copyright | lastupdated | ||
---|---|---|---|
|
2018-09-25 |
{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:download: .download}
{: #changelog}
View information of version changes for major, minor, and patch updates that are available for your {{site.data.keyword.containerlong}} Kubernetes clusters. Changes include updates to Kubernetes and {{site.data.keyword.Bluemix_notm}} Provider components. {:shortdesc}
IBM applies patch-level updates to your master automatically, but you must update your worker nodes patch. For both master and worker nodes, you must apply major and minor updates. Check monthly for available updates. As updates become available, you are notified when you view information about the master and worker nodes in the GUI or CLI, such as with the following commands: ibmcloud ks clusters
, cluster-get
, workers
, or worker-get
.
For a summary of migration actions, see Kubernetes versions. {: tip}
For information about changes since the previous version, see the following changelogs.
- Version 1.11 changelog.
- Version 1.10 changelog.
- Version 1.9 changelog.
- Archive of changelogs for deprecated or unsupported versions.
{: #111_changelog}
Review the following changes.
{: #1113_1521}
Component | Previous | Current | Description |
---|---|---|---|
{{site.data.keyword.Bluemix_notm}} Provider | v1.11.2-71 | v1.11.3-91 | Updated to support Kubernetes 1.11.3 release. |
IBM file storage classes | N/A | N/A | Removed `mountOptions` in the IBM file storage classes to use the default that is provided by the worker node. Also, now when you update the cluster master, the default IBM file storage class remains `ibmc-file-bronze`. If you want to change the default storage class, run `kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'` and replace `` with the name of the storage class. |
Kubernetes | v1.11.2 | v1.11.3 | See the [Kubernetes release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.3). |
Kubernetes DNS autoscaler | 1.1.2-r2 | 1.2.0 | See the [Kubernetes DNS autoscaler release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.2.0). |
Log rotate | N/A | N/A | Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker-reload` [command](cs_cli_reference.html#cs_worker_reload) or the `ibmcloud ks worker-update` [command](cs_cli_reference.html#cs_worker_update). |
Root password expiration | N/A | N/A | Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](cs_cli_reference.html#cs_worker_update) or [reload](cs_cli_reference.html#cs_worker_reload) your worker nodes at least every 90 days. |
Worker node runtime components (`kubelet`, `kube-proxy`, `containerd`) | N/A | N/A | Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up. |
Systemd | N/A | N/A | Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ![External link icon](../icons/launch-glyph.svg "External link icon")](kubernetes/kubernetes#57345). |
{: #1112_1516}
Component | Previous | Current | Description |
---|---|---|---|
Calico | v3.1.3 | v3.2.1 | See the [Calico release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://docs.projectcalico.org/v3.2/releases/#v321). |
containerd | 1.1.2 | 1.1.3 | See the [`containerd` release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/containerd/containerd/releases/tag/v1.1.3). |
{{site.data.keyword.Bluemix_notm}} Provider | v1.11.2-60 | v1.11.2-71 | Changed the cloud provider configuration to better handle updates for load balancer services with `externalTrafficPolicy` set to `local`. |
IBM file storage plug-in configuration | N/A | N/A | Removed the default NFS version from the mount options in the IBM-provided file storage classes. The host's operating system now negotiates the NFS version with the IBM Cloud infrastructure (SoftLayer) NFS server. To manually set a specific NFS version, or to change the NFS version of your PV that was negotiated by the host's operating system, see [Changing the default NFS version](cs_storage_file.html#nfs_version_class). |
{: #1112_1514}
Component | Previous | Current | Description |
---|---|---|---|
`systemd` | 229 | 230 | Updated `systemd` to fix `cgroup` leak. |
Kernel | 4.4.0-127 | 4.4.0-133 | Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://usn.ubuntu.com/3741-1/). |
{: #1112_1513}
Component | Previous | Current | Description |
---|---|---|---|
containerd | N/A | 1.1.2 | `containerd` replaces Docker as the new container runtime for Kubernetes. See the [`containerd` release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/containerd/containerd/releases/tag/v1.1.2). For actions that you must take, see [Migrating to `containerd` as the container runtime](cs_versions.html#containerd). |
Docker | N/A | N/A | `containerd` replaces Docker as the new container runtime for Kubernetes, to enhance performance. For actions that you must take, see [Migrating to `containerd` as the container runtime](cs_versions.html#containerd). |
etcd | v3.2.14 | v3.2.18 | See the [etcd release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/coreos/etcd/releases/v3.2.18). |
{{site.data.keyword.Bluemix_notm}} Provider | v1.10.5-118 | v1.11.2-60 | Updated to support Kubernetes 1.11 release. In addition, load balancer pods now use the new `ibm-app-cluster-critical` pod priority class. |
IBM file storage plug-in | 334 | 338 | Updated `incubator` version to 1.8. File storage is provisioned to the specific zone that you select. You cannot update an existing (static) PV instance labels, unless you are using a multizone cluster and need to [add the region the zone labels](cs_storage_basics.html#multizone). |
Kubernetes | v1.10.5 | v1.11.2 | See the [Kubernetes release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.2). |
Kubernetes configuration | N/A | N/A | Updated the OpenID Connect configuration for the cluster's Kubernetes API server to support {{site.data.keyword.Bluemix_notm}} Identity Access and Management (IAM) access groups. Added `Priority` to the `--enable-admission-plugins` option for the cluster's Kubernetes API server and configured the cluster to support pod priority. For more information, see:
|
Kubernetes Heapster | v1.5.2 | v.1.5.4 | Increased resource limits for the `heapster-nanny` container. See the [Kubernetes Heapster release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/heapster/releases/tag/v1.5.4). |
Logging configuration | N/A | N/A | The container log directory is now `/var/log/pods/` instead of the previous `/var/lib/docker/containers/`. |
{: #110_changelog}
Review the following changes.
{: #1107_1521}
Component | Previous | Current | Description |
---|---|---|---|
Log rotate | N/A | N/A | Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker-reload` [command](cs_cli_reference.html#cs_worker_reload) or the `ibmcloud ks worker-update` [command](cs_cli_reference.html#cs_worker_update). |
Worker node runtime components (`kubelet`, `kube-proxy`, `docker`) | N/A | N/A | Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up. |
Root password expiration | N/A | N/A | Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](cs_cli_reference.html#cs_worker_update) or [reload](cs_cli_reference.html#cs_worker_reload) your worker nodes at least every 90 days. |
Systemd | N/A | N/A | Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ![External link icon](../icons/launch-glyph.svg "External link icon")](kubernetes/kubernetes#57345). |
{: #1107_1520}
Calico | v3.1.3 | v3.2.1 | See the Calico [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://docs.projectcalico.org/v3.2/releases/#v321). |
{{site.data.keyword.Bluemix_notm}} Provider | v1.10.5-118 | v1.10.7-146 | Updated to support Kubernetes 1.10.7 release. In addition, changed the cloud provider configuration to better handle updates for load balancer services with `externalTrafficPolicy` set to `local`. |
IBM file storage plug-in | 334 | 338 | Updated incubator version to 1.8. File storage is provisioned to the specific zone that you select. You cannot update an existing (static) PV instance's labels, unless you are using a multizone cluster and need to add the region and zone labels. Removed the default NFS version from the mount options in the IBM-provided file storage classes. The host's operating system now negotiates the NFS version with the IBM Cloud infrastructure (SoftLayer) NFS server. To manually set a specific NFS version, or to change the NFS version of your PV that was negotiated by the host's operating system, see [Changing the default NFS version](cs_storage_file.html#nfs_version_class). |
Kubernetes | v1.10.5 | v1.10.7 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.7). |
Kubernetes Heapster configuration | N/A | N/A | Increased resource limits for the `heapster-nanny` container. |
{: #1105_1519}
Component | Previous | Current | Description |
---|---|---|---|
`systemd` | 229 | 230 | Updated `systemd` to fix `cgroup` leak. |
Kernel | 4.4.0-127 | 4.4.0-133 | Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://usn.ubuntu.com/3741-1/). |
{: #1105_1518}
Component | Previous | Current | Description |
---|---|---|---|
Ubuntu packages | N/A | N/A | Updates to installed Ubuntu packages. |
{: #1105_1517}
Component | Previous | Current | Description |
---|---|---|---|
Calico | v3.1.1 | v3.1.3 | See the Calico [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://docs.projectcalico.org/v3.1/releases/#v313). |
{{site.data.keyword.Bluemix_notm}} Provider | v1.10.3-85 | v1.10.5-118 | Updated to support Kubernetes 1.10.5 release. In addition, LoadBalancer service `create failure` events now include any portable subnet errors. |
IBM file storage plug-in | 320 | 334 | Increased the timeout for persistent volume creation from 15 to 30 minutes. Changed the default billing type to `hourly`. Added mount options to the pre-defined storage classes. In the NFS file storage instance in your IBM Cloud infrastructure (SoftLayer) account, changed the **Notes** field to JSON format and added the Kubernetes namespace that the PV is deployed to. To support multizone clusters, added zone and region labels to persistent volumes. |
Kubernetes | v1.10.3 | v1.10.5 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.5). |
Kernel | N/A | N/A | Minor improvements to worker node network settings for high performance networking workloads. |
OpenVPN client | N/A | N/A | The OpenVPN client `vpn` deployment that runs in the `kube-system` namespace is now managed by the Kubernetes `addon-manager`. |
{: #1103_1514}
Component | Previous | Current | Description |
---|---|---|---|
Kernel | N/A | N/A | Optimized `sysctl` for high performance networking workloads. |
{: #1103_1513}
Component | Previous | Current | Description |
---|---|---|---|
Docker | N/A | N/A | For non-encrypted machine types, the secondary disk is cleaned by getting a fresh file system when you reload or update the worker node. |
{: #1103_1512}
Component | Previous | Current | Description |
---|---|---|---|
Kubernetes | v1.10.1 | v1.10.3 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.3). |
Kubernetes Configuration | N/A | N/A | Added `PodSecurityPolicy` to the `--enable-admission-plugins` option for the cluster's Kubernetes API server and configured the cluster to support pod security policies. For more information, see [Configuring pod security policies](cs_psp.html). |
Kubelet Configuration | N/A | N/A | Enabled the `--authentication-token-webhook` option to support API bearer and service account tokens for authenticating to the `kubelet` HTTPS endpoint. |
{{site.data.keyword.Bluemix_notm}} Provider | v1.10.1-52 | v1.10.3-85 | Updated to support Kubernetes 1.10.3 release. |
OpenVPN client | N/A | N/A | Added `livenessProbe` to the OpenVPN client `vpn` deployment that runs in the `kube-system` namespace. |
Kernel update | 4.4.0-116 | 4.4.0-127 | New worker node images with kernel update for [CVE-2018-3639 ![External link icon](../icons/launch-glyph.svg "External link icon")](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639). |
{: #1101_1510}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | Fix to address a bug that occurred if you used the block storage plug-in. |
{: #1101_1509}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine. |
{: #1101_1508}
Component | Previous | Current | Description |
---|---|---|---|
Calico | v2.6.5 | v3.1.1 | See the Calico [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://docs.projectcalico.org/v3.1/releases/#v311). |
Kubernetes Heapster | v1.5.0 | v1.5.2 | See the Kubernetes Heapster [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/heapster/releases/tag/v1.5.2). |
Kubernetes | v1.9.7 | v1.10.1 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.1). |
Kubernetes Configuration | N/A | N/A | Added StorageObjectInUseProtection to the --enable-admission-plugins option for the cluster's Kubernetes API server. |
Kubernetes DNS | 1.14.8 | 1.14.10 | See the Kubernetes DNS [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/dns/releases/tag/1.14.10). |
{{site.data.keyword.Bluemix_notm}} Provider | v1.9.7-102 | v1.10.1-52 | Updated to support Kubernetes 1.10 release. |
GPU support | N/A | N/A | Support for [graphics processing unit (GPU) container workloads](cs_app.html#gpu_app) is now available for scheduling and execution. For a list of available GPU machine types, see [Hardware for worker nodes](cs_clusters_planning.html#shared_dedicated_node). For more information, see the Kubernetes documentation to [Schedule GPUs ![External link icon](../icons/launch-glyph.svg "External link icon")](https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/). |
{: #19_changelog}
Review the following changes.
{: #1910_1524}
Component | Previous | Current | Description |
---|---|---|---|
Log rotate | N/A | N/A | Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker-reload` [command](cs_cli_reference.html#cs_worker_reload) or the `ibmcloud ks worker-update` [command](cs_cli_reference.html#cs_worker_update). |
Worker node runtime components (`kubelet`, `kube-proxy`, `docker`) | N/A | N/A | Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up. |
Root password expiration | N/A | N/A | Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](cs_cli_reference.html#cs_worker_update) or [reload](cs_cli_reference.html#cs_worker_reload) your worker nodes at least every 90 days. |
Systemd | N/A | N/A | Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ![External link icon](../icons/launch-glyph.svg "External link icon")](kubernetes/kubernetes#57345). |
{: #1910_1523}
{{site.data.keyword.Bluemix_notm}} Provider | v1.9.9-167 | v1.9.10-192 | Updated to support Kubernetes 1.9.10 release. In addition, changed the cloud provider configuration to better handle updates for load balancer services with `externalTrafficPolicy` set to `local`. |
IBM file storage plug-in | 334 | 338 | Updated incubator version to 1.8. File storage is provisioned to the specific zone that you select. You cannot update an existing (static) PV instance's labels, unless you are using a multizone cluster and need to add the region and zone labels. Removed the default NFS version from the mount options in the IBM-provided file storage classes. The host's operating system now negotiates the NFS version with the IBM Cloud infrastructure (SoftLayer) NFS server. To manually set a specific NFS version, or to change the NFS version of your PV that was negotiated by the host's operating system, see [Changing the default NFS version](cs_storage_file.html#nfs_version_class). |
Kubernetes | v1.9.9 | v1.9.10 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.10). |
Kubernetes Heapster configuration | N/A | N/A | Increased resource limits for the `heapster-nanny` container. |
{: #199_1522}
Component | Previous | Current | Description |
---|---|---|---|
`systemd` | 229 | 230 | Updated `systemd` to fix `cgroup` leak. |
Kernel | 4.4.0-127 | 4.4.0-133 | Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://usn.ubuntu.com/3741-1/). |
{: #199_1521}
Component | Previous | Current | Description |
---|---|---|---|
Ubuntu packages | N/A | N/A | Updates to installed Ubuntu packages. |
{: #199_1520}
Component | Previous | Current | Description |
---|---|---|---|
{{site.data.keyword.Bluemix_notm}} Provider | v1.9.8-141 | v1.9.9-167 | Updated to support Kubernetes 1.9.9 release. In addition, LoadBalancer service `create failure` events now include any portable subnet errors. |
IBM file storage plug-in | 320 | 334 | Increased the timeout for persistent volume creation from 15 to 30 minutes. Changed the default billing type to `hourly`. Added mount options to the pre-defined storage classes. In the NFS file storage instance in your IBM Cloud infrastructure (SoftLayer) account, changed the **Notes** field to JSON format and added the Kubernetes namespace that the PV is deployed to. To support multizone clusters, added zone and region labels to persistent volumes. |
Kubernetes | v1.9.8 | v1.9.9 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.9). |
Kernel | N/A | N/A | Minor improvements to worker node network settings for high performance networking workloads. |
OpenVPN client | N/A | N/A | The OpenVPN client `vpn` deployment that runs in the `kube-system` namespace is now managed by the Kubernetes `addon-manager`. |
{: #198_1517}
Component | Previous | Current | Description |
---|---|---|---|
Kernel | N/A | N/A | Optimized `sysctl` for high performance networking workloads. |
{: #198_1516}
Component | Previous | Current | Description |
---|---|---|---|
Docker | N/A | N/A | For non-encrypted machine types, the secondary disk is cleaned by getting a fresh file system when you reload or update the worker node. |
{: #198_1515}
Component | Previous | Current | Description |
---|---|---|---|
Kubernetes | v1.9.7 | v1.9.8 | See the [Kubernetes release notes![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.8). |
Kubernetes Configuration | N/A | N/A | Added PodSecurityPolicy to the --admission-control option for the cluster's Kubernetes API server and configured the cluster to support pod security policies. For more information, see [Configuring pod security policies](cs_psp.html). |
IBM Cloud Provider | v1.9.7-102 | v1.9.8-141 | Updated to support Kubernetes 1.9.8 release. |
OpenVPN client | N/A | N/A | Added livenessProbe to the OpenVPN client vpn deployment that runs in the kube-system namespace. |
{: #197_1513}
Component | Previous | Current | Description |
---|---|---|---|
Kernel update | 4.4.0-116 | 4.4.0-127 | New worker node images with kernel update for [CVE-2018-3639 ![External link icon](../icons/launch-glyph.svg "External link icon")](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639). |
{: #197_1512}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | Fix to address a bug that occurred if you used the block storage plug-in. |
{: #197_1511}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine. |
{: #197_1510}
Component | Previous | Current | Description |
---|---|---|---|
Kubernetes | v1.9.3 | v1.9.7 | See the [Kubernetes release notes![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.7). This release addresses [CVE-2017-1002101 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002101) and [CVE-2017-1002102 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102) vulnerabilities. Note: Now `secret`, `configMap`, `downwardAPI`, and projected volumes are mounted as read-only. Previously, apps could write data to these volumes, but the system could automatically revert the data. If your apps rely on the previous insecure behavior, modify them accordingly. |
Kubernetes configuration | N/A | N/A | Added `admissionregistration.k8s.io/v1alpha1=true` to the `--runtime-config` option for the cluster's Kubernetes API server. |
{{site.data.keyword.Bluemix_notm}} Provider | v1.9.3-71 | v1.9.7-102 | `NodePort` and `LoadBalancer` services now support [preserving the client source IP](cs_loadbalancer.html#node_affinity_tolerations) by setting `service.spec.externalTrafficPolicy` to `Local`. |
Fix [edge node](cs_edge.html#edge) toleration setup for older clusters. |
{: #changelog_archive}
Unsupported Kubernetes versions:
{: #18_changelog}
Review the following changes.
{: #1815_1521}
Component | Previous | Current | Description |
---|---|---|---|
Log rotate | N/A | N/A | Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker-reload` [command](cs_cli_reference.html#cs_worker_reload) or the `ibmcloud ks worker-update` [command](cs_cli_reference.html#cs_worker_update). |
Worker node runtime components (`kubelet`, `kube-proxy`, `docker`) | N/A | N/A | Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up. |
Root password expiration | N/A | N/A | Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](cs_cli_reference.html#cs_worker_update) or [reload](cs_cli_reference.html#cs_worker_reload) your worker nodes at least every 90 days. |
Systemd | N/A | N/A | Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ![External link icon](../icons/launch-glyph.svg "External link icon")](kubernetes/kubernetes#57345). |
{: #1815_1520}
Component | Previous | Current | Description |
---|---|---|---|
`systemd` | 229 | 230 | Updated `systemd` to fix `cgroup` leak. |
Kernel | 4.4.0-127 | 4.4.0-133 | Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://usn.ubuntu.com/3741-1/). |
{: #1815_1519}
Component | Previous | Current | Description |
---|---|---|---|
Ubuntu packages | N/A | N/A | Updates to installed Ubuntu packages. |
{: #1815_1518}
Component | Previous | Current | Description |
---|---|---|---|
{{site.data.keyword.Bluemix_notm}} Provider | v1.8.13-176 | v1.8.15-204 | Updated to support Kubernetes 1.8.15 release. In addition, LoadBalancer service `create failure` events now include any portable subnet errors. |
IBM file storage plug-in | 320 | 334 | Increased the timeout for persistent volume creation from 15 to 30 minutes. Changed the default billing type to `hourly`. Added mount options to the pre-defined storage classes. In the NFS file storage instance in your IBM Cloud infrastructure (SoftLayer) account, changed the **Notes** field to JSON format and added the Kubernetes namespace that the PV is deployed to. To support multizone clusters, added zone and region labels to persistent volumes. |
Kubernetes | v1.8.13 | v1.8.15 | See the Kubernetes [release notes ![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.8.15). |
Kernel | N/A | N/A | Minor improvements to worker node network settings for high performance networking workloads. |
OpenVPN client | N/A | N/A | The OpenVPN client `vpn` deployment that runs in the `kube-system` namespace is now managed by the Kubernetes `addon-manager`. |
{: #1813_1516}
Component | Previous | Current | Description |
---|---|---|---|
Kernel | N/A | N/A | Optimized `sysctl` for high performance networking workloads. |
{: #1813_1515}
Component | Previous | Current | Description |
---|---|---|---|
Docker | N/A | N/A | For non-encrypted machine types, the secondary disk is cleaned by getting a fresh file system when you reload or update the worker node. |
{: #1813_1514}
Component | Previous | Current | Description |
---|---|---|---|
Kubernetes | v1.8.11 | v1.8.13 | See the [Kubernetes release notes![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.8.13). |
Kubernetes Configuration | N/A | N/A | Added PodSecurityPolicy to the --admission-control option for the cluster's Kubernetes API server and configured the cluster to support pod security policies. For more information, see [Configuring pod security policies](cs_psp.html). |
IBM Cloud Provider | v1.8.11-126 | v1.8.13-176 | Updated to support Kubernetes 1.8.13 release. |
OpenVPN client | N/A | N/A | Added livenessProbe to the OpenVPN client vpn deployment that runs in the kube-system namespace. |
{: #1811_1512}
Component | Previous | Current | Description |
---|---|---|---|
Kernel update | 4.4.0-116 | 4.4.0-127 | New worker node images with kernel update for [CVE-2018-3639 ![External link icon](../icons/launch-glyph.svg "External link icon")](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639). |
{: #1811_1511}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | Fix to address a bug that occurred if you used the block storage plug-in. |
{: #1811_1510}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine. |
{: #1811_1509}
Component | Previous | Current | Description |
---|---|---|---|
Kubernetes | v1.8.8 | v1.8.11 | See the [Kubernetes release notes![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.8.11). This release addresses [CVE-2017-1002101 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002101) and [CVE-2017-1002102 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102) vulnerabilities. Note: Now `secret`, `configMap`, `downwardAPI`, and projected volumes are mounted as read-only. Previously, apps could write data to these volumes, but the system could automatically revert the data. If your apps rely on the previous insecure behavior, modify them accordingly. |
Pause container image | 3.0 | 3.1 | Removes inherited orphaned zombie processes. |
{{site.data.keyword.Bluemix_notm}} Provider | v1.8.8-86 | v1.8.11-126 | `NodePort` and `LoadBalancer` services now support [preserving the client source IP](cs_loadbalancer.html#node_affinity_tolerations) by setting `service.spec.externalTrafficPolicy` to `Local`. |
Fix [edge node](cs_edge.html#edge) toleration setup for older clusters. |
{: #17_changelog}
Review the following changes.
{: #1716_1514}
Component | Previous | Current | Description |
---|---|---|---|
Kernel update | 4.4.0-116 | 4.4.0-127 | New worker node images with kernel update for [CVE-2018-3639 ![External link icon](../icons/launch-glyph.svg "External link icon")](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639). |
{: #1716_1513}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | Fix to address a bug that occurred if you used the block storage plug-in. |
{: #1716_1512}
Component | Previous | Current | Description |
---|---|---|---|
Kubelet | N/A | N/A | The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine. |
{: #1716_1511}
Component | Previous | Current | Description |
---|---|---|---|
Kubernetes | v1.7.4 | v1.7.16 | See the [Kubernetes release notes![External link icon](../icons/launch-glyph.svg "External link icon")](https://github.com/kubernetes/kubernetes/releases/tag/v1.7.16). This release addresses [CVE-2017-1002101 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002101) and [CVE-2017-1002102 ![External link icon](../icons/launch-glyph.svg "External link icon")](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102) vulnerabilities. Note: Now `secret`, `configMap`, `downwardAPI`, and projected volumes are mounted as read-only. Previously, apps could write data to these volumes, but the system could automatically revert the data. If your apps rely on the previous insecure behavior, modify them accordingly. |
{{site.data.keyword.Bluemix_notm}} Provider | v1.7.4-133 | v1.7.16-17 | `NodePort` and `LoadBalancer` services now support [preserving the client source IP](cs_loadbalancer.html#node_affinity_tolerations) by setting `service.spec.externalTrafficPolicy` to `Local`. |
Fix [edge node](cs_edge.html#edge) toleration setup for older clusters. |