Prometheus(Thanks to @dominicgunn)
• #1642: v0.13.x: A migration helper to disable core controller services when needed(Thanks to @davidmccormick)
• #1657: 0.13.x Etcd version (#1646)(Thanks to @davidmccormick)
• #1661: v0.13.x: Plugin enhancement - allow embedding templates within templates(Thanks to @davidmccormick)
• #1664: v0.13.x-Reserve resources for calico typha (#1607)(Thanks to @zonzamas)
• #1667: Etcd cannot depend on resources in another stack(Thanks to @koen92)
• #1672: [v0.13.x] - Allow an AntiAffinty tolerant to help ensure even spread of DNS pods(Thanks to @dominicgunn)

Improvements

• #1622: bump kubernetes version to 1.13.7(Thanks to @davidmccormick)

Bug fixes

• #1624: fix version string(Thanks to @davidmccormick)
• #1651: [v0.13.x] Fix trailing slash in Taint templating.(Thanks to @dominicgunn)
• #1655: [v0.13.x] Fix formatting with cluster-autoscaler(Thanks to @dominicgunn)
• #1674: v0.13.x: fixes for rendering plugin systemd units(Thanks to @davidmccormick)

v0.12.4

Changelog since v0.12.3

Component versions

Kubernetes: v1.11.3
Etcd: v3.2.13

Features

• #1640: v0.12.x: A migration helper to disable core controller services when needed(Thanks to @davidmccormick)
• #1677: Correct IAM Role Namechecking in v0.12.x branch(Thanks to @davidmccormick)

v0.11.6

Changelog since v0.11.5

Component versions

Kubernetes: v1.10.5
Etcd: v3.2.13

Features

• #1639: v0.11.x: A migration helper to disable core controller services when needed(Thanks to @davidmccormick)

v0.14.0-rc.2

This is a Beta release candidate and is NOT considered ready for deploying/upgrading ANY kubernetes clusters that you care about! Please do try out this version on your test clusters and help us to identify bugs!

Components

Kubernetes: 1.14.2
Etcd: 3.2.26

Important Upgrade Notes

This release builds on our v0.13.x release, please make consult the features and notes for https://github.com/kubernetes-incubator/kube-aws/releases/tag/v0.13.0-rc.1 before using this release.

Do not attempt to upgrade an existing 0.12.x cluster directly to v0.14.0-rc.x unless you are comfortable with downtime! For existing clusters, please migrate through a v0.13.x release before updating to this release.

Changelog since v0.14.0-rc.1

• #1596: NAT Gateway tagging #1063(Thanks to @vsamidurai)
• #1598: Issue when kube-aws manages/creates subnets(Thanks to @davidmccormick)
• #1599: Allow setting Kiam version <3.0(Thanks to @davidmccormick)
• #1605: Etcd Upgrade(Thanks to @davidmccormick)
• #1612: Tag instances with their etcd or kubernetes version(Thanks to @davidmccormick)