
Releases: jhunt/k8s-boshrelease

k8s for BOSH v1.19.0-build.1

31 Aug 15:29

Software Updates

  • All core Kubernetes components have been updated to 1.19.0.

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.19.0-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.19.0-build.1/k8s-1.19.0-build.1.tgz
    sha1:    49cf881b5622250780e590a421044def28707682

k8s for BOSH v1.18.8-build.1

17 Aug 13:34

Software Updates

  • All core Kubernetes components (including kube-proxy) have been updated to 1.18.8.
  • containerd has been updated to 1.3.7
  • etcd has been updated to 3.4.10

This release is primarily in response to CVE-2020-8559 (https://nvd.nist.gov/vuln/detail/CVE-2020-8559) and CVE-2020-8557 (https://nvd.nist.gov/vuln/detail/CVE-2020-8557).

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.18.8-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.18.8-build.1/k8s-1.18.8-build.1.tgz
    sha1:    fdbd44f5927c47547a58172016e0b3a3df7b363f

k8s for BOSH v1.18.5-build.1

12 Jul 18:17

Software Updates

  • All core Kubernetes components (including kube-proxy) have been updated to 1.18.5.
  • Kubernetes Dashboard (an optional component) has been updated to 2.0.3.
  • Flannel CNI containers have been updated to 0.12.0
  • CoreDNS has been updated to 1.7.0
  • cert-manager has been updated to 0.15.1.
  • The kube-proxy and coredns configurations have been brought up to spec with the latest upstream versions.

Aside: the release process has sprouted some new utilities for keeping embedded YAMLs and other packages / docker images up-to-date.

New Features

  • This version of the Kubernetes BOSH release provides optional support for net-weave, as an alternative to Flannel, for your CNI pod networking needs. To use it, just change out your net-flannel job for net-weave, and make sure to let the runtime know what CNI plugin to use, by setting the cni property of runtime-runc.

  • You can now specify OCI image registry "mirrors" for the containerd configuration inside of runtime-runc, to enable you to shadow upstream registries like Docker Hub (for on-premise security scanning, usually), or to provide alternate, cluster-wide authentication to shared private registries.

  • You can now specify a bootstrap YAML spec, and BOSH will apply it in a post-deploy hook. This should help if you always set up a certain number of accounts, namespaces, deployments, etc., and don't want to have to do them out-of-band after BOSH is done standing up VMs.

Improvements

  • Job templates now validate the provided CA to ensure that it hasn't expired. We ran into some issues in our lab with really old CredHub values that were expired, and got some really weird deployment behaviors (mostly timeouts waiting for etcd to hold an election, which it never would).
  • The kubelet job's post-deploy now does more logging, to help with troubleshooting efforts.
  • The k8s cluster initializers are now split into two waves, to enable bootstrapping parts of the cluster atop the container runtime.
  • kubectl job drain scripts now work better, and can delete pods that use local data.
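An added example (not code from this release): one way a render-time check could reject an expired CA before anything is deployed, written in Ruby because BOSH job templates are ERB. The helper names `ca_problems`, `validate_ca!` and `sample_ca`, the `min_days_left` option, and the sample certificate are assumptions made for illustration.

```ruby
require 'openssl'

# Hypothetical helper, not the release's own template code: list the problems
# with a PEM-encoded CA certificate as seen at time `now`.
def ca_problems(pem, now: Time.now, min_days_left: 0)
  begin
    cert = OpenSSL::X509::Certificate.new(pem.to_s)
  rescue OpenSSL::X509::CertificateError => e
    return ["not a parseable X.509 certificate (#{e.message})"]
  end
  problems = []
  if now < cert.not_before
    problems << "not yet valid (notBefore #{cert.not_before.utc})"
  elsif now > cert.not_after
    problems << "expired (notAfter #{cert.not_after.utc})"
  elsif cert.not_after - now < min_days_left * 86_400
    problems << "expires within #{min_days_left} days (notAfter #{cert.not_after.utc})"
  end
  bc = cert.extensions.find { |ext| ext.oid == 'basicConstraints' }
  problems << 'basicConstraints does not mark this as a CA' unless bc && bc.value.include?('CA:TRUE')
  problems
end

# Fail the render early instead of letting etcd or the kubelet time out later.
def validate_ca!(pem, **opts)
  problems = ca_problems(pem, **opts)
  raise ArgumentError, "CA certificate rejected: #{problems.join('; ')}" unless problems.empty?
  true
end

# Constructed sample input: a throwaway self-signed CA with chosen validity dates.
def sample_ca(not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-sample-ca')
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```

Passing a non-zero `min_days_left` also flags a CA that is still valid but close to expiry, which is useful for long-lived values stored in CredHub.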

Bug Fixes

  • Missing CNI version in Flannel CNI properties is no longer missing.
  • The rollout waits for cert-manager now have timeouts on them, to ensure that we don't wait forever if something is structurally wrong with the k8s cluster.
  • The cert-manager internal-ca ClusterIssuer should now work; we are populating the secret the way that cert-manager expects.

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.18.5-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.18.5-build.1/k8s-1.18.5-build.1.tgz
    sha1:    37b0b6332484349f154587dc953f77505dea4368

k8s for BOSH v1.18.2-build.1

19 May 16:32

This release upgrades Kubernetes from v1.18.0 to 1.18.2.

Notably:

  • all kube* components upgraded to 1.18.0
  • containerd remains at 1.3.4
  • crictl remains at 1.18.0
  • cni-plugins remains at 0.8.6
  • runc remains at 1.0.0-rc10
  • etcd remains at 3.4.7

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.18.2-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.18.2-build.1/k8s-1.18.2-build.1.tgz
    sha1:    74634f95f4839d83bd313d31afc8a1c64177d957

k8s for BOSH v1.18.0-build.2

18 May 20:06

This release does not upgrade any core software.

Improvements

  • Operators can now provide trusted certificates to append to the system bundles (depending on stemcell OS), above and beyond those configured in the deploying BOSH director.

  • Kubernetes cert-manager can now be automagically installed, along with a VM-trusted internal-ca ClusterIssuer that gets deployed to the cert-manager namespace. This is optional, and you can use BOSH config-server to generate the internal CA certificate if you have no opinions on the matter.

Bug Fixes

  • Debugging output for the kubelet job's drain script is now captured under /var/vcap/sys/log
  • The drain script for the kubelet job now ignores daemonsets, which was causing issues for things like net-flannel and other daemon-bound pods.
  • Kubelet nodes are now uncordoned in a post-start, to put them back into service after a drained rolling update.

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.18.0-build.2
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.18.0-build.2/k8s-1.18.0-build.2.tgz
    sha1:    df21a35a1f613296a1751df424b7fe86ad25f456

k8s for BOSH v1.18.0-build.1

14 May 14:48

This release upgrades Kubernetes from v1.17.x to 1.18.0

Notably:

  • all kube* components upgraded to 1.18.0
  • containerd upgraded from 1.3.2 to 1.3.4
  • crictl upgraded from v1.17.0 to 1.18.0
  • cni-plugins upgraded from 0.8.5 to 0.8.6
  • runc stays at 1.0.0-rc10
  • etcd upgraded from 3.3.14 to 3.4.7

Improvements

  • The kubelet job now has a (BOSH) drain script that runs a kubectl drain to evict pods and cordon the node as it is being taken down for upgrade / replacement. This smooths out the upgrade process and leads to fewer "Unknown" pods post-upgrade / post-scale-out.

  • Node labels are now handled properly, allowing master and worker roles to show up in kubectl get nodes output (by applying node-role.kubernetes.io/master: '' and node-role.kubernetes.io/worker: '' labels, respectively).

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.18.0-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.18.0-build.1/k8s-1.18.0-build.1.tgz
    sha1:    6e9fe1498861c376cf3adeda98021041311752ab

k8s for BOSH v1.17.5

14 May 04:08

This release upgrades Kubernetes from v1.17.2 to 1.17.5.

Notably:

  • all kube* components upgraded to 1.17.5

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.17.5
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.17.5/k8s-1.17.5.tgz
    sha1:    1c37447152b7de557939258f2e1f3ddd530f0926

k8s for BOSH v1.17.2-build.1

02 Feb 01:43

This release upgrades Kubernetes from v1.16.2 to 1.17.2.

Notably:

  • all kube* components upgraded to 1.17.2
  • containerd upgraded from 1.2.6 to 1.3.2
  • crictl upgraded from v1.14.0 to 1.17.0
  • cni-plugins upgraded from 0.8.1 to 0.8.5
  • runc upgraded from 1.0.0-rc8 to 1.0.0-rc10
  • etcd upgraded from 3.3.13 to 3.3.14

Improvements

  • Improved Pod / Service / Node IP handling. Mostly this is an improvement to default network ranges, taking advantage of the isolated nature of "most" overlays to provide sane and uniform defaults.

  • Node naming is now handled more uniformly in the helper scripts, to ensure that cloud provider implementations can participate more equally.

  • The kubeconfigs generated by the jumpbox job's envrc script now namespace the user credentials and context name so that operators can merge that config into their other config and not drown in a bunch of "default" contexts owned by "admin" users, all different.

  • The Kubernetes CA certificate is now added to the system bundle, to help kubelet trust the Eirini OCI registry.

  • The kube-proxy mode (previously hard-coded to "ipvs") is now configurable, and defaults to "iptables" to make life easier on folks trying to spin this BOSH release to run Kubecf and Eirini.

Bug Fixes

  • The ipvs package is no longer compiled with -j$N flags (an attempt to take advantage of parallelism)

New Platforms

  • The nfs job now supports the CentOS 7 stemcell, by supplying RPMs for the NFS kernel-y bits. If you use CentOS stemcells, I'd love to hear from you and how this works out for you.

Miscellaneous

  • The AWS Cloud Provider is now documented, in docs/iaas/aws.md

  • Sample PVC / StorageClass resource definitions for AWS are now shipped in extra/aws-pvc.yml and extra/aws-sc.yml, respectively.

  • A sample nginx deployment is now provided, for people who want to test the viability of their new k8s cluster. It can be found in extra/nginx.yml

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.17.2-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.17.2-build.1/k8s-1.17.2-build.1.tgz
    sha1:    891e6e0a64fcf98162b226a6b977fd470e6a0fdb

k8s for BOSH v1.16.2-build.2

26 Oct 21:50

This is a bug-fix release that focuses on augmenting the capabilities of the existing 1.16.2-based Kubernetes BOSH release, without updating any core Kubernetes components, images, or software (from 1.16.2).

Bug Fixes

  • Prodernetes and Hugernetes configurations, where the kubelets are not always accompanied by a control node, now have the correct access to remove their node record from the cluster in response to a changed providerID. This bug did not affect Tinynetes or Labernetes.

Improvements

  • Those of you who enjoy building your software from scratch will be pleased to find out that bosh create-release now works, even though we have no src/ files to speak of.

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.16.2-build.2
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.16.2-build.2/k8s-1.16.2-build.2.tgz
    sha1:    49e102f4b48125d83d020bb4163895ec4d6d0ea8

k8s for BOSH v1.16.2-build.1

26 Oct 04:09

Update to Kubernetes v1.16.2

Kubernetes components (kube-apiserver, kube-controller-manager,
kube-proxy, kube-scheduler, kubectl, kubelet).

This release removes the node-role label, so your worker nodes may not
be marked properly unless you relabel them explicitly via `kubectl`.

Kubernetes v1.16.x has officially moved DaemonSets into the apps/v1
version namespace. Whee!

Usage

To use this in your BOSH deployments, add this to your manifest:

releases:
  - name:    k8s
    version: 1.16.2-build.1
    url:     https://github.com/jhunt/k8s-boshrelease/releases/download/v1.16.2-build.1/k8s-1.16.2-build.1.tgz
    sha1:    63751be6624a40a5c8ed59e30217e38d49475495