v0.13.0

KUBERNETES SECURITY 🔐

• CIS Kubernetes (PRs #2066, #2098, #2125 @JunSun17)
• Kubernetes PodSecurity option enabled (PRs #2048, #2145 @pidah)
• AAD Admin Group Object ID flag (PR #2111 @pidah)
• --authorization-mode=Node only if secure kubelet (PR #2138 @jackfrancis)
• Add default audit policy (PR #2189 @pidah)

FEATURES: 🌈

• New Kubernetes versions
  • v1.9.3 (PR #2242 @CecileRobertMichon @JiangtianLi)
  • v1.9.2 (PR #2092 @CecileRobertMichon @JiangtianLi)
  • v1.8.8 (PR #2243 @CecileRobertMichon @JiangtianLi)
  • v1.8.7 (PR #2068 @jackfrancis @JiangtianLi)
• Clear containers (PRs #1945, #2067 @jessfraz)
• --feature-gates for kubelet and apiserver (PRs #2032, #2081 @stuartleeks)
• Upgrade docker-engine to 1.13.* for k8s >= v1.7 (PR #2144 @jackfrancis)
• Allow 1 core master node VM sizes (PR #2173 @dtzar)
• Update prometheus-grafana addon (PR #2183 @martell)
• ServiceNodeExclusion in controller-manager for k8s >= 1.9 (PR #2180 @bnookala)
• Add VM SKUs for DC/OS master and agent (PR #2184 @yakman2020)
• Enabling Azure CNI for Windows Kubernetes (experimental) (PRs #2174, #2237, #2244 @saiyan86)
• Enabled preprovisioning on windows DC/OS agents (PR #2228 @yakman2020)
• Enable cloud controller manager support for Kubernetes 1.9 (PR #2233 @karataliu)
• Kubernetes Tiller Addon: configuration to set max-history (PR #2217 @ultimateboy)

BUGS FIXED: 🐞

• Windows RS3 hot fix for k8s (PR #2230 @JiangtianLi)
• Fix issue with apiserver when using AADProfile (PR #2047 @tesharp)
• Custom OSDiskSizeGB for Windows Kubernetes (PR #2097 @JiangtianLi)
• Multiple resource types for EncryptionConfig (Kubernetes)(PR #2104 @jackfrancis)
• TLS etcd backward compatibility upgrade fix (PR #2118 @CecileRobertMichon)
• only create cert files on master (PR #2120 @CecileRobertMichon)
• Enable iptables forward for kubernetes (PR #2139 @feiskyer)
• Mount in /var/lib/cni from the host (PR #2165 @brendanburns)
• Protect etcd tls from race conditions (PR #2160 @CecileRobertMichon)
• Kubernetes version validation for managed clusters (PR #2194 @dmitsh)
• --bind-address typo in apiserver (PR #2192 @stephenlawrence)
• Additional cloud-init deployment resiliency (PRs #2196, #2203, #2211, #2220, #2214, #2221, #2229, #2245, #2241 @jackfrancis, @CecileRobertMichon)
• Fix DC/OS release version (PR #2197 @jonas)
• kubelet --cluster-dns user override (PR #2078 @tesharp)
• Remove Agent NICs dependency on Master NICs during upgrade. (PR #2213 @JunSun17)
• Return nil error on successful deployment (PR #2218 @dmitsh)
• Fixed version checking for managed clusters (PR #2226 @dmitsh)
• Keyvault etcd certs (PR #2155 @CecileRobertMichon)
• fix --auto-suffix when dnsPrefix is defined in apimodel json file (PR #2239 @serbrech)
• Aggregated API uses secure etcd endpoint/certs (PR #2252 @pidah)
• Add single quotes around sp secret (PR #2255 @CecileRobertMichon)
• Fixes to non-RBAC clusters (PRs #2253, #2267 @jackfrancis)

DEV IMPROVEMENTS/CHORES: 🔧

• Improving IP address assignment for master nodes with Azure CNI (PR #1966 @tamilmani1989)
• Upgrade Azure CNI to 1.0.1 (PR #2064 @jackfrancis)
• Deployment error details during upgrade (PR #1995 @dmitsh)
• azureconst for francecentral (PR #2164 @serbrech)
• validation error if custom VNET + Windows (PR #2168 @jackfrancis)
• replaced apierror with armerror (PR #2205 @dmitsh)
• Remove debug binary (PR #2235 @ultimateboy)
• set addon enabled value if nil (PR #2254 @jackfrancis)
• latest ubuntu image (PR #2259 @jackfrancis)
• freshen go-dev image (PR #2261 @jackfrancis)
• keep DeploymentOperationsListResult in DeploymentError (PR #2266 @dmitsh)
• Upgrade Kubernetes components
  • latest dashboard for v1.8 and v1.9 clusters (#2070 @jackfrancis)
  • latest kube-dns for v1.8 and v1.9 k8s clusters (#2073 @jackfrancis)
  • latest heapster for v1.8 and v1.9 clusters (#2072 @jackfrancis)
  • latest pause image for v1.8 and v1.9 k8s clusters (#2074 @jackfrancis)
• CSE provisioning script in foreground on agent nodes (PR #2113 @dmitsh)
• Docs updates!
  • PR #2128 @JiangtianLi
  • PR #2147 @JiangtianLi
  • PR #2171 @diwakar-s-maurya
  • PR #2170 @serbrech
  • Update ApiServerConfig customization/override example (PR #2201 @pidah)
  • PR #2208 @ckbhatt
  • PR #2236 @pweil
• CI/E2E maintenance/improvements!
  • Add HPA autoscale test to E2E (PR #2096 @jackfrancis)
  • E2E debugging (PRs #2126, #2190, #2207, #2210, #2224 @jackfrancis)
  • PR #2154 @CecileRobertMichon
  • PR #2156 @jackfrancis
  • PR #2206 @jackfrancis
  • PR #2204 @jackfrancis
  • PR #2240 @jackfrancis

v0.12.5

CHANGES since v0.12.4: 🌈🐞🔧

This patch release adds retries and resilience to etcd provisioning implementation.

v0.11.1

CHANGES since v0.11.0: 🌈🐞🔧

This patch release includes a fix to persistently mount /var/lib/cni for Kubernetes hosts.

v0.12.4

CHANGES since v0.12.3: 🌈🐞🔧

This patch release fixes backward compatibility for upgrade.

v0.12.3

CHANGES since v0.12.2: 🌈🐞🔧

This patch release introduces Kubernetes v1.8.7.

v0.12.2

This patch fixes JSON validation errors during template generation for Kubernetes.

CHANGES since v0.12.1: 🌈🐞🔧

• Restore KubernetesConfig properties (PR #2106, @jackfrancis)

v0.12.1

This patch fixes a Kubernetes regression in heapster behavior due to recently disabled read-only kubelet port.

CHANGES since v0.12.0: 🌈🐞🔧

• re-enable read-only port on kubelet (Kubernetes) (PR #2091, @jackfrancis)

v0.12.0

Secure Kubernetes

This is the first minor release that includes "breaking" security hardening additions. Specifically, we are now shipping etcd v3 w/ TLS communications enforced between both client/server (k8s cluster and etcd API, and between etcd peer nodes themselves. This is an important cluster security story, but its current implementation does not provide automatic backwards-compatible cluster operations for clusters deployed with prior versions of acs-engine. In practice this means upgrade operations against preëxisting clusters will not work with v0.12.0.

Also, etcdctl commands requiring auth (e.g., etcdctl cluster-health) now require sudo privileges to properly establish communications with the protected private key.

On that note we'll be calling out security-related items going forward!

Generic Kubernetes Configuration Interfaces

This release introduces generic configuration interfaces for Kubernetes cluster deployments for the kubelet, controller-manager, and apiserver run-time components. These conveniences (1) allow for more explicit configuration declarations, where appropriate, and more importantly (2) enable user-provided configuration values for the various Kubernetes components without changing acs-engine code (where acs-engine itself does not enforce an opinionated requirement).

This change also includes some breaking changes for existing kubernetesConfig property usage patterns using the vlabs api model paradigm:

• HardEvictionThreshold, NodeStatusUpdateFrequency, and NonMasqueradeCidr properties have been moved to the new kubernetesConfig.kubeletConfig configuration object. E.g.:

"kubernetesConfig": {
    <...>
    "kubeletConfig": {
        "--eviction-hard": "memory.available<250Mi,nodefs.available<20%,nodefs.inodesFree<10%",
        "--node-status-update-frequency": "1m",
        "--non-masquerade-cidr": "10.0.0.0/8"
    }
    <...>
}

• CtrlMgrNodeMonitorGracePeriod, CtrlMgrPodEvictionTimeout, and CtrlMgrRouteReconciliationPeriod properties have been moved to the new kubernetesConfig.controllerManagerConfig configuration object. E.g.:

"kubernetesConfig": {
    <...>
    "controllerManagerConfig": {
          "--node-monitor-grace-period": "40s",
          "--pod-eviction-timeout": "5m0s",
          "--route-reconciliation-period": "10s"
    }
    <...>
}

KUBERNETES SECURITY 🔐

• etcd v3 w/ TLS (PRs #1934, #1929, #1958 @CecileRobertMichon)
• secure communication between API server and kubelet (PR #1978 @pidah)
• etcd encryption at rest (PR #1973 @pidah)
• add DenyEscalatingExec admission controller (PR #1961 @pidah)
• https dashboard (v1.9 only) (PR #1947 @karataliu)
• disable profiling (PRs #1940, #1941 @brendanburns)
• disable read-only port & don't keep terminated pod volumes (PR #1942 @brendanburns)
• add CIS-recommended security options (PR #1989 @JunSun17)

FEATURES: 🌈

• Kubernetes v1.9.0 and v1.9.1 support (PRs #1893, #2006 @jackfrancis)
• Kubernetes v1.8.6 support (PR #1979 @jackfrancis)
• Kubernetes v1.7.12 support (PR #1983 @jackfrancis)
• Generic Kubernetes configuration interfaces for kubelet, apiserver, controller-manager, and cloud-controller-manager (PRs #1854, #1960, #2012, #2017, #2030, #2033, #2034 @jackfrancis)
• Enable AAD groups (PR #2037 @mirthy)
• Updated kube-addon-manager to v6.5 (PR #1982 @jackfrancis)
• custom bootstrap URLs for DC/OS (PR #1952 @yakman2020)
• custom Windows image for DC/OS (PR #2004 @yakman2020)
• Prometheus-grafana extension on k8s agent nodes (PR #1959 @ritazh)
• enable RBAC by default for Kubernetes clusters (PR #1962 @jackfrancis)
• persist journald logs on Kubernetes nodes (PR #1956 @feiskyer)
• enable default flexvolume plugin directory on Windows (Kubernetes) (PRs #1967, #1991 @andy)
• enable hostport functionality in Kubernetes (PR #1999 @jackfrancis)
• enable upgrade to v1.9 (PR #1997 @dmitsh)
• update to 16.04.201801050 Ubuntu image (PR #2031 @jackfrancis)

BUGS FIXED: 🐞

• Kubernetes addons cleanup follow-up (PR #1965, @JunSun17)
• Add timeout to Kubernetes upgrade (PR #1986 @JackQuincy)
• Handle nil service (PR #1990 @CecileRobertMichon)
• Handle scale operations where len of vms is < 1 (PR #2059 @CecileRobertMichon)

DEV IMPROVEMENTS/CHORES: 🔧

• Simplify Kubernetes addons template implementation (PR #1946 @JunSun17)
• Rationalize vendor/ directory (PR #2040 @ultimateboy)
• Maintain Windows k8s image build script (PRs #1963, #1981, #1994 @JiangtianLi)
• Update GCR URLs (PRs #1964, #2042 @mboersma)
• Update az constants (PR #1984 @jackfrancis)
• Rationalize common utils libs (PR #2010, @feiskyer)
• Update translation files (PR #2026 @JiangtianLi)
• Windows prefix for DC/OS hostnames (PR #2023 @yakman2020)
• Docs updates!
  • PR #1951 @jackfrancis
  • PR #1933 @jackfrancis
  • PR #2041 @jackfrancis
• CI/E2E maintenance/improvements!
  • PR #1921 @jchauncey
  • PR #1953 @jackfrancis
  • PR #2001 @jackfrancis
  • PR #2009 @jackfrancis
  • PR #2011 @jchauncey

v0.11.0

Native Azure Kubernetes Networking

Today we are announcing General Availability of the Azure CNI Networking plugin for Kubernetes clusters. New clusters created via acs-engine will now use Azure CNI by default. Azure CNI natively attaches your containers to an Azure Virtual Network.

FEATURES: 🌈

• Azure CNI is the default Kubernetes networking implementation (PRs #1887, #1928, #1932 @jackfrancis)
• Configurable docker-engine version PR #1874 @jackfrancis)
• Default plugin directory for Kubernetes to enable flexvolume (PR #1909 @andyzhangx)
• ACI Connecter is not virtual-kubelet (PR #1927 @sozercan)
  • https://github.com/virtual-kubelet/virtual-kubelet

BUGS FIXED: 🐞

• race condition in prometheus/grafana Kubernetes extension deployment (PR #1889, @tstringer)
• etcd download fix for China cloud (PR #1894 @pengzhisun)

DEV IMPROVEMENTS/CHORES: 🔧

• Simplify Kubernetes artifacts organization (PR #1890, @JunSun17)
• Typos (PR #1898 @zqingqing1)
• Rationalize vendor/ directory (PR #1912 #1943 @jackfrancis)
• Error handling (PRs #1924 #1926 @zqingqing1 @dmitsh)
• Docs updates!
  • PR #1888 @UncleTawnos
  • PR #1899 @JiangtianLi
  • PR #1920 @bucksteamy
• CI/E2E maintenance/improvements!
  • PR #1904 @dmitsh
  • PR #1905 @zqingqing1
  • PR #1923 @jackfrancis

v0.10.0

FEATURES: 🌈:

• New Kubernetes release support!
  • v1.8.4
  • v1.6.13
• support for CoreOS Kubernetes clusters (PR #1632, @richardjortega @CecileRobertMichon)
• rescheduler Kubernetes addon (PR #1780 @CecileRobertMichon)
• adds cloud controller manager support for Kubernetes 1.8 (PR #1584 @karataliu)
• Prometheus/Grafana Kubernetes extension (PR #1837 @ritazh)
• updated etcd v2 support to v2.3.8 (Kubernetes) (PR #1855 @jackfrancis)
• updated calico support to 2.6.3 (PR #1853 @dtzar)
• updated ubuntu image to 16.04.201711211 (PR #1862 @jackfrancis)
• ACI connector Kubernetes addon (PR #1844 @sozercan)
• configurable --eviction-hard kubelet runtime configuration (Kubernetes) (PR #1843, @pidah)

BUGS FIXED: 🐞

• Improvements to Kubernetes cluster upgrade
  • PR #1776 @dmitsh
  • PR #1802 @dmitsh
  • PR #1814 @dmitsh
  • PR #1816 @dmitsh
  • PR #1824 @dmitsh
  • PR #1842 @amanohar
  • PR #1852 @dmitsh
  • PR #1858 @dmitsh
• rationalize azure managed disk StorageClass implementation (Kubernetes) (PRs #1817 #1845 @andyzhangx)
• pin to known-working docker version for Swarm clusters (PR #1848 @CecileRobertMichon)
• not enforcing Azure CNI CIDR validations for non-Azure CNI clusters (Kubernetes) (PR #1863 @jackfrancis)
• fix DCOS customNodeLabels for 1.10 clusters (PR #1868 @julienlau)
• undesired HTML escaping during JSON serialization (PR #1876 @jackfrancis)

DEV IMPROVEMENTS/CHORES: 🔧

• Improved deployment error output (PR #1801 @JackQuincy)
• Docs updates!
  • PR #1808 @agabert
  • PR #1846 @pidah
  • PR #1856 @wbuchwalter
  • PR #1873 @wbuchwalter
• Updated Windows Kubernetes v1.8 build script (PR #1866 @JiangtianLi)