This repository has been archived by the owner on Jan 11, 2023. It is now read-only.

v0.12.0

@jackfrancis jackfrancis released this 16 Jan 19:28
· 1180 commits to master since this release

Secure Kubernetes

This is the first minor release that includes "breaking" security hardening additions. Specifically, we now ship etcd v3 with TLS enforced both between client and server (the Kubernetes cluster components and the etcd API) and between the etcd peer nodes themselves. This is an important part of the cluster security story, but the current implementation does not provide automatic backwards-compatible operation for clusters deployed with prior versions of acs-engine. In practice this means that upgrade operations against pre-existing clusters will not work with v0.12.0.

Also, etcdctl commands that require auth (e.g., etcdctl cluster-health) now require sudo privileges, because the client private key that etcdctl must present to the TLS-protected etcd API is itself protected on disk.
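The following is an added example (not acs-engine code) of how an operator would run health checks against the TLS-enforced etcd described above. It builds the etcdctl invocation with the client certificate flags for both the v2 front end (the `cluster-health` form mentioned here) and the v3 front end, and it first verifies that the private key really is root-only, which is the reason the command needs sudo. The certificate paths under /etc/kubernetes/certs and the endpoint are assumptions; check a master node for the files acs-engine actually wrote.

```python
"""Pre-flight helper for running etcdctl against a TLS-enforced etcd.
Added example, not acs-engine code.  The DEFAULT_* paths are assumptions."""
import os
import stat
import subprocess

# Assumed locations of the etcd client CA, certificate and private key.
DEFAULT_CA = "/etc/kubernetes/certs/ca.crt"
DEFAULT_CERT = "/etc/kubernetes/certs/etcdclient.crt"
DEFAULT_KEY = "/etc/kubernetes/certs/etcdclient.key"
DEFAULT_ENDPOINT = "https://127.0.0.1:2379"


def mode_is_protected(uid, mode, owner=0):
    """True if a file with this uid/mode is owned by `owner` (root by default)
    and carries no group or other permission bits at all."""
    return uid == owner and (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def key_is_protected(path, owner=0):
    """Stat the private key and apply mode_is_protected.  A key that passes
    this check cannot be opened by an unprivileged etcdctl, which is exactly
    why the commands now need sudo."""
    st = os.stat(path)
    return mode_is_protected(st.st_uid, st.st_mode, owner)


def etcdctl_command(args, api_version=2, endpoint=DEFAULT_ENDPOINT,
                    ca=DEFAULT_CA, cert=DEFAULT_CERT, key=DEFAULT_KEY,
                    use_sudo=True):
    """Build an etcdctl argv that presents the client certificate.

    The v2 and v3 front ends spell the TLS flags differently:
    v2 uses --ca-file/--cert-file/--key-file, v3 (ETCDCTL_API=3) uses
    --cacert/--cert/--key.  `sudo env VAR=value ...` is used so that the
    API selector survives sudo's environment reset."""
    if api_version == 2:
        tls = ["--ca-file", ca, "--cert-file", cert, "--key-file", key]
        env = []
    elif api_version == 3:
        tls = ["--cacert", ca, "--cert", cert, "--key", key]
        env = ["ETCDCTL_API=3"]
    else:
        raise ValueError("api_version must be 2 or 3")
    cmd = ["etcdctl", "--endpoints", endpoint, *tls, *args]
    if use_sudo:
        cmd = ["sudo", "env", *env, *cmd]
    elif env:
        cmd = ["env", *env, *cmd]
    return cmd


def cluster_health(api_version=2, **kw):
    """Run the health check.  Refuse up front if the key is not root-only:
    a world-readable etcd client key means the hardening is incomplete."""
    key = kw.get("key", DEFAULT_KEY)
    if not key_is_protected(key):
        raise PermissionError(
            f"{key} is readable by non-root users; fix owner/mode before trusting this cluster")
    args = ["cluster-health"] if api_version == 2 else ["endpoint", "health"]
    return subprocess.run(etcdctl_command(args, api_version=api_version, **kw),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    result = cluster_health()
    print(result.stdout or result.stderr)
```

Run it on a master as an unprivileged user: the stat succeeds without read access, the check passes for a root-owned 0600 key, and only the etcdctl call itself is elevated.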

On that note, we'll be calling out security-related items going forward!

Generic Kubernetes Configuration Interfaces

This release introduces generic configuration interfaces for Kubernetes cluster deployments for the kubelet, controller-manager, and apiserver run-time components. These conveniences (1) allow for more explicit configuration declarations, where appropriate, and more importantly (2) enable user-provided configuration values for the various Kubernetes components without changing acs-engine code (where acs-engine itself does not enforce an opinionated requirement).

This change also breaks some existing kubernetesConfig property usage patterns in the vlabs api model:

  • HardEvictionThreshold, NodeStatusUpdateFrequency, and NonMasqueradeCidr properties have been moved to the new kubernetesConfig.kubeletConfig configuration object. E.g.:
"kubernetesConfig": {
    <...>
    "kubeletConfig": {
        "--eviction-hard": "memory.available<250Mi,nodefs.available<20%,nodefs.inodesFree<10%",
        "--node-status-update-frequency": "1m",
        "--non-masquerade-cidr": "10.0.0.0/8"
    }
    <...>
}
  • CtrlMgrNodeMonitorGracePeriod, CtrlMgrPodEvictionTimeout, and CtrlMgrRouteReconciliationPeriod properties have been moved to the new kubernetesConfig.controllerManagerConfig configuration object. E.g.:
"kubernetesConfig": {
    <...>
    "controllerManagerConfig": {
        "--node-monitor-grace-period": "40s",
        "--pod-eviction-timeout": "5m0s",
        "--route-reconciliation-period": "10s"
    }
    <...>
}
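Because both moves above are mechanical, an api model written for an earlier release can be rewritten rather than edited by hand. The script below is an added example, not part of acs-engine: it moves each of the six removed properties into its new kubeletConfig or controllerManagerConfig object using the flag names listed above, leaves every other key alone, and reports (instead of silently overwriting) the case where a model already sets the new-style flag to a different value. The camelCase JSON spelling of the old properties and the properties.orchestratorProfile.kubernetesConfig path are assumptions about the vlabs api model; the Go-style names shown in the notes are accepted too.

```python
"""Migrate a pre-v0.12.0 kubernetesConfig to the v0.12.0 shape.
Added example, not acs-engine code.  The camelCase JSON keys and the
properties.orchestratorProfile.kubernetesConfig path are assumptions."""
import json
import sys
from copy import deepcopy

# Old vlabs property -> (new config object, kubelet/controller-manager flag).
# Flag names are the ones given in the release notes.
MOVED_PROPERTIES = {
    "hardEvictionThreshold": ("kubeletConfig", "--eviction-hard"),
    "nodeStatusUpdateFrequency": ("kubeletConfig", "--node-status-update-frequency"),
    "nonMasqueradeCidr": ("kubeletConfig", "--non-masquerade-cidr"),
    "ctrlMgrNodeMonitorGracePeriod": ("controllerManagerConfig", "--node-monitor-grace-period"),
    "ctrlMgrPodEvictionTimeout": ("controllerManagerConfig", "--pod-eviction-timeout"),
    "ctrlMgrRouteReconciliationPeriod": ("controllerManagerConfig", "--route-reconciliation-period"),
}


def migrate_kubernetes_config(cfg):
    """Return (migrated copy, conflicts).

    Each removed property is popped and written into its new object; other
    keys are untouched.  If the new object already sets the flag to a
    different value, the explicit new-style value is kept and the clash is
    recorded as (old key, flag, dropped value, kept value)."""
    out = deepcopy(cfg)
    conflicts = []
    for old_key, (section_name, flag) in MOVED_PROPERTIES.items():
        # Accept the camelCase JSON key and the Go field name (HardEvictionThreshold).
        for spelling in (old_key, old_key[0].upper() + old_key[1:]):
            if spelling not in out:
                continue
            value = out.pop(spelling)
            section = out.setdefault(section_name, {})
            if flag in section and section[flag] != value:
                conflicts.append((spelling, flag, value, section[flag]))
            else:
                section[flag] = value
    return out, conflicts


def migrate_api_model(model):
    """Apply the migration to a whole api model document (path is assumed)."""
    model = deepcopy(model)
    kc = (model.get("properties", {})
               .get("orchestratorProfile", {})
               .get("kubernetesConfig"))
    if kc is None:
        return model, []
    migrated, conflicts = migrate_kubernetes_config(kc)
    model["properties"]["orchestratorProfile"]["kubernetesConfig"] = migrated
    return model, conflicts


if __name__ == "__main__":
    # Usage: python migrate.py old-apimodel.json > new-apimodel.json
    with open(sys.argv[1]) as f:
        new_model, clashes = migrate_api_model(json.load(f))
    for old, flag, dropped, kept in clashes:
        print(f"warning: {old}={dropped!r} dropped; {flag} already set to {kept!r}",
              file=sys.stderr)
    json.dump(new_model, sys.stdout, indent=2)
```

Review any warning it prints before deploying: a clash means the model was already half-migrated, and the value that survives is the one in the new-style object.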

KUBERNETES SECURITY 🔐

FEATURES: 🌈

BUGS FIXED: 🐞

DEV IMPROVEMENTS/CHORES: 🔧