Enhancements
Detail on the new features and enhancements introduced in MKE 3.6.2 includes:
[MKE-9366] --kube-protect-kernel-defaults install option
Using the new --kube-protect-kernel-defaults option with the install command prevents kubelet from modifying kernel parameters.
Important: When the option is enabled, kubelet can fail to start if the following kernel parameters are not set correctly on the nodes before you install MKE or before you add a new node to an existing cluster:
vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000
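Because kubelet refuses to start rather than fixing the values itself when --kube-protect-kernel-defaults is set, it pays to verify the parameters on every node before running install or join. The following pre-flight script is an added example, not part of MKE or its documentation: it takes sysctl -a style output on stdin, compares it against the six values listed above, and reports each parameter that is missing or differs. The sample input at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from MKE or its docs): pre-flight check of the kernel
# parameters kubelet expects when MKE is installed with
# --kube-protect-kernel-defaults.

# Required values, copied from the MKE 3.6.2 release note.
REQUIRED="vm.panic_on_oom=0
vm.overcommit_memory=1
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000
kernel.keys.root_maxbytes=25000000"

# check_kernel_defaults reads "key = value" lines (the format of `sysctl -a`)
# on stdin, prints one line for every required parameter that is absent or
# set to another value, and returns 0 only when all six match.
check_kernel_defaults() {
  actual=$(cat)
  rc=0
  for pair in $REQUIRED; do
    key=${pair%%=*}
    want=${pair#*=}
    # Exact match on the key; tolerate "key=value" as well as "key = value".
    got=$(printf '%s\n' "$actual" |
      awk -v k="$key" -F'[[:space:]]*=[[:space:]]*' '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      printf 'MISSING %s (want %s)\n' "$key" "$want"
      rc=1
    elif [ "$got" != "$want" ]; then
      printf 'MISMATCH %s=%s (want %s)\n' "$key" "$got" "$want"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample in `sysctl -a` format (not captured from a real host).
SAMPLE_OK="vm.panic_on_oom = 0
vm.overcommit_memory = 1
kernel.panic = 10
kernel.panic_on_oops = 1
kernel.keys.root_maxkeys = 1000000
kernel.keys.root_maxbytes = 25000000
net.ipv4.ip_forward = 1"

printf '%s\n' "$SAMPLE_OK" | check_kernel_defaults \
  && echo "sample node: all kubelet kernel defaults are in place"

# On a real node run:  sysctl -a 2>/dev/null | check_kernel_defaults
```

If the check reports anything, write the six REQUIRED lines to a drop-in such as /etc/sysctl.d/90-mke-kubelet.conf (file name is our choice), apply it with sysctl --system, and re-run the check before installing MKE or joining the node; setting the values only with sysctl -w would not survive a reboot, after which kubelet would fail to start again.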
[MKE-9365] kube_api_server_auditing configuration option
The new kube_api_server_auditing MKE configuration option enables auditing to the log file in the kube-apiserver container. Be aware, though, that to use the option you must first enable auditing in MKE.
[MKE-9364] Configuration options for disabling profiling
Three new configuration options allow for the enabling and disabling of profiling:
kube_api_server_profiling_enabled affects the kube-apiserver component.
kube_controller_manager_profiling_enabled affects the kube-controller-manager component.
kube_scheduler_profiling_enabled affects the kube-scheduler component.
[FIELD-5464] support CLI command options for node support dumps
Users can now specify support CLI command options for individual node support dumps, including:
--loglines
--until
--since
--goroutine
[MKE-9518] Configuration options for system hardening
Two new configuration options enable features that harden and secure MKE:
limit_kernel_capabilities minimizes kernel capabilities to only those required by a container.
pid_limit indicates the maximum number of PIDs (Process IDs) that are allowed.
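The auditing, profiling and hardening options from the three sections above all live in the MKE configuration file. The fragment below is an added example, not taken from the MKE documentation, showing the settings a hardened 3.6.2 cluster would typically carry. The section names are assumptions: the Kubernetes component options are placed under [cluster_config] and the pre-existing audit setting under [audit_log_configuration]; confirm both against the configuration reference for your MKE version before uploading. The pid_limit value is illustrative.

```toml
# Added example, not MKE's own documentation. Section names are assumed
# (see lead-in); option names are those introduced in MKE 3.6.2.

[audit_log_configuration]
# kube_api_server_auditing has no effect unless auditing is already enabled
# in MKE; "metadata" records who called which API without request bodies.
level = "metadata"

[cluster_config]
# Write the kube-apiserver audit log inside the kube-apiserver container.
kube_api_server_auditing = true

# The /debug/pprof profiling endpoints are only useful while diagnosing the
# control plane; keep them off in normal operation (the CIS Kubernetes
# Benchmark likewise recommends --profiling=false for all three components).
kube_api_server_profiling_enabled = false
kube_controller_manager_profiling_enabled = false
kube_scheduler_profiling_enabled = false

# Hardening: drop kernel capabilities a container does not need, and cap the
# number of PIDs a container may hold so a runaway process tree cannot
# exhaust the node. 4096 is an illustrative value, not an MKE default.
limit_kernel_capabilities = true
pid_limit = 4096
```

After uploading the configuration, confirm the effect rather than trusting the file: the profiling endpoints of the three components should stop answering, the kube-apiserver container should start producing audit lines, and a container that tries to exceed pid_limit should receive fork failures instead of taking the node down.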
[MKE-9273] etcd storage quota UI notification
A new UI notification indicates when the etcd storage quota is near capacity.
[MKE-9265] Self ports no longer checked during upgrade (Linux only)
Self ports were removed from the checks on Linux-based machines and nodes. These ports are accessed by machine processes only and not by another node, and thus they do not need to be open at the firewall level. Be aware that this enhancement does not apply to Windows-based machines and nodes.