-
Fix CVE-2019-14697. #877 (@faiq)
-
update client-go to 0.19.2 to support k8s 1.16-1.21
-
use the distroless image and run as nonroot user to address image CVEs #863 (@d2iq-dispatch)
- Bump kube-rbac-proxy to tackle vulnerabilities from CVE-14697
- fix: ignore metrics auth https://github.com/mesosphere/dex-controller/compare/v0.6.5...v0.6.6#diff-5437c8653258a2e2a070c91d87e2f7581d12f6c7f103b0d8c324a37307287b65R30
- chore: bump kube-rbac-proxy version https://github.com/mesosphere/dex-controller/compare/v0.6.5...v0.6.6#diff-4d1856f3f2123c349e94607208c95a821f2485405db0b97ce41e87336a0ea3a7R21 #869 (@d2iq-dispatch)
- Gatekeeper upgraded to 3.3.0 #928 (@alejandroEsc)
- bump jaeger-operator-2.19.0 #867 (@d2iq-dispatch)
-
bump kiali-operator-1.29.1 #892 (@d2iq-dispatch)
-
kiali: configure to use the same version for
kiali/kialii
that matches the operator. #887 (@dkoshkin)
-
Fixes bug in OpsPortal & Kommander UI where LDAP Root CA is malformed when saved
-
Updated UI to only ship with needed dependencies #976 (@d2iq-dispatch)
-
Fixes bug in OpsPortal & Kommander UI where LDAP Root CA is malformed when saved
-
Updated UI to only ship with needed dependencies #964 (@d2iq-dispatch)
-
fix(kommander-ui): disable addons on foundation disabled
-
feat(kommander-ui): add license delete mutation
-
feat(kommander-ui): replace license table with single license detail view
-
feat(kommander-ui): allow workspace namespace to be configurable #930 (@d2iq-dispatch)
-
fix(kommander): Fix empty non-Konvoy cluster Platform Services tab #902 (@d2iq-dispatch)
- prometheus(fix): Re-enable etcd prometheus rules #938 (@gracedo)
- prometheusadapter: fix an error were resources in reported by the Kubernetes dashboard and
kubectl top
reported double of the actual resources. #884 (@dkoshkin)
-
When upgrading from a release that used helm 2 to install, reloader cannot be cleanly upgraded due to selector changes. This adds a flag that causes reloader to be uninstalled before being upgraded. This should have no effect on running applications. #956 (@armandgrillet)
-
Bump from v0.0.79 to v0.0.80
-
Add custom annotation support in service account #893 (@d2iq-dispatch)
-
Ambassador
-
Cert-manager:
- v1 API
- Renaming our API group from certmanager.k8s.io to cert-manager.io
- Removal of the v1alpha API
- kubectl cert-manager status command to help with investigating issues
- Using new and stable Kubernetes APIs
- Improved logging
- ACME improvements
- kubectl cert-manager create certificaterequest for signing local certificates
- General Availability of JKS and PKCS#12 keystore support
- kubectl cert-manager CLI plugin allowing manual renewal and API version conversion
- ACME External Account Binding support
- Support for full set of x509 ‘subject’ parameters (#542, @jr0d)
- The Deployment selectors were changed, use
delete
upgrade-strategy
. - support being upgraded from v0.10 to v1.0.3. (#594, @jr0d), (#656, @jr0d)
-
Default StorageClass Protection
-
Dex
- Fix to enable dex-controller metrics collection (#621)
-
Elasticsearch:
- Fixes regression from helm/charts#17643 where the explicit selectors do match the previously implicit selectors.
- Fix plugin install initcontainer which would fail if plugin already exists. This happens when Node reboots and keeps emptyDir, or if elasticsearch image already contains plugin
- In private environments where we replicate all the images, the test image cannot be pulled due it misses imagePullSecrets (#497)
-
External-dns
-
Fluent-bit:
- bump the fluent-bit app version to 1.5.6
- aws: utils: fix mem leak in flb_imds_request
- fix double free when destroying connections if the endpoint in unavailable
- remove noisy error introduced in v1.5.5
- fix deletion of pending connections in the destroy_queue (#538)
- The Deployment selectors were changed, use
delete
upgrade-strategy
. (#574, @dkoshkin) - Upgrades fluent-bit to v1.5.7. See https://fluentbit.io/announcements/v1.5.7.
- Adds chart value
podLabels
. (#584) - configuration to unblock output buffer. (#589, @alejandroEsc)
- bump the fluent-bit app version to 1.5.6
-
Istio
- Bug Fixes
- Fixed HTTP match request without headers conflict
- Fixed Istio operator to watch multiple namespaces (Istio #26317)
- Fixed EDS cache when an endpoint appears after its service resource (Istio #26983)
- Fixed istioctl remove-from-mesh not removing init containers on CNI installations.
- Fixed istioctl add-to-mesh and remove-from-mesh commands from affecting OwnerReferences (Istio #26720)
- Fixed cleaning up of service information when the cluster secret is deleted
- Fixed egress gateway ports binding to 80⁄443 due to user permissions
- Fixed gateway listeners created with traffic direction outbound to be drained properly on exit
- Fixed headless services not updating listeners (Istio #26617)
- Fixed inaccurate endpointsPendingPodUpdate metric
- Fixed ingress SDS from not getting secret update (Istio #18912)
- Fixed ledger capacity size
- Fixed operator to update service monitor due to invalid permissions (Istio #26961)
- Fixed regression in gateway name resolution (Istio 26264)
- Fixed rotated certificates not being stored to /etc/istio-certs VolumeMount (Istio #26821)
- Fixed trust domain validation in transport socket level (Istio #26435)
- Improvements
- Added istioctl analyzer to detect when Destination Rules do not specify caCertificates (Istio #25652)
- Added missing telemetry.loadshedding.- options to mixer container arguments
- Improved specifying network for a cluster without meshNetworks also being configured
- Improved the cache readiness state with TTL (Istio #26418)
- Updated SDS timeout to fetch workload certificates to 0s
- Updated app_containers to use comma separated values for container specification
- Updated default protocol sniffing timeout to 5s (Istio #24379) (#516, @shaneutt)
- Bug Fixes
-
Kibana
-
Metallb
- Enable metrics collection (#623)
-
Prometheus
-
Istio:
-
The "kubernetes-service-monitor" service monitor has been removed. (#481, @gracedo)
-
Bumped Istio to v1.6.8:
- Fixed security issues:
- CVE-2020-12603: By sending a specially crafted packet, an attacker could cause Envoy to consume excessive amounts of memory when proxying HTTP/2 requests or responses.
- CVE-2020-12605: An attacker could cause Envoy to consume excessive amounts of memory when processing specially crafted HTTP/1.1 packets.
- CVE-2020-8663: An attacker could cause Envoy to exhaust file descriptors when accepting too many connections.
- CVE-2020-12604: An attacker could cause increased memory usage when processing specially crafted packets.
- CVE-2020-15104: When validating TLS certificates, Envoy incorrectly allows a wildcard DNS Subject Alternative Name to apply to multiple subdomains. For example, with a SAN of .example.com, Envoy incorrectly allows nested.subdomain.example.com, when it should only allow subdomain.example.com.
- CVE-2020-16844: Callers to TCP services that have a defined Authorization Policies with DENY actions using wildcard suffixes (e.g. *-some-suffix) for source principals or namespace fields will never be denied access.
- Other changes:
- Fixed return the proper source name after Mixer does a lookup by IP if multiple pods have the same IP.
- Improved the sidecar injection control based on revision at a per-pod level (Issue 24801)
- Improved istioctl validate to disallow unknown fields not included in the Open API specification (Issue 24860)
- Changed stsPort to sts_port in Envoy’s bootstrap file.
- Preserved existing WASM state schema for state objects to reference it later as needed.
- Added targetUri to stackdriver_grpc_service.
- Updated WASM state to log for Access Log Service.
- Increased default protocol detection timeout from 100 ms to 5 s (Issue 24379)
- Removed UDP port 53 from Istiod.
- Allowed setting status.sidecar.istio.io/port to zero (Issue 24722)
- Fixed EDS endpoint selection for subsets with no or empty label selector. (Issue 24969)
- Allowed k8s.overlays on BaseComponentSpec. (Issue 24476)
- Fixed istio-agent to create elliptical curve CSRs when ECC_SIGNATURE_ALGORITHM is set.
- Improved mapping of gRPC status codes into HTTP domain for telemetry.
- Fixed scaleTargetRef naming in HorizontalPodAutoscaler for Istiod (Issue 24809)
- Optimized performance in scenarios with large numbers of gateways. (Issue 25116)
- Fixed an issue where out of order events may cause the Istiod update queue to get stuck. This resulted in proxies with stale configuration.
- Fixed istioctl upgrade so that it no longer checks remote component versions when using --dry-run. (Issue 24865)
- Fixed long log messages for clusters with many gateways.
- Fixed outlier detection to only fire on user configured errors and not depend on success rate. (Issue 25220)
- Fixed demo profile to use port 15021 as the status port. (Issue #25626)
- Fixed Galley to properly handle errors from Kubernetes tombstones.
- Fixed an issue where manually enabling TLS/mTLS for communication between a sidecar and an egress gateway did not work. (Issue 23910)
- Fixed Bookinfo demo application to verify if a specified namespace exists and if not, use the default namespace.
- Added a label to the pilot_xds metric in order to give more information on data plane versions without scraping the data plane.
- Added CA_ADDR field to allow configuring the certificate authority address on the egress gateway configuration and fixed the istio-certs mount secret name.
- Updated Bookinfo demo application to latest versions of libraries.
- Updated Istio to disable auto mTLS when sending traffic to headless services without a sidecar.
- Fixed an issue which prevented endpoints not associated with pods from working. (Issue #25974) (#489, @shaneutt)
- Fixed security issues:
-
-
Traefik-forward-auth:
- Update traefik-foward-auth to 0.2.14
- Add an option to bypass tfa deployment (#456)
-
Fixed an upgrade issue for several addons which would cause them to not be properly targeted for upgrade (#492, @shaneutt)
- Azuredisk-csi-driver:
- Cert-manager:
Issuer
namespace setableCertificate
namespace setable (#378, @sebbrandt87)
- Dex-k8s-authenticator:
- Elasticsearch-curator:
- version 5.8.1 (#374, @sebbrandt87)
- Added value
cronjob.startingDeadlineSeconds
: Amount of time to try reschedule job if we can't run on time (#447)
- Elasticsearch-exporter:
- updated from 2.11 to 3.7.0
- Add a parameter for the elasticsearch-exporter: es.indices_settings as it is supported since version 1.0.4 (the elasticsearch-exporter chart is supporting the version 1.1.0)
- Update description for envFromSecret parameter in readme
- Feature flap the flag es.uri to allow fallback to env var ES_URI
- Allow setting environment variables with k8s secret information to support referencing already existing sensitive parameters.
- Add es.ssl.client.enabled value for better functionality readability
- Add option to disable client cert auth in Elasticsearch exporter
- Add the serviceMonitor targetLabels key as documented in the Prometheus Operator API
- Add log.level and log.format configs
- Add the ServiceMonitor metricRelabelings key as documented in the Prometheus Operator API
- Add sampleLimit configuration option (#449)
- updated from 2.11 to 3.7.0
- Fluent-bit:
- Three different elasticsearch indicies created
- kubernetes_cluster-- (for container logs)
- kubernetes_audit-- (for audit logs from kube-apiserver)
- kubernetes_host-- (for all systemd host logs)
- version 1.5.2
- Kernel messages forwarded (#375, @sebbrandt87)
- apply meaningful aliases to plugins and their metrics. (#432, @branden)
- Three different elasticsearch indicies created
- Istio:
- Traefik-foward-auth:
- update to 0.2.14
- Add an option to bypass tfa deployment (#456)
- update to 0.2.14
- Kibana:
- version 6.8.10 (#373, @sebbrandt87)
- Ops-portal:
- Fix: Unable to change ops-portal password (#379, @GoelDeepak)
- Prometheus:
- chore: bump chart to v9.3.1
- refactor!: (breaking change) version 9 of the helm chart removes the existing
additionalScrapeConfigsExternal
in favor ofadditionalScrapeConfigsSecret
. This change lets users specify the secret name and secret key to use for the additional scrape configuration of prometheus. - feat: add ingress configuration for Thanos sidecar, enabling external access from a centralized thanos querier running in another cluster
- feat: add scrape timeout config to service monitor to avoid timeouts on slow kubelets
- feat: add docker checksum option to improve security for deployed containers
- feat: add option to disable availability rules
- feat: enable scraping /metrics/resource for kubelet service
- feat: [prometheus] enable namespace overrides
- feat: [prometheus] allow additional volumes and volumeMounts
- feat: [alertmanager] add volume and volume mounts to spec
- feat: [alertmanager] add support for serviceAccount.annotations
- feat: [grafana] enable adding annotations to all default dashboard configmaps
- chore: bump prometheus to v2.18.2
- chore: bump alertmanager to v0.21.0
- chore: bump hyperkube to v1.16.12
- chore: bump grafana to v5.3.0
- fix: add missing grafana annotations to k8s-coredns dashboard
- fix: reduced CPU utilization and time lag for code_verb:apiserver_request_total:increase30d scrape
- fix: invalid image pull policy for the admission webhook patch
- fix: alert "KubeNodeUnreachable" no longer fires on an autoscaling scale-down event (#444, @samvantran)
- refactor!: (breaking change) version 9 of the helm chart removes the existing
- disable ServiceMonitors for kube-controller-manager and kube-scheduler. kubernetes has determined the ports that were used for these tests was insecure and has limited it to localhost only. This causes these specific tests to fail. The state of the controller-manager and scheduler pods are still tracked in general as pods. (#474, @dkoshkin)
- chore: bump chart to v9.3.1
- Prometheus
- Fix an issue that may cause Grafana's home dashboard to be empty. (#351, @branden)
- disable ServiceMonitors for kube-controller-manager and kube-scheduler. kubernetes has determined the ports that were used for these tests was insecure and has limited it to localhost only. This causes these specific tests to fail. The state of the controller-manager and scheduler pods are still tracked in general as pods. (#474, @dkoshkin)
- Improve Grafana dashboard names and tags for dashboards tied to addons (#352, @gracedo)
- Traefik
- traefik
- elasticsearch
- default data nodes has been increased to 4 (#327, @alejandroEsc)
- external-dns
- disable by default (#335, @GoelDeepak)
- Traefik: fix metrics access and reporting (#349, @gracedo)
- Prometheus: Improve Grafana dashboard names and tags for dashboards tied to addons (#352, @gracedo)
- [awsebscsiprovisioner] The manual steps to upgrade the snapshot APIs from v1alpha1 to v1beta1 is no longer required. It has been automated in the chart CRD install hook by default. If you do not want that default behavior of cleaning up v1alpha1 snapshot CRDs, you can set
cleanupVolumeSnapshotCRDV1alpha1
tofalse
and follow the instructions for upgrading to Kubernetes1.17
. (#273, @sebbrandt87) - [gcpdisk-csi-driver] The manual steps to upgrade the snapshot APIs from v1alpha1 to v1beta1 is no longer required. It has been automated in the chart CRD install hook by default. If you do not want that default behavior of cleaning up v1alpha1 snapshot CRDs, you can set
cleanupVolumeSnapshotCRDV1alpha1
tofalse
and follow the instructions for upgrading to Kubernetes1.17
. [azuredisk-csi-driver] The manual steps to upgrade the snapshot APIs from v1alpha1 to v1beta1 is no longer required. It has been automated in the chart CRD install hook by default. If you do not want that default behavior of cleaning up v1alpha1 snapshot CRDs, you can setsnapshot.cleanupVolumeSnapshotCRDV1alpha1
tofalse
and follow the instructions for upgrading to Kubernetes1.17
. (#279, @jieyu) - [prometheus-operator] Upgrade to version 0.38.1
- [traefik] fix an issue where
clusterhostname
can now be an ipaddress as well (#286, @GoelDeepak) - [dex-k8s-authenticator] Fix bug in init container that could remove custom CA certificate from main cluster login instructions (#291, @mhrabovcin)
- [traefik] Distribute pods across nodes and zones when possible. [traefik] Set a PodDisruptionBudget to ensure at least 1 pod is running at all times. (#292, @branden)
- Prometheus-alert-manager: increase memory and cpu limits due to OOM errors (#298, @hectorj2f)
- Traefik is now upgradeable again when the
initCertJobImage
field is modified. (#302, @makkes) - [traefik]:
- upgrade to 1.7.24
- mTLS available
- accessLogs.filters setable
- caServer setable for acme challenge (#304, @sebbrandt87)
- Traefik: access log is enabled by default (#305, @mhrabovcin)
- Opsportal: fix a typo in 'lables' that caused issues during upgrades. (#307, @dkoshkin)
- [prometheus]: Update prometheus-operator chart, which adds a grafana dashboard for monitoring autoscaler (#308, @gracedo)
- [dex-k8s-authenticator]:
- fix: render configure kubectl instructions with the cluster hostname.
- fix: add clippy js for clipboard support (#309, @samvantran)
- [prometheus] Increases default Prometheus server resources. (#310, @branden)
- ValuesRemap has been added for rewriting the forward authentication url in multiple addons. (#315, @jr0d)
- Konvoyconfig has a new field
caCertificate
to support custom certificate in managed cluster (#316, @GoelDeepak) - Istio addon upgraded to 1.6.3 (#317, @GoelDeepak)
- Opsportal: allow landing page deployment replica count to be configured (#319, @jieyu)
- [dashboard] Upgrades the Kubernetes dashboard to 2.0.3. [dashboard] Adds metrics visualizations to the Kubernetes dashboard UI. (#320, @branden)
- Traefik: revert changes to the service ports that broke Velero functionality. (#328, @dkoshkin)
- Traefik-foward-auth: fix a bug that might cause /_oauth callback to be redirected to other services (#334, @jieyu)
- Adds the Conductor service card to the cluster detail page of the UI. (#344, @natmegs)
- [kibana]: Fixes an issue causing an outdated version of Kibana to be deployed to GCP. (#249, @branden)
- [prometheus]
- [dex]: support specifying root CA for LDAP connectors in Dex controller. (#224, @jieyu)
- [velero]: bump velero to chart version 3.0.3, which includes velero-minio RELEASE.2020-04-10T03-34-42Z (#215, @jieyu)
- [dex-k8s-authenticator] added support for the konvoy credentials plugin (#193, @jr0d)
- [velero]: switch minio backend logging from plaintext to json (#216, @vespian)
- [dex-k8s-authenticator]: Now supports a kubectl credentials plugin for automatically managing identity tokens. Instructions for downloading the plugin and configuring kubectl can be found at
https://<cluster-ip>/token/plugin
. (#212, @jr0d) - [cert-manager]
usages
is no longer definable as part ofissuerRef
, instead it is a key on its own (#196, @sebbrandt87) - [elasticsearch] Fixes an issue that may cause the elasticsearch addon to fail to deploy. (#206, @branden)
- [Elasticsearch] revert the PVC size to default (30G) for data nodes (#203, @jieyu)
- [Prometheus] Upgrade prometheus-operator chart to v8.8.4 (#205, @joejulian)
- [awsebscsiprovisioner] Upgrade awsebscsiprovisioner chart to 0.3.5 and aws-ebs-csi-driver to 0.5.0. (#186, @sebbrandt87)
- [kube-oidc-proxy] allow using default system CA bundle. (#191, @jieyu)
- [Traefik] Upgrade Traefik to 1.7.23. This change fixes the ability to access the Kubernetes API server when the connection needs to be upgraded to SPDY, among other bug fixes. For more details, see mesosphere/charts#514. (#190, @joejulian)
- [dex-k8s-authenticator] allow to use system default CA (#189, @jieyu)
- [Istio] Disable Istio PodDisruptionBudget, the default settings and replica count of 1 prevents pods on nodes from being drained. (#183, @dkoshkin)
- [Velero] revert the velero refactor in stable-1.16-1.4.0 due to a data loss issue (#197, @jieyu)
- [Velero-minio] fix a data loss issue after upgrade (#200, @jieyu)
- [Dex] Add SAML connector support in dex controller allowing users to add SAML IDP using Kubernetes API. (#173, @jieyu)
- [Velero] switch to use minio helm chart (instead of operator) for backup storage. This allow users to install their own minio operator for general purpose object storage. (#174, @jieyu)
- [ElasticSearch, fluentbit] Create index template Create ElasticSearch Index Template. Require Fluentbit to deploy only after ElasticSearch deploys.
- fluent-bit
- Disable audit log collection It's been observed in production clusters that the audit log bloats the number of fields in an index. This causes resource limits to be filled and throttling to occur. We are disabling this collection pending further investigation.
- dex:
- improve the LDAP connector validation in Dex controller
- fix an issue in dex addon which disallowed adding local users
- use Dex controller v0.4.1, which includes the support for OIDC group claims
- upgrade Dex to v2.22.0, which supports groups claims for OIDC connectors
- dex-k8s-authenticator:
- allow scopes to be configured, and drop the
offline_access
scope as it is not used
- allow scopes to be configured, and drop the
- kube-oidc-proxy:
- enable token passthrough
- opsportal:
- set
opsportalRBAC.allowAllAuthenticated
to true - add RBAC support
- set
- traefik-forward-auth:
- enable RBAC and impersonation
- remove whitelisting
- kibana:
- upgrade to 6.8.2
- elasticsearch-curator:
- added and enabled curator to remove old indexes from elasticsearch to free up storage
Add support for kubernetes clusters on GCP Various chart bumps for stability, bug and security fixes.