v1.27.X

v1.27.X - 图1Upgrade Notice

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

VersionRelease dateKubernetesKineSQLiteEtcdContainerdRuncFlannelMetrics-serverTraefikCoreDNSHelm-controllerLocal-path-provisioner
v1.27.16+k3s1Jul 31 2024v1.27.16v0.11.113.44.0v3.5.13-k3s1v1.7.17-k3s2.27v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.28
v1.27.15+k3s2Jul 03 2024v1.27.15v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s2.27v1.1.12v0.25.4v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
v1.27.15+k3s1Jun 25 2024v1.27.15v0.11.93.44.0v3.5.13-k3s1v1.7.17-k3s2.27v1.1.12v0.25.2v0.7.0v2.10.7v1.10.1v0.15.10v0.0.27
v1.27.14+k3s1May 22 2024v1.27.14v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1.27v1.1.12-k3s1v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
v1.27.13+k3s1Apr 25 2024v1.27.13v0.11.73.44.0v3.5.9-k3s1v1.7.15-k3s1.27v1.1.12v0.24.2v0.7.0v2.10.7v1.10.1v0.15.9v0.0.26
v1.27.12+k3s1Mar 25 2024v1.27.12v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.12-k3s1v0.24.2v0.7.0v2.10.5v1.10.1v0.15.9v0.0.26
v1.27.11+k3s1Feb 29 2024v1.27.11v0.11.43.44.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.12-k3s1v0.24.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.26
v1.27.10+k3s2Feb 06 2024v1.27.10v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.12-k3s1v0.22.2v0.6.3v2.10.5v1.10.1v0.15.8v0.0.24
v1.27.9+k3s1Dec 27 2023v1.27.9v0.11.03.42.0v3.5.9-k3s1v1.7.11-k3s2.27v1.1.10v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
v1.27.8+k3s2Dec 07 2023v1.27.8v0.11.03.42.0v3.5.9-k3s1v1.7.7-k3s1.27v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
v1.27.7+k3s2Nov 08 2023v1.27.7v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1.27v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
v1.27.7+k3s1Oct 30 2023v1.27.7v0.10.33.42.0v3.5.9-k3s1v1.7.7-k3s1.27v1.1.8v0.22.2v0.6.3v2.10.5v1.10.1v0.15.4v0.0.24
v1.27.6+k3s1Sep 20 2023v1.27.6v0.10.33.42.0v3.5.9-k3s1v1.7.6-k3s1.27v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
v1.27.5+k3s1Sep 05 2023v1.27.5v0.10.23.42.0v3.5.9-k3s1v1.7.3-k3s1v1.1.8v0.22.2v0.6.3v2.9.10v1.10.1v0.15.4v0.0.24
v1.27.4+k3s1Jul 27 2023v1.27.4v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.2v0.0.24
v1.27.3+k3s1Jun 26 2023v1.27.3v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.22.0v0.6.3v2.9.10v1.10.1v0.15.0v0.0.24
v1.27.2+k3s1May 26 2023v1.27.2v0.10.13.39.2v3.5.7-k3s1v1.7.1-k3s1v1.1.7v0.21.4v0.6.2v2.9.10v1.10.1v0.14.0v0.0.24
v1.27.1+k3s1Apr 27 2023v1.27.1v0.9.93.39.2v3.5.7-k3s1v1.6.19-k3s1v1.1.5v0.21.4v0.6.2v2.9.4v1.10.1v0.13.3v0.0.24

Release v1.27.16+k3s1

This release updates Kubernetes to v1.27.16, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.15+k3s2:

  • Backports for 2024-07 release cycle (#10500)
    • Bump k3s-root to v0.14.0
    • Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7
    • Bump Local Path Provisioner version
    • Ensure remotedialer kubelet connections use kubelet bind address
    • Chore: Bump Trivy version
    • Add etcd s3 config secret implementation
  • July Test Backports (#10510)
  • Update to v1.27.16-k3s1 and Go 1.22.5 (#10542)
  • Fix issues loading data-dir value from env vars or dropping config files (#10599)

Release v1.27.15+k3s2

This release updates Kubernetes to v1.27.15, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.15+k3s1:

  • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#10429)

Release v1.27.15+k3s1

This release updates Kubernetes to v1.27.15, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.14+k3s1:

  • Replace deprecated ruby function (#10089)
  • Fix bug when using tailscale config by file (#10143)
  • Bump flannel version to v0.25.2 (#10222)
  • Update kube-router version to v2.1.2 (#10183)
  • Improve tailscale test & add extra log in e2e tests (#10214)
  • Backports for 2024-06 release cycle (#10259)
    • Add WithSkipMissing to not fail import on missing blobs
    • Use fixed stream server bind address for cri-dockerd
    • Switch stargz over to cri registry config_path
    • Bump to containerd v1.7.17, etcd v3.5.13
    • Bump spegel version
    • Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes
    • ServiceLB now sets the priorityClassName on svclb pods to system-node-critical by default. This can be overridden on a per-service basis via the svccontroller.k3s.cattle.io/priorityclassname annotation.
    • Bump minio-go to v7.0.70
    • Bump kine to v0.11.9 to fix pagination
    • Update valid resolv conf
    • Add missing kernel config check
    • Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)
    • Fix bug: allow helm controller set owner reference
    • Bump klipper-helm image for tls secret support
    • Fix issue with k3s-etcd informers not starting
    • --Enable-pprof can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port.
    • --Supervisor-metrics can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port.
    • Fix netpol crash when node remains tainted uninitialized
    • The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks.
  • More backports for 2024-06 release cycle (#10290)
  • Add snapshot retention etcd-s3-folder fix (#10314)
  • Add test for isValidResolvConf (#10302) (#10332)
  • Fix race condition panic in loadbalancer.nextServer (#10324)
  • Fix typo, use rancher/permissions (#10297)
  • Update Kubernetes to v1.27.15 (#10346)
    • Update Kubernetes to v1.27.15
  • Fix agent supervisor port using apiserver port instead (#10356)
  • Fix issue that allowed multiple simultaneous snapshots to be allowed (#10378)

Release v1.27.14+k3s1

This release updates Kubernetes to v1.27.14, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.13+k3s1:

  • Bump E2E opensuse leap to 15.6, fix btrfs test (#10096)
  • Windows changes (#10113)
  • Update to v1.27.14-k3s1 and Go 1.21.9 (#10103)

Release v1.27.13+k3s1

This release updates Kubernetes to v1.27.13, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.12+k3s1:

  • Add a new error when kine is with disable apiserver or disable etcd (#9803)
  • Remove old pinned dependencies (#9828)
  • Transition from deprecated pointer library to ptr (#9825)
  • Golang caching and E2E ubuntu 23.10 (#9822)
  • Add tls for kine (#9850)
  • Bump spegel to v0.0.20-k3s1 (#9881)
  • Backports for 2024-04 release cycle (#9912)
    • Send error response if member list cannot be retrieved
    • The k3s stub cloud provider now respects the kubelet’s requested provider-id, instance type, and topology labels
    • Fix error when image has already been pulled
    • Add /etc/passwd and /etc/group to k3s docker image
    • Fix etcd snapshot reconcile for agentless servers
    • Add health-check support to loadbalancer
    • Add certificate expiry check, events, and metrics
    • Add workaround for containerd hosts.toml bug when passing config for default registry endpoint
    • Add supervisor cert/key to rotate list
    • The embedded containerd has been bumped to v1.7.15
    • The embedded cri-dockerd has been bumped to v0.3.12
    • The k3s etcd-snapshot command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots.
    • Improve etcd load-balancer startup behavior
    • Actually fix agent certificate rotation
    • Traefik has been bumped to v2.10.7.
    • Traefik pod annotations are now set properly in the default chart values.
    • The system-default-registry value now supports RFC2732 IPv6 literals.
    • The local-path provisioner now defaults to creating local volumes, instead of hostPath.
  • Allow LPP to read helper logs (#9939)
  • Update kube-router to v2.1.0 (#9943)
  • Update to v1.27.13-k3s1 and Go 1.21.9 (#9958)
  • Fix on-demand snapshots timing out; not honoring folder (#9995)
  • Make /db/info available anonymously from localhost (#10003)

Release v1.27.12+k3s1

This release updates Kubernetes to v1.27.12, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.11+k3s1:

  • Add an integration test for flannel-backend=none (#9609)
  • Install and Unit test backports (#9642)
  • Update klipper-lb image version (#9606)
  • Adjust first node-ip based on configured clusterCIDR (#9632)
  • Improve tailscale e2e test (#9654)
  • Backports for 2024-03 release cycle (#9670)
    • Fix: use correct wasm shims names
    • The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller.
    • Bump spegel to v0.0.18-k3s3
    • Adds wildcard registry support
    • Fixes issue with excessive CPU utilization while waiting for containerd to start
    • Add env var to allow spegel mirroring of latest tag
    • Tweak netpol node wait logs
    • Fix coredns NodeHosts on dual-stack clusters
    • Bump helm-controller/klipper-helm versions
    • Fix snapshot prune
    • Fix issue with etcd node name missing hostname
    • Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode.
    • To enable raw output for the check-config subcommand, you may now set NO_COLOR=1
    • Fix additional corner cases in registries handling
    • Bump metrics-server to v0.7.0
    • K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
  • Docker and E2E Test Backports (#9708)
  • Fix wildcard entry upstream fallback (#9734)
  • Update to v1.27.12-k3s1 and Go 1.21.8 (#9745)

Release v1.27.11+k3s1

This release updates Kubernetes to v1.27.11, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.10+k3s2:

  • Chore: bump Local Path Provisioner version (#9427)
  • Bump cri-dockerd to fix compat with Docker Engine 25 (#9291)
  • Auto Dependency Bump (#9420)
  • Runtimes refactor using exec.LookPath (#9430)
    • Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection.
  • Changed how lastHeartBeatTime works in the etcd condition (#9425)
  • Allow executors to define containerd and docker behavior (#9253)
  • Update Kube-router to v2.0.1 (#9405)
  • Backports for 2024-02 release cycle (#9463)
  • Bump flannel version + remove multiclustercidr (#9407)
  • Enable longer http timeout requests (#9445)
  • Test_UnitApplyContainerdQoSClassConfigFileIfPresent (#9441)
  • Support PR testing installs (#9470)
  • Update Kubernetes to v1.27.11 (#9491)
  • Fix drone publish for arm (#9509)
  • Remove failing Drone step (#9515)
  • Restore original order of agent startup functions (#9546)
  • Fix netpol startup when flannel is disabled (#9579)

Release v1.27.10+k3s2

This release updates Kubernetes to v1.27.10, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Important Notes

Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

Changes since v1.27.9+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#9124)
  • Added support for env *_PROXY variables for agent loadbalancer (#9117)
  • Wait for taint to be gone in the node before starting the netpol controller (#9176)
  • Etcd condition (#9182)
  • Backports for 2024-01 (#9211)
  • Move proxy dialer out of init() and fix crash (#9220)
  • Pin opa version for missing dependency chain (#9217)
  • Etcd node is nil (#9229)
  • Update to v1.27.10 and Go 1.20.13 (#9261)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#9270)
  • Backports for 2024-01 k3s2 (#9337)
    • Bump runc to v1.1.12 and helm-controller to v0.15.7
    • Fix handling of bare hostname or IP as endpoint address in registries.yaml
  • Bump helm-controller to fix issue with ChartContent (#9347)

Release v1.27.9+k3s1

This release updates Kubernetes to v1.27.9, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.8+k3s2:

  • Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#8963)
  • Fix overlapping address range (#9018)
  • Runtimes backport (#9013)
    • Added runtime classes for wasm/nvidia/crun
    • Added default runtime flag for containerd
  • Bump containerd to v1.7.11 (#9041)
  • Update to v1.27.9-k3s1 (#9078)

Release v1.27.8+k3s2

This release updates Kubernetes to v1.27.8, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.7+k3s2:

  • Etcd status condition (#8821)
  • Add warning for removal of multiclustercidr flag (#8759)
  • Backports for 2023-11 release (#8878)
    • New timezone info in Docker image allows the use of spec.timeZone in CronJobs
    • Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
    • Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
    • Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
    • Improved ingress IP ordering from ServiceLB
    • Disable helm CRD installation for disable-helm-controller
    • Omit snapshot list configmap entries for snapshots without extra metadata
    • Add jitter to client config retry to avoid hammering servers when they are starting up
  • Handle nil pointer when runtime core is not ready in etcd (#8887)
  • Improve dualStack log (#8828)
  • Bump dynamiclistener; reduce snapshot controller log spew (#8902)
    • Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
    • Reduced etcd snapshot log spam during initial cluster startup
  • Remove depends_on for e2e step; fix cert rotate e2e (#8907)
  • Fix etcd snapshot S3 issues (#8937)
    • Don’t apply S3 retention if S3 client failed to initialize
    • Don’t request metadata when listing S3 snapshots
    • Print key instead of file path in snapshot metadata log message
  • Update to v1.27.8 and Go to 1.20.11 (#8921)
  • Remove s390x (#8999)

Release v1.27.7+k3s2

This release updates Kubernetes to v1.27.7, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.7+k3s1:

  • Fix SystemdCgroup in templates_linux.go (#8765)
    • Fixed an issue with identifying additional container runtimes
  • Update traefik chart to v25.0.0 (#8775)
  • Update traefik to fix registry value (#8789)

Release v1.27.7+k3s1

This release updates Kubernetes to v1.27.7, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.6+k3s1:

  • Fix error reporting (#8411)
  • Add context to flannel errors (#8419)
  • Include the interface name in the error message (#8435)
  • Update kube-router (#8443)
  • Add extraArgs to tailscale (#8464)
  • Added error when cluster reset while using server flag (#8455)
    • The user will receive a error when —cluster-reset with the —server flag
  • Cluster reset from non bootstrap nodes (#8451)
  • Take IPFamily precedence based on order (#8504)
  • Fix spellcheck problem (#8509)
  • Network defaults are duplicated, remove one (#8551)
  • Advertise address integration test (#8516)
  • System agent push tags fix (#8569)
  • Fixed tailscale node IP dualstack mode in case of IPv4 only node (#8558)
  • Server Token Rotation (#8576)
    • Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
  • E2E Domain Drone Cleanup (#8582)
  • Clear remove annotations on cluster reset (#8587)
    • Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
  • Use IPv6 in case is the first configured IP with dualstack (#8597)
  • Backports for 2023-10 release (#8615)
  • Update kube-router package in build script (#8634)
  • Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#8642)
  • Use version.Program not K3s in token rotate logs (#8656)
  • Windows agent support (#8650)
  • Fix CloudDualStackNodeIPs feature-gate inconsistency (#8669)
  • Add —image-service-endpoint flag (#8279) (#8662)
    • Add --image-service-endpoint flag to specify an external image service socket.
  • Backport etcd fixes (#8690)
    • Re-enable etcd endpoint auto-sync
    • Manually requeue configmap reconcile when no nodes have reconciled snapshots
  • Update to v1.27.7 and Go to v1.20.10 (#8681)
  • Fix s3 snapshot restore (#8733)

Release v1.27.6+k3s1

This release updates Kubernetes to v1.27.6, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.5+k3s1:

  • Bump kine to v0.10.3 (#8324)
  • Update to v1.27.6 and Go to 1.20.8 (#8356)
    • Bump embedded containerd to v1.7.6
    • Bump embedded stargz-snapshotter plugin to latest
    • Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
    • Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28

Release v1.27.5+k3s1

This release updates Kubernetes to v1.27.5, and fixes a number of issues.

v1.27.X - 图2Important

This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.4+k3s1:

  • Update cni plugins version to v1.3.0 (#8056)
    • Upgraded cni-plugins to v1.3.0
  • Update flannel to v0.22.1 (#8057)
    • Update flannel to v0.22.1
  • ADR on secrets encryption v3 (#7938)
  • Unit test for MustFindString (#8013)
  • Add support for using base template in etc/containerd/config.toml.tmpl (#7991)
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
  • Make apiserver egress args conditional on egress-selector-mode (#7972)
    • K3s no longer enables the apiserver’s enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
  • Security bump to docker/distribution (#8047)
  • Fix coreos multiple installs (#8083)
  • Update stable channel to v1.27.4+k3s1 (#8067)
  • Fix tailscale bug with ip modes (#8077)
  • Consolidate CopyFile functions (#8079)
  • E2E: Support GOCOVER for more tests + fixes (#8080)
  • Fix typo in terraform/README.md (#8090)
  • Add FilterCN function to prevent SAN Stuffing (#8085)
    • K3s’s external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the —tls-san option. This prevents the certificate’s SAN list from being filled with unwanted entries.
  • Bump docker/docker to master commit; cri-dockerd to 0.3.4 (#8092)
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
  • Bump versions for etcd, containerd, runc (#8109)
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • Updated the embedded etcd to v3.5.9+k3s1
  • Etcd snapshots retention when node name changes (#8099)
  • Bump kine to v0.10.2 (#8125)
    • Updated kine to v0.10.2
  • Remove terraform package (#8136)
  • Fix etcd-snapshot delete when etcd-s3 is true (#8110)
  • Add —disable-cloud-controller and —disable-kube-proxy test (#8018)
  • Use go list -m instead of grep to look up versions (#8138)
  • Use VERSION_K8S in tests instead of grep go.mod (#8147)
  • Fix for Kubeflag Integration test (#8154)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#8155)
  • Run integration test CI in parallel (#8156)
  • Bump Trivy version (#8150)
  • Bump Trivy version (#8178)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#8177)
  • Bump dynamiclistener (#8193)
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Bump helm-controller/klipper-helm versions (#8204)
    • The version of helm used by the bundled helm controller’s job image has been updated to v3.12.3
  • E2E: Add test for k3s token (#8184)
  • Move flannel to 0.22.2 (#8219)
    • Move flannel to v0.22.2
  • Update to v1.27.5 (#8236)
  • Add new CLI flag to enable TLS SAN CN filtering (#8257)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server’s TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#8273)

Release v1.27.4+k3s1

This release updates Kubernetes to v1.27.4, and fixes a number of issues.
​ For more details on what’s new, see the Kubernetes release notes. ​

Changes since v1.27.3+k3s1:

  • Pkg imported more than once (#7803)
  • Faster K3s Binary Build Option (#7805)
  • Update stable channel to v1.27.3+k3s1 (#7827)
  • Adding cli to custom klipper helm image (#7682)
    • The default helm-controller job image can now be overridden with the —helm-job-image CLI flag
  • Check if we are on ipv4, ipv6 or dualStack when doing tailscale (#7838)
  • Remove file_windows.go (#7845)
  • Add a k3s data directory location specified by the cli (#7791)
  • Fix e2e startup flaky test (#7839)
  • Allow k3s to customize apiServerPort on helm-controller (#7834)
  • Fall back to basic/bearer auth when node identity auth is rejected (#7836)
    • Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
  • Fix code spell check (#7858)
  • Add e2e s3 test (#7833)
  • Warn that v1.28 will deprecate reencrypt/prepare (#7848)
  • Support setting control server URL for Tailscale (#7807)
    • Support connecting tailscale to a separate server (e.g. headscale)
  • Improve for K3s release Docs (#7864)
  • Fix rootless node password location (#7887)
  • Bump google.golang.org/grpc from 1.51.0 to 1.53.0 in /tests/terraform (#7879)
  • Add retry for clone step (#7862)
  • Generation of certificates and keys for etcd gated if etcd is disabled. (#6998)
  • Don’t use zgrep in check-config if apparmor profile is enforced (#7939)
  • Fix image_scan.sh script and download trivy version (#7950)
  • Revert “Warn that v1.28 will deprecate reencrypt/prepare” (#7977)
  • Adjust default kubeconfig file permissions (#7978)
  • Fix update go version command on release documentation (#8028)
  • Update to v1.27.4 (#8014)

Release v1.27.3+k3s1

This release updates Kubernetes to v1.27.3, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.2+k3s1:

  • Update flannel version (#7628)
    • Update flannel to v0.22.0
  • Add el9 selinux rpm (#7635)
  • Update channels (#7634)
  • Allow coredns override extensions (#7583)
    • The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
  • Bump klipper-lb to v0.4.4 (#7617)
    • Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
  • Bump metrics-server to v0.6.3 and update tls-cipher-suites (#7564)
    • The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
  • Do not use the admin kubeconfig for the supervisor and core controllers (#7616)
    • The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
  • Bump golang:alpine image version (#7619)
  • Make LB image configurable when compiling k3s (#7626)
  • Bump vagrant libvirt with fix for plugin installs (#7605)
  • Add format command on Makefile (#7437)
  • Use el8 rpm for fedora 38 and 39 (#7664)
  • Check variant before version to decide rpm target and packager closes #7666 (#7667)
  • Test Coverage Reports for E2E tests (#7526)
  • Soft-fail on node password verification if the secret cannot be created (#7655)
    • K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
  • Enable containerd aufs/devmapper/zfs snapshotter plugins (#7661)
    • The bundled containerd’s aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
  • Bump docker go.mod (#7681)
  • Shortcircuit commands with version or help flags (#7683)
    • Non root users can now call k3s --help and k3s --version commands without running into permission errors over the default config file.
  • Bump Trivy version (#7672)
  • E2E: Capture coverage of K3s subcommands (#7686)
  • Integrate tailscale into k3s (#7352)
    • Integration of tailscale VPN into k3s
  • Add private registry e2e test (#7653)
  • E2E: Remove unnecessary daemonset addition/deletion (#7696)
  • Add issue template for OS validation (#7695)
  • Fix spelling check (#7740)
  • Remove useless libvirt config (#7745)
  • Bump helm-controller to v0.15.0 for create-namespace support (#7716)
    • The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart’s target namespace if it does not exist.
  • Fix error logging in tailscale (#7776)
  • Add commands to remove advertised routes of tailscale in k3s-killall.sh (#7777)
  • Update Kubernetes to v1.27.3 (#7790)

Release v1.27.2+k3s1

This release updates Kubernetes to v1.27.2, and fixes a number of issues.

For more details on what’s new, see the Kubernetes release notes.

Changes since v1.27.1+k3s1:

  • Ensure that klog verbosity is set to the same level as logrus (#7303)
  • Create CRDs with schema (#7308)
    • Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
  • Bump k3s-root for aarch64 page size fix (#7364)
    • K3s once again supports aarch64 nodes with page size > 4k
  • Bump Runc and Containerd (#7339)
  • Add integration tests for etc-snapshot server flags and refactor /tests/integration/integration.go/K3sStartServer (#7300)
  • Bump traefik to v2.9.10 / chart 21.2.0 (#7324)
    • The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
  • Add longhorn storage test (#6445)
  • Improve error message when CLI wrapper Exec fails (#7373)
    • K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
  • Fix issues with --disable-agent and --egress-selector-mode=pod|cluster (#7331)
    • Servers started with the (experimental) —disable-agent flag no longer attempt to run the tunnel authorizer agent component.
    • Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
  • Retry cluster join on “too many learners” error (#7351)
    • K3s now retries the cluster join operation when receiving a “too many learners” error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
  • Fix MemberList error handling and incorrect etcd-arg passthrough (#7371)
    • K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
    • K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
  • Bump Trivy version (#7383)
  • Handle multiple arguments with StringSlice flags (#7380)
  • Add v1.27 channel (#7387)
  • Enable FindString to search dotD config files (#7323)
  • Migrate netutil methods into /util/net.go (#7422)
  • Local-storage: Fix permission (#7217)
  • Bump cni plugins to v1.2.0-k3s1 (#7425)
    • The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
  • Add dependabot label and reviewer (#7423)
  • E2E: Startup test cleanup + RunCommand Enhancement (#7388)
  • Fail to validate server tokens that use bootstrap id/secret format (#7389)
    • K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
  • Fix token startup test (#7442)
  • Bump kine to v0.10.1 (#7414)
    • The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
  • Add kube-* server flags integration tests (#7416)
  • Add support for -cover + integration test code coverage (#7415)
  • Bump kube-router version to fix a bug when a port name is used (#7454)
  • Consistently use constant-time comparison of password hashes instead of bare password strings (#7455)
  • Bump containerd to v1.7.0 and move back into multicall binary (#7418)
    • The embedded containerd version has been bumped to v1.7.0-k3s1, and has been reintegrated into the main k3s binary for a significant savings in release artifact size.
  • Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miw… (#7524)
  • Bump helm-controller version for repo auth/ca support (#7525)
    • The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
  • Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#7533)
    • The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
  • Wrap error stating that it is coming from netpol (#7539)
  • Add Rotation certification Check, remove func to restart agents (#7097)
  • Bump alpine from 3.17 to 3.18 in /package (#7550)
  • Bump alpine from 3.17 to 3.18 in /conformance (#7551)
  • Add ‘-all’ flag to apply to inactive systemd units (#7567)
  • Update to v1.27.2-k3s1 (#7575)
  • Fix iptables rules clean during upgrade (#7591)
  • Pin emicklei/go-restful to v3.9.0 (#7597)
  • Add el9 selinux rpm (#7443)
  • Revert “Add el9 selinux rpm (#7443)” (#7608)

Release v1.27.1+k3s1

This release is K3S’s first in the v1.27 line. This release updates Kubernetes to v1.27.1.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

Changes since v1.26.4+k3s1:

  • Kubernetes 1.27.1 (#7271)
  • V1.27.1 CLI Deprecation (#7311)
    • --flannel-backed=wireguard has been completely replaced with --flannel-backend=wireguard-native
    • The k3s etcd-snapshot command will now print a help message, to save a snapshot use: k3s etcd-snapshot save
    • The following flags will now cause fatal errors (with full removal coming in v1.28.0):
      • --flannel-backed=ipsec: replaced with --flannel-backend=wireguard-native see docs for more info.
      • Supplying multiple --flannel-backend values is no longer valid. Use --flannel-conf instead.
  • Changed command -v redirection for iptables bin check (#7315)
  • Update channel server for april 2023 (#7327)
  • Bump cri-dockerd (#7347)
  • Cleanup help messages (#7369)