Skip to content

Release v1.30.0
Compare
Choose a tag to compare
@SIGHUP-C-3PO SIGHUP-C-3PO released this 28 Nov 09:58
· 8 commits to main since this release
v1.30.0
ef81ad0
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Learn about vigilant mode.

Kubernetes Fury Distribution Release v1.30.0

Welcome to KFD release v1.30.0. This is the first release of KFD supporting Kubernetes 1.30.

The distribution is maintained with ❤️ by the team SIGHUP.

New Features since v1.29.4

Installer Updates

  • on-premises 📦 installer: v1.30.6
    • Updated etcd default version to 3.5.15
    • Updated HAProxy version to 3.0 TLS
    • Updated containerd default version to 1.7.23
    • Added support for Kubernetes versions 1.30.6, 1.29.10 and 1.28.15
  • eks 📦 installer: v3.2.0
    • Introduced AMI selection type: alinux2023 and alinux2
    • Fixed eks-managed nodepool node labels

Module updates

  • networking 📦 core module: v2.0.0
    • Updated Tigera operator to v1.36.1 (that includes calico v3.29.0)
    • Updated Cilium to v1.16.3
  • monitoring 📦 core module: v3.3.0
    • Updated blackbox-exporter to v0.25.0
    • Updated grafana to v11.3.0
    • Updated kube-rbac-proxy to v0.18.1
    • Updated kube-state-metrics to v2.13.0
    • Updated node-exporter to v1.8.2
    • Updated prometheus-adapter to v0.12.0
    • Updated prometheus-operator to v0.76.2
    • Updated prometheus to v2.54.1
    • Updated x509-exporter to v3.17.0
    • Updated mimir to v2.14.0
    • Updated minio to version RELEASE.2024-10-13T13-34-11Z
  • logging 📦 core module: v4.0.0
    • Updated opensearch and opensearch-dashboards to v2.17.1
    • Updated logging-operator to v4.10.0
    • Updated loki to v2.9.10
    • Updated minio to version RELEASE.2024-10-13T13-34-11Z
  • ingress 📦 core module: v3.0.1
    • Updated cert-manager to v1.16.1
    • Updated external-dns to v0.15.0
    • Updated forecastle to v1.0.145
    • Updated nginx to v1.11.3
  • auth 📦 core module: v0.4.0
    • Updated dex to v2.41.1
    • Updated pomerium to v0.27.1
  • dr 📦 core module: v3.0.0
    • Updated velero to v1.15.0
    • Updated all velero plugins to v1.11.0
    • Added snapshot-controller v8.0.1
  • tracing 📦 core module: v1.1.0
    • Updated tempo to v2.6.0
    • Updated minio to version RELEASE.2024-10-13T13-34-11Z
  • opa 📦 core module: v1.13.0
    • Updated gatekeeper to v3.17.1
    • Updated gatekeeper-policy-manager to v1.0.13
    • Updated kyverno to v1.12.6
  • aws 📦 module: v4.3.0
    • Updated cluster-autoscaler to v1.30.0
    • Updated snapshot-controller to v8.1.0
    • Updated aws-load-balancer-controller to v2.10.0
    • Updated node-termination-handler to v1.22.0

Breaking changes 💔

  • Loki store and schema change: A new store and schema has been introduced in order to improve efficiency, speed and scalability of Loki clusters. See "New features" below for more details.
  • DR schema change: A new format for the schedule customization has been introduced to improve the usability. See "New Features" section below for more details.
  • Kyverno validation failure action: Kyverno has deprecated audit and enforce as valid options for the validationFailureAction, valid options are now Audit and Enforce, in title case. Adjust your .spec.distribution.modules.policy.kyverno.validationFailureAction value accordingly.

New features 🌟

  • New option for Logging: Loki's configuration has been extended to accommodate a new tsdbStartDate required option to allow a migration towards TSDB and schema v13 storage (note: this is a breaking change):

    ...
spec:
  distribution:
    modules:
      logging:
        loki:
          tsdbStartDate: "2024-11-18"
...
    • tsdbStartDate (required): a string in ISO 8601 date format that represents the day starting from which Loki will record logs with the new store and schema.

    ℹ️ Note: Loki will assume the start of the day on the UTC midnight of the specified day.

  • Improved configurable schedules for DR backups: the schedule configuration has been updated to enhance the usability of schedule customization (note: this is a breaking change):

    ...
spec:
  distribution:
    modules:
      dr:
        velero:
          schedules:
            install: true
            definitions:
              manifests:
                schedule: "*/15 * * * *"
                ttl: "720h0m0s"
              full:
                schedule: "0 1 * * *"
                ttl: "720h0m0s"
                snapshotMoveData: false
...

  • DR snapshotMoveData options for full schedule: a new parameter has been introduced in the velero full schedule to enable the snapshotMoveData feature. This feature allows data captured from a snapshot to be copied to the object storage location. Important: Setting this parameter to true will cause Velero to upload all data from the snapshotted volumes to S3 using Kopia. While backups are deduplicated, significant storage usage is still expected. To enable this use the following parameter in the full schedule configuration:

    ...
spec:
  distribution:
    modules:
      dr:
        velero:
          schedules:
            install: true
            definitions:
              full:
                snapshotMoveData: true
...

General example to enable Volume Snapshotting on rook-ceph (from our storage add-on module):

apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
name: velero-snapclass
labels:
  velero.io/csi-volumesnapshot-class: "true"
driver: rook-ceph.rbd.csi.ceph.com
parameters:
  clusterID: rook-ceph
  csi.storage.k8s.io/snapshotter-secret-name: rook-csi-rbd-provisioner
  csi.storage.k8s.io/snapshotter-secret-namespace: rook-ceph
deletionPolicy: Retain

deletionPolicy: Retain is important because if the volume snapshot is deleted from the namespace, the cluster wide volumesnapshotcontent CR will be preserved, maintaining the snapshot on the storage that the cluster is using.

NOTE: For EKSCluster provider, a default VolumeSnapshotClass is created automatically.

  • DR optional snapshot-controller installation: To leverage VolumeSnapshots on the OnPremises and KFDDistribution providers, a new option on velero has been added to install the snapshot-controller component. Before activating this parameter make sure that in your cluster there is not another snapshot-controller component deployed. By default this parameter is false.

    ...
spec:
  distribution:
    modules:
      dr:
        velero:
          snapshotController:
            install: true
...

  • Prometheus ScrapeConfigs: the Monitoring module now enables by default the scrapeConfig CRDs from the Prometheus Operator. All the scrapeConfig objects present in the cluster will now be detected by the operator. ScrapeConfig objects are used to instruct Prometheus to scrape specific endpoints that could be outside the cluster.

  • Components Hardening: we hardened the security context of several components, improving the out-of-the-box security of the distribution.

  • On-premises minimal clusters: it is now possible to create clusters with only control-plane nodes, for minimal clusters installations that need to handle minimal workloads.

  • Helm Plugins: Helm plugins now allow disabling validation at installation time with the disableValidationOnInstall option. This can be useful when installing Helm charts that fail the diff step on a first installation, for example.

  • Network Policies (experimental 🧪): a new experimental feature is introduced in this version. You can now enable the installation of network policies that will restrict the traffic across all the infrastructural namespaces of KFD to just the access needed for its proper functioning and denying the rest of it. Improving the overall security of the cluster. This experimental feature is only available in OnPremises cluster at the moment. Read more in the Pull Request introducing the feature and in the relative documentation.

  • Global CVE patched images for core modules: This distribution version includes images that have been patched for OS vulnerabilities (CVE). To use these patched images, select the following option:

    ...
spec:
  distribution:
    common:
      registry: registry.sighup.io/fury-secured
...

Fixes 🐞

  • Improved Configuration Schema documentation: documentation for the configuration schemas was lacking, we greatly improved the quality and quantity of the documentation regarding each option in the schemas, for all the configuration kinds (OnPremises, EKSCluster, KFDDistribution).
  • [#264] Hubble UI: now is shown in the right group in the Directory
  • [#277] Hubble UI: make it work when auth type is SSO.
  • [#275] On-premises: use the org parameter for additional created users, it was being ignored before.
  • [#279] Monitoring: don't install x509 data plane on EKS clusters because it is not needed and triggers false alerts.
  • [#280] Migrations: fix migration from Auth type from sso to basicAuth and viceversa.
  • [#281] Migrations: some ingresses were not being deleted when migrating to Ingress type none.
  • [#281] Ingress: don't create TLS secret when ingress type is none.
  • [#283] EKS schema validation: fix DNS validation depending on if nginx is single, dual or none.
  • [#291] Monitoring: minio-monitoring ingress is now working when SSO is enabled.
  • [#291] Tracing: minio-tracing ingress is now created when Logging type is none and auth.type is sso.
  • [#293] Monitoring migrations: remove minio-monitoring ingress when migrating monitoring type from mimir to none.
  • [#301] Migrations: fix an error on the concatenation of kustomize bases. external-dns and opensearch are properly deleted now and no components are left behind.
  • [#310] Migrations: fix an error while migrating from auth type none to sso related to old ingresses not being deleted first.

Upgrade procedure

Check the upgrade docs for the detailed procedure.

Assets 5
Loading