Important notes

  • After the update, the UID will change for all Grafana data sources created using the GrafanaAdditionalDatasource resource. If a data source was referenced by UID, that reference will no longer be valid.

Major changes

  • A new parameter, iamNodeRole, has been introduced for the AWS provider. It lets you specify the name of the IAM role to bind to all AWS instances of cluster nodes. This can come in handy if you need to grant additional permissions (for example, access to ECR, etc.).

  • Creating nodes of the CloudPermanent type now takes less time. Now, CloudPermanent nodes are created in parallel. Previously, they were created in parallel only within a single group.

  • Monitoring changes:
    • Support for monitoring certificates in secrets of the Opaque type has been added.
    • Support for monitoring images in Amazon ECR has been added.
    • A bug that could cause partial loss of metrics when Prometheus instances were restarted has been fixed.

  • When using a multi-cluster Istio configuration or federation, you can now explicitly specify the list of addresses used for inter-cluster requests. Previously, these addresses were determined automatically; however, in some configurations, they could not be resolved.

  • The DexAuthenticator resource now has a highAvailability parameter that controls high availability mode. In high availability mode, multiple replicas of the authenticator are launched. Previously, high availability mode of all authenticators was determined by a global parameter or by the user-authn module. All authenticators deployed by DKP now inherit the high availability mode of the corresponding module.

  • Node labels can now be added, removed, or modified using files stored on the node in the /var/lib/node_labels directory and its subdirectories. The full set of applied labels is stored in the node.deckhouse.io/last-applied-local-labels annotation.

  • Support for the Huawei Cloud provider has been added.

  • The new keepDeletedFilesOpenedFor parameter in the log-shipper module allows you to configure the period to keep the deleted log files open. This way, you can continue reading logs from deleted pods for some time if log storage is temporarily unavailable.

  • TLS encryption for log collectors (Elasticsearch, Vector, Loki, Splunk, Logstash, Socket, Kafka) can now be configured using secrets, rather than by storing certificates in the ClusterLogDestination resources. The secret must reside in the d8-log-shipper namespace and have the log-shipper.deckhouse.io/watch-secret: true label.

  • In the project status under the resources section, you can now see which project resources have been installed. Those resources are marked with installed: true.

  • A new parameter, --tf-resource-management-timeout, has been added to the installer. It controls the resource creation timeout in cloud environments. By default, the timeout is set to 10 minutes. This parameter applies only to the following clouds: AWS, Azure, GCP, OpenStack.

Security

Known vulnerabilities have been addressed in the following modules:

  • admission-policy-engine
  • chrony
  • cloud-provider-azure
  • cloud-provider-gcp
  • cloud-provider-openstack
  • cloud-provider-yandex
  • cloud-provider-zvirt
  • cni-cilium
  • control-plane-manager
  • extended-monitoring
  • descheduler
  • documentation
  • ingress-nginx
  • istio
  • loki
  • metallb
  • monitoring-kubernetes
  • monitoring-ping
  • node-manager
  • operator-trivy
  • pod-reloader
  • prometheus
  • prometheus-metrics-adapter
  • registrypackages
  • runtime-audit-engine
  • terraform-manager
  • user-authn
  • vertical-pod-autoscaler
  • static-routing-manager

Component version updates

The following DKP components have been updated:

  • Kubernetes Control Plane: 1.29.14, 1.30.10, 1.31.6
  • aws-node-termination-handler: 1.22.1
  • capcd-controller-manager: 1.3.2
  • cert-manager: 1.16.2
  • chrony: 4.6.1
  • cni-flannel: 0.26.2
  • docker_auth: 1.13.0
  • flannel-cni: 1.6.0-flannel1
  • gatekeeper: 3.18.1
  • jq: 1.7.1
  • kubernetes-cni: 1.6.2
  • kube-state-metrics: 2.14.0
  • vector (log-shipper): 0.44.0
  • prometheus: 2.55.1
  • snapshot-controller: 8.2.0
  • yq4: 3.45.1

Mandatory component restart

The following components will be restarted after updating DKP to 1.68:

  • Kubernetes Control Plane
  • Ingress controller
  • Prometheus, Grafana
  • admission-policy-engine
  • chrony
  • cloud-provider-azure
  • cloud-provider-gcp
  • cloud-provider-openstack
  • cloud-provider-yandex
  • cloud-provider-zvirt
  • cni-cilium
  • control-plane-manager
  • descheduler
  • documentation
  • extended-monitoring
  • ingress-nginx
  • istio
  • kube-state-metrics
  • log-shipper
  • loki
  • metallb
  • monitoring-kubernetes
  • monitoring-ping
  • node-manager
  • openvpn
  • operator-trivy
  • prometheus
  • prometheus-metrics-adapter
  • pod-reloader
  • registrypackages
  • runtime-audit-engine
  • service-with-healthchecks
  • static-routing-manager
  • terraform-manager
  • user-authn
  • vertical-pod-autoscaler