v1.25.X
Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.
Release v1.25.16+k3s4
This release updates Kubernetes to v1.25.16, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.25.15+k3s2:
- Etcd status condition (#8819)
- Backports for 2023-11 release (#8880)
  - New timezone info in Docker image allows the use of spec.timeZone in CronJobs
  - Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
  - Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
  - Add agent flag disable-apiserver-lb; when it is set, the agent will not start the load balance proxy.
  - Improved ingress IP ordering from ServiceLB
  - Disable helm CRD installation for disable-helm-controller
  - Omit snapshot list configmap entries for snapshots without extra metadata
  - Add jitter to client config retry to avoid hammering servers when they are starting up
- Handle nil pointer when runtime core is not ready in etcd (#8889)
- Improve dualStack log (#8867)
- Bump dynamiclistener; reduce snapshot controller log spew (#8904)
  - Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
  - Reduced etcd snapshot log spam during initial cluster startup
- Fix etcd snapshot S3 issues (#8939)
  - Don't apply S3 retention if S3 client failed to initialize
  - Don't request metadata when listing S3 snapshots
  - Print key instead of file path in snapshot metadata log message
- Update to v1.25.16 (#8923)
- Remove s390x steps temporarily since runners are disabled (#8993)
- Remove s390x from manifest script (#8994)
Release v1.25.15+k3s2
This release updates Kubernetes to v1.25.15, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.25.15+k3s1:
- E2E Domain Drone Cleanup (#8584)
- Fix SystemdCgroup in templates_linux.go (#8767)
  - Fixed an issue with identifying additional container runtimes
- Update traefik chart to v25.0.0 (#8777)
- Update traefik to fix registry value (#8791)
Release v1.25.15+k3s1
This release updates Kubernetes to v1.25.15, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.25.14+k3s1:
- Fix error reporting (#8413)
- Add context to flannel errors (#8421)
- Testing Backports for September (#8301)
- Include the interface name in the error message (#8437)
- Add extraArgs to tailscale (#8466)
- Update kube-router (#8445)
- Added error when cluster reset while using server flag (#8457)
  - The user will receive an error when using --cluster-reset with the --server flag
- Cluster reset from non bootstrap nodes (#8454)
- Fix spellcheck problem (#8511)
- Take IPFamily precedence based on order (#8506)
- Network defaults are duplicated, remove one (#8553)
- Advertise address integration test (#8518)
- Fixed tailscale node IP dualstack mode in case of IPv4 only node (#8560)
- Server Token Rotation (#8578)
  - Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After the command succeeds, all server nodes must be restarted with the new token.
- Clear remove annotations on cluster reset (#8589)
  - Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
- Use IPv6 in case it is the first configured IP with dualstack (#8599)
- Backports for 2023-10 release (#8617)
- Update kube-router package in build script (#8636)
- Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#8644)
- Windows agent support (#8646)
- Use version.Program not K3s in token rotate logs (#8654)
- Add --image-service-endpoint flag (#8279) (#8664)
  - Add --image-service-endpoint flag to specify an external image service socket.
- Backport etcd fixes (#8692)
  - Re-enable etcd endpoint auto-sync
  - Manually requeue configmap reconcile when no nodes have reconciled snapshots
- Update to v1.25.15 and Go to v1.20.10 (#8679)
- Fix s3 snapshot restore (#8735)
Release v1.25.14+k3s1
This release updates Kubernetes to v1.25.14, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.25.13+k3s1:
- Bump kine to v0.10.3 (#8326)
- Update Kubernetes to v1.25.14 and go to 1.20.8 (#8350)
- Backport containerd bump and test fixes (#8384)
  - Bump embedded containerd to v1.7.6
  - Bump embedded stargz-snapshotter plugin to latest
  - Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
  - Fixed CI failures due to api discovery changes in Kubernetes 1.28
Release v1.25.13+k3s1
This release updates Kubernetes to v1.25.13, and fixes a number of issues.
This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.25.12+k3s1:
- Update flannel and plugins (#8076)
- Fix tailscale bug with ip modes (#8098)
- Etcd snapshots retention when node name changes (#8123)
- August Test Backports (#8127)
- Backports for 2023-08 release (#8132)
  - K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
  - K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
  - Updated the embedded containerd to v1.7.3+k3s1
  - Updated the embedded runc to v1.1.8
  - User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
  - Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
  - Updated kine to v0.10.2
- K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#8145)
- Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#8169)
- Fixed the etcd retention to delete orphaned snapshots based on the date (#8190)
- Additional backports for 2023-08 release (#8213)
  - The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
  - Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
  - The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
- Move flannel to 0.22.2 (#8223)
- Update to v1.25.13 (#8241)
- Fix runc version bump (#8246)
- Add new CLI flag to enable TLS SAN CN filtering (#8259)
  - Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
- Add RWMutex to address controller (#8275)
Release v1.25.12+k3s1
This release updates Kubernetes to v1.25.12, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.