994 lines (552 loc) · 106 KB

release-notes-draft.md

File metadata and controls

994 lines (552 loc) · 106 KB

Kubernetes 1.10 Release Notes Draft

Major Themes

Node

Many of the changes within SIG-Node revolve around control: the beta release of Dynamic Kubelet Configuration, the ability to make changes to the Kubelet without having to bring down the node, and alpha support for configuring whether containers in a pod should share a single process namespace. The CRI has also seen some improvements and has been upgraded to v1alpha2, with support for Windows Container Configuration and the beta release of the CRI validation test suite.

The Resource Management Working Group graduated three features to beta in the 1.10 release. First, CPU Manager, which allows users to request exclusive CPU cores. This helps performance in a variety of use-cases, including network latency sensitive applications, as well as applications that benefit from CPU cache residency. Next, Huge Pages, which allows pods to consume either 2Mi or 1Gi Huge Pages. This benefits applications that consume large amounts of memory. Use of Huge Pages is a common tuning recommendation for databases and JVMs. Finally, the Device Plugin feature, which provides a framework for vendors to advertise their resources to the Kubelet without changing Kubernetes core code. Targeted devices include GPUs, High-performance NICs, FPGAs, InfiniBand, and other similar computing resources that may require vendor specific initialization and setup.

Storage

This release brings additional power to both local storage and Persistent Volumes. Mount namespace propagation allows a container to mount a volume as rslave so that host mounts can be seen inside the container, or as rshared so that mounts made inside a container can be seen by the host. (Note that this is not supported on Windows.) Local Ephemeral Storage Capacity Isolation makes it possible to set requests and limits on ephemeral local storage resources. In addition, you can now create Local Persistent Storage, which enables PersistentVolumes to be created with locally attached disks, and not just network volumes.

On the Persistent Volumes side, this release prevents deletion of Persistent Volume Claims that are used by a pod and of Persistent Volumes that are bound to a Persistent Volume Claim, making it impossible to delete storage that is in use by a pod.

This release also includes Topology Aware Volume Scheduling for local persistent volumes and beta support for Out-of-tree CSI Volume Plugins.

Windows

This release continues to enable more existing features on Windows, including container CPU resources, image filesystem stats, and flexvolumes. It also adds Windows service control manager support and experimental support for Hyper-V isolation of single-container pods.

OpenStack

SIG-OpenStack updated the OpenStack provider to use newer APIs, consolidated community code into one repository, engaged with the Cloud Provider Working Group to have a consistent plan for moving provider code into individual repositories, improved testing of provider code, and strengthened ties with the OpenStack developer community.

API-machinery

API Aggregation has been upgraded to "stable" in Kubernetes 1.10, so you can use it in production. Webhooks have seen numerous improvements, including alpha Support for self-hosting authorizer webhooks.

Auth

This release lays the groundwork for new authentication methods, including the alpha release of External client-go credential providers and the TokenRequest API. In addition, Pod Security Policy now lets administrators decide what contexts pods can run in, and gives administrators the ability to limit node access to the API.

Azure

Kubernetes 1.10 includes alpha Azure support for cluster-autoscaler, as well as support for Azure Virtual Machine Scale Sets.

CLI

This release includes a change to kubectl get and describe to work better with extensions, as the server, rather than the client, returns this information for a smoother user experience.

Cluster Lifecycle

This release includes beta support for out-of-process and out-of-tree cloud providers.

Network

In terms of networking, Kubernetes 1.10 is about control. Users now have beta support for the ability to configure a pod's resolv.conf, rather than relying on the cluster DNS, as well as configuring the NodePort IP address. You can also switch the default DNS plugin to CoreDNS (beta).

Before Upgrading

  • In-place node upgrades to this release from versions 1.7.14, 1.8.9, and 1.9.4 are not supported if using subpath volumes with PVCs. Such pods should be drained from the node first.

  • The minimum supported version of Docker is now 1.11; if you are using Docker 1.10 or below, be sure to upgrade Docker before upgrading Kubernetes. (#57845, @yujuhong)

  • The Container Runtime Interface (CRI) version has increased from v1alpha1 to v1alpha2. Runtimes implementing the CRI will need to update to the new version, which configures container namespaces using an enumeration rather than booleans. This change to the alpha API is not backwards compatible; implementations of the CRI, such as containerd, will need to update to the new API version. (#58973, @verb)

  • The default Flexvolume plugin directory for COS images on GCE has changed to /home/kubernetes/flexvolume, rather than /etc/srv/kubernetes/kubelet-plugins/volume/exec. Existing Flexvolume installations in clusters using COS images must be moved to the new directory, and installation processes must be updated with the new path. (#58171, @verult)

  • Default values differ between the Kubelet's componentconfig (config file) API and the Kubelet's command line. Be sure to review the default values when migrating to using a config file. For example, the authz mode is set to "AlwaysAllow" if you rely on the command line, but defaults to the more secure "Webhook" mode if you load config from a file. (#59666, @mtaufen)

  • [GCP kube-up.sh] Variables that were part of kube-env that were only used for kubelet flags are no longer being set, and are being replaced by the more portable mechanism of the kubelet configuration file. The individual variables in the kube-env metadata entry were never meant to be a stable interface and this release note only applies if you are depending on them. (#60020, @roberthbailey)

  • kube-proxy: feature gates are now specified as a map when provided via a JSON or YAML KubeProxyConfiguration, rather than as a string of key-value pairs. For example:

KubeProxyConfiguration Before:

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates: "SupportIPVSProxyMode=true"

KubeProxyConfiguration After:

apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  SupportIPVSProxyMode: true

(#57962, @xiangpengzhao)
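As an added example (not part of the release notes or of kube-proxy itself), the following converts the pre-1.10 featureGates string into the map form the 1.10 KubeProxyConfiguration expects, rejecting malformed or duplicated gates instead of silently dropping them. The YAML is rendered by hand so the script needs no third-party library.

```python
# Added example, not Kubernetes project code: migrate a KubeProxyConfiguration
# featureGates string ("Gate1=true,Gate2=false") to the 1.10 map form.
from typing import Dict


def parse_feature_gates(gates: str) -> Dict[str, bool]:
    """Parse the legacy comma-separated NAME=true|false string into {name: bool}.

    Whitespace around entries is ignored and an empty string yields {}.
    Entries that are not NAME=true|false, or gates listed twice, raise
    ValueError: a silently dropped gate would change proxy behaviour.
    """
    result: Dict[str, bool] = {}
    for raw in gates.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma or blank entry
        name, sep, value = entry.partition("=")
        name, value = name.strip(), value.strip().lower()
        if not sep or not name:
            raise ValueError(f"malformed feature gate entry: {raw!r}")
        if value not in ("true", "false"):
            raise ValueError(f"feature gate {name} must be true or false, got {value!r}")
        if name in result:
            raise ValueError(f"feature gate {name} specified more than once")
        result[name] = value == "true"
    return result


def render_kube_proxy_config(gates: Dict[str, bool]) -> str:
    """Render a minimal 1.10-style KubeProxyConfiguration with featureGates as a map.

    Keys are emitted in sorted order so the output is stable across runs.
    """
    lines = [
        "apiVersion: kubeproxy.config.k8s.io/v1alpha1",
        "kind: KubeProxyConfiguration",
    ]
    if gates:
        lines.append("featureGates:")
        lines.extend(
            f"  {name}: {'true' if enabled else 'false'}"
            for name, enabled in sorted(gates.items())
        )
    return "\n".join(lines) + "\n"


def migrate_feature_gates_string(legacy: str) -> str:
    """Convenience wrapper: legacy string in, 1.10 YAML document out."""
    return render_kube_proxy_config(parse_feature_gates(legacy))


if __name__ == "__main__":
    # The exact value shown in the release notes above.
    print(migrate_feature_gates_string("SupportIPVSProxyMode=true"))
```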

  • The kubeletconfig API group has graduated from alpha to beta, and the name has changed to kubelet.config.k8s.io. Please use kubelet.config.k8s.io/v1beta1, as kubeletconfig/v1alpha1 is no longer available. (#53833, @mtaufen)

  • kube-apiserver: the experimental in-tree Keystone password authenticator has been removed in favor of extensions that enable use of Keystone tokens. (#59492, @dims)

  • The udpTimeoutMilliseconds field in the kube-proxy configuration file has been renamed to udpIdleTimeout. Administrators must update their files accordingly. (#57754, @ncdc)

  • The kubelet's --cloud-provider=auto-detect feature has been removed; make certain to specify the cloud provider. (#56287, @stewart-yu)

  • kube-apiserver: the OpenID Connect authenticator no longer accepts tokens from the Google v3 token APIs; users must switch to the "https://www.googleapis.com/oauth2/v4/token" endpoint.

  • kube-apiserver: the root /proxy paths have been removed (deprecated since v1.2). Use the /proxy subresources on objects that support HTTP proxying. (#59884, @mikedanese)

  • Eviction thresholds set to 0% or 100% will turn off eviction. (#59681, @mtaufen)

  • CustomResourceDefinitions: OpenAPI v3 validation schemas containing $ref references are no longer permitted. Before upgrading, ensure CRD definitions do not include those $ref fields. (#58438, @carlory)

  • Webhooks now do not skip cluster-scoped resources. Before upgrading your Kubernetes clusters, double check whether you have configured webhooks for cluster-scoped objects (e.g., nodes, persistentVolume), as these webhooks will start to take effect. Delete/modify the configs if that's not desirable. (#58185, @caesarxuchao)

  • Using kubectl gcp auth plugin with a Google Service Account to authenticate to a cluster now additionally requests a token with the "userinfo.email" scope. This way, users can write ClusterRoleBindings/RoleBindings with the email address of the service account directly. (This is a breaking change if the numeric uniqueIDs of the Google service accounts were being used in RBAC role bindings. The behavior can be overridden by explicitly specifying the scope values as comma-separated string in the "users[*].config.scopes" field in the KUBECONFIG file.) This way, users can now set a Google Service Account JSON key in the GOOGLE_APPLICATION_CREDENTIALS environment variable, craft a kubeconfig file with GKE master IP+CA cert, and authenticate to GKE in headless mode without requiring gcloud CLI. (#58141, @ahmetb)

  • kubectl port-forward no longer supports the deprecated -p flag; the flag itself is unnecessary and should be replaced by just the <pod-name>. (#59705, @phsiao)

  • Removed the deprecated --require-kubeconfig flag and removed the default --kubeconfig value. (#58367, @zhangxiaoyu-zidif)

  • The public-address-override, address, and port flags have been removed and replaced by bind-address, insecure-bind-address, and insecure-port, respectively. They are marked as deprecated in #36604, which is more than a year ago. (#59018, @hzxuzhonghu)

  • The alpha --init-config-dir flag has been removed. Instead, use the --config flag to reference a kubelet configuration file directly. (#57624, @mtaufen)

  • Removed deprecated and unmaintained salt support. kubernetes-salt.tar.gz will no longer be published in the release tarball. (#58248, @mikedanese)

  • The deprecated --mode switch for GCE has been removed. (#61203)

  • The word “manifest” has been expunged from the Kubelet API. (#60314)

  • sig-cluster-lifecycle has decided to phase out the cluster/ directory over the next couple of releases in favor of deployment automations maintained outside of the core repo and outside of kubernetes orgs. (kubernetes/kubernetes#49213, @kubernetes/sig-cluster-lifecycle-misc)

  • The DaemonSet controller, its integration tests, and its e2e tests, have been updated to use the apps/v1 API. Users should, but are not yet required to, update their scripts accordingly. (#59883, @kow3ns)

  • The MountPropagation feature is now beta. As a consequence, all volume mounts in containers are now rslave on Linux by default. To make this default work in all Linux environments, the entire mount tree should be marked as shareable, e.g. via mount --make-rshared /. All Linux distributions that use systemd already have the root directory mounted as rshared and hence need not do anything. In Linux environments without systemd we recommend running mount --make-rshared / during boot before docker is started. (@jsafrane)
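The Kubelet config-file defaults differ from the command-line defaults (see the "Default values differ" item above). As an added example, not Kubernetes project code, the following turns a node's current kubelet command line into an explicit kubelet.config.k8s.io/v1beta1 KubeletConfiguration so nothing changes silently on migration, and reviews a config for settings weaker than the file defaults. The AlwaysAllow/Webhook defaults are the ones stated above; the anonymous-auth and token-webhook defaults are taken from the kubelet documentation rather than from this page.

```python
# Added example, not Kubernetes project code: make kubelet command-line
# defaults explicit when moving to a v1beta1 KubeletConfiguration file.
from typing import Any, Dict, List, Tuple

# (kubelet flag, dotted key in the config file, command-line default, config-file default)
# Command-line defaults are what a node gets today when the flag is absent; the
# config-file defaults are what the same node gets if the key is absent from the file.
SETTINGS: List[Tuple[str, str, Any, Any]] = [
    ("--authorization-mode", "authorization.mode", "AlwaysAllow", "Webhook"),
    ("--anonymous-auth", "authentication.anonymous.enabled", True, False),
    ("--authentication-token-webhook", "authentication.webhook.enabled", False, True),
]


def parse_flags(argv: List[str]) -> Dict[str, str]:
    """Collect --flag=value and --flag value pairs from a kubelet command line."""
    flags: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            if "=" in arg:
                name, value = arg.split("=", 1)
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                name, value = arg, argv[i + 1]
                i += 1
            else:
                name, value = arg, "true"  # bare boolean flag such as --anonymous-auth
            flags[name] = value
        i += 1
    return flags


def _coerce(value: str, like: Any) -> Any:
    """Convert a flag string to the type of the default it replaces."""
    if isinstance(like, bool):
        if value.lower() not in ("true", "false"):
            raise ValueError(f"expected true/false, got {value!r}")
        return value.lower() == "true"
    return value


def _set_path(tree: Dict[str, Any], dotted: str, value: Any) -> None:
    *parents, leaf = dotted.split(".")
    for key in parents:
        tree = tree.setdefault(key, {})
    tree[leaf] = value


def _get_path(tree: Any, dotted: str, default: Any) -> Any:
    for key in dotted.split("."):
        if not isinstance(tree, dict) or key not in tree:
            return default
        tree = tree[key]
    return tree


def flags_to_config(argv: List[str]) -> Dict[str, Any]:
    """Build a KubeletConfiguration reproducing the command line's effective
    settings. Every value is written explicitly, so the file defaults cannot
    silently change behaviour when the node switches to --config."""
    flags = parse_flags(argv)
    config: Dict[str, Any] = {
        "apiVersion": "kubelet.config.k8s.io/v1beta1",
        "kind": "KubeletConfiguration",
    }
    for flag, path, cli_default, _file_default in SETTINGS:
        value = _coerce(flags[flag], cli_default) if flag in flags else cli_default
        _set_path(config, path, value)
    return config


def review(config: Dict[str, Any]) -> List[str]:
    """List settings that are weaker than the config-file defaults (a key
    missing from the file takes the file default, so it is never flagged)."""
    findings: List[str] = []
    for _flag, path, _cli_default, file_default in SETTINGS:
        value = _get_path(config, path, file_default)
        if value != file_default:
            findings.append(f"{path} is {value!r}; the config-file default is {file_default!r}")
    return findings


if __name__ == "__main__":
    # A kubelet started with no auth flags at all: AlwaysAllow and anonymous auth
    # are carried over explicitly, and review() points out all three weak values.
    migrated = flags_to_config([])
    print(migrated)
    for finding in review(migrated):
        print("WARNING:", finding)
```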
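To confirm before upgrading that the root mount tree is actually shared (the MountPropagation item above), the following added check, which is not part of the release notes, parses /proc/self/mountinfo and reports the propagation type of /. The sample mountinfo lines are constructed for the example; run_live_check() reads the real file on a node.

```python
# Added example, not Kubernetes project code: determine whether / is in a
# shared peer group by parsing the optional fields of /proc/self/mountinfo.
import re
from typing import Dict, List, Optional

# Constructed sample: root and /sys are shared (as systemd sets them up),
# /mnt/data carries no propagation tag and is therefore private.
SAMPLE_SYSTEMD_HOST = """\
22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
28 0 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
36 28 8:2 / /mnt/data rw,relatime - ext4 /dev/sda2 rw
"""

# Constructed sample: a root filesystem that was never marked shared.
SAMPLE_PRIVATE_ROOT = """\
28 0 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro
"""


def _unescape(field: str) -> str:
    """mountinfo encodes spaces and other specials as \\NNN octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[Dict[str, object]]:
    """Parse mountinfo lines into dicts with mount_point, fstype and propagation.

    Layout per proc(5): id parent major:minor root mount_point options
    [optional tags...] - fstype source superoptions. The optional tags carry
    the propagation state: shared:N, master:N (slave), propagate_from:N,
    unbindable; no tag means private.
    """
    mounts: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, sep, post = line.partition(" - ")
        if not sep:
            raise ValueError(f"missing ' - ' separator: {line!r}")
        fields = pre.split()
        if len(fields) < 6:
            raise ValueError(f"too few fields before separator: {line!r}")
        tags = {tag.split(":", 1)[0] for tag in fields[6:]}
        # A mount can be both shared and a slave (shared:5 master:1); it still
        # propagates to its children, which is what matters for rslave volumes.
        if "shared" in tags:
            propagation = "shared"
        elif "master" in tags:
            propagation = "slave"
        elif "unbindable" in tags:
            propagation = "unbindable"
        else:
            propagation = "private"
        mounts.append({
            "mount_point": _unescape(fields[4]),
            "fstype": post.split()[0],
            "propagation": propagation,
        })
    return mounts


def root_propagation(text: str) -> Optional[str]:
    """Propagation type of the / mount, or None if no root mount is present."""
    for mount in parse_mountinfo(text):
        if mount["mount_point"] == "/":
            return str(mount["propagation"])
    return None


def root_is_shared(text: str) -> bool:
    return root_propagation(text) == "shared"


def run_live_check(path: str = "/proc/self/mountinfo") -> bool:
    """Read the real mountinfo on a node; False means mount --make-rshared / is needed."""
    with open(path, encoding="utf-8") as handle:
        return root_is_shared(handle.read())


if __name__ == "__main__":
    print("systemd-style host root:", root_propagation(SAMPLE_SYSTEMD_HOST))
    print("private root:", root_propagation(SAMPLE_PRIVATE_ROOT))
```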

Known Issues

  • Use of subPath with hostPath volumes can cause issues during reconstruction (#61446) and with containerized kubelets (#61456). The workaround for this issue is to specify the complete path in the hostPath volume. Use of subPath mounts nested within atomic writer volumes (configmap, secret, downwardAPI, projected) does not work (#61545), and socket files cannot be loaded from a subPath (#62377). Work on these issues is ongoing.

  • Kubeadm is currently omitting etcd certificates in a self-hosted deployment; this will be fixed in a point release. (#61322)

  • Some users, especially those with very large clusters, may see higher memory usage by the kube-controller-manager in 1.10. (#61041)

Deprecations

  • etcd2 as a backend is deprecated and support will be removed in Kubernetes 1.13.

  • VolumeScheduling and LocalPersistentVolume features are beta and enabled by default. The PersistentVolume NodeAffinity alpha annotation is deprecated and will be removed in a future release. (#59391, @msau42)

  • The alpha Accelerators feature gate is deprecated and will be removed in v1.11. Please use device plugins (kubernetes/enhancements#368) instead. They can be enabled using the DevicePlugins feature gate. (#57384, @mindprince)

  • The ability to use kubectl scale jobs is deprecated. All other scale operations remain in place, but the ability to scale jobs will be removed in a future release. (#60139, @soltysh)

  • Flags that can be set via the Kubelet's --config file are now deprecated in favor of the file. (#60148, @mtaufen)

  • --show-all (which only affected pods and only for human readable/non-API printers) is now defaulted to true and deprecated. The flag determines whether pods in a terminal state are displayed. It will be inert in 1.11 and removed in a future release. (#60210, @deads2k)

  • The ability to use the insecure HTTP port of kube-controller-manager and cloud-controller-manager has been deprecated, and will be removed in a future release. Use --secure-port and --bind-address instead. (#59582, @sttts)

  • The ability to use the insecure flags --insecure-bind-address, --insecure-port in the apiserver has been deprecated and will be removed in a future release. Use --secure-port and --bind-address instead. (#59018, @hzxuzhonghu)

  • The recycling reclaim policy has been deprecated. Users should use dynamic provisioning instead. (#59063, @ayushpateria)

  • kube-apiserver flag --tls-ca-file has had no effect for some time. It is now deprecated and slated for removal in 1.11. If you are specifying this flag, you must remove it from your launch config before upgrading to 1.11. (#58968, @deads2k)

  • The PodSecurityPolicy API has been moved to the policy/v1beta1 API group. The PodSecurityPolicy API in the extensions/v1beta1 API group is deprecated and will be removed in a future release. Authorizations for using pod security policy resources should change to reference the policy API group after upgrading to 1.11. (#54933, @php-coder)

  • Added the --enable-admission-plugin and --disable-admission-plugin flags and deprecated --admission-control. When the separate flags are used, the order in which plugins are specified does not matter. (#58123, @hzxuzhonghu)

  • The kubelet --docker-disable-shared-pid flag, which runs docker containers with a process namespace that is shared between all containers in a pod, is now deprecated and will be removed in a future release. It is replaced by v1.Pod.Spec.ShareProcessNamespace, which configures this behavior. This field is alpha and can be enabled with --feature-gates=PodShareProcessNamespace=true. (#58093, @verb)

  • The kubelet's cadvisor port has been deprecated. The default will change to 0 (disabled) in 1.12, and the cadvisor port will be removed entirely in 1.13. (#59827, @dashpole)

  • rktnetes has been deprecated in favor of rktlet. Please see https://github.com/kubernetes-incubator/rktlet for more information. (#58418, @yujuhong)

  • The Kubelet now explicitly registers all of its command-line flags with an internal flagset, which prevents flags from third party libraries from unintentionally leaking into the Kubelet's command-line API. Many unintentionally leaked flags are now marked deprecated, so that users have a chance to migrate away from them before they are removed. In addition, one previously leaked flag, --cloud-provider-gce-lb-src-cidrs, has been entirely removed from the Kubelet's command-line API, because it is irrelevant to Kubelet operation. The deprecated flags are:

    • --application_metrics_count_limit
    • --boot_id_file
    • --container_hints
    • --containerd
    • --docker
    • --docker_env_metadata_whitelist
    • --docker_only
    • --docker-tls
    • --docker-tls-ca
    • --docker-tls-cert
    • --docker-tls-key
    • --enable_load_reader
    • --event_storage_age_limit
    • --event_storage_event_limit
    • --global_housekeeping_interval
    • --google-json-key
    • --log_cadvisor_usage
    • --machine_id_file
    • --storage_driver_user
    • --storage_driver_password
    • --storage_driver_host
    • --storage_driver_db
    • --storage_driver_table
    • --storage_driver_secure
    • --storage_driver_buffer_duration

(#57613, @mtaufen)

  • The bootstrapped RBAC role and rolebinding for the cloud-provider service account is now deprecated. If you're currently using this service account, you must create and apply your own RBAC policy for new clusters. (#59949, @nicksardo)

  • Format-separated endpoints for the OpenAPI spec, such as /swagger.json, /swagger-2.0.0.0.json, and so on, have been deprecated. The old endpoints will remain in 1.10, 1.11, 1.12 and 1.13, and will be removed in 1.14. Please use the single /openapi/v2 endpoint with the appropriate Accept: header instead. For example:

| Previous | Now |
| --- | --- |
| GET /swagger.json | GET /openapi/v2 with Accept: application/json |
| GET /swagger-2.0.0.pb-v1 | GET /openapi/v2 with Accept: application/com.github.proto-openapi.spec.v2@v1.0+protobuf |
| GET /swagger-2.0.0.pb-v1.gz | GET /openapi/v2 with Accept: application/com.github.proto-openapi.spec.v2@v1.0+protobuf and Accept-Encoding: gzip |

(#59293, @roycaihw)

Other Notable Changes

Apps

  • Updated defaultbackend image to 1.4 and deployment apiVersion to apps/v1. Users should concentrate on updating scripts to the new version. (#57866, @zouyee)

  • Fix StatefulSet to work correctly with set-based selectors. (#59365, @ayushpateria)

  • Fixes a case when Deployment with recreate strategy could get stuck on old failed Pod. (#60301, @tnozicka)

  • ConfigMap objects now support binary data via a new binaryData field. When using kubectl create configmap --from-file, files containing non-UTF8 data will be placed in this new field in order to preserve the non-UTF8 data. Note that kubectl's --append-hash feature doesn't take binaryData into account. Use of this feature requires 1.10+ apiserver and kubelets. (#57938, @dims)

AWS

  • Add an AWS cloud provider option to use an assumed IAM role. For example, this allows running the Controller Manager in an account separate from the worker nodes, while still allowing all resources created to interact with the workers. ELBs created would be in the same account as the worker nodes, for instance. (#59668, @brycecarman)

  • AWS EBS volume plugin now includes block and volumeMode support. (#58625, @screeley44)

  • On AWS, the kubelet now returns an error when started under conditions that do not allow it to work (AWS has not yet tagged the instance), rather than failing silently. (#60125, @vainu-arto)

  • AWS Security Groups created for ELBs will now be tagged with the same additional tags as the ELB; that is, the tags specified by the "service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags" annotation. This is useful for identifying orphaned resources. (#58767, @2rs2ts)

  • AWS Network Load Balancers will now be deleted properly, including security group rules. Fixes #57568 (#57569, @micahhausler)

  • Time for attach/detach retry operations has been decreased from 10-12s to 2-6s (#56974, @gnufied)

Auth

  • Contexts must be named in kubeconfigs. (#56769, @dixudx)

  • vSphere operations will no longer fail due to authentication errors. (#57978, @prashima)

  • This removes the cloud-provider role and role binding from the RBAC bootstrapper and replaces it with a policy applied via the addon manager. This also creates a new clusterrole allowing the service account to create events for any namespace.

  • client-go: alpha support for out-of-tree exec-based credential providers. For example, a cloud provider could create their own authentication system rather than using the standard authentication provided with Kubernetes. (#59495, @ericchiang)

  • The node authorizer now allows nodes to request service account tokens for the service accounts of pods running on them. This allows agents using the node identity to take actions on behalf of local pods. (#55019, @mikedanese)

  • kube-apiserver: the OpenID Connect authenticator can now verify ID Tokens signed with JOSE algorithms other than RS256 through the --oidc-signing-algs flag. (#58544, @ericchiang)

  • Requests with invalid credentials no longer match audit policy rules where users or groups are set, correcting a problem where authorized requests were getting through. (#59398, @CaoShuFeng)

  • The Stackdriver Metadata Agent addon now includes RBAC manifests, enabling it to watch nodes and pods. (#57455, @kawych)

  • Fix RBAC role for certificate controller to allow cleaning up of Certificate Signing Requests that are Approved and issued or Denied. (#59375, @mikedanese)

  • kube-apiserver: Use of the --admission-control-config-file with a file containing an AdmissionConfiguration apiserver.k8s.io/v1alpha1 config object no longer leads to an error when launching kube-apiserver. (#58439 @liggitt)

  • Default enabled admission plugins are now NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota. Please note that if you previously had not set the --admission-control flag, your cluster behavior may change (to be more standard). (#58684, @hzxuzhonghu)

  • Encryption key and encryption provider rotation now works properly. (#58375, @liggitt)

  • RBAC: The system:kubelet-api-admin cluster role can be used to grant full access to the kubelet API so integrators can grant this role to the --kubelet-client-certificate credential given to the apiserver. (#57128, @liggitt)

  • The DenyEscalatingExec admission controller now checks psp hostNetwork as well as hostIPC and hostPID. hostNetwork is also checked to deny exec/attach. (#56839, @hzxuzhonghu)

  • When using Role-Based Access Control, the "admin", "edit", and "view" roles now have the expected permissions on NetworkPolicy resources, rather than reserving those permissions to only cluster-admin. (#56650, @danwinship)

  • Added docker-logins config to kubernetes-worker charm. (#56217, @Cynerva)

  • Add ability to control primary GID of containers through Pod Spec at Pod level and Per Container SecurityContext level. (#52077)

CLI

  • Use structured generator for kubectl autoscale. (#55913, @wackxu)

  • Allow kubectl to set image|env on a cronjob (#57742, @soltysh)

  • Fixed crash in kubectl cp when path has multiple leading slashes. (#58144, @tomerf)

  • kubectl port-forward now allows using resource name (e.g., deployment/www) to select a matching pod, as well as the use of --pod-running-timeout to wait until at least one pod is running. (#59705, @phsiao)

  • 'cj' has been added as a shortname for CronJobs, as in kubectl get cj (#59499, @soltysh)

  • crds has been added as a shortname for CustomResourceDefinition, as in kubectl get crds (#59061, @nikhita)

  • Fix kubectl explain for resources not existing in default version of API group, such as batch/v1, Kind=CronJob. (#58753, @soltysh)

  • Added the ability to select pods in a chosen node to be drained based on given pod label-selector. (#56864, @juanvallejo)

  • Kubectl explain now prints out the Kind and API version of the resource being explained. (#55689, @luksa)

Cluster Lifecycle

  • The default Kubernetes version for kubeadm is now 1.10. (#61127, @timothysc)

  • The minimum Kubernetes version in kubeadm is now v1.9.0. (#57233, @xiangpengzhao)

  • Fixes a bug in Heapster deployment for google sink. (#57902, @kawych)

  • On cluster provision or upgrade, kubeadm now generates certs and secures all connections to the etcd static-pod with mTLS. This includes the etcd serving cert, the etcd peer cert, and the apiserver etcd client cert. Flags and hostMounts are added to the etcd and apiserver static-pods to load these certs. For connections to etcd, https is now used in favor of http. (#57415, @stealthybox) These certs are also generated on upgrade. (#60385, @stealthybox)

  • Demoted controlplane passthrough flags apiserver-extra-args, controller-manager-extra-args, scheduler-extra-args to alpha flags (#59882, @kris-nova)

  • The new flag --apiserver-advertise-dns-address is used in the node's kubelet.conf to point to the API server, allowing users to define a DNS entry instead of an IP address. (#59288, @stevesloka)

  • The criSocket flag is now usable within the MasterConfiguration and NodeConfiguration manifest files that exist for configuring kubeadm. Before, it only existed as a command line flag and could not be configured when using the --config flag and the manifest files. (#59057, #59292, @JordanFaust)

  • kubeadm init can now omit the tainting of the master node if configured to do so in kubeadm.yaml using noTaintMaster: true. For example, users can create a file with the content:

apiVersion: kubeadm.k8s.io/v1alpha1
kind: MasterConfiguration
kubernetesVersion: v1.9.1
noTaintMaster: true

And point to the file using the --config flag, as in

kubeadm init --config /etc/kubeadm/kubeadm.yaml

(#55479, @ijc)

  • kubeadm: New "imagePullPolicy" option in the init configuration file, that gets forwarded to kubelet static pods to control pull policy for etcd and control plane images. This option allows for precise image pull policy specification for master nodes and thus for more tight control over images. It is useful in CI environments and in environments, where the user has total control over master VM templates (thus, the master VM templates can be preloaded with the required Docker images for the control plane services). (#58960, @rosti)

  • Fixed issue with charm upgrades resulting in an error state. (#59064, @hyperbolic2346)

  • kube-apiserver --advertise-address is now set using downward API for self-hosted Kubernetes with kubeadm. (#56084, @andrewsykim)

  • When using client or server certificate rotation, the Kubelet will no longer wait until the initial rotation succeeds or fails before starting static pods. This makes running self-hosted masters with rotation more predictable. (#58930, @smarterclayton)

  • Kubeadm no longer throws an error for the --cloud-provider=external flag. (#58259, @dims)

  • Added support for network spaces in the kubeapi-load-balancer charm. (#58708, @hyperbolic2346)

  • Added support for network spaces in the kubernetes-master charm. (#58704, @hyperbolic2346)

  • Added support for network spaces in the kubernetes-worker charm. (#58523, @hyperbolic2346)

  • Added support for changing nginx and default backend images to kubernetes-worker config. (#58542, @hyperbolic2346)

  • kubeadm now accepts --apiserver-extra-args, --controller-manager-extra-args and --scheduler-extra-args, making it possible to override / specify additional flags for control plane components. One good example is to deploy Kubernetes with a different admission-control flag on API server. (#58080, @simonferquel)

  • Alpha Initializers have been removed from kubadm admission control. Kubeadm users who still want to use Initializers can use apiServerExtraArgs through the kubeadm config file to enable it when booting up the cluster. (#58428, @dixudx)

  • ValidatingAdmissionWebhook and MutatingAdmissionWebhook are beta, and are enabled in kubeadm by default. (#58255, @dixudx)

  • Add proxy_read_timeout flag to kubeapi_load_balancer charm. (#57926, @wwwtyro)

  • Check for known manifests during preflight instead of only checking for non-empty manifests directory. This makes the preflight checks less heavy-handed by specifically checking for well-known files (kube-apiserver.yaml, kube-controller-manager.yaml, kube-scheduler.yaml, etcd.yaml) in /etc/kubernetes/manifests instead of simply checking for a non-empty directory. (#57287, @mattkelly)

  • PVC Protection alpha feature was renamed to Storage Protection. The Storage Protection feature is beta. (#59052, @pospispa)

  • iSCSI sessions managed by kubernetes will now explicitly set startup.mode to 'manual' to prevent automatic login after node failure recovery. This is the default open-iscsi mode, so this change will only impact users who have changed their startup.mode to be 'automatic' in /etc/iscsi/iscsid.conf. (#57475, @stmcginnis)

  • The IPVS feature gate is now enabled by default in kubeadm, which makes --feature-gates=SupportIPVSProxyMode=true obsolete; it is no longer supported. (#60540, @m1093782566)

GCP

Instrumentation

  • For advanced auditing, audit policy supports subresource wildcard matching, such as "resource/*", "*/subresource", "*". (#55306, @hzxuzhonghu)

  • Auditing is now enabled behind a feature gate in kubeadm. A user can supply their own audit policy via a configuration option, as well as a location for the audit logs. If no policy is supplied, a default policy will be provided. The default policy logs everything at the Metadata level; it is the example provided in the documentation. (#59067, @chuckha)

  • Reduce Metrics Server memory requirement from 140Mi + 4Mi per node to 40Mi + 4Mi per node. (#58391, @kawych)

  • An annotations field has been added to the advanced audit API. (#58806, @CaoShuFeng)

  • Reorganized iptables rules to fix a performance regression on clusters with thousands of services. (#56164, @danwinship)

  • Container runtime daemon (e.g. dockerd) logs in GCE cluster will be uploaded to stackdriver and elasticsearch with tag container-runtime. (#59103, @Random-Liu)

  • Enable prometheus apiserver metrics for custom resources. (#57682, @nikhita)

  • Add apiserver metric for number of requests dropped because of inflight limit, making it easier to figure out on which dimension the master is overloaded. (#58340, @gmarek)

  • The Metrics Server now exposes metrics via the /metric endpoint. These metrics are in the prometheus format. (#57456, @kawych)

  • Reduced the CPU and memory requests for the Metrics Server Nanny sidecar container to free up unused resources. (#57252, @kawych)

  • Enabled log rotation for load balancer's api logs to prevent running out of disk space. (#56979, @hyperbolic2346)

  • Fixed etcd-version-monitor to backward compatibly support etcd 3.1 go-grpc-prometheus metrics format. (#56871, @jpbetz)

Node

  • Summary of Container Runtime changes:

    • [beta] cri-tools: CLI and validation tools for CRI is now v1.0.0-beta.0. This release mainly focused on UX improvements. [@feiskyer]
    • [stable] containerd: containerd v1.1 natively supports CRI v1alpha2 now, so users can use Kubernetes v1.10 with containerd v1.1 directly, without having to use the intermediate cri-containerd daemon. All Kubernetes 1.10 tests passed. [@Random-Liu]
    • [stable] cri-o: cri-o v1.10 updated CRI version to v1alpha2 and made several bug and stability fixes. [@mrunalp]
    • [stable] frakti: frakti v1.10 implemented GCE Persistent Disk as a high performance volume, fixed several bugs, added ARM64 support, and passed all CRI validation conformance tests and node e2e conformance tests. [@resouer]

  • Fixed race conditions around devicemanager Allocate() and endpoint deletion. (#60856, @jiayingz)

  • kubelet initial flag parse now normalizes flags instead of exiting. (#61053, @andrewsykim)

  • Fixed regression where kubelet --cpu-cfs-quota flag did not work when --cgroups-per-qos was enabled (#61294, @derekwaynecarr)

  • Kubelet now supports container log rotation for container runtimes implementing CRI (container runtime interface). The feature can be enabled with feature gate CRIContainerLogRotation. The flags --container-log-max-size and --container-log-max-files can be used to configure the rotation behavior. (#59898, @Random-Liu)

  • Fixed a bug where if an error was returned that was not an autorest.DetailedError we would return "not found", nil which caused nodes to go to NotReady state. (#57484, @brendandburns)

  • HugePages feature is beta, and thus enabled by default. (#56939, @derekwaynecarr)

  • Avoid panic when failing to allocate a Cloud CIDR (aka GCE Alias IP Range). (#58186, @negz)

  • 'none' can now be specified in KubeletConfiguration.EnforceNodeAllocatable (--enforce-node-allocatable) to explicitly disable enforcement. (#59515, @mtaufen)

  • The alpha KubeletConfiguration.ConfigTrialDuration field is no longer available. It can still be set using the dynamic configuration alpha feature. (#59628, @mtaufen)

  • Summary API will include pod CPU and Memory stats for CRI container runtime. (#60328, @Random-Liu)

  • Some field names in the Kubelet's now v1beta1 config API differ from the v1alpha1 API: for example, PodManifestPath is renamed to StaticPodPath, ManifestURL is renamed to StaticPodURL, and ManifestURLHeader is renamed to StaticPodURLHeader. Users should focus on switching to the v1beta1 API. (#60314, @mtaufen)

  • The DevicePlugins feature has graduated to beta, and is now enabled by default; users should focus on moving to the v1beta API if possible. (#60170, @jiayingz)

  • Per-cpu metrics have been disabled by default to improve scalability. (#60106, @dashpole)

  • When the PodShareProcessNamespace alpha feature is enabled, setting pod.Spec.ShareProcessNamespace to true will cause a single process namespace to be shared between all containers in a pod. (#58716, @verb)

  • Resource quotas on extended resources such as GPUs are now supported. (#57302, @lichuqiang)

  • If the TaintNodesByCondition feature gate is enabled, a node will be tainted when it is under PID pressure. (#60008, @k82cn)

  • The Kubelet Summary API will now include total usage of pods through the "pods" SystemContainer. (#57802, @dashpole)

  • vSphere Cloud Provider supports VMs provisioned on vSphere v6.5. (#59519, @abrarshivani)

  • Created k8s.gcr.io image repo alias to pull images from the closest regional repo. Replaces gcr.io/google_containers. (#57824, @thockin)

  • Fix the bug where kubelet in the standalone mode would wait for the update from the apiserver source, even if there wasn't one. (#59276, @roboll)

  • Changes secret, configMap, downwardAPI and projected volumes to mount read-only, instead of allowing applications to write data and then reverting it automatically. Until version 1.11, setting the feature gate ReadOnlyAPIDataVolumes=false will preserve the old behavior. (#58720, @joelsmith)

  • Fixes a bug where kubelet crashes trying to free memory under memory pressure. (#58574, @yastij)

  • New alpha feature limits the number of processes running in a pod. Cluster administrators will be able to place limits by using the new kubelet command line parameter --pod-max-pids. Note that since this is an alpha feature, they will need to enable the SupportPodPidsLimit feature gate. By default, no maximum limit is set. If an administrator wants to enable this, they should set SupportPodPidsLimit=true in the --feature-gates= parameter to kubelet and specify the limit using the --pod-max-pids parameter. The limit set is the total count of all processes running in all containers in the pod. (#57973, @dims)

  • Fixes bug finding master replicas in GCE when running multiple Kubernetes clusters. (#58561, @jesseshieh)

  • --tls-min-version on kubelet and kube-apiserver allows for configuring minimum TLS versions. (#58528, @deads2k)

  • Fix a bug affecting nested data volumes such as secret, configmap, etc. (#57422, @joelsmith)

  • kubelet will no longer attempt to remove images being used by running containers when garbage collecting. (#57020, @dixudx)

  • Allow kubernetes components to react to SIGTERM signal and shutdown gracefully. (#57756, @mborsz)

  • Fixed garbage collection and resource quota issue when the controller-manager uses --leader-elect=false (#57340, @jmcmeek)

  • Fixed issue creating docker secrets with kubectl 1.9 for accessing docker private registries. (#57463, @dims)

  • The CPU Manager feature is now beta, and is enabled by default, but the default policy is no-op so no action is required. (#55977, @ConnorDoyle)

OpenStack

  • Fixed a bug in the OpenStack cloud provider where dual stack deployments (IPv4 and IPv6) did not work well when using kubenet as the network plugin. (#59749, @zioproto)

  • Fixed a bug where the Octavia client was used to query floating IPs (FLIPs). (#59075, @jrperritt)

  • Kubernetes now registers metadata.hostname as node name for OpenStack nodes, eliminating a problem with invalid node names. (#58502, @dixudx)

  • Authentication information for OpenStack cloud provider can now be specified as environment variables. When we convert the OpenStack cloud provider to run in an external process, we can now use the kubernetes Secrets capability to inject the OS_* variables. This way we can specify the cloud configuration as a configmap, and specify secrets for the userid/password information. The configmap is mounted as a file, and the secrets are made available as environment variables. The external controller itself runs as a pod/daemonset. For backward compatibility, we preload all the OS_* variables, and if anything is in the config file, then that overrides the environment variables. (#58300, @dims)

  • Fixed issue when using OpenStack config drive for node metadata. Since we need to run commands such as blkid, we need to ensure that api server and kube controller are running in the privileged mode. (#57561, @dims)

  • Orphaned routes are properly removed from terminated instances. (#56258, @databus23)

  • OpenStack Cinder will now detach properly when Nova is shut down. (#56846, @zetaab)

Scalability

  • Added the ability to limit the increase in apiserver memory usage when audit logging with buffering is enabled. (#61118, @shyamjvs)

  • Upgrade to etcd client 3.2.13 and grpc 1.7.5 to improve HA etcd cluster stability. (#57480, @jpbetz)

Storage

  • Fixes CVE-2017-1002101 - See https://issue.k8s.io/60813 for details on this major security fix. (#61044, @liggitt)

  • Fixed missing error checking that could cause kubelet to crash in a race condition. (#60962, @technicianted)

  • Fixed a regression that prevented using subPath volume mounts with secret, configMap, projected, and downwardAPI volumes. (#61080, @liggitt)

  • Kubernetes now supports CephFS FUSE mounts. (#55866, @zhangxiaoyu-zidif)

  • Use GiB unit for creating and resizing volumes for Glusterfs. (#56581, @gnufied)

  • Added support for the Block Volume type to the rbd plugin. (#56651, @sbezverk)

  • Add FSType for CSI volume source to specify filesystems (alpha defaults to ext4). (#58209, @NickrenREN)

  • Enabled File system resize of mounted volumes. (#58794, @gnufied)

  • The Local Volume Plugin has been updated to support Block volumeMode PVs. With this change, it is now possible to create local volume PVs for raw block devices. (#59303, @dhirajh)

  • Fixed an issue where Portworx volume driver wasn't passing namespace and annotations to the Portworx Create API. (#59607, @harsh-px)

  • Addressed breaking changes introduced by new 0.2.0 release of CSI spec. Specifically, csi.Version was removed from all API calls and ControllerProbe and NodeProbe were consolidated into a single Probe API call. (#59209, @sbezverk)

  • GCE PD volume plugin now supports block volumes. (#58710, @screeley44)

  • Implemented MountDevice and UnmountDevice for the CSI Plugin; these functions call through to NodeStageVolume/NodeUnstageVolume for CSI plugins. (#60115, @davidz627)

  • The LocalStorageCapacityIsolation feature is beta and enabled by default. The LocalStorageCapacityIsolation feature added a new resource type ResourceEphemeralStorage "ephemeral-storage" so that this resource can be allocated, limited, and consumed in the same way as CPU/memory. All the features related to resource management (resource request/limit, quota, limitrange) are available for local ephemeral storage. This local ephemeral storage represents the storage for the root file system, which will be consumed by containers' writable layer and logs. Some volumes such as emptyDir might also consume this storage. (#60159, @jingxu97)

  • VolumeScheduling and LocalPersistentVolume features are beta and enabled by default. The PersistentVolume NodeAffinity alpha annotation is deprecated and will be removed in a future release. (#59391, @msau42)

  • K8s now supports rbd-nbd for Ceph rbd volume mounts. (#58916, @ianchakeres)

  • CSI now allows credentials to be specified on CreateVolume/DeleteVolume, ControllerPublishVolume/ControllerUnpublishVolume, and NodePublishVolume/NodeUnpublishVolume operations. Before this change, all API calls had to fetch the key/value stored in a secret and use it to authenticate/authorize these operations. With this change, API calls receive the key/value as an input parameter, so they do not need to know where and how credentials were stored and fetched. The main goal was to make these API calls CO (Container Orchestrator) agnostic. (#60118, @sbezverk)

  • StorageOS volume plugin has been updated to support mount options and environments where the kubelet runs in a container and the device location should be specified. (#58816, @croomes)

  • Get the parent dir via the canonical absolute path when determining whether a path is a mount point, fixing a problem that caused an NFS volume with improper permissions to get stuck in TERMINATING status. (#58433, @yue9944882)

  • Clusters with GCE feature 'DiskAlphaAPI' enabled can now dynamically provision GCE PD volumes. (#59447, @verult)

  • Added keyring parameter for Ceph RBD provisioner. (#58287, @madddi)

  • Added xfsprogs to hyperkube container image. (#56937, @redbaron)

  • Improved messages user gets during and after volume resizing is done, providing a clear message to the user explaining what to do when resizing is finished. (#58415, @gnufied)

  • MountPropagation feature is now beta. As a consequence, all volume mounts in containers are now "rslave" on Linux by default. To make this default work in all Linux environments, you should have the entire mount tree marked as shareable via "mount --make-rshared /". All Linux distributions that use systemd already have the root directory mounted as rshared and hence need not do anything. In Linux environments without systemd, we recommend running "mount --make-rshared /" during boot, before docker is started. (#59252, @jsafrane)
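A practitioner will want to verify the precondition the note above states (the host mount tree marked shared) before relying on the new "rslave" default. The following Python script is an added example, not part of the Kubernetes release notes or of the kubelet: it parses the /proc/<pid>/mountinfo format documented in proc(5), reports whether "/" is in a peer group, and lists mounts that are not shared. The two mountinfo samples are constructed by hand; check_host() reads the live table of the current mount namespace.

```python
"""Check that a Linux host's mount tree is shared, as the MountPropagation note requires
("mount --make-rshared /").  Added example, not part of the Kubernetes release notes or the
kubelet; parses the /proc/<pid>/mountinfo format from proc(5). Sample lines are constructed."""
import re
from typing import Any, Dict, List

# mountinfo escapes spaces, tabs, newlines and backslashes in paths as octal (\040 etc.).
_OCTAL = re.compile(r"\\([0-7]{3})")


def _unescape(path: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), path)


def parse_mountinfo(text: str) -> List[Dict[str, Any]]:
    """Parse mountinfo lines. Layout (proc(5)):
    id parent major:minor root mountpoint options [optional fields ...] - fstype source superopts
    The optional fields carry the propagation state: "shared:N" marks a mount that propagates
    to peer group N, "master:N" marks a slave receiving from group N; neither means private."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        head, sep, tail = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        fields = head.split()
        if len(fields) < 6:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        peer_group = master_group = None
        for opt in fields[6:]:
            tag, _, value = opt.partition(":")
            if tag == "shared":
                peer_group = int(value)
            elif tag == "master":
                master_group = int(value)
        fs = tail.split()
        mounts.append({
            "id": int(fields[0]),
            "parent": int(fields[1]),
            "mountpoint": _unescape(fields[4]),
            "fstype": fs[0] if fs else "",
            "shared": peer_group is not None,
            "peer_group": peer_group,
            "master_group": master_group,
        })
    return mounts


def root_is_shared(mounts: List[Dict[str, Any]]) -> bool:
    """True when "/" is in a peer group, which is what "mount --make-rshared /" (or systemd) produces."""
    return any(m["mountpoint"] == "/" and m["shared"] for m in mounts)


def unshared_mountpoints(mounts: List[Dict[str, Any]]) -> List[str]:
    """Mounts that are not shared: an rslave container mount placed under one of these cannot
    receive mounts made later on the host, which is the failure this check surfaces."""
    return [m["mountpoint"] for m in mounts if not m["shared"]]


def check_host(path: str = "/proc/self/mountinfo") -> Dict[str, Any]:
    """Read the live mount table of the current mount namespace and summarise it."""
    with open(path, encoding="utf-8") as fh:
        mounts = parse_mountinfo(fh.read())
    return {"root_shared": root_is_shared(mounts), "unshared": unshared_mountpoints(mounts)}


# Constructed samples: a systemd-style host where everything is shared, and a host booted
# without systemd where the root tree is still private (only an NFS slave mount is propagated).
SAMPLE_SHARED = (
    "22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw\n"
    "23 22 0:21 / /proc rw,nosuid shared:2 - proc proc rw\n"
    "45 22 8:2 / /var/lib/kubelet rw,relatime shared:30 - ext4 /dev/sda2 rw\n"
    "46 22 8:3 / /mnt/data\\040disk rw,relatime shared:31 - xfs /dev/sdb1 rw\n"
)
SAMPLE_PRIVATE = (
    "22 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw\n"
    "45 22 8:2 / /var/lib/kubelet rw,relatime - ext4 /dev/sda2 rw\n"
    "60 45 0:40 / /var/lib/kubelet/pods/p1/volumes/kubernetes.io~nfs/data rw master:5 - nfs4 10.0.0.5:/export rw\n"
)

if __name__ == "__main__":
    for name, sample in (("shared", SAMPLE_SHARED), ("private", SAMPLE_PRIVATE)):
        mounts = parse_mountinfo(sample)
        print(name, "root shared:", root_is_shared(mounts), "unshared:", unshared_mountpoints(mounts))
```

Run check_host() on a node to see the live result; on a host where root_shared is False, the "mount --make-rshared /" step from the note is the fix, and the unshared list shows which subtrees would otherwise miss propagated mounts.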

  • Volume metrics support for vSphere Cloud Provider has been added. You can now monitor available space, capacity, and used space on volumes created using vSphere. (#59328, @divyenpatel)

  • Emit number of bound and unbound persistent volumes as Metrics. This PR adds four kinds of Volume Metrics for kube-controller-manager: bound PVC numbers, unbound PVC numbers, bound PV numbers and unbound PV numbers. The PVC metrics use namespace as dimension and the PV metrics use StorageClassName as its dimension. With these metrics we can better monitor the use of volumes in the cluster. (#57872, @mlmhl)

  • Add windows config to Kubelet CRI so that WindowsContainerResources can be managed. (#57076, @feiskyer)

  • PersistentVolumes that are bound to a PersistentVolumeClaim will not be deleted. (#58743, @NickrenREN)

  • The VolumeAttachment API is now available as V1beta1, and is enabled by default. The Alpha API is deprecated and will be removed in a future release. (#58462, @NickrenREN)

  • Add storage-backend configuration option to kubernetes-master charm. (#58830, @wwwtyro)

  • Fixed dynamic provisioning of GCE PDs to round to the next GB (base 1000) instead of GiB (base 1024). (#56600, @edisonxiang)

  • PersistentVolume flexVolume sources can now reference secrets in a namespace other than the PersistentVolumeClaim's namespace. (#56460, @liggitt)

Windows

  • kubelet and kube-proxy can now be run as native Windows services. (#60144, @alinbalutoiu)

  • WindowsContainerResources is set now for windows containers. (#59333, @feiskyer)

  • Disable mount propagation for windows containers (because it is not supported by the OS). (#60275, @feiskyer)

  • Fix image file system stats for windows nodes. (#59743, @feiskyer)

  • Kubernetes will now return an error if New-SmbGlobalMapping failed when mounting an azure file on Windows. (#59540, @andyzhangx)

  • Kubernetes now uses the more reliable GlobalMemoryStatusEx to get total physical memory on windows nodes. (#57124, @JiangtianLi)

  • Windows containers now support experimental Hyper-V isolation by setting the annotation experimental.windows.kubernetes.io/isolation-type=hyperv and the HyperVContainer feature gate. At the moment this function only supports one container per pod. (#58751, @feiskyer)

  • Get windows kernel version directly from registry rather than windows.getVersion(). (#58498, @feiskyer)

  • Fixed controller manager crash when using mixed case names in a vSphere cloud provider environment. (#57286, @rohitjogvmw)

  • Flexvolume is now enabled on Windows nodes. (#56921, @andyzhangx)

Autoscaling

  • getSubnetIDForLB() now returns the subnet ID rather than the network ID. (#58208, @FengyunPan)

  • kubectl scale can now scale any resource (kube, CRD, aggregate) conforming to the standard scale endpoint. (#58298, @p0lyn0mial)

  • Cluster Autoscaler has been updated to Version 1.2.0, which includes fixes around GPUs and base image change. See https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.2.0 for details. (#60842, @mwielgus)

  • Allows HorizontalPodAutoscaler to use global metrics not associated with any Kubernetes object (for example metrics from a hosting service running outside of the Kubernetes cluster). (#60096, @MaciekPytel)

  • fluentd-gcp resources can be modified via a ScalingPolicy. (#59657, @x13n)

  • Added anti-affinity to kube-dns pods. Otherwise the "no single point of failure" setting doesn't actually work (a single node failure can still take down the entire cluster). (#57683, @vainu-arto)

API-Machinery

  • Fixed webhooks to use the scheme provided in clientConfig, instead of defaulting to http. (#60943, @jennybuckley)

  • The webhook admission controller in a custom apiserver now works off-the-shelf. (#60995, @caesarxuchao)

  • Upgrade the default etcd server version to 3.1.12 to pick up the critical etcd fix for the mvcc "unsynced" watcher restore operation. (#60998, @jpbetz)

  • Fixed bug allowing garbage collector to enter a broken state that could only be fixed by restarting the controller-manager. (#61201, @jennybuckley)

  • kube-apiserver: The external hostname no longer uses the cloud provider API to select a default. It can be set explicitly using --external-hostname, if needed. If there is no default, AdvertiseAddress or os.Hostname() will be used, in that order. (#56812, @dims)

  • Custom resources can be listed with a set of grouped resources (category) by specifying the categories in the CustomResourceDefinition spec. Example: They can be used with kubectl get important, where important is a category. (#59561, @nikhita)

  • Fixed an issue making it possible to create a situation in which two webhooks make it impossible to delete each other. ValidatingWebhooks and MutatingWebhooks will not be called on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects in the admissionregistration.k8s.io group. (#59840, @jennybuckley)

  • Fixed potential deadlock when deleting CustomResourceDefinition for custom resources with finalizers. (#60542, @liggitt)

  • A buffered audit backend can be used with other audit backends. (#60076, @crassirostris)

  • Introduced --http2-max-streams-per-connection command line flag on api-servers and set default to 1000 for aggregated API servers. (#60054, @MikeSpreitzer)

  • The apiserver backed by etcdv3 now exports a metric showing the number of resources per kind. (#59757, @gmarek)

  • Add kubectl create job --from-cronjob command. (#60084, @soltysh)

  • /status and /scale subresources have been added for custom resources. See kubernetes/kubernetes#55168 for more details. (#55168, @nikhita)

  • Restores the ability of older clients to delete and scale jobs with initContainers. (#59880, @liggitt)

  • Fixed a race condition causing apiserver crashes during etcd healthchecking. (#60069, @wojtek-t)

  • Fixed a race condition in k8s.io/client-go/tools/cache.SharedInformer that could violate the sequential delivery guarantee and cause panics on shutdown in Kubernetes 1.8.* and 1.9.*. (#59828, @krousey)

  • Add automatic etcd 3.2->3.1 and 3.1->3.0 minor version rollback support to gcr.io/google_container/etcd images. For HA clusters, all members must be stopped before performing a rollback. (#59298, @jpbetz)

  • The meta.k8s.io/v1alpha1 objects for retrieving tabular responses from the server (Table) or fetching just the ObjectMeta for an object (as PartialObjectMetadata) are now beta as part of meta.k8s.io/v1beta1, and configurations must be changed to use the new API. Clients may request alternate representations of normal Kubernetes objects by passing an Accept header like application/json;as=Table;g=meta.k8s.io;v=v1beta1 or application/json;as=PartialObjectMetadata;g=meta.k8s.io;v=v1beta1. Older servers will ignore this representation or return an error if it is not available. Clients may request fallback to the normal object by adding a non-qualified mime-type to their Accept header like application/json; the server will then respond with either the alternate representation if it is supported, or the fallback mime-type, which is the normal object response. (#59059, @smarterclayton)
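The content negotiation just described has two sides a client must handle: building the Accept header with a fallback, and being ready for either the Table or the plain list in the response. The following Python script is an added example, not part of the Kubernetes release notes or of any Kubernetes client library: accept_header() builds the header, negotiate() models the server rule stated in the note (alternate representation if supported, else the unqualified fallback type, else an error), and table_rows()/object_names() consume both response shapes. The sample responses are constructed by hand.

```python
"""Build the Accept header for the meta.k8s.io/v1beta1 Table representation and consume either
the Table response or the plain-object fallback. Added example, not part of the Kubernetes
release notes or of any Kubernetes client library; negotiate() models the server rule the note
states, and the sample responses are constructed."""
import json
from typing import Any, Dict, List, Optional, Sequence, Tuple

# (as, g, v) triples naming the alternate representations the note introduces.
TABLE = ("Table", "meta.k8s.io", "v1beta1")
PARTIAL_OBJECT_METADATA = ("PartialObjectMetadata", "meta.k8s.io", "v1beta1")


def accept_header(representation: Tuple[str, str, str], fallback: bool = True) -> str:
    """Qualified media type for the alternate representation, optionally followed by the
    unqualified application/json that lets an older server answer with the normal object."""
    kind, group, version = representation
    value = f"application/json;as={kind};g={group};v={version}"
    if fallback:
        value += ", application/json"
    return value


def _parse_accept(accept: str) -> List[Tuple[str, Dict[str, str]]]:
    entries = []
    for item in accept.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts:
            continue
        params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        entries.append((parts[0], params))
    return entries


def negotiate(accept: str, server_supports: Sequence[Tuple[str, str, str]]) -> Optional[str]:
    """Content type a server would answer with: the first requested alternate representation
    it supports, otherwise the first unqualified (fallback) type. None models the error an
    older server returns when only an unsupported representation was asked for."""
    for media_type, params in _parse_accept(accept):
        if "as" not in params:
            return media_type
        wanted = (params["as"], params.get("g", ""), params.get("v", ""))
        if wanted in server_supports:
            return f"{media_type};as={wanted[0]};g={wanted[1]};v={wanted[2]}"
    return None


def table_rows(table: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten a Table into {column name: cell} dicts, checking each row against columnDefinitions."""
    if table.get("kind") != "Table":
        raise ValueError(f"expected kind Table, got {table.get('kind')!r}")
    names = [col["name"] for col in table.get("columnDefinitions", [])]
    rows = []
    for row in table.get("rows", []):
        cells = row.get("cells", [])
        if len(cells) != len(names):
            raise ValueError("row has %d cells for %d columns" % (len(cells), len(names)))
        rows.append(dict(zip(names, cells)))
    return rows


def object_names(payload: Dict[str, Any]) -> List[str]:
    """Handle both shapes a client must expect: the Table, or the normal list the server
    falls back to when it does not support Table."""
    if payload.get("kind") == "Table":
        return [row["Name"] for row in table_rows(payload)]
    return [item["metadata"]["name"] for item in payload.get("items", [])]


# Constructed sample responses for GET /api/v1/namespaces/default/pods.
SAMPLE_TABLE = json.loads("""
{"kind": "Table", "apiVersion": "meta.k8s.io/v1beta1",
 "metadata": {"resourceVersion": "1234"},
 "columnDefinitions": [
   {"name": "Name", "type": "string", "format": "name", "description": "Pod name", "priority": 0},
   {"name": "Ready", "type": "string", "format": "", "description": "Ready containers", "priority": 0},
   {"name": "Status", "type": "string", "format": "", "description": "Pod phase", "priority": 0}],
 "rows": [
   {"cells": ["web-0", "1/1", "Running"],
    "object": {"kind": "PartialObjectMetadata", "apiVersion": "meta.k8s.io/v1beta1",
               "metadata": {"name": "web-0", "namespace": "default"}}},
   {"cells": ["web-1", "0/1", "Pending"],
    "object": {"kind": "PartialObjectMetadata", "apiVersion": "meta.k8s.io/v1beta1",
               "metadata": {"name": "web-1", "namespace": "default"}}}]}
""")
SAMPLE_FALLBACK = {"kind": "PodList", "apiVersion": "v1",
                   "items": [{"metadata": {"name": "web-0", "namespace": "default"}},
                             {"metadata": {"name": "web-1", "namespace": "default"}}]}

if __name__ == "__main__":
    header = accept_header(TABLE)
    print(header)
    print("new server answers:", negotiate(header, [TABLE, PARTIAL_OBJECT_METADATA]))
    print("old server answers:", negotiate(header, []))
    print(object_names(SAMPLE_TABLE), object_names(SAMPLE_FALLBACK))
```

The point of keeping object_names() shape-agnostic is that a client sending the qualified Accept header must still parse whatever comes back; dropping the fallback type (fallback=False) is only safe once every server the client talks to is at least 1.10.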

  • kube-apiserver now uses SSH tunnels for webhooks if the webhook is not directly routable from apiserver's network environment. (#58644, @yguo0905)

  • Access to externally managed IP addresses via the kube-apiserver service proxy subresource is no longer allowed by default. This can be re-enabled via the ServiceProxyAllowExternalIPs feature gate, but will be disallowed completely in 1.11. (#57265, @brendandburns)

  • The apiregistration.k8s.io (aggregation) API is now generally available. Users should transition from the v1beta1 API to the v1 API. (#58393, @deads2k)

  • Fixes an issue where the resourceVersion of an object in a DELETE watch event was not the resourceVersion of the delete itself, but of the last update to the object. This could disrupt the ability of clients to re-establish watches properly. (#58547, @liggitt)

  • kube-apiserver: requests to endpoints handled by unavailable extension API servers (as indicated by an Available condition of false in the registered APIService) now return 503 errors instead of 404 errors. (#58070, @weekface)

  • Custom resources can now be submitted to and received from the API server in application/yaml format, consistent with other API resources. (#58260, @liggitt)

Network

  • Fixed kube-proxy to work correctly with iptables 1.6.2 and later. (#60978, @danwinship)

  • Makes the kube-dns addon optional so that users can deploy their own DNS solution. (#57113, @wwwtyro)

  • kubectl port-forward now supports specifying a service to port forward to, as in kubectl port-forward svc/myservice 8443:443. Additional support has also been added for looking up targetPort for a service, as well as enabling using svc/name to select a pod. (#59809, @phsiao)

  • Make NodePort IP addresses configurable. (#58052, @m1093782566)

  • Fixed the issue in kube-proxy iptables/ipvs mode to properly handle incorrect IP version. (#56880, @MrHohn)

  • Kubeadm: CoreDNS supports migration of the kube-dns configuration to CoreDNS configuration when upgrading the service discovery from kube-dns to CoreDNS as part of Beta. (#58828, @rajansandeep)

  • Adds BETA support for the DNSConfig field in PodSpec and DNSPolicy=None, so a configurable pod resolv.conf is now enabled by default. (#59771, @MrHohn)

  • Removed some redundant rules created by the iptables proxier to improve performance on systems with very many services. (#57461, @danwinship)

  • Fix an issue where port forwarding doesn't forward local TCP6 ports to the pod. (#57457, @vfreex)

  • Correctly handle transient connection reset errors on GET requests from client library. (#58520, @porridge)

  • GCE: Allows existing internal load balancers to continue using a subnetwork that may have been wrongfully chosen due to a bug choosing subnetworks on automatic networks. (#57861, @nicksardo)

Azure

  • Set node external IP for azure node when disabling UseInstanceMetadata. (#60959, @feiskyer)

  • Changed default azure file/dir mode to 0755. (#56551, @andyzhangx)

  • Fixed azure file plugin failure issue on Windows after node restart. (#60625, @andyzhangx) (#60623, @feiskyer)

  • Fixed race condition issue when detaching azure disk, preventing Multi-Attach errors when scheduling one pod from one node to another. (#60183, @andyzhangx)

  • Add AzureDisk support for vmss nodes. (#59716, @feiskyer)

  • Map correct vmset name for Azure internal load balancers. (#59747, @feiskyer)

  • Node's providerID will now follow the Azure resource ID format (azure:///subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.Compute/virtualMachines/<node-name> rather than azure://d84a1c30-0c9f-11e8-8a34-000d3a919531) when useInstanceMetadata is enabled. (#59539, @feiskyer)

  • Azure public IP is now correctly removed after a service is deleted. (#59340, @feiskyer)

  • Added PV size grow feature for azure filesystems. (#57017, @andyzhangx)

  • Ensured IP is set for Azure internal load balancer. (#59083, @feiskyer)

  • Set fsGroup by securityContext.fsGroup in azure file. However, if a user sets both gid=xxx in mountOptions in the azure storage class and securityContext.fsGroup, the gid=xxx setting in mountOptions takes precedence. (#58316, @andyzhangx)

  • If an Azure disk is not found, K8s will immediately detach it. (#58345, @rootfs)

  • Instrumented the Azure cloud provider for Prometheus monitoring. (#58204, @cosmincojocar)

  • Fixed device name change issues for azure disk. (#57953, @andyzhangx) (#57549, @andyzhangx)

  • Support multiple scale sets in Azure cloud provider. (#57543, @feiskyer)

  • Support LoadBalancer for Azure Virtual Machine Scale Sets. (#57131, @feiskyer)

  • Fixed incorrect error info when creating an azure file PVC failed. (#56550, @andyzhangx)

  • Added mount options support for azure disk. For example:

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: hdd
provisioner: kubernetes.io/azure-disk
mountOptions:
  - barrier=1
  - acl
parameters:
  skuname: Standard_LRS
  kind: Managed
  fstype: ext3

(#56147, @andyzhangx)

Scheduling

  • Fixed a bug in the scheduler cache by using the Pod UID as the cache key instead of namespace/name. (#61069, @anfernee)

  • When TaintNodesByCondition is enabled, the node.kubernetes.io/unschedulable:NoSchedule taint is added. (#61161, @k82cn)

  • kube-scheduler: Support extender managed extended resources in kube-scheduler. (#60332, @yguo0905)

  • Updated priority of mirror pod according to PriorityClassName. (#58485, @k82cn)

  • kube-scheduler: restores the default leader election behavior; the --leader-elect command line parameter now defaults to true. (#60524, @dims)

  • All pods with priorityClassName system-node-critical and system-cluster-critical will be critical pods while preserving backwards compatibility. (#58835, @ravisantoshgudimetla)

  • Priority admission controller picks a global default with the lowest priority value if more than one such default PriorityClass exists. (#59991, @bsalamat)

  • Disallow PriorityClass names with 'system-' prefix for user defined priority classes. (#59382, @bsalamat)

  • kube-scheduler: Use default predicates/prioritizers if they are unspecified in the policy config. (#59363, @yguo0905)

  • Scheduler should be able to read from config file if configmap is not present. (#59386, @ravisantoshgudimetla)

  • Add apiserver metric for current inflight-request usage. (#58342, @gmarek)

  • Stability: Make Pod delete event handling of scheduler more robust. (#58712, @bsalamat)

  • Allow the scheduler to set AlwaysCheckAllPredicates; short-circuiting the remaining predicates when one predicate fails can greatly improve scheduling performance. (#56926, @wgliang)

  • GCE: support passing kube-scheduler policy config via SCHEDULER_POLICY_CONFIG. This allows us to specify a customized scheduler policy configuration. (#57425, @yguo0905)

  • Returns an error for non-overcommittable resources if they don't have the limit field set in the container spec, to prevent users from creating invalid configurations. (#57170, @jiayingz)

  • GCE: Fixed ILB creation on automatic networks with manually created subnetworks. (#57351, @nicksardo)

  • Multiple performance improvements to the MatchInterPodAffinity predicate. (#57476, @misterikkit) (#57477, @misterikkit)

  • The calico-node addon tolerates all NoExecute and NoSchedule taints by default. So Calico components can even be scheduled on tainted nodes. (#57122, @caseydavenport)

  • The scheduler skips pods that use a PVC that either does not exist or is being deleted. (#55957, @jsafrane)

Other changes

  • Updated dashboard version to v1.8.3, which keeps auto-generated certs in memory. (#57326, @floreks)

  • fluentd-gcp addon: Fixed bug with reporting metrics in event-exporter. (#60126, @serathius)

  • Avoid hook errors when effecting label changes on kubernetes-worker charm. (#59803, @wwwtyro)

  • Fixed charm issue where docker login would run prior to daemon options being set. (#59396, @kwmonroe)

  • Implementers of the cloud provider interface will note the addition of a context to this interface. Trivial code modification will be necessary for a cloud provider to continue to compile. (#59287, @cheftako)

  • Added configurable etcd quota backend bytes in GCE. (#59259, @wojtek-t)

  • GCP: allow a master to not include a metadata concealment firewall rule (if it's not running the metadata proxy). (#58104, @ihmccreery)

  • Fixed issue with kubernetes-worker option allow-privileged not properly handling the value True with a capital T. (#59116, @hyperbolic2346)

  • Controller-manager --service-sync-period flag has been removed. (It was never used in the code and should have no user impact.) (#59359, @khenidak)

  • [fluentd-gcp addon] Switch to the image provided by Stackdriver. The Stackdriver Logging Agent container image uses fluentd v0.14.25. (#59128, @bmoyles0117)

Non-user-facing Changes

  • CRI now uses the mount point as the image filesystem identifier instead of the UUID. (#59475, @Random-Liu)

  • GCE: support Cloud TPU API in cloud provider. (#58029, @yguo0905)

  • kubelet now notifies systemd that it has finished starting, if systemd is available and running. (#60654, @dcbw)

  • Do not count failed pods as unready in HPA controller. (#60648, @bskiba)

  • Fixed foreground deletion of podtemplates. (#60683, @nilebox)

  • Conformance tests are added for the DaemonSet kinds in the apps/v1 group version. Deprecated versions of DaemonSet will not be tested for conformance, and conformance is only applicable to release 1.10 and later. (#60456, @kow3ns)

  • Log audit backend can now be configured to perform batching before writing events to disk. (#60237, @crassirostris)

  • New conformance tests added for the Garbage Collector (#60116, @jennybuckley)

  • Fixes a bug where character devices are not recognized by the kubelet. (#60440, @andrewsykim)

  • StatefulSet in apps/v1 is now included in Conformance Tests. (#60336, @enisoc)

  • dockertools: disable memory swap on Linux. (#59404, @ohmystack)

  • Increase timeout of integration tests. (#60458, @jennybuckley)

  • Force node name lowercase when generating static pod names. (#59849, @yue9944882)

  • Fix device name change issue for azure disk. (#60346, @andyzhangx)

  • Additional changes to iptables kube-proxy backend to improve performance on clusters with very large numbers of services. (#60306, @danwinship)

  • Add spelling checking script. (#59463, @dixudx)

  • Use consts as predicate name in handlers. (#59952, @resouer)

  • Fix instanceID for vmss nodes. (#59857, @feiskyer)

  • Increase allowed lag for ssh key sync loop in tunneler to allow for one failure. (#60068, @wojtek-t)

  • Set an upper bound (5 minutes) on how long the Kubelet will wait before exiting when the client cert from disk is missing or invalid. This prevents the Kubelet from waiting forever without attempting to bootstrap a new client credentials. (#59316, @smarterclayton)

  • Add ipset binary for IPVS to hyperkube docker image. (#57648, @Fsero)

  • Make sure the CSI E2E test runs on a local cluster. (#60017, @sbezverk)

  • Fix kubelet PVC stale metrics. (#59170, @cofyc)

  • Separate current ARM rate limiter into read/write. (#59830, @khenidak)

  • Improve control over how the ARM rate limiter is used within the Azure cloud provider, and add a generic cache for Azure VM/LB/NSG/RouteTable. (#59520, @feiskyer)

  • Fix typo. (#59619, @jianliao82)

  • DaemonSet, Deployment, ReplicaSet, and StatefulSet objects are now persisted in etcd in apps/v1 format. (#58854, @liggitt)

  • YAMLDecoder Read now tracks the rest of the buffer on io.ErrShortBuffer. (#58817, @karlhungus)

  • Prevent kubelet from getting wedged if initialization of modules returns an error. (#59020, @brendandburns)

  • Fixed a race condition inside kubernetes-worker that would result in a temporary error situation. (#59005, @hyperbolic2346)

  • Fix regression in the CRI: do not add a default hostname on short image names. (#58955, @runcom)

  • Use the containing API group when resolving a shortname from discovery. (#58741, @dixudx)

  • Remove spaces from kubectl describe hpa output. (#56331, @shiywang)

  • fluentd-es addon: multiline stacktraces are now grouped into one entry automatically. (#58063, @monotek)

  • Default scheduler code is moved out of the plugin directory. (#57852, @misterikkit)

  • CDK nginx ingress is now handled via a daemon set. (#57530, @hyperbolic2346)

  • Move local PV negative scheduling tests to integration. (#57570, @sbezverk)

  • Only create Privileged PSP binding during e2e tests if RBAC is enabled. (#56382, @mikkeloscar)

  • Ignore nonexistent network namespace file errors when deleting a container network, in case of a retry. (#57697, @dixudx)

  • Use old dns-ip mechanism with older cdk-addons. (#57403, @wwwtyro)

  • Retry 'connection refused' errors when setting up clusters on GCE. (#57394, @mborsz)

  • YAMLDecoder Read now returns the number of bytes read. (#57000, @sel)

  • Drop hacks used for the Mesos integration that was already removed from the main kubernetes repository. (#56754, @dims)

  • Compare correct file names for volume detach operation. (#57053, @prashima)

  • Fixed documentation typo in IPVS README. (#56578, @shift)

  • The ConfigOK node condition has been renamed to KubeletConfigOk. (#59905, @mtaufen)

  • Adding pkg/kubelet/apis/deviceplugin/v1beta1 API. (#59588, @jiayingz)

  • Fixes volume predicate handler for equiv class (#59335, @resouer)

  • Bugfix: vSphere Cloud Provider (VCP) does not need any special service account anymore. (#59440, @rohitjogvmw)

  • Fix the error-prone account creation method of blob disk. (#59739, @andyzhangx)

  • Updated kubernetes-worker to request new security tokens when the aws cloud provider changes the registered node name. (#59730, @hyperbolic2346)

  • Pod priority can be specified in PodSpec even when the feature is disabled, but it will be effective only when the feature is enabled. (#59291, @bsalamat)

  • Add generic cache for Azure VMSS. (#59652, @feiskyer)

  • Fix the azure file PVC creation failure if there is no storage account in the current resource group. (#56557, @andyzhangx)

  • Implement envelope service with gRPC, so that KMS providers can be pulled out from API server. (#55684, @wu-qiang)

  • Enable golint for pkg/scheduler and fix the golint errors in it. (#58437, @tossmilestone)

  • Ensure equiv hash calculation is per schedule (#59245, @resouer)

  • Upped the timeout for apiserver communication in the juju kubernetes-worker charm. (#59219, @hyperbolic2346)

  • kubeadm init: skip checking cri socket in preflight checks (#58802, @dixudx)

  • Configurable etcd compaction frequency in GCE (#59106, @wojtek-t)

  • Fixed a bug which caused the apiserver reboot failure in the presence of malfunctioning webhooks. (#59073, @caesarxuchao)

  • GCE: Apiserver uses InternalIP as the most preferred kubelet address type by default. (#59019, @MrHohn)

  • CRI: Add a call to reopen log file for a container. (#58899, @yujuhong)

  • The alpha KubeletConfigFile feature gate has been removed, because it was redundant with the Kubelet's --config flag. It is no longer necessary to set this gate to use the flag. The --config flag is still considered alpha. (#58978, @mtaufen)

  • Fixing extra_sans option on master and load balancer. (#58843, @hyperbolic2346)

  • Ensure config has been created before attempting to launch ingress. (#58756, @wwwtyro)

  • Support metrics API in kubectl top commands. (#56206, @brancz)

  • Bump GCE metadata proxy to v0.1.9 to pick up security fixes. (#58221, @ihmccreery)

  • "ExternalTrafficLocalOnly" has been removed from feature gate. It has been a GA feature since v1.7. (#56948, @MrHohn)

  • feat(fakeclient): push event on watched channel on add/update/delete (#57504, @yue9944882)

  • Fixes a possible deadlock preventing quota from being recalculated (#58107, @ironcladlou)

  • Bump metadata proxy version to v0.1.7 to pick up security fix. (#57762, @ihmccreery)

  • The kubelet uses a new release 3.1 of the pause container with the Docker runtime. This version will clean up orphaned zombie processes that it inherits. (#57517, @verb)

  • Add cache for VM get operation in azure cloud provider (#57432, @karataliu)

  • Configurable liveness probe initial delays for etcd and kube-apiserver in GCE (#57749, @wojtek-t)

  • Fixed garbage collection hang (#57503, @liggitt)

  • Improve scheduler performance of MatchInterPodAffinity predicate. (#57478, @misterikkit)

  • Add the path '/version/' to the system:discovery cluster role. (#57368, @brendandburns)

  • Add predicate ordering for the Kubernetes scheduler. (#57168, @yastij)

  • Fix ipvs proxier nodeport eth assumption (#56685, @m1093782566)

  • Fix Heapster configuration and Metrics Server configuration to enable overriding default resource requirements. (#56965, @kawych)

  • Improved event generation in volume mount, attach, and extend operations (#56872, @davidz627)

  • Remove ScrubDNS interface from cloudprovider. (#56955, @feiskyer)

  • Fixed a garbage collection race condition where objects with ownerRefs pointing to cluster-scoped objects could be deleted incorrectly. (#57211, @liggitt)

  • The apiserver provides specific events when unable to repair a service cluster IP or node port (#54304, @frodenas)

  • Delete the useless containerized params (#56146, @jiulongzaitian)

  • dockershim now makes an Image's Labels available in the Info field of ImageStatusResponse (#58036, @shlevy)

  • Support GetLabelsForVolume in OpenStack Provider (#58871, @edisonxiang)

  • Add "nominatedNodeName" field to PodStatus. This field is set when a pod preempts other pods on the node. (#58990, @bsalamat)

  • Fix the PersistentVolumeLabel controller from initializing the PV labels when it's not the next pending initializer. (#56831, @jhorwit2)

  • Rename StorageProtection to StorageObjectInUseProtection (#59901, @NickrenREN)

  • Add support for cloud-controller-manager in local-up-cluster.sh (#57757, @dims)

  • GCE: A role and clusterrole will now be provided with GCE/GKE for allowing the cloud-provider to post warning events on all services and watching configmaps in the kube-system namespace. No user action is required. (#59686, @nicksardo)

  • Wait for kubedns to be ready when collecting the cluster IP. (#57337, @wwwtyro)

External Dependencies

  • The supported etcd server version is 3.1.12, as compared to 3.0.17 in v1.9 (#60988)
  • The validated docker versions are the same as for v1.9: 1.11.2 to 1.13.1 and 17.03.x (ref)
  • The Go version is go1.9.3, as compared to go1.9.2 in v1.9. (#59012)
  • The minimum supported go is the same as for v1.9: go1.9.1. (#55301)
  • CNI is the same as v1.9: v0.6.0 (#51250)
  • CSI is updated to 0.2.0 as compared to 0.1.0 in v1.9. (#60736)
  • The dashboard add-on has been updated to v1.8.3, as compared to 1.8.0 in v1.9. (#517326)
  • Heapster is the same as v1.9: v1.5.0. It will be upgraded in v1.11. (ref)
  • Cluster Autoscaler has been updated to v1.2.0. (#60842, @mwielgus)
  • Updates kube-dns to v1.14.8 (#57918, @rramkumar1)
  • Influxdb is unchanged from v1.9: v1.3.3 (#53319)
  • Grafana is unchanged from v1.9: v4.4.3 (#53319)
  • CAdvisor is v0.29.1 (#60867)
  • fluentd-gcp-scaler is v0.3.0 (#61269)
  • Updated fluentd in fluentd-es-image to fluentd v1.1.0 (#58525, @monotek)
  • fluentd-elasticsearch is v2.0.4 (#58525)
  • Updated fluentd-gcp to v3.0.0. (#60722)
  • Ingress glbc is v1.0.0 (#61302)
  • OIDC authentication is coreos/go-oidc v2 (#58544)
  • Updated fluentd-gcp to v2.0.11. (#56927, @x13n)
  • Calico has been updated to v2.6.7 (#59130, @caseydavenport)