Release notes for kops 1.11 series

Significant changes

• kops will attempt to remove NLBs (also known as ELB v2) that are tagged as created by the cluster. Please double-check the preview from kops delete cluster before allowing deletion.

• JSON & YAML field names in the kops objects are case-sensitive. This was a regression across the kubernetes API libraries as observed kubernetes#64612. Please double-check that you are using the correct field names if you are constructing YAML / JSON outside of kops.

• The default image on AWS for kubernetes 1.11 is now based on debian stretch, instead of debian jessie. This has better support for NVME.

New features

• Support for kubernetes 1.11
• Support using existing/shared AWS Security Groups
• Support for more AWS instance types (r5, r5d, z1d, t3, f1.4xlarge, p3dn.24xlarge)
• Addon updates (weave, dashboard, heapster, cluster-autoscaler, canal, coredns, cilium, aws-vpc-cni, lyft-vpc-cni, calico, kopeio-networking)
• Allow users to opt-in to etcd-manager
• More secure default settings when running kubernetes >= 1.11 (e.g. kubelet anonymous auth disabled)
• Improved GCE & OpenStack support, experimental support for SpotInst

Required Actions

None known at this time

Full change list since 1.10.0 release

• Move alpha channels to stable and update alpha @mikesplain #5493
• Update stable channel to recommend latest kubernetes @justinsb #5500
• Put new kops versions into channels @justinsb #5501
• Add authentication-token-webhook-cache-ttl flag to kubelet config @ihoegen #5508
• Add ssh user to kops toolbox dump @justinsb #5511
• makefile: tweaks to push & run targets @justinsb #5515
• kops set: fix example @justinsb #5516
• Docker installation from tar.gz @justinsb #5517
• Add new instance types r5, r5d, z1d @rekcah78 #5529
• add wider tolerations to the kube-router daemonset @zivagolee #5525
• Some tweaks around IAM additional policies @justinsb #5536
• Add HACK_UPDATE_EXPECTED_IN_PLACE for cloudformation output @justinsb #5535
• Fix typo in comment @justinsb #5534
• Check errors when parsing JSON on IAM policies @justinsb #5533
• amazon-vpc-routed-eni cloudprovider check @mikesplain #5540
• Add error handling for failed deletion of tempfiles @justinsb #5543
• Validate IAM additionalPolicies @justinsb #5541
• Add missing error handling when reading stdin @justinsb #5542
• Add error handling (logging) when we fail to close a file @justinsb #5544
• Fix api-gen-docs dependencies @mikesplain #5507
• Parallel bazel crossbuild kops @mikesplain #5523
• Load client-auth plugins @ripta #5513
• one word change to docs grammar tense issue ran -> run @ms4720 #5546
• Spell Fix: Fixing spelling of “Kubernetes” in doc @Rajat-0 #5550
• Remove GetAsgForInstance IAM permission @justinsb #5566
• Don’t set kube-proxy cluster-cidr with aws-vpc-cni @spikecurtis #5579
• Move CloudProviderID consts into a block #5590
• Fix cpu unit measurement @asosso #5589
• Node Authorizer Prometheus Metrics @gambol99 #5599
• Add AWS IAM permission to check for volume resize @KashifSaadat #5597
• Add amazon.com image owner alias and Amazon Linux 2 documentation @Pharb #5577
• make dep-ensure checks that mercurial is installed @justinsb #5600
• Ability to configure --node-cidr-mask-size into kube-controller-manager @robermorales #5596
• fix typo @fqsghostcloud #5604
• Update install.md @fqsghostcloud #5603
• Don’t assume that we only have one subnet per AZ @justinsb #5601
• Fix additional security groups changes on api lb @mikesplain #5602
• fix name of demo-app-v2 @fqsghostcloud #5605
• Enable weave network encryption for k8s 1.6 @Andrey9kin #5595
• Bump Weave Net to v2.4.0 #5552
• Create ExperimentalClusterDNS feature flag @justinsb #5610
• weave: bump version for 2.3.0 @justinsb #5618
• Validate that require-kubeconfig is not passed after 1.10 @justinsb #5621
• Docs for policy to do cross account state store in s3 @geojaz #5622
• DigitalOcean: don’t try to set SSE @justinsb #5625
• Remove _kubernetes_master tag @justinsb #5623
• Update CoreDNS deployment @rajansandeep #5608
• Add DEBUGGABLE option to Makefile to compile debuggable bins #5636
• Add changelog to release notes for 1.10 @justinsb #5639
• Update README.md @wangxy518 #5638
• Fix build: prevent verify-misspelling failing on releases @Mikulas #5643
• Update readme compatibility matrix for 1.10 @mikesplain #5484
• Bump channels for 1.10.0 @mikesplain #5645
• Upgrade DigitalOcean CCM to v0.1.7 @andrewsykim #5651
• add kube-proxy hostname override @andrewsykim #5649
• Create getting started with OpenStack doc #5637
• Update route53api.go @wangxy518 #5648
• AWS VPC Daemonset Correctly Tolerate Node Taints @benjigoldberg #5654
• Added // restore // guide to single-to-multi-master.md @vlaza #5580
• Update alpha channel with images for foreshadow @justinsb #5657
• Basic validation for imagetype for NVME enabled instances @geojaz #5660
• Apply cloud labels into ELB @wingyplus #5593
• Cherry-pick release 1.10.0 commit @justinsb #5665
• Promote kubernetes versions from alpha -> stable @justinsb #5663
• Fix codegen make target #5662
• Push latest k8s versions to alpha channel @justinsb #5666
• Added myself to SECURITY_CONTACTS @geojaz #5674
• Fixes go vet complain in package upup/pkg/fi/cloudup/awstasks @wingyplus #5669
• Update machine_types.go to support T3 family @wanghanlin #5681
• Change vendored weave mesh to use hash keys by default @justinsb #5693
• Add etcd volumeSize docs @mikesplain #5692
• Fix a typo: ectd->etcd @AdamDang #5698
• add flag +ExperimentalClusterDNS in docs @rekcah78 #5708
• Adding kubernetes/dashboard v1.10.0 for K8S >=1.10.0 @schweizerbolzonello #5702
• updated image versions and deployment instructions for the nginx-ingress addon @kanolato #5711
• Update CoreDNS version and manifest @rajansandeep #5727
• Vendor servergroup module from gophercloud #5678
• Make chrisz100 a reviewer for kops @chrisz100 #5716
• OpenStack: enable cluster state deletion #5731
• OpenStack: vendor schedulerhints #5732
• lifecycle tests: check no legacy tags on shared resources @justinsb #4797
• Refactor tables package to be more reusable @justinsb #5565
• Fix suspendprocess @mikesplain #5503
• Fixes go vet complains @wingyplus #5686
• correct 8 spell errors @sunlintong #5740
• correct spell errors in ‘docs/cluster_spec.md’ @sunlintong #5739
• --output json added to aws @kulik0v #5742
• Use appropriate log level for KOPS_STATE_S3_ACL debug message @davidarcher #5726
• Update k8s-ec2-srcdst to v0.2.2 @willthames #5746
• Add elasticloadbalancing:DeregisterTargets permission to master policy @kellycampbell #5752
• Typo fix: bellow -> below @mirake #5764
• Update README.md @geojaz #5769
• Machine type generator @mikesplain #5553
• let aws command output json @zouguangxian #5471
• Explicitly install conntrack @johanneswuerbach #5745
• Don’t unset AWS_PROFILE in Makefile @justinsb #5784
• machine-type generator: go vet fixes @justinsb #5787
• typo fixes in stable for ci verify jobs @chrisz100 #5737
• Fix interactive rolling update silently ignored @Mikulas #5642
• Add Docker 18.06.1 for Debian Stretch @granular-ryanbonham #5758
• Update iaminstanceprofile.go @wangxy518 #5641
• Recognize ubuntu images in sshUser dumping @justinsb #5796
• Added documentation for Api server LB Certificate @fernandocarletti #5793
• Move verify-spelling to script, install from vendor @justinsb #5785
• Protect against panic when networking is not set @justinsb #5801
• Cni toleration for tainted nodes @jhohertz #5804
• Fix bazel cross platform @mikesplain #5799
• Addon update heapster @recollir #5199
• Amazon VPC CNI: Kubernetes 1.8+ Manifests @ripta #5290
• Add useRawManifest hook option to install manifest as a hook unmodified @geekofalltrades #5106
• Add rdrgmnzs as a reviewer to owners file. @rdrgmnzs #5813
• Support for deletion of aws resources albs nlbs during delete @nareshku #5635
• dns-controller: allow configuring DNS update interval #5759
• Avoid using which, CoreOS doesn’t always have it @justinsb #5795
• Start release notes for 1.11 @justinsb #5815
• Generate live project documentation using mkdocs and gh-pages @aledbf,@justinsb #5085
• Fix a typo in usage of server.go @AdamDang #5811
• Bazel Rules go 0.14 @mikesplain #5481
• Update gazelle for concurrent PR changes @justinsb #5819
• Add test for etcd-manager output @justinsb #5547
• Delete nodes from k8s api during rolling-update @justinsb #5794
• Update golang version to 1.10.3, for k8s 1.11 @justinsb #5817
• Prune some broken files out of vendor @justinsb #5821
• Field names are case-sensitive again @justinsb #5828
• Run dep to add missing new aws dependencies for elbv2 @justinsb #5822
• Tweak machine_types generator to match our existing values @justinsb #5783
• Fixes spurious LoadBalancer change when using ACM Certificate @rifelpet #5814
• Revert “Apply cloud labels into ELB” @gambol99 #5834
• Fix markdown typo @coryflucas #5838
• Node Authorizer Fixes @gambol99 #5841
• Update HPA docs @jsenon #5842
• Add clarity to AWS IAM Authenticator documentation @rifelpet #5843
• ECU fixes and add f1.4xlarge @mikesplain #5844
• Update to k8s 1.11 libraries, fix code @justinsb #5823
• Fix minor typo. @bheesham #5849
• copy path on kops-server-build @mahuihuang #5719
• cluster-autoscaler.yaml for 1.10 @koooge #5741
• Controller Manager Flag @gambol99 #5855
• Allow using existing/shared Security Groups @rdrgmnzs #5744
• etcd: introduce field to specify whether we are using etcd-manager or legacy mode @justinsb #5820
• Follow on for #5744 @justinsb #5862
• Remove last vestiges of _vendor directory @justinsb #5865
• Stop cloudformation output switching to literal quotes @justinsb #5857
• doc: Trivial spelling change @karlmutch #5861
• Node mode controllers @gambol99 #5867
• Node Authorizer Fixes @gambol99 #5868
• Fix broken url in CONTRIBUTING.md @posquit0 #5853
• doc: fix minor typo in the terraform doc @a8m #5860
• Mirror secrets using API @justinsb #5858
• Fix mis-typing in documentation @posquit0 #5859
• Generate much smaller keys in integration tests @justinsb #5869
• Don’t override name of ELB API SecurityGroup @justinsb #5863
• Fix a few typos. @rdrgmnzs #5872
• Fix mis-typings in docs @posquit0 #5879
• Fix mis-typings in documentation. @posquit0 #5878
• Add no_masq_local to weave network options. @arturo-c #5812
• propagate error when initializing digitalocean provider @andrewsykim #5894
• Fixed duplicate info #5425
• Small typo fix @AdamDang #5721
• Grammar mistakes @yjl-lgx,@justinsb #4687
• add support for max-mutating-requests-inflight parameter @captainkerk #5832
• Fix mis-typings in docs @posquit0 #5887
• Fix some typos @mirake #5882
• Fix typos issues @mooncak #5885
• Fix typos issues in upup files @mooncak #5886
• Fix mis-typings in docs @posquit0 #5888
• Fix broken link to etcd 2 documentation @mbode #5889
• Update create-cluster arg help @justinsb #5896
• fix network.md @fqsghostcloud #5900
• fix install.md @fqsghostcloud #5901
• Removed misleading comment about metav1 @justinsb #5898
• add targetRamMb to kubeAPIServer spec @captainkerk #5890
• Fix mis-typing in CLI command documentations @posquit0 #5854
• alpha-channel: Use stretch by default for k8s 1.11 on AWS @justinsb #5897
• Fix cloudmock to pass govet @justinsb #4949
• Update Weave Net to version 2.4.1 @bboreham #5845
• fix typo: remove duplicate words @SataQiu #5883
• Add default S3 encryption example @RulerOf #5884
• fix service name @fqsghostcloud #5899
• Canal Manifest Fix (Kubernetes >= v1.12.0) @gambol99 #5910
• Update weave bootstrapchannelbuilder version @justinsb #5903
• fix some typos @SataQiu #5909
• Google Cloud Storage md5 decoding fix @justinsb #5906
• If don’t use formatted output,fix logging calls @mikeweiwei #5911
• Promote kubernetes versions from alpha to stable @justinsb #5913
• alpha channel: update with latest kubernetes versions @justinsb #5914
• Recognize shasum format for hashes @justinsb #5893
• fix typo in comment @rdrgmnzs #5915
• Optimize kops get cluster with a cluster name @justinsb #5920
• Service Address Check @gambol99 #5923
• s3: lazy-evaluate encryption policy @justinsb #5921
• Fixed node-authorizer systemd Unit paths @liviudm #5918
• fix some typos @SataQiu #5924
• Disable RBAC Addon’s in Node Mode @gambol99 #5925
• added possible state store vendors to documentation @chrisz100 #5931
• Fix documents issue @mooncak #5943
• Canal v3 @gambol99 #5927
• fix small typos in security.md @AdamDang #5942
• Fix typos in files @mooncak #5944
• New integration: Spotinst @liranp #5922
• Ensure we parse k8s versions through 1.16 @justinsb #5948
• IPVS Options @gambol99 #5935
• Promote AMIs from alpha -> stable @justinsb #5947
• Mark release 1.11.0-alpha.1 @justinsb #5949
• add EnableNodeAuthorization in the list of experimental features @rekcah78 #5953
• Fix broken url in documentation @posquit0 #5957
• Delete duplicate ‘be’. @xichengliudui #5963
• Fix grammatical error in the warning message @AdamDang #5951
• Add suggested alias for bazelrc import location @justinsb #5966
• Fix the typos @SataQiu #5972
• Switch CI to bazel @justinsb #5974
• Fix nsenter mounter in protokube @justinsb #5970
• Use hostPID: true with etcd-manager @justinsb #5969
• terraform: Fix resource formatting for IPv6 CIDRs @a8m #5979
• Correct Spelling of “kubernetesVersion” @johannes-gehrs #5928
• Add support for cn-northwest-1c. @leeeboo #5956
• Remove excess Spaces @xichengliudui #5981
• More CNI toleration for tainted nodes. @jhohertz #5946
• Fixed issue when specifying ACM cert and no load balancer is defined @Raffo #5971
• fix typo in comments @TinySong #6001
• Clarify license statement for nvidia-bootstrap hook @swinslow #6006
• fixed MIN_NODES missing closing bracket @victortrac #5996
• fix typo in log @TinySong #6002
• Mount etc-hosts in calico-kube-controller @shrinandj #5950
• Bump CoreDNS version to 1.2.4 and update manifest @rajansandeep #5985
• cilium: Fix Prometheus serve addr flag @rochacon #5987
• Add stdin input for secrets @ihoegen #5993
• Separate subnet utils into a standalone package @errordeveloper #6004
• Fixed missing closing bracket around MIN_NODES @vivekgarg20 #5870
• Update v0.19.0.yaml @wangxy518 #5997
• Change the wrong function name and wrong word @xichengliudui #6018
• Prune some license files that dep added @justinsb #6019
• Fix s3 encryption role @rhyas #6039
• Fix indentation for monitoring-standalone addon @KashifSaadat #6032
• Canal v3.3.0 for Kubernetes v1.12+ @KashifSaadat #6037
• Correct the table format in upgrade_from_kubeup.md @AdamDang #6023
• Update Weave Net to version 2.5.0 @bboreham #6043
• Change “if” -> “if and only if” to make more clear @mooncak #6041
• Spotinst: Attempt to find a Security Group even without a VPC ID @liranp #6030
• fix some typos @SataQiu #6013
• Fix blog link @hintss #6022
• Bump kopeio-networking to latest version @justinsb #6010
• Spotinst: Do not log unmatched groups as warning messages @liranp #6025

• 5700: Add command line flag for disabling Subnet ELB tags @seanson #5875

• Remove unnecessary code @xichengliudui #6053

• Fix some typos @mooncak #6048
• Fix some typos in files @mooncak #6064
• Detail Calico BGP route reflector requirements @Vlaaaaaaad #6047
• coredns should not be running on master by default @bhegazy #5917
• Document etcd volume options + fail fast if ratio is too high @Vlaaaaaaad #6035
• Spotinst: Skip the creation of LoadBalancerAttachment tasks if Spotinst is enabled @liranp #6015
• Calico v3 upgrade @tmjd #5102
• Update Calico to v3.3.1 @caseydavenport #6077
• delete some code @xichengliudui #6078
• Adding describe launch config to autoscaler permissions @brosander #5929
• Remove trailing comma from k8s-1.7-v3.yaml.template @Smirl #6086
• Updating image and docs for metrics-server add-on @Cryptophobia #5873
• Updates to roadmap for 1.11 and 1.12 and new upcoming features section (WIP) @geojaz #5824
• Update amazon-vpc-routed-eni to v1.2.1 @adammw #5905
• Request AWS ASGs in batches @KierranM #6056
• Typo fix: Deploy -> Deploying @JoeWrightss #6087
• Use a single command in Linux install instructions @jbowes #6084
• autoscaler setup: Use set -e to stop execution if errors are encountered @eherot #6089
• Typo fix “api server” -> “API server” @JoeWrightss #6092
• increase docker-healthcheck respose timeout @tatobi #5644
• Bump version of amazon-vpc-cni in bootstrapchannelbuilder @justinsb #6094
• Fix typo in CRD: singuar @justinsb #6095
• add SSL certificate ARN to Terraform output @j00p34 #6082
• Add flag to disable Basic Auth. @fernandocarletti #5586
• Update machine types @justinsb #6096
• Implemented Nvidia DevicePlugin GPU Support on AWS @dcwangmit01 #5502
• Setting the manifest directory when it is required by kubelet @mmerrill3 #5939
• Update CoreDNS version to 1.2.6 @rajansandeep #6101
• Fix typos: dnsmaq -> dnsmasq, mutiple -> multiple @SataQiu #6108
• Document how to create a custom addon @thrawny #6100
• [monitoring-standalone] Add kubernetes 1.7 version @tuannvm #5902
• Cni ipvlan vpc k8s support @polarbizzle #4762
• Node Authorizer Recovery Middleware @gambol99 #6105
• Fix log warning info @gaozhenhai #6111
• Set a dateformat on logrotate configs on CoreOS @ripta #6059
• Mention about possible state store vendors in error message @nak3 #6114
• kops set: support for enableEtcdTLS and enableTLSAuth @justinsb #6113
• feat(cmd/kops/create_cluster): default to kubelet.anonymousAuth false on k8s versions >=1.10 @jaredallard #6091
• Create separate certificate for etcd peer authentication @justinsb #6112
• Set MaxPods when using Amazon VPC CNI Plugin @sethpollack,@ripta #6058
• Automated cherry pick of #6128: Update amazon cni to 1.3.0 @mikesplain #6132
• Automated cherry pick of #6156: Fix Calico upgrade job to use the correct version @tmjd #6159
• Automated cherry pick of #6129: feat: bump controller version to 1.0.18 @liranp #6143
• Automated cherry pick of #6175: Fix for when node and master use the same SG. @rdrgmnzs #6176
• Add a1 and c5n instance types @justinsb #6117
• Automated cherry pick of #6144: Workspace updates for bazel @mikesplain #6220
• ExperimentalAllowedUnsafeSysctls has moved to AllowedUnsafeSysctls in k8s 1.11 @rdrgmnzs #6179
• Add GCE europe-north1-{a,b,c} @eetujalonen #6152
• Automated cherry pick of #6253: Add p3dn.24xlarge @mikesplain #6254

Changes from 1.11.0 to 1.11.1

• Don’t panic when an etcd cluster is added @justinsb #6180
• Add Docker 18.06.1 for CentOS and RHEL 7 @bcorijn #6202
• Update go version to 1.10.8 @justinsb #6401
• Normalize etcd cluster provider names @justinsb #6410
• Automated cherry pick of #6288: Recognize 2019 as a year @justinsb #6364
• Fix machine types and cleanup makefile @mikesplain #6427
• Upgrade base image to alpine 3.8 and GO to 1.10.8 @ricardo-larosa #6458
• Support etcd-manager v3, suitable for backporting @justinsb #6411
• Choose docker version 18.06.2 for k8s >= 1.12 @justinsb #6488
• Workaround for overlay2 vs rhel-family docker bug @justinsb #6491
• Try using chattr to mark docker-runc as immutable @justinsb #6506
• include docker 18.06.1 missed dependency @nareshku #6338
• set net.ipv4.ip_local_reserved_ports to the KubeAPIServer ServiceNodePortRange parameter on nodeup @sp-joseluis-ledesma #6343
• Add jessie patch @jjo #6461
• Bump etcd-manager version to 3.0.20190224 @justinsb #6526
• Make docker 18.06.3 the default for k8s >= 1.12 @justinsb #6524
• update-machine-types: more metal instance types @justinsb #6551
• Map docker 18.06.3 @justinsb #6523
• Sync up docker with master @justinsb #6559
• Update distroless @justinsb #6287
• Mark 1.11.1 @justinsb #6561