Addressed issues¶

Issues addressed in the MKE 3.6.5 release include:

[MKE-9743] Fixed non-compliance of bind-address configuration in ucp-kube-scheduler container.

Kubernetes scheduler now binds to 127.0.0.1 by default. Admins can return binding capability to all available network interfaces by configurating the new kube_scheduler_bind_to_all setting under cluster_config in the MKE configuration file.
[MKE-9742] Fixed controls 1.1.32 and 1.1.34 in the built-in CIS benchmark (and removed control 1.1.6 from the control list) to resolve non-compliance of the following configurations in ucp-kube-api-server container:
- insecure-port
- authorization-mode/Node
- encryption-provider-config
[MKE-9746] Fixed controls 2.1.1-2.1.4 and 2.1.10 in the built-in CIS benchmark to resolve non-compliance of the following configurations in the ucp-kubelet container:
- anonymous-auth
- authorization-mode
- client-ca-file
- read-only-port
- tls-cert-file
- tls-private-key-file
[FIELD-6221] Fixed an issue wherein the cri-dockerd binary was not updated following upgrade.
[FIELD-6126] Fixed a memory leak in the ucp-cluster-agent container.
[FIELD-6104] Fixed an issue wherein cri-dockerd continued to use the old ucp-pause image following upgrade.
[FIELD-5931] Fixed an issue wherein LDAP sync occasionally failed after replacing manager nodes.
[FIELD-6210] Addressed an issue wherein CPU usage increased significantly in docker daemon following upgrade to MKE 3.6.

Note

FIELD-6210 was appended to the MKE 3.6.5 release notes on 2023-07-19.

[MKE-10017] Fixed an issue wherein ucp-pause containers were not carried forward during MKE upgrade.

Note

MKE-10017 was appended to the MKE 3.6.5 release notes on 2023-08-16.

Perform the following steps on each Linux node where the ucp-pause containers are built from the upgraded MKE image version.

Verify that the ucp-pause containers are using the MKE image version to which you tried to upgrade:

docker ps -a | grep ucp-pause

Example output:

01a80dd175de   mirantiseng/ucp-pause:3.7.0   "/pause"   17 minutes ago   Up 16 minutes   k8s_POD_ucp-node-feature-discovery-9bwsj_node-feature-discovery_0a601160-ecf7-412f-bff8-e421a4f1712d_0
498371f35994   mirantiseng/ucp-pause:3.7.0   "/pause"   20 minutes ago   Up 18 minutes   k8s_POD_coredns-7fb76597fc-k2q2k_kube-system_83fee771-dc1d-4e34-ae45-f0ab9dee5942_0
a94cfcfb18f6   mirantiseng/ucp-pause:3.7.0   "/pause"   22 minutes ago   Up 21 minutes   k8s_POD_calico-kube-controllers-58c64b9976-mg5dn_kube-system_0b80ed92-be02-40de-827e-6a6b6e7f27da_0
0a2cf203f77c   mirantiseng/ucp-pause:3.7.0   "/pause"   22 minutes ago   Up 21 minutes   k8s_POD_calico-node-f2xhl_kube-system_3c4a27c5-b832-417d-bc30-b6a7ca8f7627_0

If the ucp-pause containers are using the correct image version, proceed to the next node.

Copy the cri-dockerd-mke.service configuration file from the tmp directory to /usr/lib/systemd/system:
```
sudo cp /tmp/cri-dockerd-mke.service /usr/lib/systemd/system
```
Restart kubelet to load the most recent configuration file:
```
docker rm -f ucp-kubelet
```

Delete all ucp-pause containers that are on the node:

docker rm -f <pause-containrer-id-1> <pause-containrer-id-n>

Verify that the ucp-pause containers are using the correct MKE image version:

docker ps -a | grep ucp-pause

Example output:

236b3dfb1bf6   mirantiseng/ucp-pause:3.6.4   "/pause"   12 seconds ago   Up 11 seconds   k8s_POD_calico-node-dp7hd_kube-system_d59d9004-5a59-46f8-8281-3c917c62fe20_0
56994306b181   mirantiseng/ucp-pause:3.6.4   "/pause"   12 seconds ago   Up 11 seconds   k8s_POD_calico-kube-controllers-64844db68f-br9dh_kube-system_5ea39708-231a-45f5-aa7c-f7b842131941_0
e62ae3c2a871   mirantiseng/ucp-pause:3.6.4   "/pause"   12 seconds ago   Up 11 seconds   k8s_POD_ucp-node-feature-discovery-rdrb7_node-feature-discovery_848cda05-74ec-4db2-825f-05afa53b2502_0
d51eba420f34   mirantiseng/ucp-pause:3.6.4   "/pause"   12 seconds ago
Up 11 seconds
k8s_POD_coredns-78c7f4f4c7-lljzc_kube-system_92936b7c-6a7c-4eb5-a83f-22514acac636_0