3.4.0
(2021-04-12)
Enhancements
Added support for two-factor authentication at MKE web UI login (MKE-8053).
Added the ability to rate your MKE experience on a five-star scale from within the MKE web UI (MKE-8151).
Added the ability to submit detailed feedback by opening a ticket from within the MKE web UI (MKE-8176).
Added the ability to send a support dump to Mirantis Customer Support from within the MKE web UI (MKE-8134).
Added the ability to use the CLI to send a support dump to Mirantis Customer Support, by including the --submit option with the support command (MKE-8150).
Updated Kubernetes to version 1.20.1 (MKE-8052).
HitlessServiceUpdate is now enabled by default, but only when Interlock is first enabled through MKE. This does not apply to existing deployments or self-managed deployments, such as those using service clusters (MKE-8152).
The matchExpressions field now displays in the NetworkPolicy for both PodSelector and Ingress Rules (MKE-8074).
Added the allowPrivilegedPods setting, which when set to true enables users operating under the PodSecurityPolicy to create Kubernetes pods using the privileged parameter. Note that by default allowPrivilegedPods is set to false, under which users cannot create privileged pods even when their applicable PodSecurityPolicy specifies that they can do so. The new allowPrivilegedPods setting only applies to the authz admission controller (MKE-7960).
Compose-on-Kubernetes will be deprecated in a future release (ENGDOCS-959).
The MKE restore process now detects corrupted tar files, thus accelerating the restore process. Specifically, the backup RethinkDB model now includes an md5sum field. The backup log file stores the MD5 checksum if the user adds the --include-logs flag when using the ucp backup command (MKE-8077).
MKE web UI dropdown options no longer display with a transparent background (MKE-8102).
The LDAP search initiates stricter checks, and as such user syncing errors can no longer cause MKE users to be deactivated. User syncing now aborts when any of the following conditions are met:
An incorrect LDAP configuration is found
A configured LDAP URL is inaccessible
An LDAP URL that SearchResultReference points to is inaccessible
(FIELD-3619).
MKE now enforces the HTTP Strict Transport Security (HSTS) header with the following values: max-age=63072000; includeSubDomains (FIELD-2900).
Support dumps no longer contain false positives that suggest nonexistent IP or network overlaps (FIELD-2925).
Known issues
Due to a bug in Calico 3.16.2, upgrading to MKE 3.4.0 can cause ucp-kv containers to consume unexpectedly high amounts of both CPU and memory, calico-node to operate incorrectly, and application Pod networking issues to occur (FIELD-4007).
Workaround: Upgrade to MKE 3.4.2 or later.
After upgrading to MKE 3.4.0 or later, the strict affinity setting is enabled for Calico CNI and cannot be disabled. This can impact networking functionality in large Kubernetes clusters with a limited private IP space allocated for pods using the --pod-cidr MKE install flag.
Mirantis strongly recommends that impacted customers wait to upgrade until this issue is resolved in an upcoming release (FIELD-4182).
Major component versions
Component | Version |
---|---|
MKE | 3.4.0 |
Interlock | 3.2.1 |
Interlock NGINX proxy | 1.17.10 |
CSI Attacher | 2.1.1 |
CSI Provisioner | 1.4.0 |
CSI Snapshotter | 1.2.2 |
CSI Resizer | 0.4.0 |
CSI Node Driver Registrar | 1.2.0 |
CSI Liveness Probe | 1.1.0 |