Learn about new features, bug fixes, breaking changes, and known issues for MKE version 3.2.
(2021-06-29)
Note
MKE 3.2.15 is the final 3.2 release, as MKE version 3.2 becomes end-of-life on 2021-07-21.
Component | Version |
---|---|
MKE | 3.2.15 |
Kubernetes | 1.14.14 |
Calico | 3.8.9 |
Interlock | 3.2.3 |
Interlock NGINX proxy | 1.19.9 |
- Removed the `anonymize_tracking` setting; the MKE web UI no longer includes the Make data anonymous toggle (MKE-8316).
- Removed the `ServerNamesHashBucketSize` setting. The setting was confusing users because MKE adaptively calculates the value and overrides any manual input (MKE-8306).
- Added the `authz_cache_timeout` setting to the MKE configuration, which allows the caching of role-based access control (RBAC) information for non-Kubernetes MKE resource listing APIs. When enabled, this setting improves API performance and reduces the MKE database load. MKE does not enable the cache by default (FIELD-3540).
- `FELIX_LOGSEVERITYSCREEN` can now adhere to a greater number of MKE log verbosity levels, resulting in less log content when users do not want debug or error information (FIELD-2673).

Known issue: due to potential port conflicts between kubectl and NodePort, it may not be possible to use kubectl where a NodePort is established throughout the cluster (FIELD-3495).
Workaround: reconfigure the ephemeral port range on each container host so that it does not overlap the NodePort range.

1. Create the file `/etc/sysctl.d/kubelet_ephemeral_port.conf` with the following contents:

   ```
   net.ipv4.ip_local_port_range=35536 60999
   ```

2. Load the change for the current boot:

   ```
   sudo sysctl -p /etc/sysctl.d/kubelet_ephemeral_port.conf
   ```

3. Restart the kubelet:

   ```
   docker restart ucp-kubelet
   ```
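The three steps above as one script, added here as an example and not part of the original release notes: it reads the host's current ephemeral range, checks it against the NodePort range, and only rewrites the sysctl drop-in when the two actually overlap, so it is safe to run on hosts that are already clear. The NodePort range 30000-32767 is an assumption (the upstream Kubernetes default); set `NODEPORT_LO`/`NODEPORT_HI` if your cluster uses a different range.

```shell
#!/bin/sh
# Added example (not from the MKE release notes). Reconfigure the host's
# ephemeral port range so it cannot collide with Kubernetes NodePorts.
# Assumption: the NodePort range is the upstream default 30000-32767.
NODEPORT_LO=${NODEPORT_LO:-30000}
NODEPORT_HI=${NODEPORT_HI:-32767}
SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/kubelet_ephemeral_port.conf}

# ranges_overlap LO1 HI1 LO2 HI2: succeed if [LO1,HI1] and [LO2,HI2] intersect.
ranges_overlap() {
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# current_ephemeral_range: print the kernel's "LO HI" (tab-separated in /proc).
current_ephemeral_range() {
    tr '\t' ' ' < /proc/sys/net/ipv4/ip_local_port_range
}

# choose_ephemeral_range LO HI: print a range that stays clear of NodePorts.
# The range is returned unchanged when it already does; otherwise the low end
# moves to 35536 (the value the release notes use), or to just above the
# NodePort range if that is higher, and a high end that would then fall below
# the low end is reset to the kernel default of 60999.
choose_ephemeral_range() {
    lo=$1; hi=$2
    if ranges_overlap "$lo" "$hi" "$NODEPORT_LO" "$NODEPORT_HI"; then
        lo=35536
        if [ "$lo" -le "$NODEPORT_HI" ]; then lo=$((NODEPORT_HI + 1)); fi
        if [ "$hi" -lt "$lo" ]; then hi=60999; fi
    fi
    echo "$lo $hi"
}

# render_sysctl_dropin LO HI: the one-line sysctl drop-in from the workaround.
render_sysctl_dropin() {
    printf 'net.ipv4.ip_local_port_range=%s %s\n' "$1" "$2"
}

# apply_workaround: run as root; drain the node first, as the notes recommend.
apply_workaround() {
    set -- $(current_ephemeral_range)          # $1=LO $2=HI as the kernel has them
    set -- $(choose_ephemeral_range "$1" "$2") # $1=LO $2=HI we want
    render_sysctl_dropin "$1" "$2" > "$SYSCTL_FILE"
    sysctl -p "$SYSCTL_FILE"                   # load for the current boot
    docker restart ucp-kubelet                 # kubelet must pick up the new range
}

if [ "${1:-}" = "apply" ]; then apply_workaround; fi
```

Run it as `sh ephemeral-ports.sh apply` on each host; without the `apply` argument it only defines the functions, which is convenient for checking a host with `. ./ephemeral-ports.sh; choose_ephemeral_range $(current_ephemeral_range)`.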
Wherever possible, Mirantis recommends that you put the Kubernetes node that you plan to restart into drain status, which thereby migrates running pods to other nodes. In the event that the kubelet restart lasts longer than five minutes, this migration will minimize the potential impact on those services.
Undertake any restart of the kubelet on a manager node with care, as this action will impact the services and API of any Kubernetes system pod that restarts concurrently, until the manager node kubelet operates normally.
Note that this workaround may not be a viable option in a production environment, as restarting the kubelet can result in any of the following:
(2021-05-17)
Component | Version |
---|---|
MKE | 3.2.14 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.3 |
Interlock NGINX proxy | 1.14.2 |
- `server_names_hash_bucket_size` could not handle very long host names, sometimes causing existing services to become unreachable. `server_names_hash_bucket_size` is now fully adaptive within hard bounds (MKE-8262).
- Fixed an issue wherein enabling or disabling `HitlessServiceUpdate` while a proxy update is in progress caused the proxy update to stop (FIELD-3623).
- Fixed an issue wherein files were left in the `ucp-backup` volume (`/var/lib/docker/volumes/ucp-backup`) after the completion of the back-up process. Now, following back-up, only the back-up archive and log file (if included) remain (FIELD-3612).
- Fixed an issue wherein the status `disconnected` was shown for drained nodes (FIELD-3771).

(2021-04-12)
Component | Version |
---|---|
MKE | 3.2.13 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.1 |
Interlock NGINX proxy | 1.14.2 |
Added the ability to use the CLI to send a support dump to Mirantis Customer Support, by including the --submit option with the support command (MKE-8150).
Compose-on-Kubernetes will be deprecated in a future release (ENGDOCS-959).
The LDAP search now performs stricter checks, and as such user syncing errors can no longer cause MKE users to be deactivated. User syncing now aborts when any of the following conditions are met:

- the LDAP server that a `SearchResultReference` points to is inaccessible (FIELD-3619).
(2021-03-01)
Component | Version |
---|---|
MKE | 3.2.12 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.1 |
Interlock NGINX proxy | 1.14.2 |
Fixed an issue with running Kubernetes on Azure wherein pods failed to start with the following error (FIELD-3635):

```
Failed to create pod sandbox: rpc error: code = Unknown desc = failed to
set up sandbox container "[…]" network for pod "[…]": networkPlugin cni
failed to set up pod "[…]" network: Failed to allocate address: Invalid
address space
```
Resolved an important security issue in Go's `encoding/xml` package that affects all prior versions of MKE 3.2. Specifically, maliciously crafted XML markup could mutate during round trips through Go's decoder and encoder implementations, so that the document whose signature was verified is not the document the application later acts on.

Implementations of Go-based SAML (Security Assertion Markup Language, an XML-based standard approach to Single Sign-On, SSO, on the web) are often vulnerable to tampering by an attacker injecting malicious markup into a correctly-signed SAML message. MKE uses crewjam/saml, a Go SAML implementation that is affected by the vulnerability and which is tracked by CVE-2020-27846 (MKE-8149).
(2021-02-02)
Component | Version |
---|---|
MKE | 3.2.11 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.1 |
Interlock NGINX proxy | 1.14.2 |
It may not be possible to use kubectl where a NodePort has already been established throughout the cluster, due to potential port conflicts between kubectl and NodePort (FIELD-3495).
Workaround:
Restart the kubelet to resolve the port conflict, after which you can exec into the node.
Wherever possible, it is recommended that you put the Kubernetes node that you plan to restart into drain status, thereby migrating running pods to other nodes. In the event that the kubelet restart lasts longer than five minutes, this migration will minimize the potential impact on those services.
Restarting the kubelet on a manager node should be undertaken with care. The services and API of any Kubernetes system pod that restarts concurrently will be impacted until the manager node’s kubelet is operating normally.
Note that this workaround may not be a viable option in a production environment, and that restarting the kubelet can result in any of the following:
(2020-12-17)
Component | Version |
---|---|
UCP | 3.2.10 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.0 |
Interlock NGINX proxy | 1.14.2 |
(2020-11-12)
Component | Version |
---|---|
MKE | 3.2.9 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.0 |
Interlock NGINX proxy | 1.14.2 |
(2020-08-10)
Component | Version |
---|---|
MKE | 3.2.8 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.2.0 |
Interlock NGINX proxy | 1.14.2 |
On Docker Hub, MKE images are now released to ‘mirantis’ instead of ‘docker’.
We updated the location of our offline bundles for MKE from https://packages.docker.com/caas/ to https://packages.mirantis.com/caas/ for the following versions of MKE.
Offline bundles for other previous versions of MKE will remain on the docker domain.
Whitelisting of all MKE repos (FIELD-2723).
Added tracing to Interlock (ENGORC-7565).
We fixed an issue in which Docker Content Trust was randomly failing to verify valid signatures (FIELD-2302).
The MKE upgrade GUI creates a command string that uses `docker image pull docker/ucp:...`. Starting with MKE version 3.1.15, change it to `docker image pull mirantis/ucp:...` (ENGORC-7806).
We fixed an issue that caused the following ucp-kubelet error when the docker root location (`/var/lib/docker`) was modified (ENGORC-7671):

```
failed to load Kubelet config file
/var/lib/docker/volumes/ucp-node-certs/_data/kubelet_daemon.conf,
error failed to read kubelet config file
"/var/lib/docker/volumes/ucp-node-certs/_data/kubelet_daemon.conf",
error: open /var/lib/docker/volumes/ucp-node-certs/_data/kubelet_daemon.
conf: no such file or directory
```
We updated the container/ps APIs to require admin access (ENGORC-7618).
We fixed an issue that prevented users from logging into MKE using Security Assertion Markup Language (SAML) after the root certificate for Active Directory Federation Services (ADFS) had been renewed (ENGORC-7754).
We added support for installing MKE on cloud providers using `cloud-provider=external` (ENGORC-7686).
We fixed an issue that allowed users unlimited login attempts in MKE, MSR, and eNZi (ENGORC-7742).
We fixed an issue that prevented the HNS network from starting before starting the kube-proxy on Windows, which prevented kube bringup on the node (ENGORC-7961).
We fixed an issue with the MKE user interface for Kubernetes pods that made it look like no data was returned if no vulnerabilities were found, instead of indicating a clean report (ENGORC-7685).
We fixed an issue that caused Kubernetes Windows nodes to take too long to come up (ENGORC-7660).
Added interlock configuration validation (ENGORC-7643).
When HitlessServiceUpdate is enabled, the config service no longer waits for the proxy service to complete an update, thus reducing the delay between a configuration change being made and taking effect (FIELD-2152).
Improved the speed of interlock API calls (ENGORC-7366).
We fixed an issue that allowed API path traversal (ENGORC-7744).
Using Docker Enterprise with the AWS Kubernetes cloud provider requires the instance metadata service for Linux nodes. Enabling the metadata service also makes it reachable from Linux workload containers, which could then read the node's instance credentials, so it is best practice to block that access. You can add an iptables rule that blocks access from workload containers and make it persistent by adding it to the Docker systemd unit (ENGORC-7620):

1. Create the file `/etc/systemd/system/docker.service.d/block-aws-metadata.conf` with the following contents:

   ```
   # /etc/systemd/system/docker.service.d/block-aws-metadata.conf
   [Service]
   ExecStartPost=/bin/sh -c "iptables -I DOCKER-USER -d 169.254.169.254/32 -j DROP"
   ```

2. Reload the systemd configuration (`systemctl daemon-reload`). The iptables rule will now be installed every time the Docker engine starts.

3. Check for the presence of the rule with `iptables -nvL DOCKER-USER`.
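Two things a practitioner will want beyond the bare rule: an idempotent insert, because Docker does not flush `DOCKER-USER` on restart and a plain `-I` in `ExecStartPost` accumulates a duplicate rule per restart, and a check that the rule actually sits before the chain's `RETURN`, since a rule appended with `-A` lands after it and is never evaluated. The following is an added example, not code from the release notes or from Mirantis; the two listings it parses are constructed samples in `iptables -nvL` layout, not captures from a real host.

```shell
#!/bin/sh
# Added example (not from the MKE release notes). Install the IMDS block rule
# idempotently and verify from `iptables -nvL DOCKER-USER` output that it sits
# before the chain's RETURN rule, where it actually takes effect.
IMDS=169.254.169.254

# ensure_imds_block: insert the DROP rule only when it is absent (-C exits
# non-zero when the rule is not in the chain).
ensure_imds_block() {
    iptables -C DOCKER-USER -d "$IMDS/32" -j DROP 2>/dev/null \
        || iptables -I DOCKER-USER -d "$IMDS/32" -j DROP
}

# imds_block_effective: read `iptables -nvL DOCKER-USER` output on stdin and
# succeed only if a DROP to the IMDS address appears before any RETURN/ACCEPT
# that matches every destination. Columns with -nv are:
#   pkts bytes target prot opt in out source destination
imds_block_effective() {
    awk -v imds="$IMDS" '
        NR <= 2 { next }                               # "Chain ..." line and column header
        $3 == "DROP" && ($9 == imds || $9 == (imds "/32")) { found = 1; exit }
        ($3 == "RETURN" || $3 == "ACCEPT") && $9 == "0.0.0.0/0" { exit }
        END { exit !found }
    '
}

# Constructed sample listings for illustration (not captured from a real host).
good_listing() {
    cat <<'EOF'
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.169.254
 1234 56789 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
EOF
}

# Rule appended with -A: present in the chain but placed after RETURN, so
# forwarded packets never reach it.
bad_listing() {
    cat <<'EOF'
Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1234 56789 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.169.254
EOF
}

if [ "${1:-}" = "apply" ]; then
    ensure_imds_block
    iptables -nvL DOCKER-USER | imds_block_effective && echo "IMDS block is effective"
fi
```

The same idempotent form fits the systemd drop-in directly: `ExecStartPost=/bin/sh -c "iptables -C DOCKER-USER -d 169.254.169.254/32 -j DROP || iptables -I DOCKER-USER -d 169.254.169.254/32 -j DROP"`. Verifying from inside a workload container (`curl -m 2 http://169.254.169.254/latest/meta-data/` should time out) is still worth doing once, because the chain listing only proves ordering, not that the container's traffic traverses `FORWARD`.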
We fixed an issue in which the MKE support dump script checked for the obsolete legacy DTR (1.x) `dtr-br` bridge network and, being unable to find it, reported an error in `dsinfo.txt` (FIELD-2670).
Fixed an issue wherein swarm rotated the CA causing AuthorizeNode to fail (FIELD-2875).
2020-06-24
Component | Version |
---|---|
MKE | 3.2.7 |
Kubernetes | 1.14.8 |
Calico | 3.8.9 |
Interlock | 3.1.3 |
Interlock NGINX proxy | 1.14.2 |
Golang | 1.13.8 |
2020-03-10
Component | Version |
---|---|
MKE | 3.2.6 |
Kubernetes | 1.14.8 |
Calico | 3.8.2 |
Interlock | 3.0.0 |
Interlock NGINX proxy | 1.14.2 |
Golang | 1.13.8 |
(2020-01-28)
MKE currently turns on vulnerability information for images deployed within MKE by default for upgrades. This may cause clusters to fail due to performance issues. (ENGORC-2746)
For Red Hat Enterprise Linux (RHEL) 8, if firewalld is running and `FirewallBackend=nftables` is set in `/etc/firewalld/firewalld.conf`, change this to `FirewallBackend=iptables`, or explicitly run the following commands to allow traffic to enter the default bridge (docker0) network:

```
firewall-cmd --permanent --zone=trusted --add-interface=docker0
firewall-cmd --reload
```
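A preflight check for this condition, added here as an example and not part of the release notes: it parses the active `FirewallBackend` value (ignoring commented-out lines), checks whether docker0 is already in the trusted zone, and prints the fix only when both conditions for the failure hold. Treating an unset `FirewallBackend` as nftables is an assumption based on the firewalld default shipped with RHEL 8; the configuration text in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the MKE release notes). Preflight check for the
# RHEL 8 firewalld/nftables issue. The decision logic reads its inputs from
# stdin so it can be exercised without root; the live check at the bottom
# runs firewall-cmd for real.

# firewall_backend: read /etc/firewalld/firewalld.conf on stdin and print the
# active FirewallBackend value, ignoring commented-out lines, or "unset".
firewall_backend() {
    awk -F= '/^[[:space:]]*FirewallBackend[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v) }
             END { print (v == "" ? "unset" : v) }'
}

# docker0_trusted: read `firewall-cmd --zone=trusted --list-interfaces` output
# on stdin and succeed if docker0 is already in the trusted zone.
docker0_trusted() {
    tr ' ' '\n' | grep -qx docker0
}

# bridge_check BACKEND TRUSTED: exit 0 when nothing needs doing, 1 when docker0
# traffic will be dropped (nftables backend, docker0 not trusted). An unset
# backend is treated as nftables, the RHEL 8 default (assumption).
bridge_check() {
    backend=$1; trusted=$2
    [ "$backend" = iptables ] && return 0
    [ "$trusted" = yes ] && return 0
    return 1
}

if [ "${1:-}" = "check" ]; then
    backend=$(firewall_backend < /etc/firewalld/firewalld.conf)
    if firewall-cmd --zone=trusted --list-interfaces | docker0_trusted; then t=yes; else t=no; fi
    if bridge_check "$backend" "$t"; then
        echo "ok: backend=$backend docker0-trusted=$t"
    else
        echo "docker0 traffic will be blocked (backend=$backend); run:"
        echo "  firewall-cmd --permanent --zone=trusted --add-interface=docker0 && firewall-cmd --reload"
    fi
fi
```

Note that adding docker0 to the trusted zone accepts all traffic arriving from the bridge; if that is broader than your policy allows, switching the backend to iptables is the narrower of the two fixes the notes offer.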
Component | Version |
---|---|
MKE | 3.2.5 |
Kubernetes | 1.14.8 |
Calico | 3.8.2 |
Interlock | 3.0.0 |
Interlock NGINX proxy | 1.14.2 |
2019-11-14
MKE currently turns on vulnerability information for images deployed within MKE by default for upgrades. This may cause clusters to fail due to performance issues. (ENGORC-2746)
For Red Hat Enterprise Linux (RHEL) 8, if firewalld is running and `FirewallBackend=nftables` is set in `/etc/firewalld/firewalld.conf`, change this to `FirewallBackend=iptables`, or explicitly run the following commands to allow traffic to enter the default bridge (docker0) network:

```
firewall-cmd --permanent --zone=trusted --add-interface=docker0
firewall-cmd --reload
```
- `secure-overlay`. This flag enables IPsec network encryption in Kubernetes.
- Fixed an issue that allowed a user with the Restricted Control role to obtain Admin access to MKE (ENGORC-2781).
- `--file` switch is used (FIELD-2043).
- Added the `ImageScanAggregationEnabled` setting to the MKE tuning config (ENGORC-2746).
- Added permissions checks for the `VolumesFrom` Containers option. Previously, this field was ignored by the container create request parser, leading to a gap in permissions checks (ENGORC-2781).

Component | Version |
---|---|
MKE | 3.2.4 |
Kubernetes | 1.14.8 |
Calico | 3.8.2 |
Interlock | 3.0.0 |
Interlock NGINX proxy | 1.14.2 |
2019-10-21
- When the Interlock setting `HitlessServiceUpdate` is set to `true`, the proxy service no longer needs to restart when services are updated, reducing service interruptions. The proxy also does not have to restart when services are added or removed, as long as the set of service networks attached to the proxy is unchanged. If secrets or service networks need to be added or removed, the proxy service will restart as in previous releases (ENGCORE-792).
- `com.docker.lb.network` label does not match any of the networks to which the service is attached (ENGCORE-837).
- `HTTPVersion` is invalid (FIELD-2046).

Component | Version |
---|---|
MKE | 3.2.3 |
Kubernetes | 1.14.7 |
Calico | 3.8.2 |
Interlock | 3.0.0 |
Interlock NGINX proxy | 1.14.2 |
2019-09-03
The `azure-ip-count` variable is now exposed at install time, allowing a user to customize the number of IP addresses MKE provisions for each node.

Component | Version |
---|---|
MKE | 3.2.1 |
Kubernetes | 1.14.6 |
Calico | 3.8.2 |
Interlock | 2.6.1 |
Interlock NGINX proxy | 1.14.2 |
2019-7-22
Refer to MKE image vulnerabilities for details regarding actions to be taken, timeline, and any status updates, issues, and recommendations.
`--credential-spec` with the `config://<config-name>` format. This passes the gMSA credentials file directly to nodes before a container starts.

The following features are deprecated in MKE 3.2:

- `stop` and `restart`. Additional upgrade functionality has been included which eliminates the need for these commands.
- `ucp-agent-pause` is no longer supported. To pause MKE reconciliation on a specific node, for example, when repairing unhealthy `etcd` or `rethinkdb` replicas, you can use swarm node labels as shown in the following example:

  ```
  docker node update --label-add com.docker.ucp.agent-pause=true <NODE>
  ```

- `docker service update ucp-manager-agent --config-add <Docker config> ...` is deprecated and will be removed in a future release. To update the MKE config, use the `/api/ucp/config-toml` endpoint described in https://docs.docker.com/ee/ucp/admin/configure/ucp-configuration-file/.

If your cluster has lost quorum and you cannot recover it on your own, please contact Docker Support.
In order to optimize user experience and security, support for Internet Explorer (IE) version 11 is not provided for Windows 7 with MKE version 3.2. Docker recommends updating to a newer browser version if you plan to use MKE 3.2, or remaining on MKE 3.1.x or older until EOL of IE11 in January 2020.
- `VolumeScheduling` and `DynamicProvisioningScheduling`.
- `--service-account-issuer`, `--service-account-signing-key-file`, `--service-account-api-audiences`
- `--cadvisor-port` flag from kubelet: `--cadvisor-port` was removed in 1.12. If cAdvisor is needed, run it via a DaemonSet. kubernetes #65707
- kube-apiserver: the `Priority` admission plugin is now enabled by default when using `--enable-admission-plugins`. If using `--admission-control` to fully specify the set of admission plugins, the `Priority` admission plugin should be added if using the `PodPriority` feature, which is enabled by default in 1.11.
- `autoscaling/v2beta2` and `custom_metrics/v1beta2` implement metric selectors for Object and Pods metrics, as well as allow AverageValue targets on Objects, similar to External metric. kubernetes #64097
- The default values of `--audit-webhook-version` and `--audit-log-version` are changed from `audit.k8s.io/v1beta1` to `audit.k8s.io/v1`. kubernetes #65891

Kubelet fails mounting local volumes in "Block" mode on SLES 12 and SLES 15 hosts. The error message from the kubelet looks like the following, with `mount` returning error code 32:
```
Operation for "\"kubernetes.io/local-volume/local-pxjz5\"" failed. No retries
permitted until 2019-07-18 20:28:28.745186772 +0000 UTC m=+5936.009498175
(durationBeforeRetry 2m2s). Error: "MountVolume.MountDevice failed for volume \"local-pxjz5\"
(UniqueName: \"kubernetes.io/local-volume/local-pxjz5\") pod
\"pod-subpath-test-local-preprovisionedpv-l7k9\" (UID: \"364a339d-a98d-11e9-8d2d-0242ac11000b\")
: local: failed to mount device /dev/loop0 at
/var/lib/kubelet/plugins/kubernetes.io/local-volume/mounts/local-pxjz5 (fstype: ),
error exit status 32"
```
Issuing `dmesg` on the system will show something like the following:

```
[366633.029514] EXT4-fs (loop3): Couldn't mount RDWR because of SUSE-unsupported optional feature METADATA_CSUM. Load module with allow_unsupported=1.
```
For block volumes, if a specific filesystem is not specified, ext4 is used as the default to format the volume. `mke2fs` is the utility used for formatting and is part of the hyperkube image. The config file for mke2fs is `/etc/mke2fs.conf`. By default it contains the following entry for ext4. Note that the features list includes `metadata_csum`, which enables storing checksums to ensure filesystem integrity:

```
[fs_types]
...
        ext4 = {
                features = has_journal,extent,huge_file,flex_bg,metadata_csum,64bit,dir_nlink,extra_isize
                inode_size = 256
        }
```

`metadata_csum` for ext4 on SLES 12 and SLES 15 is an experimental feature, and the kernel does not allow mounting of volumes that have been formatted with metadata checksums enabled. In the `ucp-kubelet` container, mke2fs is configured to enable metadata checksumming while formatting block volumes. The kubelet tries to mount such a block volume, but the kernel denies the mount with exit status 32.
To resolve this issue on SLES 12 and SLES 15 hosts, use `sed` to remove the `metadata_csum` feature from `/etc/mke2fs.conf` inside the `ucp-kubelet` container:

```
docker exec ucp-kubelet sed -i 's/metadata_csum,//g' /etc/mke2fs.conf
```

This resolution can be automated across your cluster of SLES 12 and SLES 15 hosts by creating a Docker swarm service as follows. Note that, for this, the hosts must be in swarm mode.

Create a global Docker service that removes the `metadata_csum` feature from the mke2fs config file (`/etc/mke2fs.conf`) in the `ucp-kubelet` container. For this, use the MKE client bundle to point to the MKE cluster and run the following swarm command:

```
docker service create --mode=global --restart-condition none --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock mavenugo/swarm-exec:17.03.0-ce docker exec ucp-kubelet "/bin/bash" "-c" "sed -i 's/metadata_csum,//g' /etc/mke2fs.conf"
```

Note that this service bind-mounts the Docker socket into a third-party image, which is equivalent to root on every node it runs on; vet or mirror the image before using it in your environment.

You can now switch nodes to be Kubernetes workers.
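The `sed 's/metadata_csum,//g'` in the workaround only removes the feature when a comma follows it; if `metadata_csum` is the last entry of a features list, or the list is written with spaces around the commas, the line is left unchanged and the mount keeps failing with status 32. The following is an added example, not code from the release notes or from the ucp-kubelet image, that edits the `features =` lines field by field instead and provides a check you can run before and after. The `mke2fs.conf` text in the usage is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the MKE release notes). Remove metadata_csum from
# every "features = ..." line of an mke2fs.conf read on stdin, regardless of
# its position in the list, and report whether any such line still has it.

# strip_metadata_csum: rewrite "features = a,b,metadata_csum,c" style lines
# (leading whitespace preserved) so metadata_csum is dropped wherever it sits.
strip_metadata_csum() {
    awk '
        /^[[:space:]]*features[[:space:]]*=/ {
            eq = index($0, "=")
            n = split(substr($0, eq + 1), f, ",")
            out = ""
            for (i = 1; i <= n; i++) {
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", f[i])
                if (f[i] == "" || f[i] == "metadata_csum") continue
                out = out (out == "" ? "" : ",") f[i]
            }
            $0 = substr($0, 1, eq) " " out
        }
        { print }
    '
}

# has_metadata_csum: succeed if any features line on stdin still enables it.
has_metadata_csum() {
    awk '
        /^[[:space:]]*features[[:space:]]*=/ {
            n = split(substr($0, index($0, "=") + 1), f, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[[:space:]]/, "", f[i])
                if (f[i] == "metadata_csum") { found = 1; exit }
            }
        }
        END { exit !found }
    '
}

# fix_kubelet_mke2fs: apply the rewrite inside the ucp-kubelet container on
# this node (the swarm service in the notes does the same cluster-wide).
fix_kubelet_mke2fs() {
    docker exec ucp-kubelet cat /etc/mke2fs.conf | strip_metadata_csum \
        | docker exec -i ucp-kubelet sh -c 'cat > /etc/mke2fs.conf'
}

if [ "${1:-}" = "apply" ]; then fix_kubelet_mke2fs; fi
```

Run `docker exec ucp-kubelet cat /etc/mke2fs.conf | has_metadata_csum && echo still-enabled` after the swarm service completes to confirm every node was actually rewritten; the service's `Shutdown Complete` state only says the task ran, not that the sed matched.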
The symptom of this issue is that kubelets or calico-node pods are down with one of the following error messages:

- Kubelet is unhealthy
- Calico-node pod is unhealthy

This is a rare issue, but there is a race condition in MKE today where Docker iptables rules get permanently deleted. This happens when Calico tries to update the iptables state using delete commands passed to `iptables-restore` while Docker simultaneously updates its iptables state, and Calico ends up deleting the wrong rules.

Rules that are affected (the POSTROUTING rule lives in the nat table, and the source subnet must match your docker0 subnet, which is 172.17.0.0/16 on a default Docker installation):

```
/sbin/iptables --wait -I FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -I FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables --wait -t nat -I POSTROUTING -s 172.17.0.0/24 ! -o docker0 -j MASQUERADE
```

The fix for this issue should be available as a minor version release in Calico and incorporated into MKE in a subsequent patch release. Until then, as a workaround we recommend either:

- re-adding the above rules manually or via cron, or
- restarting Docker
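Re-adding the rules from cron only works if the script is idempotent, otherwise every run that finds the rules intact inserts another copy. The following is an added example, not code from the release notes or from Calico, that checks each rule with `-C` before inserting it, addresses POSTROUTING in the nat table, and takes the docker0 subnet from `DOCKER0_SUBNET` (defaulting to the /24 the notes list; verify yours with `docker network inspect bridge`). The `IPTABLES` variable exists so the logic can be exercised with a stand-in instead of the real binary.

```shell
#!/bin/sh
# Added example (not from the MKE release notes). Re-add the Docker rules
# that the Calico/Docker race can delete, idempotently, so the script is safe
# to run from cron every minute. IPTABLES can be overridden for testing.
IPTABLES=${IPTABLES:-/sbin/iptables}
# The notes list 172.17.0.0/24; Docker's default docker0 subnet is 172.17.0.0/16.
# Check `docker network inspect bridge` and set DOCKER0_SUBNET to match.
DOCKER0_SUBNET=${DOCKER0_SUBNET:-172.17.0.0/24}

# ensure_rule TABLE CHAIN RULE...: insert RULE at the top of CHAIN only if it
# is missing (-C exits non-zero when the rule is absent).
ensure_rule() {
    table=$1; chain=$2; shift 2
    if "$IPTABLES" --wait -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" --wait -t "$table" -I "$chain" "$@"
}

# restore_docker_rules: the three rules from the notes. MASQUERADE is a nat
# table target, so POSTROUTING must be addressed with -t nat.
restore_docker_rules() {
    ensure_rule filter FORWARD -o docker_gwbridge -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule filter FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    ensure_rule nat POSTROUTING -s "$DOCKER0_SUBNET" ! -o docker0 -j MASQUERADE
}

if [ "${1:-}" = "apply" ]; then restore_docker_rules; fi
```

A cron entry such as `* * * * * /usr/local/sbin/restore-docker-rules.sh apply` keeps the rules present until the Calico fix lands; because each rule is checked first, the entry is harmless on hosts that never hit the race.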
Running the engine with `"selinux-enabled": true` and installing MKE returns the following error:

```
time="2019-05-22T00:27:54Z" level=fatal msg="the following required ports are blocked on your host: 179, 443, 2376, 6443, 6444, 10250, 12376, 12378 - 12386. Check your firewall settings"
```
This is due to an updated SELinux context. Versions affected: 18.09 or 19.03-rc3 engine on CentOS 7.6 with SELinux enabled. Until `container-selinux-2.99` is available for CentOS 7, the current workaround on CentOS 7 is to downgrade to `container-selinux-2.74`:

```
sudo yum downgrade container-selinux-2.74-1.el7
```
Attempts to deploy local PV fail with regular MKE configuration unless the PV binder ServiceAccount is bound to the cluster admin role. The workaround is to create a ClusterRoleBinding that binds the `persistent-volume-binder` ServiceAccount to the `cluster-admin` ClusterRole, as shown in the following example. Note that `cluster-admin` is the broadest role in the cluster; treat this binding as a temporary workaround and remove it once the underlying issue is fixed.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    subjectName: kube-system-persistent-volume-binder
  name: kube-system-persistent-volume-binder:cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: persistent-volume-binder
  namespace: kube-system
```
Using Kubernetes iSCSI on SLES 12 or SLES 15 hosts results in failures. Kubelet logs might have errors similar to the following when there is an attempt to attach the iSCSI-based persistent volume:

```
{kubelet ip-172-31-13-214.us-west-2.compute.internal} FailedMount: MountVolume.WaitForAttach failed for volume "iscsi-4mpvj" : exit status 127"
```

The failure is because the containerized kubelet in MKE does not contain certain library dependencies (libopeniscsiusr and libcrypto) for iscsiadm version 2.0.876 on SLES 12 and SLES 15.

The workaround is to install the iSCSI tools on each host and then use a swarm service to make the host libraries visible to the `ucp-kubelet` container across the cluster. On each SLES host:

```
zypper -n install open-iscsi
modprobe iscsi_tcp
service iscsid start
```

Then run the following swarm command (for example, via the MKE client bundle):

```
docker service create --mode=global --restart-condition none --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock mavenugo/swarm-exec:17.03.0-ce docker exec ucp-kubelet "/bin/bash" "-c" "echo /rootfs/usr/lib64 >> /etc/ld.so.conf.d/libc.conf && echo /rootfs/lib64 >> /etc/ld.so.conf.d/libc.conf && ldconfig"
```

Example output:

```
4b1qxigqht0vf5y4rtplhygj8
overall progress: 0 out of 3 tasks
overall progress: 0 out of 3 tasks
overall progress: 0 out of 3 tasks
ugb24g32knzv: running
overall progress: 0 out of 3 tasks
overall progress: 0 out of 3 tasks
overall progress: 0 out of 3 tasks
overall progress: 0 out of 3 tasks
<Ctrl-C>
Operation continuing in background.
Use `docker service ps 4b1qxigqht0vf5y4rtplhygj8` to check progress.
$ docker service ps 4b1qxigqht0vf5y4rtplhygj8
ID             NAME                                         IMAGE                            NODE                         DESIRED STATE   CURRENT STATE             ERROR   PORTS
bkgqsbsffsvp   hopeful_margulis.ckh79t5dot7pdv2jsl3gs9ifa   mavenugo/swarm-exec:17.03.0-ce   user-testkit-4DA6F6-sles-1   Shutdown        Complete 7 minutes ago
nwnur7r1mq77   hopeful_margulis.2gzhtgazyt3hyjmffq8f2vro4   mavenugo/swarm-exec:17.03.0-ce   user-testkit-4DA6F6-sles-0   Shutdown        Complete 7 minutes ago
uxd7uxde21gx   hopeful_margulis.ugb24g32knzvvjq9d82jbuba1   mavenugo/swarm-exec:17.03.0-ce   user-testkit-4DA6F6-sles-2   Shutdown        Complete 7 minutes ago
```

As with the metadata_csum workaround, this service bind-mounts the Docker socket into a third-party image, which is equivalent to root on every node; vet or mirror the image before using it.
Component | Version |
---|---|
MKE | 3.2.0 |
Kubernetes | 1.14.3 |
Calico | 3.5.7 |
Interlock | 2.4.0 |
Interlock NGINX proxy | 1.14.2 |