Enhancements

Detail on the new features and enhancements introduced in MKE 3.5.7 includes:

[MKE-9366] --kube-protect-kernel-defaults install option

Using the new --kube-protect-kernel-defaults option with the install command prevents kubelet from modifying kernel parameters.

Important

When enabled, kubelet can fail to start if the following kernel parameters are not properly set on the nodes before you install MKE or before you add a new node to an existing cluster.

vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000
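A pre-flight check for these parameters, as an added example that is not part of the MKE release notes or the product: it compares each required value against the running kernel so a mismatch is caught before the install rather than as a kubelet start failure. The sysctl.d file name and the MKE_CHECK_NODE switch are assumptions.

```shell
#!/bin/sh
# Pre-flight check for the kernel parameters kubelet expects when MKE is
# installed with --kube-protect-kernel-defaults. Added example; the sysctl.d
# file name mentioned below is an assumption, not an MKE-documented path.

# Required key=value pairs, taken from the release note above.
REQUIRED_SYSCTLS="vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000"

# Print the value the node must have for one key (empty if the key is unknown).
expected_value() {
    printf '%s\n' "$REQUIRED_SYSCTLS" | awk -F= -v k="$1" '$1 == k { print $2 }'
}

# Read the live value of a sysctl key via /proc/sys (works without sysctl(8)).
current_value() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null || true
}

# Return 0 when an observed value matches the required one, 1 otherwise.
check_sysctl_value() {
    [ "$(expected_value "$1")" = "$2" ]
}

# Compare every required key against the running kernel; list mismatches and
# return 1 if any are found, so the install can be stopped before kubelet fails.
check_node() {
    rc=0
    for key in $(printf '%s\n' "$REQUIRED_SYSCTLS" | cut -d= -f1); do
        actual=$(current_value "$key")
        if ! check_sysctl_value "$key" "$actual"; then
            printf 'MISMATCH %s: have "%s", need "%s"\n' "$key" "$actual" "$(expected_value "$key")"
            rc=1
        fi
    done
    return $rc
}

# Emit a sysctl.d drop-in that sets all required values persistently, e.g. to
# /etc/sysctl.d/90-mke-kubelet.conf (assumed name), followed by `sysctl --system`.
print_sysctl_conf() {
    printf '# kernel defaults required by kubelet with --kube-protect-kernel-defaults\n'
    printf '%s\n' "$REQUIRED_SYSCTLS" | sed 's/=/ = /'
}

# Run the live check only when explicitly requested, so sourcing has no side effects.
if [ "${MKE_CHECK_NODE:-0}" = 1 ]; then
    check_node
fi
```

Run with `MKE_CHECK_NODE=1 sh check-kernel-defaults.sh` on each node before the install or before joining it to the cluster; a non-zero exit means at least one parameter still needs to be set.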

[MKE-9365] kube_api_server_auditing configuration option

The new kube_api_server_auditing MKE configuration option enables auditing to the log file in the kube-apiserver container. Be aware, though, that to use the option you must first enable auditing in MKE.

[MKE-9364] Configuration options for disabling profiling

Three new configuration options allow for the enabling and disabling of profiling:

  • kube_api_server_profiling_enabled affects the kube-apiserver component.

  • kube_controller_manager_profiling_enabled affects the kube-controller-manager component.

  • kube_scheduler_profiling_enabled affects the kube-scheduler component.

[FIELD-5464] CLI support command options for node support dumps

Users can now specify support CLI command options for individual node support dumps, including:

  • --loglines

  • --until

  • --since

  • --goroutine

[MKE-9518] Configuration options for system hardening

Two new configuration options enable features that harden and secure MKE.

  • limit_kernel_capabilities minimizes kernel capabilities to only those required by a container.

  • pid_limit sets the maximum number of PIDs (process IDs) that are allowed.

[MKE-9276] MKE web UI Banner design update

A new MKE web UI banner design improves the user experience.

[MKE-9273] etcd storage quota UI notification

A new UI notification indicates when the etcd storage quota is near capacity.

[MKE-9265] Self ports no longer checked during upgrade (Linux only)

Self ports were removed from the checks on Linux-based machines and nodes. These ports are accessed by machine processes only and not by another node, and thus they do not need to be open at the firewall level. Be aware that this enhancement does not apply to Windows-based machines and nodes.