Calico for Windows




Interlock NGINX proxy


Istio Ingress








CSI Attacher


CSI Provisioner


CSI Snapshotter


CSI Resizer


CSI Node Driver Registrar


CSI Liveness Probe


What’s new

  • Updated Interlock to version 3.2.4 and the Interlock NGINX proxy to version 1.21.1, thus resolving CVE-2021-23017 (FIELD-4190).

  • The MSR page of the MKE web UI (<username> > Admin Settings > Mirantis Secure Registry) now always displays both the Windows PowerShell and Unix shell versions of the MSR install command template (MKE-8042).

  • The MKE help command no longer displays internal commands (FIELD-4093).

  • MKE SAML integration now uses SHA-256 signatures rather than SHA-1 (FIELD-3902).

  • MKE now accepts only JWT licenses. To upgrade MKE, customers using a Docker Hub-issued license must first replace it with the new license version (MKE-8399).

    To request a JWT license, contact support@mirantis.com.

Bug fixes

  • Fixed an issue in the MKE web UI wherein deleting a node did not trigger the correct redirect (FIELD-2710).

  • Fixed an issue wherein the CLI failed to properly generate support dumps (FIELD-4141).

  • Fixed an issue with several bootstrap operations wherein nodes temporarily turned red and showed a log link component error (FIELD-4057).

  • Fixed an issue wherein performing unnecessary log link component reconciliations slowed down a number of bootstrap operations (FIELD-4057).

  • Fixed an issue wherein MKE images pulled from private registries caused upgrades to fail (FIELD-3994).

  • Fixed incorrect documentation links in the MKE web UI (FIELD-3959).

  • Fixed an issue with the MKE support dump wherein the containerd version was missing from the dsinfo.txt file (FIELD-3853).

  • Fixed an issue wherein the kubectl streaming functions exec, logs, and cp failed when a NodePort conflicted with the kubelet local streaming server port. Kubelet now appends the configured NodePort range (default: 32768-35535) to net.ipv4.ip_local_reserved_ports at start up (MKE-3495).

  • Fixed an issue wherein connecting to MKE with IPv6 failed after upgrading MCR to version 20.10.0 or later (FIELD-4144).

  • Fixed an issue on Windows nodes wherein unexpectedly closing the named pipe used for healthchecks could cause containers to hang. MKE now terminates Windows containers whenever this pipe is closed (FIELD-4065).

Known issues

  • After upgrading to MKE 3.3.11, the Strict Affinity setting is enabled for Calico CNI and cannot be disabled. This can impact networking functionality in large Kubernetes clusters with a limited private IP space allocated for pods using the --pod-cidr MKE install flag.

    Starting with this release, Strict Affinity is enabled only if there are one or more Windows nodes in the cluster, no matter which MKE version you upgrade from. For new installations, Strict Affinity is enabled when you join one or more Windows nodes to the cluster.

    Nodes in clusters with Strict Affinity enabled due to the presence of Windows nodes cannot borrow IP addresses from IP pools that have affinity for other nodes. In such clusters, this is true for both Linux and Windows nodes, and MKE continues to use without interruption any borrowed IP addresses that were allocated prior to the enablement of Strict Affinity.

    If you plan to add Windows nodes to your cluster, ensure that there are enough IP addresses available in subnet blocks to allocate for each node (Linux or Windows) without having to borrow IP addresses from the subnet blocks of other nodes (FIELD-4182).

Deprecation notes

  • In correlation with the End of Life date for MKE 3.2.x and MSR 2.7.x, Mirantis stopped maintaining the associated documentation set on 2021-07-21.