3.4.7

(2021-12-20)

Components

Component

Version

MKE

3.4.7

Kubernetes

1.20.11

Calico

3.19.1

Calico for Windows

3.19.1

Interlock

3.3.1

Interlock NGINX proxy

1.21.1

Istio Ingress

1.4.10

CoreDNS

1.7.0

RethinkDB

2.3.6

etcd

3.4.16

CSI Attacher

2.1.1

CSI Provisioner

1.4.0

CSI Snapshotter

1.2.2

CSI Resizer

0.4.0

CSI Node Driver Registrar

1.2.0

CSI Liveness Probe

1.1.0

Openstack Cinder CSI plugin

1.20.3

What’s new

  • MKE now logs DesiredStrictAffinity messages at the debug level (FIELD-4313).

Bug fixes

  • Fixed an issue with the MSR web UI wherein SAML users could fail to be redirected to MSR after login (MKE-1344).

  • Fixed an issue with etcd disk space use in Swarm-only installations (FIELD-4458).

  • Fixed an issue with the performance of docker service ls when used with the MKE client bundle and docker daemon 20.10.x (FIELD-4409).

  • Removed the Kubernetes API documentation link from the MKE web UI left-side navigation panel while in Swarm-only mode (FIELD-4331).

  • Fixed various layout issues in the MKE web UI Admin Settings > Mirantis Secure Registry page (FIELD-4224, FIELD-4216).

  • Fixed an issue with the MKE web UI wherein modifications to the <user name> > Admin Settings > Ingress page reset to the default settings upon being saved (MKE-8478).

    The MKE 3.4.6 release notes report the issue as resolved. The fix, however, was not merged until MKE 3.4.7.

  • Fixed an issue wherein a number of Kuberenetes-related components repeatedly restarted while content trust was enabled (FIELD-4491).

  • Fixed an issue with the MKE web UI wherein the mke-containers and ucp-backup volumes were not tagged as system resources (FIELD-4456).

  • Improved the presentation of nodes in the MKE web UI (FIELD-4444).

  • Fixed an issue with the MKE web UI wherein grant information did not display on the <user name> > My Profile > My Grants page (FIELD-4445).

  • Port 12387 is no longer verified during upgrade in Swarm-only mode (MKE-8640).

Known issues

  • The calico-node firewalld-policy init container can disable the docker ingress routing mesh when reloading firewalld (FIELD-4200).

    Workaround:

    1. Prevent the issue from recurring by disabling firewalld:

      sudo systemctl disable --now firewalld
      
    2. Restore missing iptables chains by restarting dockerd:

      sudo systemctl restart docker
      

      Note

      Restarting dockerd stops all containers on the corresponding node. The node capacity will not be available to the cluster until the node returns to a healthy state in MKE. You must restart dockerd on manager nodes one node at a time, confirming the health of each one in MKE before moving on to the next.

    3. Confirm issue resolution by checking for the presence of the DOCKER-INGRESS iptables chain:

      sudo iptables --list DOCKER-INGRESS
      

      Expected output:

      Chain DOCKER-INGRESS (2 references)
      target     prot opt source               destination
      [...]
      
  • CLI-based support dumps are unavailable on Windows worker nodes (MKE-8538).

    Workaround:

    For Swarm-orchestrated Windows nodes, use the MKE web UI to obtain a support bundle. For Kubernetes-orchestrated Windows nodes, you must manually collect the logs.