Addressed issues#
Issues addressed in the MKE 4.2.0 release include:
Backup and Restore#
- Restore operations no longer fail on hosts where
/var/libor/var/lib/kubeletis a separate volume or dedicated mount. This covers the post-wipe reboot race, the "device or resource busy" errors, and mount points not being preserved. - Custom node labels are preserved across restore operations.
- SELinux labeling steps are no longer skipped during a restore operation.
- The registry CA and containerd registry configuration are now distributed to workers during the restore operation.
- The OIDC issuer URL now uses the public domain name instead of an internal address after a restore operation.
- Restore operations work when the cluster uses custom certificates for the kube-apiserver.
- Restore operations no longer hang indefinitely when a node is unreachable.
- Backup and restore operations can now be run on Windows clusters.
Upgrade and migration#
- Rollback no longer exits early when reboot-wait polling hits a transient SSH failure.
- SELinux labeling steps are no longer skipped during rollback.
- The OIDC issuer URL uses the public domain name instead of an internal address following a rollback.
- etcd server certificates no longer expire shortly after an MKE 3 migration.
- Fix of the Helm upgrade loop that previously occurred in the
mkenamespace following an upgrade from 4.1.x. - MKE 3 to MKE 4 upgrade with Windows workers no longer fails, and rollback no longer leaves workers
NotReady. - Organizations and teams are now visible in the MKE Dashboard following a successful MKE 3 to MKE 4 migration.
- Velero no longer ends up in
CrashLoopBackOfffollowing upgrade. - Tne
mkectl applycommand no longer fails its re-apply checks on the operator image version following the initial cluster creation.
Cluster reset and node cleanup#
- The
mkectl resetcommand no longer deletes or unmounts the data directory or/var/lib/kubeletwhen the kubelet root is a mount point or is located under the data directory. - The
mkectl resetcommand no longer leaves traces of MKE 4 installation. - Reset of a node is much faster on Calico eBPF clusters, on which the
k0s resetcommand could previously take more than an hour. - A cluster can be reset even when a deployment failed due to an unreachable external address.
Networking and load balancing#
- Load balancer can now be changed post-install.
- mkectl apply no longer publishes the Kubernetes service endpoint with the Docker bridge IP.
Ingress and Envoy Gateway#
The Envoy Gateway controller is configured to create gateway Pods in the gateway namespaces.
High Availability and scheduling#
The fixes herein address scheduling issues uncovered by the new High Availability defaults.
- The k0rdent controller manager now uses the configured resource values rather than upstream chart defaults.
- A Sveltos addon controller restart no longer triggers an infinite Helm upgrade loop.
- Installs on a minimal one-control-plane, one-worker topology with the AWS cloud controller manager no longer fail on a premature upgrade readiness check.
- The etcd maintenance service is now uninstalled cleanly, which allows a fresh cluster install can proceed.
Node add and remove#
- Node labels in install flags no longer cause every run of the
mkectl applycommand to reinstall nodes.
Kubernetes 1.35 and host configuration#
- Install validation now rejects cgroup v1 hosts, which k0s 1.35 no longer supports.
- The k0s version resolves correctly for child clusters instead of always resolving to the latest.
Security#
- Non-admin users can no longer list all cluster nodes and their cached images, thus closing a multi-tenant information leak.
- The Dex authentication server now verifies LDAP server certificates.
Authentication and MKE Dashboard#
- The MKE Dashboard no longer returns a 500 error for users who belong to numberous LDAP groups.
- The
KUBECONFIGenvironment variable no longer silently overrides the--kubeconfigflag. - Local user deletion is reliable: the MKE Dashboard no longer treats a 500 response as success, and the intermittent 500 on delete is fixed.
- Specifying a pre-existing audience for authentication now returns an error instead of being silently accepted.
- The
mkectl applycommand no longer hangs on "Wait for Dex admin user" whenlocalUsersis disabled.
Registry and provisioning#
- Child cluster nodes on RHEL and Rocky no longer fail to provision due to a TLS verification error in the oci-downloader pre-start step.
- Custom worker profile names now reject underscores, per RFC 1123.