3.3.13

(2021-10-6)

Components

Component

Version

MKE

3.3.13

Kubernetes

1.18.19

Calico

3.18.4

Calico for Windows

3.18.4

Interlock

3.2.4

Interlock NGINX proxy

1.21.1

Istio Ingress

1.4.10

CoreDNS

1.7.0

RethinkDB

2.3.6

etcd

3.4.3

CSI Attacher

2.1.1

CSI Provisioner

1.4.0

CSI Snapshotter

1.2.2

CSI Resizer

0.4.0

CSI Node Driver Registrar

1.2.0

CSI Liveness Probe

1.1.0

Openstack Cinder CSI plugin

1.20.3

What’s new

  • MKE 3.3.13 did not release in conjunction with a new MCR patch version. As such, unlike with previous releases, you cannot simultaneously upgrade the two products.

  • Added the nvidia_device_plugin setting to the MKE Configuration File, which you can use to enable the NVIDIA device plugin (MKE-8387).

  • Added a cleanup step to the uninstall process pertaining to Calico CNI files in /etc/cni that are deployed by kubectl apply. All other files and subdirectories in that location are left in place (MKE-7674).

  • Added the --unmanaged-cni option to the ucp uninstall-ucp command. Those who used --unmanaged-cni to install MKE in Unmanaged CNI mode must use --unmanaged-cni when uninstalling MKE. By omitting the /etc/cni cleanup step from the uninstall process, --unmanaged-cni option leaves all user-supplied CNI configuration files intact (MKE-7674).

  • Added a checkbox to the MKE web UI Upgrade Management Plane on the <username> > Admin Settings > Upgrade page to indicate that SELinux is enabled when generating an MKE upgrade string (FIELD-2698).

  • Mirantis no longer supports legacy Docker Hub-issued licenses for MKE installation (MKE-8350).

    To request a JWT license, contact support@mirantis.com.

Bug fixes

  • Fixed an issue with the MKE web UI wherein the product was referred to as UCP on the <user name> > Admin Settings > Authentication & Authorization page (MKE-8437).

  • Fixed an issue with the MKE web UI wherein the Upgrade Now feature on the <user name> > Admin Settings > Upgrade page failed to initiate upgrade (FIELD-4230).

  • Fixed an issue wherein using a JWT license with an MKE instance that manages MCR caused MCR to log error messages (FIELD-4201).

  • Fixed an issue with the MKE web UI wherein enabling the option to hide the Swarm UI caused Collections and Stacks not to display under Kubernetes in the left-side menu (FIELD-3929).

  • Fixed an issue with the MKE web UI wherein clicking the Pod options icon on the Pod details page caused the vulnerability data to disappear (FIELD-3859).

  • Backported a resolution for CVE-2021-25741 from the upstream Kubernetes fix (MKE-8580).

  • Fixed an issue wherein Pods could not be removed if the associated image pull secret has been previously deleted (FIELD-3638).

Known issue

  • The calico-node firewalld-policy init container can disable the docker ingress routing mesh when reloading firewalld (FIELD-4200).

    Workaround:

    1. Prevent the issue from recurring by disabling firewalld:

      sudo systemctl disable --now firewalld
      
    2. Restore missing iptables chains by restarting dockerd:

      sudo systemctl restart docker
      

      Note

      Restarting dockerd stops all containers on the corresponding node. The node capacity will not be available to the cluster until the node returns to a healthy state in MKE. You must restart dockerd on manager nodes one node at a time, confirming the health of each node in MKE before moving on to the next.

    3. Confirm that the issue is no longer present by checking for the presence of the DOCKER-INGRESS iptables chain:

      sudo iptables --list DOCKER-INGRESS
      

      Expected output:

      Chain DOCKER-INGRESS (2 references)
      target     prot opt source               destination
      [...]