Releases: kubernetes-sigs/kubespray

v2.8.3 - Security Patch (CVE-2019-5736)

15 Feb 13:51

[SECURITY] Docker patches for CVE-2019-5736 (#4223)

This updates docker 18.06 and 18.09 with the two patches released
yesterday to address the new runc exploit. Details here:
https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/

v2.8.2

24 Jan 13:38

This release includes the following changes.

  • Added Kubernetes version 1.12.5

v2.8.1

26 Dec 09:23

This release includes the following changes.

Changes

  • Added Kubernetes version 1.12.4

Fixes

  • "Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled" failed when running on non-masters.
  • Remove kube-ipvs0 now works on cluster reset.
  • Clear IPVS virtual server table now only runs on kubernetes nodes and masters.
  • Move node-cidr-mask-size to ControllerManagerextraArgs
  • Fixup line breaks for kubeadm SANs
  • Fix apiServerCertSANs in kubeadm config file

v2.8.0

04 Dec 07:37

This release includes the following changes.

Deprecation / Removal

  • Non-kubeadm deployment mode (kubeadm_enabled: false) is now deprecated and will be removed in 2.9
  • Vault has been removed

Major changes:

  • Kubeadm as default deployment mode
  • Download CNI binaries instead of copying from containers
  • Add support for setting custom node taints
  • Kubernetes apiserver insecure port disabled by default
  • Updated Docker and etcd versions
  • Added priority class to all deployments (also for non-kubeadm deployments)
  • Support multiple local volume provisioner StorageClasses
  • Static tokens and basic auth now work with Kubeadm deployment mode (was broken in 2.7)
  • Cloud Provider deployments with kubeadm now work

Applications

  • Metrics Server is now added as an addon
  • Add support to set tolerations for ingress-nginx

Network

  • Added support for Kube-Router (Thanks to @jjo)
  • Added support for Multus (Thanks to @Kusanagi9999)
  • Fix DNS loop when resolvconf_mode is set to host_resolvconf
  • Kube Proxy mode now defaults to ipvs
  • DNS Autoscaler now works for both KubeDNS and CoreDNS (see notes)
  • DNS Mode now defaults to coredns

Component versions:

  • Kubernetes 1.12.3
  • Etcd 3.2.24
  • Docker 18.06
  • Rkt 1.21.0
  • Cri-O 1.11.5
  • Calico 3.1.3
  • Cilium 1.3.0
  • Contiv 1.2.1
  • Flannel 0.10.0
  • Kube-Router 0.2.1
  • Multus 3.1-autoconf
  • Weave 2.5.0
  • KubeDNS 1.14.13
  • CoreDNS 1.2.6
  • Helm 2.11.0

Notes

  • Renamed variable kubedns_min_replicas to dns_min_replicas

v2.7.0

03 Oct 07:45

This release includes the following changes.

!!! Update (16-10-2018 @woopstar)

  • etcd setup fails with Ansible 2.7. Either use Ansible 2.6 or apply the PR from #3486

Major changes:

  • Added kubernetes audit support
  • Added kubernetes Dynamic Kubelet Configuration support
  • Added ARM support
  • Added Cri-O support (only on CentOS-based OS)
  • Added Cloud provider support for OCI (Oracle Cloud Infrastructure) (experimental)
  • Added Nvidia GPU support (experimental)
  • Added a deployment document for offline environment
  • Support for AWS cloud-config
  • Ubuntu 18.04 support
  • Fedora 28 support
  • Working on initial support for workloads on Windows
  • Remove EFK from kubernetes-apps roles #3352
  • Heketi/GlusterFS support
  • MetalLB as load balancer for on-premise deployments support
  • Adding pod priority for all the components (Priority Classes)
  • kube_basic_auth and kube_token_auth now work with kubeadm deployments
  • kubeadm deployment has been updated to be in sync with non-kubeadm deployments
  • kubelet_node_custom_flags variable has been added to set kubelet flags only on nodes

Component versions:

  • Kubernetes 1.11.3
  • Etcd 3.2.18
  • Flannel 0.10.0
  • Cilium 1.2.0
  • Contiv 1.2.1
  • Weave 2.4.1
  • Calico 3.1.3
  • Docker 17.03
  • Rkt 1.21.0
  • Cri-O 1.11.5
  • KubeDNS 1.14.13
  • CoreDNS 1.2.2
  • Helm 2.9.1

Known issues

  • Deploy calico failed when using cri-o runtime #3275
  • CoreDNS DNS loop when resolvconf_mode is set to host_resolvconf #3390
  • Remove file download when docker engine is used #3302
  • Cloud Provider deployments with kubeadm do not work yet #3766

Notes

We will be deprecating the non-kubeadm deployment soon and switching to kubeadm-only deployments as the new default.

v2.6.0

10 Aug 10:13
8b3ce6e

This release includes the following changes.

Major changes:

  • Refactored vault to use hashivault module
  • OpenSUSE support

Component versions:

  • Kubernetes 1.10.4
  • Etcd 3.2.18
  • Flannel 0.10.0
  • Cilium 1.1.2
  • contiv 1.1.7
  • Weave 2.4.0
  • Calico 2.6.8
  • Docker 17.03
  • Kube-dns 1.14.10
  • Coredns 1.1.2
  • Helm 2.9.1

v2.5.0

16 Apr 06:32
02cd541

This release includes the following changes.

Major changes:

  • Switched to Google's hyperkube docker container (was CoreOS) due to glusterfs support
  • New addon: ingress-nginx
  • New addon: registry
  • Added support for ipvs kube-proxy mode
  • Added remove-node.yml playbook (taint and remove node from cluster)
  • Credentials are now stored in inventory directory
  • Added experimental support for OpenSuse
  • Added experimental CoreDNS support
  • Added experimental support for Cilium as network provider
  • Deprecated kubespray-cli

Component versions:

  • Kubernetes 1.9.5
  • Etcd 3.2.4
  • Flannel 0.10.0
  • Cilium 1.0.0-rc8
  • contiv 1.1.7
  • Weave 2.2.1
  • Calico 2.6.8
  • Docker 17.03
  • Istio 0.2.6
  • Kube-dns 1.14.8
  • Coredns 1.1.0
  • Helm 2.8.1

v2.4.0

01 Feb 17:35
f7d5256

This release includes the following changes.

Major changes:

  • Add flexibility for alt_names for certificates
  • Support for local_volume_provisioner

Component versions:

  • Kubernetes 1.9.2
  • Flannel 0.9.1
  • Weave 2.1.3
  • Calico 2.6.2
  • helm 2.7.2
  • kube-dns 1.14.8

v2.3.0

26 Oct 21:01

This release includes the following changes.

Major changes:

  • Full RBAC support
  • New addon: istio
  • etcd scaling
  • All network plugins are deployed with CNI as daemonsets
  • Experimental kubeadm support
  • Container and file downloads are consolidated

Component versions:

  • Kubernetes v1.8.1
  • Docker 1.13.1
  • etcd v3.2.4
  • Rkt v1.21.0 (optional)
  • Calico v2.5.0
  • Weave 2.0.4
  • Flannel v0.8.0

Security

  • RBAC is enabled and may affect upgrades.

Known issues

  • CoreOS with Canal on GCE does not work. It works fine on any other platform.
  • Vault deployment mode does not work with kubeadm (but can still be used for etcd certificates).

Action items for users upgrading to v2.3.0

  • If you switch to kubeadm deployment mode, all pods in kube-system namespace will get restarted. All other pods will have their service account tokens reset because of the necessary certificate regeneration. Delete the relevant secret for the ServiceAccount and restart the pods to restore functionality.

Additional notes

  • Kubeadm can be enabled by setting kubeadm_enabled: true. Both new and existing clusters can be switched to kubeadm mode.

v2.2.0

30 Aug 10:29

This release includes the following changes.

Major changes:

  • RBAC support for core components (optional add-ons are not included)
  • Reintroduced Vault support
  • Masters are now marked unschedulable via taints
  • Flannel is now set up with CNI

Component versions:

  • Kubernetes v1.7.3
  • Docker 1.13.1
  • etcd v3.2.4
  • Rkt v1.21.0 (optional)
  • Calico v2.4.1
  • Weave 2.0.1
  • Flannel v0.8.0

Security

  • It is now possible to enable RBAC upon upgrade.