v1.26.X
Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.
Release v1.26.15+k3s1
This release updates Kubernetes to v1.26.15, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.14+k3s1:
- Update klipper-lb image version (#9607)
- Install and Unit test backports (#9645)
- Adjust first node-ip based on configured clusterCIDR (#9633)
- Add an integration test for flannel-backend=none (#9610)
- Improve tailscale e2e test (#9655)
- Backports for 2024-03 release cycle (#9692)
- Fix: use correct wasm shims names
- The embedded flannel cni-plugin binary is now built and versioned separately from the rest of the cni plugins and the embedded flannel controller.
- Bump spegel to v0.0.18-k3s3
- Adds wildcard registry support
- Fixes issue with excessive CPU utilization while waiting for containerd to start
- Add env var to allow spegel mirroring of latest tag
- Tweak netpol node wait logs
- Fix coredns NodeHosts on dual-stack clusters
- Bump helm-controller/klipper-helm versions
- Fix snapshot prune
- Fix issue with etcd node name missing hostname
- Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode.
- To enable raw output for the check-config subcommand, you may now set NO_COLOR=1
- Fix additional corner cases in registries handling
- Bump metrics-server to v0.7.0
- K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
- Fix wildcard entry upstream fallback (#9735)
- Update to v1.26.15-k3s1 and Go 1.21.8 (#9740)
Release v1.26.14+k3s1
This release updates Kubernetes to v1.26.14, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.13+k3s2:
- Chore: bump Local Path Provisioner version (#9428)
- Bump cri-dockerd to fix compat with Docker Engine 25 (#9292)
- Auto Dependency Bump (#9421)
- Runtimes refactor using exec.LookPath (#9429)
- Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection.
- Changed how lastHeartBeatTime works in the etcd condition (#9423)
- Allow executors to define containerd and docker behavior (#9252)
- Update Kube-router to v2.0.1 (#9406)
- Backports for 2024-02 release cycle (#9464)
- Bump flannel version + remove multiclustercidr (#9409)
- Enable longer http timeout requests (#9446)
- Test_UnitApplyContainerdQoSClassConfigFileIfPresent (#9442)
- Support PR testing installs (#9471)
- Update Kubernetes to v1.26.14 (#9490)
- Fix drone publish for arm (#9510)
- Remove failing Drone step (#9514)
- Restore original order of agent startup functions (#9547)
- Fix netpol startup when flannel is disabled (#9580)
Release v1.26.13+k3s2
This release updates Kubernetes to v1.26.13, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Important Notes
Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.
Changes since v1.26.12+k3s1:
- Add a retry around updating a secrets-encrypt node annotations (#9123)
- Added support for env *_PROXY variables for agent loadbalancer (#9116)
- Wait for taint to be gone in the node before starting the netpol controller (#9177)
- Etcd condition (#9183)
- Backports for 2024-01 (#9212)
- Move proxy dialer out of init() and fix crash (#9221)
- Pin opa version for missing dependency chain (#9218)
- Etcd node is nil (#9230)
- Update to v1.26.13 and Go 1.20.13 (#9262)
- Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#9271)
- Backports for 2024-01 k3s2 (#9338)
- Bump runc to v1.1.12 and helm-controller to v0.15.7
- Fix handling of bare hostname or IP as endpoint address in registries.yaml
- Bump helm-controller to fix issue with ChartContent (#9348)
Release v1.26.12+k3s1
This release updates Kubernetes to v1.26.12, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.11+k3s2:
- Runtimes backport (#9014)
- Added runtime classes for wasm/nvidia/crun
- Added default runtime flag for containerd
- Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#8964)
- Fix overlapping address range (#9019)
- Allow setting default-runtime on servers (#9028)
- Bump containerd to v1.7.11 (#9042)
- Update to v1.26.12-k3s1 (#9077)
Release v1.26.11+k3s2
This release updates Kubernetes to v1.26.11, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.10+k3s2:
- Etcd status condition (#8820)
- Backports for 2023-11 release (#8879)
- New timezone info in Docker image allows the use of spec.timeZone in CronJobs
- Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
- Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
- Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
- Improved ingress IP ordering from ServiceLB
- Disable helm CRD installation for disable-helm-controller
- Omit snapshot list configmap entries for snapshots without extra metadata
- Add jitter to client config retry to avoid hammering servers when they are starting up
- Add warning for removal of multiclustercidr flag (#8760)
- Handle nil pointer when runtime core is not ready in etcd (#8888)
- Improve dualStack log (#8829)
- Bump dynamiclistener; reduce snapshot controller log spew (#8903)
- Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
- Reduced etcd snapshot log spam during initial cluster startup
- Fix etcd snapshot S3 issues (#8938)
- Don't apply S3 retention if S3 client failed to initialize
- Don't request metadata when listing S3 snapshots
- Print key instead of file path in snapshot metadata log message
- Update to v1.26.11 and Go to 1.20.11 (#8922)
- Remove s390x (#9000)
Release v1.26.10+k3s2
This release updates Kubernetes to v1.26.10, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.10+k3s1:
- Fix SystemdCgroup in templates_linux.go (#8766)
- Fixed an issue with identifying additional container runtimes
- Update traefik chart to v25.0.0 (#8776)
- Update traefik to fix registry value (#8790)
Release v1.26.10+k3s1
This release updates Kubernetes to v1.26.10, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.9+k3s1:
- Fix error reporting (#8412)
- Add context to flannel errors (#8420)
- Testing Backports for September (#8300)
- Include the interface name in the error message (#8436)
- Update kube-router (#8444)
- Add extraArgs to tailscale (#8465)
- Added error when cluster reset while using server flag (#8456)
- The user will receive an error when using --cluster-reset with the --server flag
- Cluster reset from non bootstrap nodes (#8453)
- Fix spellcheck problem (#8510)
- Take IPFamily precedence based on order (#8505)
- Network defaults are duplicated, remove one (#8552)
- Advertise address integration test (#8517)
- System agent push tags fix (#8570)
- Fixed tailscale node IP dualstack mode in case of IPv4 only node (#8559)
- Server Token Rotation (#8577)
- Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
- Clear remove annotations on cluster reset (#8590)
- Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
- Use IPv6 in case is the first configured IP with dualstack (#8598)
- Backports for 2023-10 release (#8616)
- E2E Domain Drone Cleanup (#8583)
- Update kube-router package in build script (#8635)
- Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#8643)
- Use version.Program not K3s in token rotate logs (#8655)
- Windows agent support (#8647)
- Add --image-service-endpoint flag (#8279) (#8663)
- Add --image-service-endpoint flag to specify an external image service socket.
- Backport etcd fixes (#8691)
- Re-enable etcd endpoint auto-sync
- Manually requeue configmap reconcile when no nodes have reconciled snapshots
- Update to v1.26.10 and Go to v1.20.10 (#8680)
- Fix s3 snapshot restore (#8734)
Release v1.26.9+k3s1
This release updates Kubernetes to v1.26.9, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.8+k3s1:
- Bump kine to v0.10.3 (#8325)
- Update to v1.26.9 and go to v1.20.8 (#8357)
- Bump embedded containerd to v1.7.6
- Bump embedded stargz-snapshotter plugin to latest
- Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
- Fixed CI failures due to API discovery changes in Kubernetes 1.28
Release v1.26.8+k3s1
This release updates Kubernetes to v1.26.8, and fixes a number of issues.
This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.7+k3s1:
- Update flannel and plugins (#8075)
- Fix tailscale bug with ip modes (#8097)
- Etcd snapshots retention when node name changes (#8122)
- August Test Backports (#8126)
- Backports for 2023-08 release (#8129)
- K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
- K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
- Updated the embedded containerd to v1.7.3+k3s1
- Updated the embedded runc to v1.1.8
- Updated the embedded etcd to v3.5.9+k3s1
- User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
- Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
- Updated kine to v0.10.2
- K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#8144)
- Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#8170)
- Fixed the etcd retention to delete orphaned snapshots based on the date (#8189)
- Additional backports for 2023-08 release (#8212)
- The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
- Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
- The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
- Move flannel to 0.22.2 (#8222)
- Update to v1.26.8 (#8235)
- Add new CLI flag to enable TLS SAN CN filtering (#8258)
- Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
- Add RWMutex to address controller (#8274)
Release v1.26.7+k3s1
This release updates Kubernetes to v1.26.7, and fixes a number of issues. For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.6+k3s1:
- Remove file_windows.go (#7855)
- Fix code spell check (#7859)
- Allow k3s to customize apiServerPort on helm-controller (#7874)
- Check if we are on ipv4, ipv6 or dualStack when doing tailscale (#7882)
- Support setting control server URL for Tailscale. (#7893)
- S3 and Startup tests (#7885)
- Fix rootless node password (#7901)
- Backports for 2023-07 release (#7908)
- Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
- The k3s certificate rotate-ca command now supports the data-dir flag.
- Adding cli to custom klipper helm image (#7914)
- The default helm-controller job image can now be overridden with the --helm-job-image CLI flag
- Generation of certs and keys for etcd gated if etcd is disabled (#7944)
- Don't use zgrep in check-config if apparmor profile is enforced (#7956)
- Fix image_scan.sh script and download trivy version (#7950) (#7968)
- Adjust default kubeconfig file permissions (#7983)
- Update to v1.26.7 (#8022)
Release v1.26.6+k3s1
This release updates Kubernetes to v1.26.6, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.5+k3s1:
- Update flannel version (#7648)
- Bump vagrant libvirt with fix for plugin installs (#7658)
- E2E and Dep Backports - June (#7693)
- Bump docker go.mod #7681
- Shortcircuit commands with version or help flags #7683
- Add Rotation certification Check, remove func to restart agents #7097
- E2E: Sudo for RunCmdOnNode #7686
- VPN integration (#7727)
- E2e: Private registry test (#7721)
- Fix spelling check (#7751)
- Remove unused libvirt config (#7757)
- Backport version bumps and bugfixes (#7717)
- The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
- The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
- The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
- Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
- Make LB image configurable when compiling k3s
- K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
- The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
- The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist.
- Add format command on makefile (#7762)
- Fix logging and cleanup in Tailscale (#7782)
- Update Kubernetes to v1.26.6 (#7789)
Release v1.26.5+k3s1
This release updates Kubernetes to v1.26.5, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.4+k3s1:
- Ensure that klog verbosity is set to the same level as logrus (#7360)
- Prepend release branch to dependabot (#7374)
- Add integration tests for etc-snapshot server flags (#7377)
- Bump Runc and Containerd (#7399)
- CLI + Config Enhancement (#7403)
- --Tls-sans now accepts multiple arguments: --tls-sans="foo,bar"
- Prefer-bundled-bin: true now works properly when set in config.yaml.d files
- Migrate netutil methods into /utils/net.go (#7432)
- Bump kube-router version to fix a bug when a port name is used (#7460)
- Kube flags and longhorn storage tests (#7465)
- Local-storage: Fix permission (#7474)
- Bump containerd to v1.7.0 and move back into multicall binary (#7444)
- The embedded containerd version has been bumped to v1.7.0-k3s1, and has been reintegrated into the main k3s binary for a significant savings in release artifact size.
- Backport version bumps and bugfixes (#7514)
- K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
- K3s once again supports aarch64 nodes with page size > 4k
- The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
- K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
- K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
- Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
- Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
- Fixed a regression that prevented the pod and cluster egress-selector modes from working properly.
- K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
- K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
- The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
- The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
- The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
- Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#7534)
- The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
- Wrap error stating that it is coming from netpol (#7547)
- Add '-all' flag to apply to inactive units (#7573)
- Update to v1.26.5-k3s1 (#7576)
- Pin emicklei/go-restful to v3.9.0 (#7598)
Release v1.26.4+k3s1
This release updates Kubernetes to v1.26.4, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.3+k3s1:
- Enhance k3s check-config (#7091)
- Update stable channel to v1.25.8+k3s1 (#7161)
- Drone Pipelines enhancement (#7169)
- Fix_get_sha_url (#7187)
- Improve Updatecli local-path-provisioner pipeline (#7181)
- Improve workflow (#7142)
- Improve Trivy configuration (#7154)
- Bump Local Path Provisioner version (#7167)
- The bundled local-path-provisioner version has been bumped to v0.0.24
- Bump etcd to v3.5.7 (#7170)
- The embedded etcd version has been bumped to v3.5.7
- Bump runc to v1.1.5 (#7171)
- The bundled runc version has been bumped to v1.1.5
- Fix race condition caused by etcd advertising addresses that it does not listen on (#7147)
- Fixed a race condition during cluster reset that could cause the operation to hang and time out.
- Bump coredns to v1.10.1 (#7168)
- The bundled coredns version has been bumped to v1.10.1
- Don't apply hardened args to agent (#7089)
- Upgrade helm-controller to v0.13.3 (#7209)
- Improve Klipper Helm and Helm controller bumps (#7146)
- Fix issue with stale connections to removed LB server (#7194)
- The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member.
- Bump actions/setup-go from 3 to 4 (#7111)
- Lock bootstrap data with empty key to prevent conflicts (#7215)
- When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously.
- Updated kube-router to move the default ACCEPT rule at the end of the chain (#7218)
- The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
- Add make commands to terraform automation and fix external dbs related issue (#7159)
- Update klipper lb to v0.4.2 (#7210)
- Add coreos and sle micro to selinux support (#6945)
- Fix call for k3s-selinux versions in airgapped environments (#7264)
- Update Kube-router ACCEPT rule insertion and install script to clean rules before start (#7274)
- The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
- Update to v1.26.4-k3s1 (#7282)
- Bump golang:alpine image version (#7292)
- Bump Sonobuoy version (#7256)
- Bump Trivy version (#7257)
Release v1.26.3+k3s1
This release updates Kubernetes to v1.26.3, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.26.2+k3s1:
- Add E2E to Drone (#6890)
- Add flannel adr (#6973)
- Update flannel and kube-router (#7039)
- Bump various dependencies for CVEs (#7044)
- Adds a warning about editing to the containerd config.toml file (#7057)
- Update stable version in channel server (#7066)
- Wait for kubelet port to be ready before setting (#7041)
- The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object.
- Improve support for rotating the default self-signed certs (#7032)
- The k3s certificate rotate-ca checks now support rotating self-signed certificates without the --force option.
- Skip all pipelines based on what is in the PR (#6996)
- Add missing kernel config checks (#6946)
- Remove deprecated nodeSelector label beta.kubernetes.io/os (#6970)
- MultiClusterCIDR for v1.26 (#6885)
- MultiClusterCIDR feature
- Remove Nikolai from MAINTAINERS list (#7088)
- Add automation for Restart command for K3s (#7002)
- Fix to Rotate CA e2e test (#7101)
- Drone: Cleanup E2E VMs on test panic (#7104)
- Update to v1.26.3-k3s1 (#7108)
- Pin golangci-lint version to v1.51.2 (#7113)
- Clean E2E VMs before testing (#7109)
- Update flannel to fix NAT issue with old iptables version (#7136)