3.4.0

(2021-04-12)

Enhancements

  • Added support for two-factor authentication at MKE web UI login (MKE-8053).

  • Added the ability to rate your MKE experience on a five-star scale from within the MKE web UI (MKE-8151).

    Learn more: Customer feedback

  • Added the ability to submit detailed feedback by opening a ticket from within the MKE web UI (MKE-8176).

    Learn more: Customer feedback

  • Added the ability to send a support dump to Mirantis Customer Support from within the MKE web UI (MKE-8134).

    Learn more: Get support

  • Added the ability to use the CLI to send a support dump to Mirantis Customer Support, by including the --submit option with the support command (MKE-8150).

  • Updated Kubernetes to version 1.20.1 (MKE-8052).

  • HitlessServiceUpdate is now enabled by default, but only when Interlock is first enabled through MKE. This does not apply to existing deployments or self-managed deployments, such as those using service clusters (MKE-8152).

  • The matchExpressions field now displays in the NetworkPolicy for both PodSelector and Ingress Rules (MKE-8074).

  • Added the allowPrivilegedPods setting, which when set to true enables users operating under the PodSecurityPolicy to create Kubernetes pods using the privileged parameter. Note that by default allowPrivilegedPods is set to false, under which users cannot create privileged pods even when their applicable PodSecurityPolicy specifies that they can do so.

    The new allowPrivilegedPods setting only applies to the authz admission controller (MKE-7960).

  • Compose-on-Kubernetes will be deprecated in a future release (ENGDOCS-959).

  • The MKE restore process now detects corrupted tar files, thus accelerating the restore process. Specifically, the backup RethinkDB model now includes an md5sum field. The backup log file stores the MD5 checksum if the user adds the --include-logs flag when using the ucp backup command (MKE-8077).

  • MKE web UI dropdown options no longer display with a transparent background (MKE-8102).

  • The LDAP search initiates stricter checks, and as such user syncing errors can no longer cause MKE users to be deactivated. User syncing now aborts when any of the following conditions are met:

    • An incorrect LDAP configuration is found

    • A configured LDAP URL is inaccessible

    • An LDAP URL that SearchResultReference points to is inaccessible

    (FIELD-3619).

  • MKE now enforces the HTTP Strict Transport Security (HSTS) header with the following values: max-age=63072000; includeSubDomains (FIELD-2900).

  • Support dumps no longer contain false positives that suggest nonexistent IP or network overlaps (FIELD-2925).
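The HSTS value in the list above (FIELD-2900) can be checked against a response header captured from a deployment. The following Python is an added example, not Mirantis code: the function names and sample header strings are constructed for illustration, and it assumes a larger max-age is also acceptable.

```python
# Added example: parse and check a Strict-Transport-Security header value.
# The sample header strings at the bottom are constructed for illustration.
REQUIRED_MAX_AGE = 63072000  # value from the release note (two years, in seconds)


def parse_hsts(value):
    """Parse an HSTS header value into {directive: value-or-None}.

    Follows RFC 6797 section 6.1: directive names are case-insensitive,
    a directive may appear only once, values may be quoted, and max-age
    is required. Raises ValueError when those rules are broken.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty segments such as a trailing ';'
        name, sep, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = arg
    max_age = directives.get("max-age")
    if max_age is None or not (max_age.isascii() and max_age.isdigit()):
        raise ValueError("max-age missing or not a non-negative integer")
    return directives


def matches_release_note(value):
    """True if the header is valid and at least as strict as the documented one."""
    try:
        d = parse_hsts(value)
    except ValueError:
        return False
    return int(d["max-age"]) >= REQUIRED_MAX_AGE and "includesubdomains" in d


if __name__ == "__main__":
    for sample in (
        "max-age=63072000; includeSubDomains",    # value stated in the note
        'includesubdomains; MAX-AGE="63072000"',  # same policy, other spelling
        "max-age=31536000; includeSubDomains",    # one year: weaker
        "max-age=63072000",                       # subdomains not covered
        "max-age=63072000; max-age=0",            # duplicate directive: invalid
    ):
        print(f"{matches_release_note(sample)!s:5}  {sample}")
```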

Known issues

  • Due to a bug in Calico 3.16.2, upgrading to MKE 3.4.0 can cause ucp-kv containers to consume unexpectedly high amounts of both CPU and memory, calico-node to operate incorrectly, and application Pod networking issues to occur (FIELD-4007).

    Workaround:

    Upgrade to MKE 3.4.2 or later.

  • After upgrading to MKE 3.4.0 or later, the strict affinity setting is enabled for Calico CNI and cannot be disabled. This can impact networking functionality in large Kubernetes clusters with a limited private IP space allocated for pods using the --pod-cidr MKE install flag.

    Mirantis strongly recommends that impacted customers wait to upgrade until this issue is resolved in an upcoming release (FIELD-4182).

Major component versions

Component                    Version
MKE                          3.4.0
Kubernetes                   1.20.1
Calico                       3.16.2
Calico for Windows           3.16.2
Interlock                    3.2.1
Interlock NGINX proxy        1.17.10
Istio Ingress                1.4.10
CoreDNS                      1.7.0
etcd                         3.4.13
CSI Attacher                 2.1.1
CSI Provisioner              1.4.0
CSI Snapshotter              1.2.2
CSI Resizer                  0.4.0
CSI Node Driver Registrar    1.2.0
CSI Liveness Probe           1.1.0