Skip to content

chore(deps): update dependency k3s-io/k3s to v1.33.2+k3s1

Renovate Bot requested to merge renovate/k3s-io-k3s-1.x into main

This MR contains the following updates:

Package Update Change
k3s-io/k3s minor v1.24.12+k3s1 -> v1.33.2+k3s1

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Release Notes

k3s-io/k3s (k3s-io/k3s)

v1.33.2+k3s1: v1.33.2+k3s1

Compare Source

This release updates Kubernetes to v1.33.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.33.1+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.33.2
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v2.0.5-k3s1
Runc v1.2.6
Flannel v0.27.0
Metrics-server v0.7.2
Traefik v3.3.6
CoreDNS v1.12.1
Helm-controller v0.16.11
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.33.1+k3s1: v1.33.1+k3s1

Compare Source

This release updates Kubernetes to v1.33.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.33.0+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.33.1
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v2.0.5-k3s1
Runc v1.2.6
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v3.3.6
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.33.0+k3s1: v1.33.0+k3s1

Compare Source

This release updates Kubernetes to v1.33.0, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.4+k3s1

Embedded Component Versions

Component Version
Kubernetes v1.33.0
Kine v0.13.14
SQLite v3.46.1
Etcd v3.5.21-k3s1
Containerd v2.0.4-k3s4
Runc v1.2.5
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v3.3.6
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.32.6+k3s1: v1.32.6+k3s1

Compare Source

This release updates Kubernetes to v1.32.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.5+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.32.6
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v2.0.5-k3s1.32
Runc v1.2.6
Flannel v0.27.0
Metrics-server v0.7.2
Traefik v3.3.6
CoreDNS v1.12.1
Helm-controller v0.16.11
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.32.5+k3s1: v1.32.5+k3s1

Compare Source

This release updates Kubernetes to v1.32.5, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.4+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.32.5
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v2.0.5-k3s1.32
Runc v1.2.6
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v3.3.6
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.32.4+k3s1: v1.32.4+k3s1

Compare Source

This release updates Kubernetes to v1.32.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.3+k3s1:

  • Migrate to UrfaveCLI v2 (#​12031)
  • Improve readiness polling on node startup (#​12038)
  • Fix issue caused by default authorization-mode apiserver arg (#​12042)
  • Fix flakey etcd startup tests (#​12050)
  • Cleanup anonymous and named volumes for docker tests (#​12079)
  • Add support for secretbox encryption provider with the k3s secrets-encrypt command (#​12067)
    • Users can now configure secrets encryption to use secretbox provider by setting the secrets-encryption-provider flag.
  • Add error in certificate check (#​12098)
  • Backports for 2025-04 (#​12104)
  • Bump kine for nats-server/v2 CVE-2025-30215 (#​12141)
  • Drone Test Split and Reduction (#​12151)
  • More backports for 2025-04 (#​12167)
  • Fix handler panic when bootstrapper returns empty peer list (#​12178)
  • Bump traefik to v3.3.6 (#​12189)
  • Update to v1.32.4-k3s1 and Go 1.23.6 (#​12209)

Embedded Component Versions

Component Version
Kubernetes v1.32.4
Kine v0.13.14
SQLite 3.46.1
Etcd v3.5.21-k3s1
Containerd v2.0.4-k3s2
Runc v1.2.5
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v3.3.6
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.32.3+k3s1: v1.32.3+k3s1

Compare Source

This release updates Kubernetes to v1.32.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.2+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.32.3
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.19-k3s1
Containerd v2.0.4-k3s2
Runc v1.2.5
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v3.3.2
CoreDNS v1.12.0
Helm-controller v0.16.6
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.32.2+k3s1: v1.32.2+k3s1

Compare Source

This release updates Kubernetes to v1.32.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.1+k3s1:

  • Correct the k3s token command help (#​11686)
  • Jan 2025 Testing Overhaul, E2E to Docker Migration, (#​11723)
  • Backports for 2025-02 (#​11730)
    • Align the CLI-reported default --etcd-snapshot-dir value with the actual one (server, etcd-snapshot commands).
    • Disable s3 transport transparent compression/decompression
    • Etcd snapshot backup/restore now supports loading s3 credentials from an AWS SDK shared credentials file.
    • Bump klipper-helm to v0.9.4
    • Bump klipper-lb to v0.4.10
    • Bump spegel to v0.0.30
    • Bump local-path-provisioner to v0.0.31
    • Bump kine to v0.13.8
    • Bump etcd to v3.5.18
    • Bump traefik to 3.3.2
    • Containerd has been bumped to version 2.0.
    • The containerd config templates for linux and windows have been consolidated and are no longer os-specific.
    • Containerd 2.0 uses a new config file schema. If you are using a custom containerd config template, you should migrate your template to config-v3.toml.tmpl to switch to the new version. See the upstream documentation for more information.
  • Update to v1.32.2-k3s1 and Go 1.23.6 (#​11788)
  • Render CNI dir config whenever vars are set (#​11819)
  • Bump containerd for go-cni deadlock fix (#​11833)

Embedded Component Versions

Component Version
Kubernetes v1.32.2
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.18-k3s1
Containerd v2.0.2-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v3.3.2
CoreDNS v1.12.0
Helm-controller v0.16.6
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.32.1+k3s1: v1.32.1+k3s1

Compare Source

This release updates Kubernetes to v1.32.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.32.0+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.32.1
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.18
CoreDNS v1.12.0
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.32.1-rc1+k3s1...v1.32.1+k3s1

v1.32.0+k3s1: v1.32.0+k3s1

Compare Source

This release is K3S's first in the v1.32 line. This release updates Kubernetes to v1.32.0.

Kubernetes 1.32 moves the AuthorizeNodeWithSelectors feature gate to Beta and on by default. See KEP-4601 for more information.

This feature-gate breaks some of the RBAC that previous releases of K3s relied upon. The January releases of K3s v1.29, v1.30, and v1.31 will contain backported fixes. Until then, you must set --kube-apiserver-arg=feature-gates=AuthorizeNodeWithSelectors=false on server nodes, if you want to mix K3s v1.32 nodes with nodes of other versions (within the limits of what is supported by the Kubernetes Version Skew Policy).

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.4+k3s1:

  • Fix rotateca validation failures when not touching default self-signed CAs (#​10710)
  • Bump runc to v1.1.13 (#​10737)
  • Update stable channel to v1.30.4+k3s1 (#​10739)
  • Fix deploy latest commit on E2E tests (#​10725)
  • Remove secrets encryption controller (#​10612)
  • Update kubernetes to v1.31.0-k3s3 (#​10764)
  • Bump traefik to v2.11.8 (#​10779)
  • Update coredns to 1.11.3 and metrics-server to 0.7.2 (#​10760)
  • Add trivy scanning to MR reports (#​10758)
  • Cover edge case when on new minor release for E2E upgrade test (#​10781)
  • Bump aquasecurity/trivy-action from 0.20.0 to 0.24.0 (#​10795)
  • Update CNI plugins version (#​10798)
  • Bump Sonobuoy version (#​10792)
  • Fix /trivy action running against target branch instead of MR branch (#​10824)
  • Launch private registry with init (#​10822)
  • Add channel for v1.31 (#​10826)
  • Bump containerd to v1.7.21, runc to v1.1.14 (#​10805)
  • Bump helm-controller for skip-verify/plain-http and updated tolerations (#​10832)
  • Tag MR image build as latest before scanning (#​10825)
  • Only clean up containerd hosts dirs managed by k3s (#​10823)
  • Remove otelgrpc pinned dependency (#​10799)
  • Add node-internal-dns/node-external-dns address pass-through support (#​10852)
  • Give good report if no CVEs found in trivy (#​10853)
  • Fix hosts.toml header var (#​10870)
  • Bump Trivy version (#​10863)
  • Add int test for flannel-ipv6masq (#​10440)
  • Bump Trivy version (#​10899)
  • Update Kubernetes to v1.31.1-k3s3 (#​10911)
  • Add MariaDB to CI (#​10724)
  • Update stable channel tov1.30.5+k3s1 (#​10921)
  • Use static CNI bin dir (#​10868)
    • K3s now uses a stable directory for CNI binaries, which simplifies the installation of additional CNI plugins.
  • Breakup trivy scan and check comment author (#​10935)
  • Fix getMembershipForUserInOrg call (#​10937)
  • Check k3s-io organization membership not team membership for trivy scans (#​10940)
  • Bump kine to v0.13.0 (#​10932)
    • Kine has been bumped to v0.13.0. This release includes changes that should enhance performance when using postgres as an external DB. The updated schema will be automatically used for new databases; to migrate to the new schema on existing databases, K3s can be started with the KINE_SCHEMA_MIGRATION=2 environment variable set.
  • Fix trivy report download (#​10943)
  • Trivy workflow: Specify GH_REPO env to use gh cli (#​10949)
  • Bump Trivy version (#​10924)
  • Bump traefik to chart 27.0.2 (#​10939)
  • Pass Rancher's VEX report to Trivy to remove known false-positives CVEs (#​10956)
  • Fix trivy vex line (#​10970)
  • Add user path to runtimes search (#​10953)
    • Runtimes detection will now use $PATH
  • Bump to new wharfie version (#​10971)
  • Update README.md (#​10523)
  • Remove trailing whitespace (#​9362)
  • Bump kine to v0.13.2 (#​10978)
  • Allow configuration of Rootlesskit's CopyUpDirs through an environment variable (#​10386)
    • Add new environment variable "K3S_ROOTLESS_COPYUPDIRS" to add folders to the Rootlesskit configuration.
  • Fix race condition when multiple nodes reconcile S3 snapshots (#​10979)
  • Bump Trivy version (#​10996)
  • Add ca-cert rotation integration test, and fix ca-cert rotation (#​11013)
  • Add e2e test which verifies traffic policies and firewall in services (#​10972)
  • Update tcpproxy for import path change (#​11029)
  • Bump Local Path Provisioner version (#​10862)
  • Bump local-path-provisioner to v0.0.30 (#​11049)
  • Bump helm-controller and klipper-helm (#​11060)
  • Bump containerd to v1.7.22 (#​11067)
  • Simplify svclb daemonset (#​10954)
    • Stop using klipper-lb as the image for svclb. Replace it with a simple busybox which just sleeps
  • Add the nvidia runtime cdi (#​11065)
    • Add nvidia cdi runtime to the list of supported and discoverable runtimes
  • Bump Trivy version (#​11103)
  • Rollback GHA to Ubuntu 22.04 (#​11111)
  • Revert "Make svclb as simple as possible" (#​11109)
  • Fix Github Actions for Ubuntu-24.04 (#​11112)
  • Bump aquasecurity/trivy-action from 0.24.0 to 0.27.0 (#​11105)
  • Check the last 10 commits for upgrade E2E test (#​11086)
  • Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#​11138)
  • Fixes "file exists" error from CNI bins when upgrading k3s (#​11123)
  • Reduce the number of GH api request for E2E nightly (#​11148)
  • Update Kubernetes to v1.31.2-k3s1 and Go 1.22.8 (#​11163)
  • Update stable channel to v1.30.6+k3s1 (#​11186)
  • Fix timeout when defragmenting etcd on startup (#​11164)
  • Capture all fedora atomic variants in install script (#​11170)
    • Allow easier installation of k3s on all variants of fedora atomic that use rpm-ostree
  • Typo fixes in contributing.md (#​11201)
  • Bump Trivy version (#​11206)
  • Pin vagrant to older version to avoid known issue 13527 (#​11226)
  • Set kine EmulatedETCDVersion from embedded etcd version (#​11221)
  • Add nonroot-devices flag to agent CLI (#​11200)
    • Device_ownership_from_security_context can now be enabled in the containerd CRI config by setting the --nonroot-devices flag or config key.
  • Bump runc to v1.2 (#​10896)
  • Update flannel and base cni plugins version (#​11188)
  • Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#​11236)
  • Fix MustFindString returning override flags on external CLI commands (#​11237)
  • Bump containerd to v1.7.23-k3s1 to fix registry rewrite token scopes (#​11238)
  • Fix the "Standalone"-mode of oidc-login in the wrapped kubectl library (#​11266)
    • Fixes 'no Auth Provider found for name "oidc"' when using oidc-login in standalone mode.
  • Bump K3s-root version to v0.14.1 (#​11282)
  • Bump kine (#​11277)
  • Bump kine for mysql connection close fix (#​11305)
  • Fix handling of wrapped subcommands when run with a path (#​11306)
  • Fix updatecli config for klipper and helm-controller (#​11290)
  • Fix issue with loadbalancer failover to default server (#​11319)
  • Update localstorage_int_test.go reference (#​11339)
    • Update localstorage_int_test.go reference in tests/integration/README.md
  • Add to the output command to be consistent with the product command (#​11345)
  • Allow install script to print error on failed binary download (#​11335)
  • Remove the go toolchain line (#​11358)
  • Add ubuntu 24.04 apt command for e2e test (#​11361)
  • Bump Trivy version (#​11360)
  • Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 (#​11364)
  • Convert legacy docker tests from bash to golang (#​11357)
  • Update Kubernetes to v1.31.3-k3s1 (#​11373)
  • Fix Branch Name logic for Dependabot and UpdateCLI pushes to k3s-io (#​11376)
  • Fix INSTALL_K3S_PR support (#​11383)
  • Fix etcd backup/restore test and add guardrail for etcd-snapshot (#​11314)
  • Bump containerd to -k3s2 to fix rewrites (#​11401)
  • Fix opensuse-leap install test (#​11379)
  • Fix secrets-encrypt reencrypt timeout error (#​11385)
  • Rework loadbalancer server selection logic (#​11329)
  • Remove experimental from embedded-registry flag (#​11443)
  • Update stable channel to v1.31.3+k3s1 (#​11436)
  • Fix agent tunnel address with dedicated supervisor port (#​11427)
  • Update coredns to 1.12.0 (#​11387)
  • Bump Trivy version (#​11430)
  • Update to v1.31.4-k3s1 and Go 1.22.9 (#​11463)
  • Bump alpine from 3.20 to 3.21 in /conformance (#​11433)
  • Fix docker check warnings (#​11474)
  • Update stable channel to v1.31.4+k3s1 (#​11483)
  • V1.32.0+k3s1 (#​11478)
  • Switch to using kubelet config file for all supported flags (#​10433)
  • Load kernel modules for nft in agent setup (#​11527)

Embedded Component Versions

Component Version
Kubernetes v1.32.0
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.12.0
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.10+k3s1: v1.31.10+k3s1

Compare Source

This release updates Kubernetes to v1.31.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.9+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.31.10
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v2.0.5-k3s1.32
Runc v1.2.6
Flannel v0.27.0
Metrics-server v0.7.2
Traefik v2.11.24
CoreDNS v1.12.1
Helm-controller v0.16.11
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.9+k3s1: v1.31.9+k3s1

Compare Source

This release updates Kubernetes to v1.31.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.8+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.31.9
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v2.0.5-k3s1.32
Runc v1.2.6
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v2.11.24
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.8+k3s1: v1.31.8+k3s1

Compare Source

This release updates Kubernetes to v1.31.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.7+k3s1:

  • Migrate to UrfaveCLI v2 (#​12030)
  • Improve readiness polling on node startup (#​12037)
  • Fix issue caused by default authorization-mode apiserver arg (#​12044)
  • Cleanup anonymous and named volumes for docker tests (#​12069) (#​12076)
  • Add support for secretbox encryption provider with the k3s secrets-encrypt command (#​12066)
    • Users can now configure secrets encryption to use secretbox provider by setting the secrets-encryption-provider flag.
  • Add error in certificate check (#​12097)
  • Backports for 2025-04 (#​12105)
  • Bump kine for nats-server/v2 CVE-2025-30215 (#​12142)
  • Drone Test Split and Reduction (#​12150)
  • More backports for 2025-04 (#​12168)
  • Fix handler panic when bootstrapper returns empty peer list (#​12179)
  • Bump traefik to v2.11.24 (#​12190)
  • Update to v1.31.8-k3s1 and Go 1.23.6 (#​12207)

Embedded Component Versions

Component Version
Kubernetes v1.31.8
Kine v0.13.14
SQLite 3.46.1
Etcd v3.5.21-k3s1
Containerd v2.0.4-k3s2
Runc v1.2.5
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v2.11.24
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.7+k3s1: v1.31.7+k3s1

Compare Source

This release updates Kubernetes to v1.31.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.6+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.31.7
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.19-k3s1.30
Containerd v2.0.4-k3s2
Runc v1.2.5
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.20
CoreDNS v1.12.0
Helm-controller v0.16.6
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.6+k3s1: v1.31.6+k3s1

Compare Source

This release updates Kubernetes to v1.31.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.5+k3s1:

  • Correct the k3s token command help (#​11685)
  • Jan 2025 Testing Overhaul, E2E to Docker Migration, (#​11724)
  • Backports for 2025-02 (#​11732)
    • Align the CLI-reported default --etcd-snapshot-dir value with the actual one (server, etcd-snapshot commands).
    • Disable s3 transport transparent compression/decompression
    • Etcd snapshot backup/restore now supports loading s3 credentials from an AWS SDK shared credentials file.
    • Bump klipper-helm to v0.9.4
    • Bump klipper-lb to v0.4.10
    • Bump spegel to v0.0.30
    • Bump local-path-provisioner to v0.0.31
    • Bump kine to v0.13.8
    • Bump etcd to v3.5.18
    • Bump traefik to 2.11.20
    • Containerd has been bumped to version 2.0.
    • The containerd config templates for linux and windows have been consolidated and are no longer os-specific.
    • Containerd 2.0 uses a new config file schema. If you are using a custom containerd config template, you should migrate your template to config-v3.toml.tmpl to switch to the new version. See the upstream documentation for more information.
  • Bump traefik to v2.11.20 (#​11763)
  • Update to v1.31.6-k3s1 and Go 1.22.12 (#​11787)
  • Render CNI dir config whenever vars are set (#​11820)
  • Bump containerd for go-cni deadlock fix (#​11834)

Embedded Component Versions

Component Version
Kubernetes v1.31.6
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.18-k3s1
Containerd v2.0.2-k3s2
Runc v1.2.4-k3s2
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.20
CoreDNS v1.12.0
Helm-controller v0.16.6
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.5+k3s1: v1.31.5+k3s1

Compare Source

This release updates Kubernetes to v1.31.5, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.4+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.31.5
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.18
CoreDNS v1.12.0
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.31.5-rc1+k3s1...v1.31.5+k3s1

v1.31.4+k3s1: v1.31.4+k3s1

Compare Source

This release updates Kubernetes to v1.31.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.3+k3s1:

  • Fix secrets-encrypt reencrypt timeout error (#​11442)
  • Remove experimental from embedded-registry flag (#​11444)
  • Rework loadbalancer server selection logic (#​11457)
    • The embedded client loadbalancer that handles connectivity to control-plane elements has been extensively reworked for improved performance, reliability, and observability.
  • Update coredns to 1.12.0 (#​11454)
  • Add node-internal-dns/node-external-dns address pass-through support … (#​11464)
  • Update to v1.31.4-k3s1 and Go 1.22.9 (#​11462)

Embedded Component Versions

Component Version
Kubernetes v1.31.4
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.12.0
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.3+k3s1: v1.31.3+k3s1

Compare Source

This release updates Kubernetes to v1.31.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.2+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.31.3
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.2+k3s1: v1.31.2+k3s1

Compare Source

This release updates Kubernetes to v1.31.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.1+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.31.2
Kine v0.13.2
SQLite 3.46.1
Etcd v3.5.13-k3s1
Containerd v1.7.22-k3s1
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.1+k3s1: v1.31.1+k3s1

Compare Source

This release updates Kubernetes to v1.31.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.0+k3s1:

  • Testing And Secrets-Encryption Backports for 2024-09 (#​10802)
    • Remove secrets encryption controller
    • Cover edge case when on new minor release for E2E upgrade test
  • Update CNI plugins version (#​10817)
  • Backports for 2024-09 (#​10842)
  • Fix hosts.toml header var (#​10871)
  • Update Kubernetes to v1.31.1 (#​10895)
  • Update Kubernetes to v1.31.1-k3s3 (#​10910)

Embedded Component Versions

Component Version
Kubernetes v1.31.1
Kine v0.12.0
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.21-k3s2
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.8
CoreDNS v1.11.3
Helm-controller v0.16.4
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.31.0+k3s1: v1.31.0+k3s1

Compare Source

This release is K3S's first in the v1.31 line. This release updates Kubernetes to v1.31.0.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.4+k3s1:

  • Move test-compat docker test to GHA (#​10414)
  • Check for bad token permissions when install via MR (#​10387)
  • Bump k3s-root to v0.14.0 (#​10466)
    • The k3s bundled userspace has been bumped to a release based on buildroot 2024.02.3, addressing several CVEs in busybox and coreutils.
  • Fix INSTALL_K3S_PR support (#​10472)
  • Add data-dir to uninstall and killall scripts (#​10473)
  • Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7 (#​10400)
  • Bump golang:alpine image version (#​10359)
  • Bump Local Path Provisioner version (#​10394)
  • Ensure remotedialer kubelet connections use kubelet bind address (#​10480)
    • Fixed an issue where setting the --bind-address flag to a non-loopback or wildcard address would prevent kubectl logs from working properly.
  • Bump Trivy version (#​10339)
  • Add etcd s3 config secret implementation (#​10340)
    • A proxy can now be configured for use when uploading etcd snapshots to a s3-compatible storage service. This overrides any proxy settings passed via environment variables.
    • Credentials and endpoint configuration for storing etcd snapshots on a s3-compatible storage service can now be read from a Secret, instead of passing them via the CLI or config file. See https://github.com/k3s-io/k3s/blob/master/docs/adrs/etcd-s3-secret.md for more information.
  • For E2E upgrade test, automatically determine the channel to use (#​10461)
  • Bump kine to v0.11.11 (#​10494)
  • Fix loadbalancer reentrant rlock (#​10511)
    • Fixed an issue that could cause the agent loadbalancer to deadlock when the currently in-use server goes down.
  • Don't use server value from config file for etcd-snapshot commands (#​10514)
    • The --server and --token flags for the k3s etcd-snapshot command have been renamed to --etcd-server and --etcd-token, to avoid unintentionally running snapshot management commands against a remote node when the cluster join address or token are present in a config file.
  • Use pagination when listing large numbers of resources (#​10527)
  • Fix multiple issues with servicelb (#​10552)
    • Fixed issue that caused ServiceLB to fail to create a daemonset for services with long names
    • Fixed issue that caused ServiceLB pods to crashloop on nodes with ipv6 disabled at the kernel level
  • Enhance E2E Hardened option (#​10558)
  • Allow Pprof and Superisor metrics in standalone mode (#​10576)
  • Use higher QPS for secrets reencryption (#​10571)
  • Fix issues loading data-dir value from env vars or dropin config files (#​10591)
  • Remove deprecated use of wait. functions (#​10546)
  • Wire lasso metrics up to metrics endpoint (#​10528)
  • Update stable channel to v1.30.3+k3s1 (#​10647)
  • Bump docker/docker to v25.0.6 (#​10642)
  • Add a change for killall to not unmount server and agent directory (#​10403)
  • Allow edge case OS rpm installs (#​10680)
  • Bump containerd to v1.7.20 (#​10659)
  • Update to newer OS images for install testing (#​10681)
  • Bump helm-controller to v0.16.3 to drop Helm v2 support (#​10628)
  • Add toleration support to ServiceLB DaemonSet (#​10687)
      • New Feature: Users can now define Kubernetes tolerations for ServiceLB DaemonSet directly in the svccontroller.k3s.cattle.io/tolerations annotation on services.
  • Fix: Add $SUDO prefix to transactional-update commands in install script (#​10531)
  • Update to v1.30.3-k3s1 and Go 1.22.5 (#​10707)
  • Fix caching name for e2e vagrant box (#​10695)
  • Fix k3s-killall.sh support for custom data dir (#​10709)
  • Adding MariaDB to README.md (#​10717)
  • Bump Trivy version (#​10670)
  • V1.31.0-k3s1 (#​10715)
  • Update kubernetes to v1.31.0-k3s3 (#​10780)

Embedded Component Versions

Component Version
Kubernetes v1.31.0
Kine v0.12.0
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.20-k3s1
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.3
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.14+k3s1: v1.30.14+k3s1

Compare Source

This release updates Kubernetes to v1.30.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.13+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.14
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v1.7.27-k3s1
Runc v1.2.6
Flannel v0.27.0
Metrics-server v0.7.2
Traefik v2.11.24
CoreDNS v1.12.1
Helm-controller v0.16.11
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.13+k3s1: v1.30.13+k3s1

Compare Source

This release updates Kubernetes to v1.30.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.12+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.13
Kine v0.13.15
SQLite 3.49.1
Etcd v3.5.21-k3s1
Containerd v1.7.27-k3s1
Runc v1.2.6
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v2.11.24
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.12+k3s1: v1.30.12+k3s1

Compare Source

This release updates Kubernetes to v1.30.12, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.11+k3s1:

  • Improve readiness polling on node startup (#​12035)
  • Fix issue caused by default authorization-mode apiserver arg (#​12043)
  • Cleanup anonymous and named volumes for docker tests (#​12077)
  • Add support for secretbox encryption provider with the k3s secrets-encrypt command (#​12065)
    • Users can now configure secrets encryption to use secretbox provider by setting the secrets-encryption-provider flag.
  • Add error in certificate check (#​12099)
  • Backports for 2025-04 (#​12106)
  • Bump kine for nats-server/v2 CVE-2025-30215 (#​12143)
  • Drone Test Split and Reduction (#​12149)
  • More backports for 2025-04 (#​12169)
  • Fix handler panic when bootstrapper returns empty peer list (#​12180)
  • Bump traefik to v2.11.24 (#​12191)
  • Update to v1.30.12-k3s1 and Go 1.23.6 (#​12208)

Embedded Component Versions

Component Version
Kubernetes v1.30.12
Kine v0.13.14
SQLite 3.46.1
Etcd v3.5.21-k3s1
Containerd v1.7.26-k3s1
Runc v1.2.5
Flannel v0.26.7
Metrics-server v0.7.2
Traefik v2.11.24
CoreDNS v1.12.1
Helm-controller v0.16.10
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.11+k3s1: v1.30.11+k3s1

Compare Source

This release updates Kubernetes to v1.30.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.10+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.11
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.19-k3s1.30
Containerd v1.7.26-k3s1
Runc v1.2.5
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.20
CoreDNS v1.12.0
Helm-controller v0.16.6
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.10+k3s1: v1.30.10+k3s1

Compare Source

This release updates Kubernetes to v1.30.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.9+k3s1:

  • Correct the k3s token command help (#​11684)
  • Jan 2025 Testing Overhaul, E2E to Docker Migration, (#​11725)
  • Backports for 2025-02 (#​11737)
    • Align the CLI-reported default --etcd-snapshot-dir value with the actual one (server, etcd-snapshot commands).
    • Disable s3 transport transparent compression/decompression
    • Etcd snapshot backup/restore now supports loading s3 credentials from an AWS SDK shared credentials file.
    • The containerd config templates for linux and windows have been consolidated and are no longer os-specific.
    • Bump klipper-helm to v0.9.4
    • Bump klipper-lb to v0.4.10
    • Bump spegel to v0.0.30
    • Bump local-path-provisioner to v0.0.31
    • Bump kine to v0.13.8
    • Bump etcd to v3.5.18
    • Bump traefik to 2.11.20
  • Bump traefik to v2.11.20 (#​11764)
  • Update to v1.30.10-k3s1 and Go 1.22.12 (#​11786)
  • Render CNI dir config whenever vars are set (#​11821)

Embedded Component Versions

Component Version
Kubernetes v1.30.10
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.18-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.20
CoreDNS v1.12.0
Helm-controller v0.16.6
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.9+k3s1: v1.30.9+k3s1

Compare Source

This release updates Kubernetes to v1.30.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.8+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.9
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.18
CoreDNS v1.12.0
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.30.9-rc1+k3s1...v1.30.9+k3s1

v1.30.8+k3s1: v1.30.8+k3s1

Compare Source

This release updates Kubernetes to v1.30.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.7+k3s1:

  • Fix secrets-encrypt reencrypt timeout error (#​11441)
  • Remove experimental from embedded-registry flag (#​11445)
  • Update coredns to 1.12.0 (#​11455)
  • Rework loadbalancer server selection logic (#​11458)
    • The embedded client loadbalancer that handles connectivity to control-plane elements has been extensively reworked for improved performance, reliability, and observability.
  • Add node-internal-dns/node-external-dns address pass-through support … (#​11465)
  • Update to v1.30.8-k3s1 and Go 1.22.9 (#​11461)

Embedded Component Versions

Component Version
Kubernetes v1.30.8
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.12.0
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.7+k3s1: v1.30.7+k3s1

Compare Source

This release updates Kubernetes to v1.30.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.6+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.7
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.6+k3s1: v1.30.6+k3s1

Compare Source

This release updates Kubernetes to v1.30.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.5+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.6
Kine v0.13.2
SQLite 3.46.1
Etcd v3.5.13-k3s1
Containerd v1.7.22-k3s1
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.16.5
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.5+k3s1: v1.30.5+k3s1

Compare Source

This release updates Kubernetes to v1.30.5, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.4+k3s1:

  • Testing And Secrets-Encryption Backports for 2024-09 (#​10801)
    • Update to newer OS images for install testing
    • Fix caching name for e2e vagrant box
    • Remove secrets encryption controller
    • Cover edge case when on new minor release for E2E upgrade test
    • Removes deprecated alpha Secrets Encryption metrics (deprecated in 1.30, removed in 1.31)
  • Update CNI plugins version (#​10818)
  • Backports for 2024-09 (#​10843)
  • Fix hosts.toml header var (#​10872)
  • Update to v1.30.5-k3s1 and Go 1.22.6 (#​10888)
  • Update Kubernetes to v1.30.5-k3s2 (#​10909)

Embedded Component Versions

Component Version
Kubernetes v1.30.5
Kine v0.12.0
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.21-k3s2
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.8
CoreDNS v1.11.3
Helm-controller v0.16.4
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.4+k3s1: v1.30.4+k3s1

Compare Source

This release updates Kubernetes to v1.30.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.3+k3s1:

  • Bump docker/docker to v25.0.6 (#​10649)
  • Backports for 2024-08 release cycle (#​10664)
    • Use pagination when listing large numbers of resources
    • Fix multiple issues with servicelb
    • Remove deprecated use of wait. functions
    • Wire lasso metrics up to metrics endpoint
  • Backports for August 2024 (#​10671)
  • Bump containerd to v1.7.20 (#​10660)
  • Add tolerations support for DaemonSet pods (#​10703)
    • New Feature: Users can now define Kubernetes tolerations for ServiceLB DaemonSet directly in the svccontroller.k3s.cattle.io/tolerations annotation on services.
  • Update to v1.30.4-k3s1 and Go 1.22.5 (#​10721)

Embedded Component Versions

Component Version
Kubernetes v1.30.4
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.20-k3s1
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.1
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.3+k3s1: v1.30.3+k3s1

Compare Source

This release updates Kubernetes to v1.30.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.2+k3s2:

  • Update channel server for k3s2 (#​10446)
  • Set correct release channel for e2e upgrade test (#​10460)
  • Backports for 2024-07 release cycle (#​10497)
    • Bump k3s-root to v0.14.0
    • Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7
    • Bump Local Path Provisioner version
    • Ensure remotedialer kubelet connections use kubelet bind address
    • Chore: Bump Trivy version
    • Add etcd s3 config secret implementation
  • July Test Backports (#​10507)
  • Update to v1.30.3-k3s1 and Go 1.22.5 (#​10536)
  • Fix issues loading data-dir value from env vars or dropping config files (#​10596)

Embedded Component Versions

Component Version
Kubernetes v1.30.3
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.1
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.2+k3s1: v1.30.2+k3s1

Compare Source

This release updates Kubernetes to v1.30.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.1+k3s1:

  • Fix bug when using tailscale config by file (#​10074)
    • Fix bug when using vpn-auth-file in the agent
  • Add WithSkipMissing to not fail import on missing blobs (#​10136)
  • Use fixed stream server bind address for cri-dockerd (#​9975)
  • Switch stargz over to cri registry config_path (#​9977)
  • Bump to containerd v1.7.17, etcd v3.5.13 (#​10123)
  • Bump spegel version (#​10118)
  • Fix issue installing artifacts from MR builds with multiple runs (#​10122)
  • Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes (#​9963)
  • Update local-path-provisioner helper script (#​9964)
  • Add support for svclb pod PriorityClassName (#​10045)
    • ServiceLB now sets the priorityClassName on svclb pods to system-node-critical by default. This can be overridden on a per-service basis via the svccontroller.k3s.cattle.io/priorityclassname annotation.
  • Drop check for legacy traefik v1 chart (#​9593)
    • K3s no longer automatically skips deploying traefik v2 if traefik v1 is present. All clusters should have been upgraded to v2 at some point over the last three years.
  • Update kube-router version to v2.1.2 (#​10177)
  • Create ADR for branching strategy (#​10147)
  • Bump minio-go to v7.0.70 (#​10081)
  • Bump kine to v0.11.9 to fix pagination (#​10082)
  • Update valid resolv conf (#​9948)
  • Add missing kernel config check (#​10100)
  • Git workflow file name correction (#​10131)
    • None
  • Follow directory symlinks in auto deploying manifests (#​9288) (#​10049)
    • Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)
  • Fix bug: allow helm controller set owner reference (#​10048)
  • Fix go.mod (#​10192)
  • Bump flannel version to v0.25.2 (#​10146)
  • Test: add agent with auth file (#​10119)
    • Fix bug when using vpn-auth-file in the agent
  • Add extra log in e2e tests (#​10145)
  • Update channel server for may 2024 (#​10137)
  • Bump klipper-helm image for tls secret support (#​10187)
  • Updating the script binary_size_check to complete the command name by… (#​9992)
  • Fix issue with k3s-etcd informers not starting (#​10047)
  • Enable serving supervisor metrics (#​10019)
    • --Enable-pprof can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port.
    • --Supervisor-metrics can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port.
  • Bump alpine from 3.18 to 3.20 in /conformance (#​10210)
  • Bump alpine from 3.18 to 3.20 in /package (#​10211)
  • Bump ubuntu from 22.04 to 24.04 in /tests/e2e/scripts (#​10040)
  • Bump Trivy version (#​10039)
  • Fix netpol crash when node remains tainted uninitialized (#​10073)
  • Fix issue caused by sole server marked as failed under load (#​10241)
    • The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks.
  • Add write-kubeconfig-group flag to server (#​9233)
    • New flag in k3s server: --write-kubeconfig-group
  • Fix embedded mirror blocked by SAR RBAC and re-enable test (#​10257)
  • Bump Local Path Provisioner version (#​10268)
  • Fix: Use actual warningPeriod in certmonitor (#​10271)
  • Fix bug that caused agents to bypass local loadbalancer (#​10280)
  • Add ADR for support for etcd s3 config secret (#​9364)
  • Add test for isValidResolvConf (#​10302)
  • Add snapshot retention etcd-s3-folder fix (#​10293)
  • Expand GHA golang caching to include newest release branch (#​10307)
  • Fix race condition panic in loadbalancer.nextServer (#​10318)
  • Fix typo, use rancher/permissions (#​10296)
  • Update Kubernetes to v1.30.2 (#​10349)
  • Fix agent supervisor port using apiserver port instead (#​10352)
  • Fix issue that allowed multiple simultaneous snapshots to be allowed (#​10372)

Embedded Component Versions

Component Version
Kubernetes v1.30.2
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1
Runc v1.1.12
Flannel v0.25.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.1
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.2+k3s2: v1.30.2+k3s2

Compare Source

This release updates Kubernetes to v1.30.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.2+k3s1:

  • Update stable channel to v1.29.6+k3s1 (#​10417)
  • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#​10422)

Embedded Component Versions

Component Version
Kubernetes v1.30.2
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.1
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.30.1+k3s1: v1.30.1+k3s1

Compare Source

This release updates Kubernetes to v1.30.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.30.0+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.1
Kine v0.11.8-0.20240430184817-f9ce6f8da97b
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.1-0.20240502205943-2f32059d43e6
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.30.0+k3s1...v1.30.1+k3s1

v1.30.0+k3s1: v1.30.0+k3s1

Compare Source

This release is K3S's first in the v1.30 line. This release updates Kubernetes to v1.30.0.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.4+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.30.0
Kine v0.11.8
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1
Runc v1.1.12
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.16.1
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.15+k3s1: v1.29.15+k3s1

Compare Source

This release updates Kubernetes to v1.29.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.14+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.29.15
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.19-k3s1.30
Containerd v1.7.26-k3s1
Runc v1.2.5
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.20
CoreDNS v1.12.0
Helm-controller v0.15.16
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.14+k3s1: v1.29.14+k3s1

Compare Source

This release updates Kubernetes to v1.29.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.13+k3s1:

  • Correct the k3s token command help (#​11683)
  • Jan 2025 Testing Overhaul, E2E to Docker Migration (#​11726)
  • Backports for 2025-02 (#​11738)
    • Align the CLI-reported default --etcd-snapshot-dir value with the actual one (server, etcd-snapshot commands).
    • Disable s3 transport transparent compression/decompression
    • Etcd snapshot backup/restore now supports loading s3 credentials from an AWS SDK shared credentials file.
    • The containerd config templates for linux and windows have been consolidated and are no longer os-specific.
    • Bump spegel to v0.0.30
    • Bump local-path-provisioner to v0.0.31
    • Bump kine to v0.13.8
    • Bump etcd to v3.5.18
    • Bump traefik to 2.11.20
  • Bump traefik to v2.11.20 (#​11765)
  • Chore: Bump klipper-lb and klipper-helm (#​11772)
  • Update to v1.29.14-k3s1 and Go 1.22.12 (#​11785)
  • Render CNI dir config whenever vars are set (#​11822)

Embedded Component Versions

Component Version
Kubernetes v1.29.14
Kine v0.13.9
SQLite 3.46.1
Etcd v3.5.18-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.20
CoreDNS v1.12.0
Helm-controller v0.15.16
Local-path-provisioner v0.0.31

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.13+k3s1: v1.29.13+k3s1

Compare Source

This release updates Kubernetes to v1.29.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.12+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.29.13
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.4-k3s1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.18
CoreDNS v1.12.0
Helm-controller v0.15.15
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.29.13-rc2+k3s1...v1.29.13+k3s1

v1.29.12+k3s1: v1.29.12+k3s1

Compare Source

This release updates Kubernetes to v1.29.12, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.11+k3s1:

  • Fix secrets-encrypt reencrypt timeout error (#​11440)
  • Remove experimental from embedded-registry flag (#​11446)
  • Update coredns to 1.12.0 (#​11456)
  • Rework loadbalancer server selection logic (#​11459)
    • The embedded client loadbalancer that handles connectivity to control-plane elements has been extensively reworked for improved performance, reliability, and observability.
  • Add node-internal-dns/node-external-dns address pass-through support … (#​11466)
  • Update to v1.29.12-k3s1 and Go 1.22.9 (#​11460)

Embedded Component Versions

Component Version
Kubernetes v1.29.12
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.12.0
Helm-controller v0.15.15
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.11+k3s1: v1.29.11+k3s1

Compare Source

This release updates Kubernetes to v1.29.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.10+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.29.11
Kine v0.13.5
SQLite 3.46.1
Etcd v3.5.16-k3s1
Containerd v1.7.23-k3s2
Runc v1.2.1
Flannel v0.25.7
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.15.15
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.10+k3s1: v1.29.10+k3s1

Compare Source

This release updates Kubernetes to v1.29.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.9+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.29.10
Kine v0.13.2
SQLite 3.46.1
Etcd v3.5.13-k3s1
Containerd v1.7.22-k3s1
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.15.15
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.9+k3s1: v1.29.9+k3s1

Compare Source

This release updates Kubernetes to v1.29.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.8+k3s1:

  • Update CNI plugins version (#​10819)
  • Backports for 2024-09 (#​10844)
  • Testing And Secrets-Encryption Backports for 2024-09 (#​10803)
    • Update to newer OS images for install testing
    • Fix caching name for e2e vagrant box
    • Fix deploy latest commit on E2E tests
    • Remove secrets encryption controller #​10612
    • DRY E2E Upgrade test setup
    • Cover edge case when on new minor release for E2E upgrade test
  • Fix hosts.toml header var (#​10873)
  • Update to v1.29.9-k3s1 and Go 1.22.6 (#​10885)
  • Update Kubernetes to v1.29.9-k3s2 (#​10908)

Embedded Component Versions

Component Version
Kubernetes v1.29.9
Kine v0.12.0
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.21-k3s2
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.8
CoreDNS v1.11.3
Helm-controller v0.15.13
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.8+k3s1: v1.29.8+k3s1

Compare Source

This release updates Kubernetes to v1.29.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.7+k3s1:

  • Fixing setproctitle function (#​10623)
  • Bump docker/docker to v25.0.6 (#​10650)
  • Backports for 2024-08 release cycle (#​10665)
    • Use pagination when listing large numbers of resources
    • Fix multiple issues with servicelb
    • Remove deprecated use of wait. functions
    • Wire lasso metrics up to metrics endpoint
  • Backports for August 2024 (#​10672)
  • Bump containerd to v1.7.20 (#​10661)
  • Add tolerations support for DaemonSet pods (#​10704)
    • New Feature: Users can now define Kubernetes tolerations for ServiceLB DaemonSet directly in the svccontroller.k3s.cattle.io/tolerations annotation on services.
  • Update to v1.29.8-k3s1 and Go 1.22.5 (#​10720)

Embedded Component Versions

Component Version
Kubernetes v1.29.8
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.20-k3s1
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.7+k3s1: v1.29.7+k3s1

Compare Source

This release updates Kubernetes to v1.29.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.6+k3s2:

  • Backports for 2024-07 release cycle (#​10498)
    • Bump k3s-root to v0.14.0
    • Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7
    • Bump Local Path Provisioner version
    • Ensure remotedialer kubelet connections use kubelet bind address
    • Chore: Bump Trivy version
    • Add etcd s3 config secret implementation
  • July Test Backports (#​10508)
  • Update to v1.29.7-k3s1 and Go 1.22.5 (#​10539)
  • Fix issues loading data-dir value from env vars or dropping config files (#​10597)

Embedded Component Versions

Component Version
Kubernetes v1.29.7
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.6+k3s1: v1.29.6+k3s1

Compare Source

This release updates Kubernetes to v1.29.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.5+k3s1:

  • Fix bug when using tailscale config by file (#​10142)
  • Bump flannel version to v0.25.2 (#​10220)
  • Update kube-router version to v2.1.2 (#​10181)
  • Improve tailscale test & add extra log in e2e tests (#​10212)
  • Backports for 2024-06 release cycle (#​10249)
    • Add WithSkipMissing to not fail import on missing blobs
    • Use fixed stream server bind address for cri-dockerd
    • Switch stargz over to cri registry config_path
    • Bump to containerd v1.7.17, etcd v3.5.13
    • Bump spegel version
    • Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes
    • ServiceLB now sets the priorityClassName on svclb pods to system-node-critical by default. This can be overridden on a per-service basis via the svccontroller.k3s.cattle.io/priorityclassname annotation.
    • Bump minio-go to v7.0.70
    • Bump kine to v0.11.9 to fix pagination
    • Update valid resolv conf
    • Add missing kernel config check
    • Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)
    • Fix bug: allow helm controller set owner reference
    • Bump klipper-helm image for tls secret support
    • Fix issue with k3s-etcd informers not starting
    • --Enable-pprof can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port.
    • --Supervisor-metrics can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port.
    • Fix netpol crash when node remains tainted uninitialized
    • The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks.
  • More backports for 2024-06 release cycle (#​10288)
  • Add snapshot retention etcd-s3-folder fix (#​10316)
  • Add test for isValidResolvConf (#​10302) (#​10329)
  • Fix race condition panic in loadbalancer.nextServer (#​10322)
  • Fix typo, use rancher/permissions (#​10298)
  • Expand GHA go caching to include newest release branch (#​10334)
  • Update Kubernetes to v1.29.6 (#​10348)
  • Fix agent supervisor port using apiserver port instead (#​10354)
  • Fix issue that allowed multiple simultaneous snapshots to be allowed (#​10376)

Embedded Component Versions

Component Version
Kubernetes v1.29.6
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1
Runc v1.1.12
Flannel v0.25.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.6+k3s2: v1.29.6+k3s2

Compare Source

This release updates Kubernetes to v1.29.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.6+k3s1:

  • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#​10427)

Embedded Component Versions

Component Version
Kubernetes v1.29.6
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1
Runc v1.1.12-
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.5+k3s1: v1.29.5+k3s1

Compare Source

This release updates Kubernetes to v1.29.5, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.4+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.29.5
Kine v0.11.7
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.29.4+k3s1...v1.29.5+k3s1

v1.29.4+k3s1: v1.29.4+k3s1

Compare Source

This release updates Kubernetes to v1.29.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.3+k3s1:

  • Send error response if member list cannot be retrieved (#​9722)
  • Respect cloud-provider fields set by kubelet (#​9721)
    • The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels
  • Fix error when image has already been pulled (#​9770)
  • Add a new error when kine is with disable apiserver or disable etcd (#​9766)
  • Bump k3s-root to v0.13.0 (#​9718)
  • Use ubuntu latest for better golang caching keys (#​9711)
  • Bump Trivy version (#​9780)
  • Move to ubuntu 23.10 for E2E tests (#​9755)
  • Update channel server (#​9808)
  • Add /etc/passwd and /etc/group to k3s docker image (#​9784)
  • Fix etcd snapshot reconcile for agentless servers (#​9809)
  • Add health-check support to loadbalancer (#​9757)
  • Add tls for kine (#​9572)
    • Kine is now able to use TLS
  • Transition from deprecated pointer library to ptr (#​9801)
  • Remove old pinned dependencies (#​9806)
  • Several E2E Matrix improvements (#​9802)
  • Add certificate expiry check, events, and metrics (#​9772)
  • Add updatecli policy to update k3s-root (#​9844)
  • Bump Trivy version (#​9840)
  • Add workaround for containerd hosts.toml bug when passing config for default registry endpoint (#​9853)
  • Fix: agent volume in example docker compose (#​9838)
  • Bump spegel to v0.0.20-k3s1 (#​9863)
  • Add supervisor cert/key to rotate list (#​9832)
  • Add quotes to avoid useless updatecli updates (#​9877)
  • Bump containerd and cri-dockerd (#​9886)
    • The embedded containerd has been bumped to v1.7.15
    • The embedded cri-dockerd has been bumped to v0.3.12
  • Move etcd snapshot management CLI to request/response (#​9816)
    • The k3s etcd-snapshot command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots.
  • Improve etcd load-balancer startup behavior (#​9883)
  • Actually fix agent certificate rotation (#​9902)
  • Bump latest to v1.29.3+k3s1 (#​9909)
  • Update packaged manifests (#​9920)
    • Traefik has been bumped to v2.10.7.
    • Traefik pod annotations are now set properly in the default chart values.
    • The system-default-registry value now supports RFC2732 IPv6 literals.
    • The local-path provisioner now defaults to creating local volumes, instead of hostPath.
  • Allow Local path provisioner to read helper logs (#​9835)
  • Update kube-router to v2.1.0 (#​9926)
  • Match setup-go caching key in GitHub Actions (#​9890)
  • Add startup testlet on preloaded images (#​9941)
  • Update to v1.29.4-k3s1 and Go 1.21.9 (#​9960)
  • Fix on-demand snapshots timing out; not honoring folder (#​9984)
  • Make /db/info available anonymously from localhost (#​10001)

Embedded Component Versions

Component Version
Kubernetes v1.29.4
Kine v0.11.7
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1
Runc v1.1.12
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.3+k3s1: v1.29.3+k3s1

Compare Source

This release updates Kubernetes to v1.29.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.2+k3s1:

  • Testing ADR (#​9562)
  • Unit Testing Matrix and Actions bump (#​9479)
  • Update install test OS matrix (#​9480)
  • Update klipper-lb image version (#​9488)
  • Add an integration test for flannel-backend=none (#​9582)
  • Better GitHub CI caching strategy for golang (#​9495)
  • Correct formatting of GH MR sha256sum artifact (#​9472)
  • Rootless mode also bind service nodePort to host for LoadBalancer type (#​9512)
    • Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode.
  • Fix coredns NodeHosts on dual-stack clusters (#​9584)
  • Tweak netpol node wait logs (#​9581)
  • Fix issue with etcd node name missing hostname (#​9522)
  • Bump helm-controller/klipper-helm versions (#​9595)
  • Update stable channel to v1.28.7+k3s1 (#​9615)
  • Reenable Install and Snapshotter Testing (#​9601)
  • Move docker tests into tests folder (#​9555)
  • Fix setup-go typo (#​9634)
  • Fix additional corner cases in registries handling (#​9556)
  • Fix snapshot prune (#​9502)
  • Use and version flannel/cni-plugin properly (#​9635)
    • The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller.
  • Bump spegel (#​9599)
    • Bump spegel to v0.0.18-k3s3
    • Adds wildcard registry support
    • Fixes issue with excessive CPU utilization while waiting for containerd to start
    • Add env var to allow spegel mirroring of latest tag
  • Chore(deps): Remediating CVEs found by trivy; CVE-2023-45142 on otelrestful and CVE-2023-48795 on golang.org/x/crypto (#​9513)
  • Fix: use correct wasm shims names (#​9519)
  • Fix wildcard with embedded registry test (#​9649)
  • Disable color outputs using NO_COLOR env var (#​9357)
    • To enable raw output for the check-config subcommand, you may now set NO_COLOR=1
  • Improve tailscale e2e test (#​9586)
  • Adjust first node-ip based on configured clusterCIDR (#​9520)
  • Bump Trivy version (#​9528)
  • Include flannel version in flannel cni plugin version (#​9648)
    • The flannel controller version is now reported as build metadata on the flannel cni plugin version.
  • Enable E2E tests on GitHub Actions (#​9660)
  • Bump metrics-server to v0.7.0 (#​9673)
  • Bump upload and download actions to v4 (#​9666)
  • Warn and suppress duplicate registry mirror endpoints (#​9697)
    • K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
  • Remove repetitive words (#​9671)
  • Run Subset of Docker tests in GitHub Actions (#​9698)
  • Fix wildcard entry upstream fallback (#​9729)
  • Update to v1.29.3-k3s1 and Go 1.21.8 (#​9747)

Embedded Component Versions

Component Version
Kubernetes v1.29.3
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.2+k3s1: v1.29.2+k3s1

Compare Source

This release updates Kubernetes to v1.29.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.1+k3s2:

  • Bump Local Path Provisioner version (#​8953)
  • Add ability to install K3s MR Artifact from GitHub (#​9185)
    • Adds INSTALL_K3S_PR option to install a build of K3s from any open MR with CI approval
  • Bump Trivy version (#​9237)
  • Bump codecov/codecov-action from 3 to 4 (#​9353)
  • Update stable channel (#​9388)
  • Fix snapshot reconcile retry (#​9318)
  • Add check for etcd-snapshot-dir and fix panic in Walk (#​9317)
  • Bump CNI plugins to v1.4.0 (#​9249)
  • Fix issue with coredns node hosts controller (#​9354)
    • Fixed issue that could cause coredns pods to fail to start when the embedded helm controller is disabled, due to the configmap not being updated with node hosts entries.
  • Fix on-demand snapshots on ipv6-only nodes (#​9247)
  • Bump flannel version (#​9395)
    • Bumped flannel to v0.24.2
  • Build: Align drone base images (#​8959)
  • Changed how lastHeartBeatTime works in the etcd condition (#​9263)
  • Runtimes refactor using exec.LookPath (#​9311)
    • Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection.
  • Bump cri-dockerd to fix compat with Docker Engine 25 (#​9290)
  • Add codcov secret for integration tests on Push (#​9422)
  • Allow executors to define containerd and cridockerd behavior (#​9184)
  • Update Kube-router to v2.0.1 (#​9396)
  • : Test_UnitApplyContainerdQoSClassConfigFileIfPresent (Created) (#​8945)
  • Readd k3s secrets-encrypt rotate-keys with correct support for KMSv2 GA (#​9340)
  • Fix iptables check when sbin isn't in user PATH (#​9344)
  • Don't create NodePasswordValidationFailed event if agent is disabled (#​9312)
    • The NodePasswordValidationFailed Events will no longer be emitted, if the agent is disabled.
  • Expose rootless state dir under ~/.rancher/k3s/rootless (#​9308)
    • When running k3s in rootless mode, expose rootlesskit's state directory as ~/.rancher/k3s/rootless
  • Expose rootless containerd socket directories for external access (#​9309)
    • Mount k3s rootless containerd & cri-dockerd socket directories to $XDG_RUNTIME_DIR/k3s/containerd and $XDG_RUNTIME_DIR/k3s/cri-dockerd respectively.
  • Bump kine and set NotifyInterval to what the apiserver expects (#​9349)
  • Update Kubernetes to v1.29.2 (#​9493)
  • Fix drone publish for arm (#​9503)
  • Remove failing Drone step (#​9517)
  • Restore original order of agent startup functions (#​9539)
  • Fix netpol startup when flannel is disabled (#​9571)

Embedded Component Versions

Component Version
Kubernetes v1.29.2
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.1+k3s1: v1.29.1+k3s1

Compare Source

This release updates Kubernetes to v1.29.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.29.0+k3s1:

  • Bump Sonobuoy version (#​8910)
  • Bump actions/setup-go from 4 to 5 (#​9036)
  • Chore: Update Code of Conduct to Redirect to CNCF CoC (#​9104)
    • NONE
  • Update stable channel to v1.28.5+k3s1 and add v1.29 channel (#​9110)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9070)
    • HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true.
    • This however doesn't affect local requests as the function used prevents that: https://pkg.go.dev/net/http#ProxyFromEnvironment.
  • Add a retry around updating a secrets-encrypt node annotations (#​9039)
  • Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM (#​8703)
  • Add ServiceLB support for PodHostIPs FeatureGate (#​8917)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9118)
  • Redirect error stream to null when checking nm-cloud systemd unit (#​8815)
    • Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log
  • Dockerfile.dapper: set $HOME properly (#​9090)
  • Add system-agent-installer-k3s step to GA release instructions (#​9153)
  • Fix install script checksum (#​9159)
  • Fix the OTHER etcd snapshot s3 log message that prints the wrong variable (#​8944)
  • Handle logging flags when parsing kube-proxy args (#​8916)
  • Fix nil map in full snapshot configmap reconcile (#​9049)
  • Add support for containerd cri registry config_path (#​8973)
  • Add more paths to crun runtime detection (#​9086)
  • Add runtime checking of golang version (#​9054)
  • Fix OS PRETTY_NAME on tagged releases (#​9062)
  • Print error when downloading file error inside install script (#​6874)
  • Wait for cloud-provider taint to be gone before starting the netpol controller (#​9076)
  • Bump Trivy version (#​8812)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​8984)
  • Handle etcd status condition when node is not ready and disable etcd (#​9084)
  • Update s3 e2e test (#​9025)
  • Add e2e startup test for rootless k3s (#​8383)
  • Add spegel distributed registry mirror (#​8977)
  • Bump quic-go for CVE-2023-49295 (#​9208)
  • Enable network policy controller metrics (#​9195)
    • Kube-router network policy controller metrics are now exposed via the default node metrics endpoint
  • Fix nonexistent dependency repositories (#​9213)
  • Move proxy dialer out of init() and fix crash when using K3S_AGENT_HTTP_PROXY_ALLOWED=true (#​9219)
  • Error getting node in setEtcdStatusCondition (#​9210)
  • Update to v1.29.1 and Go 1.21.6 (#​9259)

Embedded Component Versions

Component Version
Kubernetes v1.29.1
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.10
Flannel v0.24.0
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.1+k3s2: v1.29.1+k3s2

Compare Source

This release updates Kubernetes to v1.29.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Important Notes

Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

Changes since v1.29.0+k3s1:

  • Bump Sonobuoy version (#​8910)
  • Bump actions/setup-go from 4 to 5 (#​9036)
  • Chore: Update Code of Conduct to Redirect to CNCF CoC (#​9104)
    • NONE
  • Update stable channel to v1.28.5+k3s1 and add v1.29 channel (#​9110)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9070)
    • HTTP_PROXY, HTTPS_PROXY and NO_PROXY environment variables are now taken into account by the agent loadbalancer if K3S_AGENT_HTTP_PROXY_ALLOWED env variable is set to true.
    • This however doesn't affect local requests as the function used prevents that: https://pkg.go.dev/net/http#ProxyFromEnvironment.
  • Add a retry around updating a secrets-encrypt node annotations (#​9039)
  • Silence SELinux warning on INSTALL_K3S_SKIP_SELINUX_RPM (#​8703)
  • Add ServiceLB support for PodHostIPs FeatureGate (#​8917)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9118)
  • Redirect error stream to null when checking nm-cloud systemd unit (#​8815)
    • Remove confusing "nm-cloud-setup.service: No such file or directory" journalctl log
  • Dockerfile.dapper: set $HOME properly (#​9090)
  • Add system-agent-installer-k3s step to GA release instructions (#​9153)
  • Fix install script checksum (#​9159)
  • Fix the OTHER etcd snapshot s3 log message that prints the wrong variable (#​8944)
  • Handle logging flags when parsing kube-proxy args (#​8916)
  • Fix nil map in full snapshot configmap reconcile (#​9049)
  • Add support for containerd cri registry config_path (#​8973)
  • Add more paths to crun runtime detection (#​9086)
  • Add runtime checking of golang version (#​9054)
  • Fix OS PRETTY_NAME on tagged releases (#​9062)
  • Print error when downloading file error inside install script (#​6874)
  • Wait for cloud-provider taint to be gone before starting the netpol controller (#​9076)
  • Bump Trivy version (#​8812)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​8984)
  • Handle etcd status condition when node is not ready and disable etcd (#​9084)
  • Update s3 e2e test (#​9025)
  • Add e2e startup test for rootless k3s (#​8383)
  • Add spegel distributed registry mirror (#​8977)
  • Bump quic-go for CVE-2023-49295 (#​9208)
  • Enable network policy controller metrics (#​9195)
    • Kube-router network policy controller metrics are now exposed via the default node metrics endpoint
  • Fix nonexistent dependency repositories (#​9213)
  • Move proxy dialer out of init() and fix crash when using K3S_AGENT_HTTP_PROXY_ALLOWED=true (#​9219)
  • Error getting node in setEtcdStatusCondition (#​9210)
  • Update to v1.29.1 and Go 1.21.6 (#​9259)
  • New stale action (#​9278)
  • Fix handling of bare hostname or IP as endpoint address in registries.yaml (#​9323)
  • Bump runc to v1.1.12 and helm-controller to v0.15.7 (#​9332)
  • Bump helm-controller to fix issue with ChartContent (#​9345)

Embedded Component Versions

Component Version
Kubernetes v1.29.1
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.12-k3s1
Flannel v0.24.0
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.29.0+k3s1: v1.29.0+k3s1

Compare Source

This release is K3S's first in the v1.29 line. This release updates Kubernetes to v1.29.0.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

️ IMPORTANT: This release removes the experimental rotate-keys subcommand due to changes in Kubernetes upstream for KMSv2, the subcommand should be added back in future releases.

️ IMPORTANT: This release also removes the multi-cluster-cidr flag, since the support for this alpha feature has been removed completely from Kubernetes upstream, this flag should be removed from the configuration before upgrade.

Changes since v1.28.4+k3s2:

  • Fix overlapping address range (#​8913)
  • Modify CONTRIBUTING.md guide (#​8954)
  • Nov 2023 stable channel update (#​9022)
  • Default runtime and runtime classes for wasm/nvidia/crun (#​8936)
    • Added runtime classes for wasm/nvidia/crun
    • Added default runtime flag for containerd
  • Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#​8962)
  • Allow setting default-runtime on servers (#​9027)
  • Bump containerd to v1.7.11 (#​9040)
  • Remove GA feature-gates (#​8970)
  • Only publish to code_cov on merged E2E builds (#​9051)
  • Update Kubernetes to v1.29.0+k3s1 (#​9052)
  • Update flannel to v0.24.0 and remove multiclustercidr flag (#​9075)
  • Remove rotate-keys subcommand (#​9079)

Embedded Component Versions

Component Version
Kubernetes v1.29.0
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.10
Flannel v0.24.0
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.15+k3s1: v1.28.15+k3s1

Compare Source

This release updates Kubernetes to v1.28.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.14+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.28.15
Kine v0.13.2
SQLite 3.46.1
Etcd v3.5.13-k3s1
Containerd v1.7.22-k3s1.28
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.10
CoreDNS v1.11.3
Helm-controller v0.15.15
Local-path-provisioner v0.0.30

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.14+k3s1: v1.28.14+k3s1

Compare Source

This release updates Kubernetes to v1.28.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.13+k3s1:

  • Testing Backports for 2024-09 (#​10804)
    • Update to newer OS images for install testing
    • Fix caching name for e2e vagrant box
    • Fix deploy latest commit on E2E tests
    • DRY E2E Upgrade test setup
    • Cover edge case when on new minor release for E2E upgrade test
  • Update CNI plugins version (#​10820)
  • Backports for 2024-09 (#​10845)
  • Fix hosts.toml header var (#​10874)
  • Update to v1.28.14-k3s1 and Go 1.22.6 (#​10884)
  • Update Kubernetes to v1.28.14-k3s2 (#​10907)

Embedded Component Versions

Component Version
Kubernetes v1.28.14
Kine v0.12.0
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.21-k3s2.28
Runc v1.1.14
Flannel v0.25.6
Metrics-server v0.7.2
Traefik v2.11.8
CoreDNS v1.11.3
Helm-controller v0.15.13
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.13+k3s1: v1.28.13+k3s1

Compare Source

This release updates Kubernetes to v1.28.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.12+k3s1:

  • Fixing setproctitle function (#​10624)
  • Bump docker/docker to v24.0.10-0.20240723193628-852759a7df45 (#​10651)
  • Backports for 2024-08 release cycle (#​10666)
    • Use pagination when listing large numbers of resources
    • Fix multiple issues with servicelb
    • Remove deprecated use of wait. functions
    • Wire lasso metrics up to metrics endpoint
  • Backports for August 2024 (#​10673)
  • Bump containerd to v1.7.20 (#​10662)
  • Add tolerations support for DaemonSet pods (#​10705)
    • New Feature: Users can now define Kubernetes tolerations for ServiceLB DaemonSet directly in the svccontroller.k3s.cattle.io/tolerations annotation on services.
  • Update to v1.28.13-k3s1 and Go 1.22.5 (#​10719)

Embedded Component Versions

Component Version
Kubernetes v1.28.13
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.20-k3s2.28
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.12+k3s1: v1.28.12+k3s1

Compare Source

This release updates Kubernetes to v1.28.12, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.11+k3s2:

  • Backports for 2024-07 release cycle (#​10499)
    • Bump k3s-root to v0.14.0
    • Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7
    • Bump Local Path Provisioner version
    • Ensure remotedialer kubelet connections use kubelet bind address
    • Chore: Bump Trivy version
    • Add etcd s3 config secret implementation
  • July Test Backports (#​10509)
  • Update to v1.28.12-k3s1 and Go 1.22.5 (#​10541)
  • Fix issues loading data-dir value from env vars or dropping config files (#​10598)

Embedded Component Versions

Component Version
Kubernetes v1.28.12
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1.28
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.11+k3s1: v1.28.11+k3s1

Compare Source

This release updates Kubernetes to v1.28.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.10+k3s1:

  • Replace deprecated ruby function (#​10090)
  • Fix bug when using tailscale config by file (#​10144)
  • Bump flannel version to v0.25.2 (#​10221)
  • Update kube-router version to v2.1.2 (#​10182)
  • Improve tailscale test & add extra log in e2e tests (#​10213)
  • Backports for 2024-06 release cycle (#​10258)
    • Add WithSkipMissing to not fail import on missing blobs
    • Use fixed stream server bind address for cri-dockerd
    • Switch stargz over to cri registry config_path
    • Bump to containerd v1.7.17, etcd v3.5.13
    • Bump spegel version
    • Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes
    • ServiceLB now sets the priorityClassName on svclb pods to system-node-critical by default. This can be overridden on a per-service basis via the svccontroller.k3s.cattle.io/priorityclassname annotation.
    • Bump minio-go to v7.0.70
    • Bump kine to v0.11.9 to fix pagination
    • Update valid resolv conf
    • Add missing kernel config check
    • Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)
    • Fix bug: allow helm controller set owner reference
    • Bump klipper-helm image for tls secret support
    • Fix issue with k3s-etcd informers not starting
    • --Enable-pprof can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port.
    • --Supervisor-metrics can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port.
    • Fix netpol crash when node remains tainted uninitialized
    • The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks.
  • More backports for 2024-06 release cycle (#​10289)
  • Add snapshot retention etcd-s3-folder fix (#​10315)
  • Add test for isValidResolvConf (#​10302) (#​10331)
  • Fix race condition panic in loadbalancer.nextServer (#​10323)
  • Fix typo, use rancher/permissions (#​10299)
  • Update Kubernetes to v1.28.11 (#​10347)
  • Fix agent supervisor port using apiserver port instead (#​10355)
  • Fix issue that allowed multiple simultaneous snapshots to be allowed (#​10377)

Embedded Component Versions

Component Version
Kubernetes v1.28.11
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1.28
Runc v1.1.12
Flannel v0.25.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.11+k3s2: v1.28.11+k3s2

Compare Source

This release updates Kubernetes to v1.28.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.11+k3s1:

  • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#​10428)

Embedded Component Versions

Component Version
Kubernetes v1.28.11
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s1.28
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.10+k3s1: v1.28.10+k3s1

Compare Source

This release updates Kubernetes to v1.28.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.9+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.28.10
Kine v0.11.7
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.28.9+k3s1...v1.28.10+k3s1

v1.28.9+k3s1: v1.28.9+k3s1

Compare Source

This release updates Kubernetes to v1.28.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.8+k3s1:

  • Add a new error when kine is with disable apiserver or disable etcd (#​9804)
  • Remove old pinned dependencies (#​9827)
  • Transition from deprecated pointer library to ptr (#​9824)
  • Golang caching and E2E ubuntu 23.10 (#​9821)
  • Add tls for kine (#​9849)
  • Bump spegel to v0.0.20-k3s1 (#​9880)
  • Backports for 2024-04 release cycle (#​9911)
    • Send error response if member list cannot be retrieved
    • The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels
    • Fix error when image has already been pulled
    • Add /etc/passwd and /etc/group to k3s docker image
    • Fix etcd snapshot reconcile for agentless servers
    • Add health-check support to loadbalancer
    • Add certificate expiry check, events, and metrics
    • Add workaround for containerd hosts.toml bug when passing config for default registry endpoint
    • Add supervisor cert/key to rotate list
    • The embedded containerd has been bumped to v1.7.15
    • The embedded cri-dockerd has been bumped to v0.3.12
    • The k3s etcd-snapshot command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots.
    • Improve etcd load-balancer startup behavior
    • Actually fix agent certificate rotation
    • Traefik has been bumped to v2.10.7.
    • Traefik pod annotations are now set properly in the default chart values.
    • The system-default-registry value now supports RFC2732 IPv6 literals.
    • The local-path provisioner now defaults to creating local volumes, instead of hostPath.
  • Allow LPP to read helper logs (#​9938)
  • Update kube-router to v2.1.0 (#​9942)
  • Update to v1.28.9-k3s1 and Go 1.21.9 (#​9959)
  • Fix on-demand snapshots timing out; not honoring folder (#​9994)
  • Make /db/info available anonymously from localhost (#​10002)

Embedded Component Versions

Component Version
Kubernetes v1.28.9
Kine v0.11.7
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1
Runc v1.1.12
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.8+k3s1: v1.28.8+k3s1

Compare Source

This release updates Kubernetes to v1.28.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.7+k3s1:

  • Add an integration test for flannel-backend=none (#​9608)
  • Install and Unit test backports (#​9641)
  • Update klipper-lb image version (#​9605)
  • Chore(deps): Remediating CVE-2023-45142 CVE-2023-48795 (#​9647)
  • Adjust first node-ip based on configured clusterCIDR (#​9631)
  • Improve tailscale e2e test (#​9653)
  • Backports for 2024-03 release cycle (#​9669)
    • Fix: use correct wasm shims names
    • The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller.
    • Bump spegel to v0.0.18-k3s3
    • Adds wildcard registry support
    • Fixes issue with excessive CPU utilization while waiting for containerd to start
    • Add env var to allow spegel mirroring of latest tag
    • Tweak netpol node wait logs
    • Fix coredns NodeHosts on dual-stack clusters
    • Bump helm-controller/klipper-helm versions
    • Fix snapshot prune
    • Fix issue with etcd node name missing hostname
    • Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode.
    • To enable raw output for the check-config subcommand, you may now set NO_COLOR=1
    • Fix additional corner cases in registries handling
    • Bump metrics-server to v0.7.0
    • K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
  • Docker and E2E Test Backports (#​9707)
  • Fix wildcard entry upstream fallback (#​9733)
  • Update to v1.28.8-k3s1 and Go 1.21.8 (#​9746)

Embedded Component Versions

Component Version
Kubernetes v1.28.8
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.7+k3s1: v1.28.7+k3s1

Compare Source

This release updates Kubernetes to v1.28.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.6+k3s2:

  • Chore: bump Local Path Provisioner version (#​9426)
  • Bump cri-dockerd to fix compat with Docker Engine 25 (#​9293)
  • Auto Dependency Bump (#​9419)
  • Runtimes refactor using exec.LookPath (#​9431)
    • Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection.
  • Changed how lastHeartBeatTime works in the etcd condition (#​9424)
  • Bump Flannel v0.24.2 + remove multiclustercidr (#​9401)
  • Allow executors to define containerd and docker behavior (#​9254)
  • Update Kube-router to v2.0.1 (#​9404)
  • Backports for 2024-02 release cycle (#​9462)
  • Enable longer http timeout requests (#​9444)
  • Test_UnitApplyContainerdQoSClassConfigFileIfPresent (#​9440)
  • Support MR testing installs (#​9469)
  • Update Kubernetes to v1.28.7 (#​9492)
  • Fix drone publish for arm (#​9508)
  • Remove failing Drone step (#​9516)
  • Restore original order of agent startup functions (#​9545)
  • Fix netpol startup when flannel is disabled (#​9578)

Embedded Component Versions

Component Version
Kubernetes v1.28.7
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.6+k3s1: v1.28.6+k3s1

Compare Source

This release updates Kubernetes to v1.28.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.5+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#​9125)
  • Wait for taint to be gone in the node before starting the netpol controller (#​9175)
  • Etcd condition (#​9181)
  • Backports for 2024-01 (#​9203)
  • Pin opa version for missing dependency chain (#​9216)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9206)
  • Etcd node is nil (#​9228)
  • Update to v1.28.6 and Go 1.20.13 (#​9260)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​9269)

Embedded Component Versions

Component Version
Kubernetes v1.28.6
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.10
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.6+k3s2: v1.28.6+k3s2

Compare Source

This release updates Kubernetes to v1.28.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Important Notes

Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

Changes since v1.28.5+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#​9125)
  • Wait for taint to be gone in the node before starting the netpol controller (#​9175)
  • Etcd condition (#​9181)
  • Backports for 2024-01 (#​9203)
  • Pin opa version for missing dependency chain (#​9216)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9206)
  • Etcd node is nil (#​9228)
  • Update to v1.28.6 and Go 1.20.13 (#​9260)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​9269)
  • Backports for 2024-01 k3s2 (#​9336)
    • Bump runc to v1.1.12 and helm-controller to v0.15.7
    • Fix handling of bare hostname or IP as endpoint address in registries.yaml
  • Bump helm-controller to fix issue with ChartContent (#​9346)

Embedded Component Versions

Component Version
Kubernetes v1.28.6
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.12-k3s1
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.5+k3s1: v1.28.5+k3s1

Compare Source

This release updates Kubernetes to v1.28.5, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.4+k3s1:

  • Remove s390x steps temporarily since runners are disabled (#​8983)
  • Remove s390x from manifest (#​8998)
  • Fix overlapping address range (#​8913)
  • Modify CONTRIBUTING.md guide (#​8954)
  • Nov 2023 stable channel update (#​9022)
  • Default runtime and runtime classes for wasm/nvidia/crun (#​8936)
    • Added runtime classes for wasm/nvidia/crun
    • Added default runtime flag for containerd
  • Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#​8962)
  • Allow setting default-runtime on servers (#​9027)
  • Bump containerd to v1.7.11 (#​9040)
  • Update to v1.28.5-k3s1 (#​9081)

Embedded Component Versions

Component Version
Kubernetes v1.28.5
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2
Runc v1.1.10
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.4+k3s1: v1.28.4+k3s1

Compare Source

Due to CI issues, v1.28.4+k3s1 should not be used. Please use v1.28.4+k3s2.

v1.28.4+k3s2: v1.28.4+k3s2

Compare Source

This release updates Kubernetes to v1.28.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.3+k3s2:

  • Update channels latest to v1.27.7+k3s2 (#​8799)
  • Add etcd status condition (#​8724)
    • Now the user can see the etcd status from each node in a simple way
  • ADR for etcd status (#​8355)
  • Wasm shims detection (#​8751)
    • Automatic discovery of WebAssembly runtimes
  • Add warning for removal of multiclustercidr flag (#​8758)
  • Improve dualStack log (#​8798)
  • Optimize: Simplify and clean up Dockerfile (#​8244)
  • Add: timezone info in image (#​8764)
      • New timezone info in Docker image allows the use of spec.timeZone in CronJobs
  • Bump kine to fix nats, postgres, and watch issues (#​8778)
    • Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
  • QoS-class resource configuration (#​8726)
    • Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
  • Add agent flag disable-apiserver-lb (#​8717)
    • Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
  • Force umount for NFS mount (like with longhorn) (#​8521)
  • General updates to README (#​8786)
  • Fix wrong warning from restorecon in install script (#​8871)
  • Fix issue with snapshot metadata configmap (#​8835)
    • Omit snapshot list configmap entries for snapshots without extra metadata
  • Skip initial datastore reconcile during cluster-reset (#​8861)
  • Tweaked order of ingress IPs in ServiceLB (#​8711)
    • Improved ingress IP ordering from ServiceLB
  • Disable helm CRD installation for disable-helm-controller (#​8702)
  • More improves for K3s patch release docs (#​8800)
  • Update install.sh sha256sum (#​8885)
  • Add jitter to client config retry to avoid hammering servers when they are starting up (#​8863)
  • Handle nil pointer when runtime core is not ready in etcd (#​8886)
  • Bump dynamiclistener; reduce snapshot controller log spew (#​8894)
    • Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
    • Reduced etcd snapshot log spam during initial cluster startup
  • Remove depends_on for e2e step; fix cert rotate e2e (#​8906)
  • Fix etcd snapshot S3 issues (#​8926)
    • Don't apply S3 retention if S3 client failed to initialize
    • Don't request metadata when listing S3 snapshots
    • Print key instead of file path in snapshot metadata log message
  • Update to v1.28.4 and Go to v1.20.11 (#​8920)
  • Remove s390x steps temporarily since runners are disabled (#​8983)
  • Remove s390x from manifest (#​8998)

Embedded Component Versions

Component Version
Kubernetes v1.28.4
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.3+k3s1: v1.28.3+k3s1

Compare Source

This release updates Kubernetes to v1.28.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.2+k3s1:

  • Fix error reporting (#​8250)
  • Add context to flannel errors (#​8284)
  • Update channel, September patch release (#​8397)
  • Add missing link to drone in documentation (#​8295)
  • Include the interface name in the error message (#​8346)
  • Add extraArgs to vpn provider (#​8354)
    • Allow to pass extra args to the vpn provider
  • Disable HTTP on main etcd client port (#​8402)
    • Embedded etcd no longer serves http requests on the client port, only grpc. This addresses a performance issue that could cause watch stream starvation under load. For more information, see https://github.com/etcd-io/etcd/issues/15402
  • Server token rotation (#​8215)
  • Fix issues with etcd member removal after reset (#​8392)
    • Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
  • Fix gofmt error (#​8439)
  • Added advertise address integration test (#​8344)
  • Added cluster reset from non bootstrap nodes on snapshot restore e2e test (#​8292)
  • Fix .github regex to skip drone runs on gh action bumps (#​8433)
  • Added error when cluster reset while using server flag (#​8385)
    • The user will receive a error when --cluster-reset with the --server flag
  • Update kube-router (#​8423)
    • Update kube-router to v2.0.0-rc7 to fix performance issues
  • Add SHA256 signatures of the install script (#​8312)
      • Add SHA256 signatures of the install script.
  • Add --image-service-endpoint flag (#​8279)
    • Add --image-service-endpoint flag to specify an external image service socket.
  • Don't ignore assets in home dir if system assets exist (#​8458)
  • Pass SystemdCgroup setting through to nvidia runtime options (#​8470)
    • Fixed issue that would cause pods using nvidia container runtime to be killed after a few seconds, when using newer versions of nvidia-container-toolkit.
  • Improve release docs - updated (#​8414)
  • Take IPFamily precedence based on order (#​8460)
  • Fix spellcheck problem (#​8507)
  • Network defaults are duplicated, remove one (#​8523)
  • Fix slemicro check for selinux (#​8526)
  • Update install.sh.sha256sum (#​8566)
  • System agent push tags fix (#​8568)
  • Fixed tailscale node IP dualstack mode in case of IPv4 only node (#​8524)
  • Server Token Rotation (#​8265)
    • Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
  • E2E Domain Drone Cleanup (#​8579)
  • Bump containerd to v1.7.7-k3s1 (#​8604)
  • Bump busybox to v1.36.1 (#​8602)
  • Migrate to using custom resource to store etcd snapshot metadata (#​8064)
  • Switch build target from main.go to a package. (#​8342)
  • Use IPv6 in case is the first configured IP with dualstack (#​8581)
  • Bump traefik, golang.org/x/net, google.golang.org/grpc (#​8624)
  • Update kube-router package in build script (#​8630)
  • Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#​8638)
  • Use version.Program not K3s in token rotate logs (#​8653)
  • [Windows Port (#​7259)
  • Fix CloudDualStackNodeIPs feature-gate inconsistency (#​8667)
  • Re-enable etcd endpoint auto-sync (#​8675)
  • Manually requeue configmap reconcile when no nodes have reconciled snapshots (#​8683)
  • Update to v1.28.3 and Go to v1.20.10 (#​8682)
  • Fix s3 snapshot restore (#​8729)

Embedded Component Versions

Component Version
Kubernetes v1.28.3
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.3+k3s2: v1.28.3+k3s2

Compare Source

This release updates Kubernetes to v1.28.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.3+k3s1:

  • Restore selinux context systemd unit file (#​8593)
  • Update channel to v1.27.7+k3s1 (#​8753)
  • Bump Sonobuoy version (#​8710)
  • Bump Trivy version (#​8739)
  • Fix: Access outer scope .SystemdCgroup (#​8761)
    • Fixed failing to start with nvidia-container-runtime
  • Upgrade traefik chart to v25.0.0 (#​8771)
  • Update traefik to fix registry value (#​8792)
  • Don't use iptables-save/iptables-restore if it will corrupt rules (#​8795)

Embedded Component Versions

Component Version
Kubernetes v1.28.3
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.2+k3s1: v1.28.2+k3s1

Compare Source

This release updates Kubernetes to v1.28.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.28.1+k3s1:

  • Update channel for version v1.28 (#​8305)
  • Bump kine to v0.10.3 (#​8323)
  • Update to v1.28.2 and go v1.20.8 (#​8364)
    • Bump embedded containerd to v1.7.6
    • Bump embedded stargz-snapshotter plugin to latest
    • Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
    • Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28

Embedded Component Versions

Component Version
Kubernetes v1.28.2
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.6-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.28.1+k3s1: v1.28.1+k3s1

Compare Source

This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1.

️ IMPORTANT: This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including documentation on changes in behavior that harden clusters against this vulnerability.

Kubernetes v1.28 contains a critical regression (kubernetes/kubernetes#120247) that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.5+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.28.1
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.3-k3s2
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.16+k3s1: v1.27.16+k3s1

Compare Source

This release updates Kubernetes to v1.27.16, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.15+k3s2:

  • Backports for 2024-07 release cycle (#​10500)
    • Bump k3s-root to v0.14.0
    • Bump github.com/hashicorp/go-retryablehttp from 0.7.4 to 0.7.7
    • Bump Local Path Provisioner version
    • Ensure remotedialer kubelet connections use kubelet bind address
    • Chore: Bump Trivy version
    • Add etcd s3 config secret implementation
  • July Test Backports (#​10510)
  • Update to v1.27.16-k3s1 and Go 1.22.5 (#​10542)
  • Fix issues loading data-dir value from env vars or dropping config files (#​10599)

Embedded Component Versions

Component Version
Kubernetes v1.27.16
Kine v0.11.11
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s2.27
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.28

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.15+k3s1: v1.27.15+k3s1

Compare Source

This release updates Kubernetes to v1.27.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.14+k3s1:

  • Replace deprecated ruby function (#​10089)
  • Fix bug when using tailscale config by file (#​10143)
  • Bump flannel version to v0.25.2 (#​10222)
  • Update kube-router version to v2.1.2 (#​10183)
  • Improve tailscale test & add extra log in e2e tests (#​10214)
  • Backports for 2024-06 release cycle (#​10259)
    • Add WithSkipMissing to not fail import on missing blobs
    • Use fixed stream server bind address for cri-dockerd
    • Switch stargz over to cri registry config_path
    • Bump to containerd v1.7.17, etcd v3.5.13
    • Bump spegel version
    • Fix issue with externalTrafficPolicy: Local for single-stack services on dual-stack nodes
    • ServiceLB now sets the priorityClassName on svclb pods to system-node-critical by default. This can be overridden on a per-service basis via the svccontroller.k3s.cattle.io/priorityclassname annotation.
    • Bump minio-go to v7.0.70
    • Bump kine to v0.11.9 to fix pagination
    • Update valid resolv conf
    • Add missing kernel config check
    • Symlinked sub-directories are now respected when scanning Auto-Deploying Manifests (AddOns)
    • Fix bug: allow helm controller set owner reference
    • Bump klipper-helm image for tls secret support
    • Fix issue with k3s-etcd informers not starting
    • --Enable-pprof can now be set on agents to enable the debug/pprof endpoints. When set, agents will listen on the supervisor port.
    • --Supervisor-metrics can now be set on servers to enable serving internal metrics on the supervisor endpoint; when set agents will listen on the supervisor port.
    • Fix netpol crash when node remains tainted uninitialized
    • The embedded load-balancer will now fall back to trying all servers with health-checks ignored, if all servers have been marked unavailable due to failed health checks.
  • More backports for 2024-06 release cycle (#​10290)
  • Add snapshot retention etcd-s3-folder fix (#​10314)
  • Add test for isValidResolvConf (#​10302) (#​10332)
  • Fix race condition panic in loadbalancer.nextServer (#​10324)
  • Fix typo, use rancher/permissions (#​10297)
  • Update Kubernetes to v1.27.15 (#​10346)
    • Update Kubernetes to v1.27.15
  • Fix agent supervisor port using apiserver port instead (#​10356)
  • Fix issue that allowed multiple simultaneous snapshots to be allowed (#​10378)

Embedded Component Versions

Component Version
Kubernetes v1.27.15
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s2.27
Runc v1.1.12
Flannel v0.25.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.15+k3s2: v1.27.15+k3s2

Compare Source

This release updates Kubernetes to v1.27.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.15+k3s1:

  • Update flannel to v0.25.4 and fixed issue with IPv6 mask (#​10429)

Embedded Component Versions

Component Version
Kubernetes v1.27.15
Kine v0.11.9
SQLite 3.44.0
Etcd v3.5.13-k3s1
Containerd v1.7.17-k3s2.27
Runc v1.1.12
Flannel v0.25.4
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.10
Local-path-provisioner v0.0.27

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.14+k3s1: v1.27.14+k3s1

Compare Source

This release updates Kubernetes to v1.27.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.13+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.27.14
Kine v0.11.7
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1.27
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.27.13+k3s1...v1.27.14+k3s1

v1.27.13+k3s1: v1.27.13+k3s1

Compare Source

This release updates Kubernetes to v1.27.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.12+k3s1:

  • Add a new error when kine is with disable apiserver or disable etcd (#​9803)
  • Remove old pinned dependencies (#​9828)
  • Transition from deprecated pointer library to ptr (#​9825)
  • Golang caching and E2E ubuntu 23.10 (#​9822)
  • Add tls for kine (#​9850)
  • Bump spegel to v0.0.20-k3s1 (#​9881)
  • Backports for 2024-04 release cycle (#​9912)
    • Send error response if member list cannot be retrieved
    • The k3s stub cloud provider now respects the kubelet's requested provider-id, instance type, and topology labels
    • Fix error when image has already been pulled
    • Add /etc/passwd and /etc/group to k3s docker image
    • Fix etcd snapshot reconcile for agentless servers
    • Add health-check support to loadbalancer
    • Add certificate expiry check, events, and metrics
    • Add workaround for containerd hosts.toml bug when passing config for default registry endpoint
    • Add supervisor cert/key to rotate list
    • The embedded containerd has been bumped to v1.7.15
    • The embedded cri-dockerd has been bumped to v0.3.12
    • The k3s etcd-snapshot command has been reworked for improved consistency. All snapshots operations are now performed by the server process, with the CLI acting as a client to initiate and report results. As a side effect, the CLI is now less noisy when managing snapshots.
    • Improve etcd load-balancer startup behavior
    • Actually fix agent certificate rotation
    • Traefik has been bumped to v2.10.7.
    • Traefik pod annotations are now set properly in the default chart values.
    • The system-default-registry value now supports RFC2732 IPv6 literals.
    • The local-path provisioner now defaults to creating local volumes, instead of hostPath.
  • Allow LPP to read helper logs (#​9939)
  • Update kube-router to v2.1.0 (#​9943)
  • Update to v1.27.13-k3s1 and Go 1.21.9 (#​9958)
  • Fix on-demand snapshots timing out; not honoring folder (#​9995)
  • Make /db/info available anonymously from localhost (#​10003)

Embedded Component Versions

Component Version
Kubernetes v1.27.13
Kine v0.11.7
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.15-k3s1.27
Runc v1.1.12
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.7
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.12+k3s1: v1.27.12+k3s1

Compare Source

This release updates Kubernetes to v1.27.12, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.11+k3s1:

  • Add an integration test for flannel-backend=none (#​9609)
  • Install and Unit test backports (#​9642)
  • Update klipper-lb image version (#​9606)
  • Adjust first node-ip based on configured clusterCIDR (#​9632)
  • Improve tailscale e2e test (#​9654)
  • Backports for 2024-03 release cycle (#​9670)
    • Fix: use correct wasm shims names
    • The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller.
    • Bump spegel to v0.0.18-k3s3
    • Adds wildcard registry support
    • Fixes issue with excessive CPU utilization while waiting for containerd to start
    • Add env var to allow spegel mirroring of latest tag
    • Tweak netpol node wait logs
    • Fix coredns NodeHosts on dual-stack clusters
    • Bump helm-controller/klipper-helm versions
    • Fix snapshot prune
    • Fix issue with etcd node name missing hostname
    • Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode.
    • To enable raw output for the check-config subcommand, you may now set NO_COLOR=1
    • Fix additional corner cases in registries handling
    • Bump metrics-server to v0.7.0
    • K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
  • Docker and E2E Test Backports (#​9708)
  • Fix wildcard entry upstream fallback (#​9734)
  • Update to v1.27.12-k3s1 and Go 1.21.8 (#​9745)

Embedded Component Versions

Component Version
Kubernetes v1.27.12
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.27
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.11+k3s1: v1.27.11+k3s1

Compare Source

This release updates Kubernetes to v1.27.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.10+k3s2:

  • Chore: bump Local Path Provisioner version (#​9427)
  • Bump cri-dockerd to fix compat with Docker Engine 25 (#​9291)
  • Auto Dependency Bump (#​9420)
  • Runtimes refactor using exec.LookPath (#​9430)
    • Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection.
  • Changed how lastHeartBeatTime works in the etcd condition (#​9425)
  • Allow executors to define containerd and docker behavior (#​9253)
  • Update Kube-router to v2.0.1 (#​9405)
  • Backports for 2024-02 release cycle (#​9463)
  • Bump flannel version + remove multiclustercidr (#​9407)
  • Enable longer http timeout requests (#​9445)
  • Test_UnitApplyContainerdQoSClassConfigFileIfPresent (#​9441)
  • Support MR testing installs (#​9470)
  • Update Kubernetes to v1.27.11 (#​9491)
  • Fix drone publish for arm (#​9509)
  • Remove failing Drone step (#​9515)
  • Restore original order of agent startup functions (#​9546)
  • Fix netpol startup when flannel is disabled (#​9579)

Embedded Component Versions

Component Version
Kubernetes v1.27.11
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.27
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.10+k3s1: v1.27.10+k3s1

Compare Source

This release updates Kubernetes to v1.27.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.9+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#​9124)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9117)
  • Wait for taint to be gone in the node before starting the netpol controller (#​9176)
  • Etcd condition (#​9182)
  • Backports for 2024-01 (#​9211)
  • Move proxy dialer out of init() and fix crash (#​9220)
  • Pin opa version for missing dependency chain (#​9217)
  • Etcd node is nil (#​9229)
  • Update to v1.27.10 and Go 1.20.13 (#​9261)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​9270)

Embedded Component Versions

Component Version
Kubernetes v1.27.10
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.27
Runc v1.1.10
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.10+k3s2: v1.27.10+k3s2

Compare Source

This release updates Kubernetes to v1.27.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Important Notes

Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

Changes since v1.27.9+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#​9124)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9117)
  • Wait for taint to be gone in the node before starting the netpol controller (#​9176)
  • Etcd condition (#​9182)
  • Backports for 2024-01 (#​9211)
  • Move proxy dialer out of init() and fix crash (#​9220)
  • Pin opa version for missing dependency chain (#​9217)
  • Etcd node is nil (#​9229)
  • Update to v1.27.10 and Go 1.20.13 (#​9261)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​9270)
  • Backports for 2024-01 k3s2 (#​9337)
    • Bump runc to v1.1.12 and helm-controller to v0.15.7
    • Fix handling of bare hostname or IP as endpoint address in registries.yaml
  • Bump helm-controller to fix issue with ChartContent (#​9347)

Embedded Component Versions

Component Version
Kubernetes v1.27.10
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.27
Runc v1.1.12-k3s1
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.9+k3s1: v1.27.9+k3s1

Compare Source

This release updates Kubernetes to v1.27.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.8+k3s2:

  • Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#​8963)
  • Fix overlapping address range (#​9018)
  • Runtimes backport (#​9013)
    • Added runtime classes for wasm/nvidia/crun
    • Added default runtime flag for containerd
  • Bump containerd to v1.7.11 (#​9041)
  • Update to v1.27.9-k3s1 (#​9078)

Embedded Component Versions

Component Version
Kubernetes v1.27.9
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.27
Runc v1.1.10
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.27.9-rc1+k3s1...v1.27.9+k3s1

v1.27.8+k3s1: v1.27.8+k3s1

Compare Source

Due to CI issues, v1.27.8+k3s1 should not be used. Please use v1.27.8+k3s2.

v1.27.8+k3s2: v1.27.8+k3s2

Compare Source

This release updates Kubernetes to v1.27.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.7+k3s2:

  • Etcd status condition (#​8821)
  • Add warning for removal of multiclustercidr flag (#​8759)
  • Backports for 2023-11 release (#​8878)
    • New timezone info in Docker image allows the use of spec.timeZone in CronJobs
    • Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
    • Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
    • Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
    • Improved ingress IP ordering from ServiceLB
    • Disable helm CRD installation for disable-helm-controller
    • Omit snapshot list configmap entries for snapshots without extra metadata
    • Add jitter to client config retry to avoid hammering servers when they are starting up
  • Handle nil pointer when runtime core is not ready in etcd (#​8887)
  • Improve dualStack log (#​8828)
  • Bump dynamiclistener; reduce snapshot controller log spew (#​8902)
    • Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
    • Reduced etcd snapshot log spam during initial cluster startup
  • Remove depends_on for e2e step; fix cert rotate e2e (#​8907)
  • Fix etcd snapshot S3 issues (#​8937)
    • Don't apply S3 retention if S3 client failed to initialize
    • Don't request metadata when listing S3 snapshots
    • Print key instead of file path in snapshot metadata log message
  • Update to v1.27.8 and Go to 1.20.11 (#​8921)
  • Remove s390x (#​8999)

Embedded Component Versions

Component Version
Kubernetes v1.27.8
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1.27
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.7+k3s1: v1.27.7+k3s1

Compare Source

This release updates Kubernetes to v1.27.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.6+k3s1:

  • Fix error reporting (#​8411)
  • Add context to flannel errors (#​8419)
  • Include the interface name in the error message (#​8435)
  • Update kube-router (#​8443)
  • Add extraArgs to tailscale (#​8464)
  • Added error when cluster reset while using server flag (#​8455)
    • The user will receive a error when --cluster-reset with the --server flag
  • Cluster reset from non bootstrap nodes (#​8451)
  • Take IPFamily precedence based on order (#​8504)
  • Fix spellcheck problem (#​8509)
  • Network defaults are duplicated, remove one (#​8551)
  • Advertise address integration test (#​8516)
  • System agent push tags fix (#​8569)
  • Fixed tailscale node IP dualstack mode in case of IPv4 only node (#​8558)
  • Server Token Rotation (#​8576)
    • Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
  • E2E Domain Drone Cleanup (#​8582)
  • Clear remove annotations on cluster reset (#​8587)
    • Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
  • Use IPv6 in case is the first configured IP with dualstack (#​8597)
  • Backports for 2023-10 release (#​8615)
  • Update kube-router package in build script (#​8634)
  • Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#​8642)
  • Use version.Program not K3s in token rotate logs (#​8656)
  • Windows agent support (#​8650)
  • Fix CloudDualStackNodeIPs feature-gate inconsistency (#​8669)
  • Add --image-service-endpoint flag (#​8279) (#​8662)
    • Add --image-service-endpoint flag to specify an external image service socket.
  • Backport etcd fixes (#​8690)
    • Re-enable etcd endpoint auto-sync
    • Manually requeue configmap reconcile when no nodes have reconciled snapshots
  • Update to v1.27.7 and Go to v1.20.10 (#​8681)
  • Fix s3 snapshot restore (#​8733)

Embedded Component Versions

Component Version
Kubernetes v1.27.7
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1.27
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.7+k3s2: v1.27.7+k3s2

Compare Source

This release updates Kubernetes to v1.27.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.7+k3s1:

  • Fix SystemdCgroup in templates_linux.go (#​8765)
    • Fixed an issue with identifying additional container runtimes
  • Update traefik chart to v25.0.0 (#​8775)
  • Update traefik to fix registry value (#​8789)

Embedded Component Versions

Component Version
Kubernetes v1.27.7
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1.27
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.6+k3s1: v1.27.6+k3s1

Compare Source

This release updates Kubernetes to v1.27.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.5+k3s1:

  • Bump kine to v0.10.3 (#​8324)
  • Update to v1.27.6 and Go to 1.20.8 (#​8356)
    • Bump embedded containerd to v1.7.6
    • Bump embedded stargz-snapshotter plugin to latest
    • Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
    • Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28

Embedded Component Versions

Component Version
Kubernetes v1.27.6
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.6-k3s1.27
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.5+k3s1: v1.27.5+k3s1

Compare Source

This release updates Kubernetes to v1.27.5, and fixes a number of issues.

️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.4+k3s1:

  • Update cni plugins version to v1.3.0 (#​8056)
    • Upgraded cni-plugins to v1.3.0
  • Update flannel to v0.22.1 (#​8057)
    • Update flannel to v0.22.1
  • ADR on secrets encryption v3 (#​7938)
  • Unit test for MustFindString (#​8013)
  • Add support for using base template in etc/containerd/config.toml.tmpl (#​7991)
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
  • Make apiserver egress args conditional on egress-selector-mode (#​7972)
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
  • Security bump to docker/distribution (#​8047)
  • Fix coreos multiple installs (#​8083)
  • Update stable channel to v1.27.4+k3s1 (#​8067)
  • Fix tailscale bug with ip modes (#​8077)
  • Consolidate CopyFile functions (#​8079)
  • E2E: Support GOCOVER for more tests + fixes (#​8080)
  • Fix typo in terraform/README.md (#​8090)
  • Add FilterCN function to prevent SAN Stuffing (#​8085)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
  • Bump docker/docker to master commit; cri-dockerd to 0.3.4 (#​8092)
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
  • Bump versions for etcd, containerd, runc (#​8109)
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • Updated the embedded etcd to v3.5.9+k3s1
  • Etcd snapshots retention when node name changes (#​8099)
  • Bump kine to v0.10.2 (#​8125)
    • Updated kine to v0.10.2
  • Remove terraform package (#​8136)
  • Fix etcd-snapshot delete when etcd-s3 is true (#​8110)
  • Add --disable-cloud-controller and --disable-kube-proxy test (#​8018)
  • Use go list -m instead of grep to look up versions (#​8138)
  • Use VERSION_K8S in tests instead of grep go.mod (#​8147)
  • Fix for Kubeflag Integration test (#​8154)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#​8155)
  • Run integration test CI in parallel (#​8156)
  • Bump Trivy version (#​8150)
  • Bump Trivy version (#​8178)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#​8177)
  • Bump dynamiclistener (#​8193)
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Bump helm-controller/klipper-helm versions (#​8204)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
  • E2E: Add test for k3s token (#​8184)
  • Move flannel to 0.22.2 (#​8219)
    • Move flannel to v0.22.2
  • Update to v1.27.5 (#​8236)
  • Add new CLI flag to enable TLS SAN CN filtering (#​8257)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#​8273)

Embedded Component Versions

Component Version
Kubernetes v1.27.5
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.4+k3s1: v1.27.4+k3s1

Compare Source

This release updates Kubernetes to v1.27.4, and fixes a number of issues.
​ For more details on what's new, see the Kubernetes release notes. ​

Changes since v1.27.3+k3s1:

  • Pkg imported more than once (#​7803)
  • Faster K3s Binary Build Option (#​7805)
  • Update stable channel to v1.27.3+k3s1 (#​7827)
  • Adding cli to custom klipper helm image (#​7682)
    • The default helm-controller job image can now be overridden with the --helm-job-image CLI flag
  • Check if we are on ipv4, ipv6 or dualStack when doing tailscale (#​7838)
  • Remove file_windows.go (#​7845)
  • Add a k3s data directory location specified by the cli (#​7791)
  • Fix e2e startup flaky test (#​7839)
  • Allow k3s to customize apiServerPort on helm-controller (#​7834)
  • Fall back to basic/bearer auth when node identity auth is rejected (#​7836)
    • Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
  • Fix code spell check (#​7858)
  • Add e2e s3 test (#​7833)
  • Warn that v1.28 will deprecate reencrypt/prepare (#​7848)
  • Support setting control server URL for Tailscale (#​7807)
    • Support connecting tailscale to a separate server (e.g. headscale)
  • Improve for K3s release Docs (#​7864)
  • Fix rootless node password location (#​7887)
  • Bump google.golang.org/grpc from 1.51.0 to 1.53.0 in /tests/terraform (#​7879)
  • Add retry for clone step (#​7862)
  • Generation of certificates and keys for etcd gated if etcd is disabled. (#​6998)
  • Don't use zgrep in check-config if apparmor profile is enforced (#​7939)
  • Fix image_scan.sh script and download trivy version (#​7950)
  • Revert "Warn that v1.28 will deprecate reencrypt/prepare" (#​7977)
  • Adjust default kubeconfig file permissions (#​7978)
  • Fix update go version command on release documentation (#​8028)
  • Update to v1.27.4 (#​8014)

Embedded Component Versions

Component Version
Kubernetes v1.27.4
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.2
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.3+k3s1: v1.27.3+k3s1

Compare Source

This release updates Kubernetes to v1.27.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.2+k3s1:

  • Update flannel version (#​7628)
    • Update flannel to v0.22.0
  • Add el9 selinux rpm (#​7635)
  • Update channels (#​7634)
  • Allow coredns override extensions (#​7583)
    • The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
  • Bump klipper-lb to v0.4.4 (#​7617)
    • Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
  • Bump metrics-server to v0.6.3 and update tls-cipher-suites (#​7564)
    • The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
  • Do not use the admin kubeconfig for the supervisor and core controllers (#​7616)
    • The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
  • Bump golang:alpine image version (#​7619)
  • Make LB image configurable when compiling k3s (#​7626)
  • Bump vagrant libvirt with fix for plugin installs (#​7605)
  • Add format command on Makefile (#​7437)
  • Use el8 rpm for fedora 38 and 39 (#​7664)
  • Check variant before version to decide rpm target and packager closes #​7666 (#​7667)
  • Test Coverage Reports for E2E tests (#​7526)
  • Soft-fail on node password verification if the secret cannot be created (#​7655)
    • K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
  • Enable containerd aufs/devmapper/zfs snapshotter plugins (#​7661)
    • The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
  • Bump docker go.mod (#​7681)
  • Shortcircuit commands with version or help flags (#​7683)
    • Non root users can now call k3s --help and k3s --version commands without running into permission errors over the default config file.
  • Bump Trivy version (#​7672)
  • E2E: Capture coverage of K3s subcommands (#​7686)
  • Integrate tailscale into k3s (#​7352)
    • Integration of tailscale VPN into k3s
  • Add private registry e2e test (#​7653)
  • E2E: Remove unnecessary daemonset addition/deletion (#​7696)
  • Add issue template for OS validation (#​7695)
  • Fix spelling check (#​7740)
  • Remove useless libvirt config (#​7745)
  • Bump helm-controller to v0.15.0 for create-namespace support (#​7716)
    • The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist.
  • Fix error logging in tailscale (#​7776)
  • Add commands to remove advertised routes of tailscale in k3s-killall.sh (#​7777)
  • Update Kubernetes to v1.27.3 (#​7790)

Embedded Component Versions

Component Version
Kubernetes v1.27.3
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.2+k3s1: v1.27.2+k3s1

Compare Source

This release updates Kubernetes to v1.27.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.1+k3s1:

  • Ensure that klog verbosity is set to the same level as logrus (#​7303)
  • Create CRDs with schema (#​7308)
    • Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
  • Bump k3s-root for aarch64 page size fix (#​7364)
    • K3s once again supports aarch64 nodes with page size > 4k
  • Bump Runc and Containerd (#​7339)
  • Add integration tests for etc-snapshot server flags and refactor /tests/integration/integration.go/K3sStartServer (#​7300)
  • Bump traefik to v2.9.10 / chart 21.2.0 (#​7324)
    • The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
  • Add longhorn storage test (#​6445)
  • Improve error message when CLI wrapper Exec fails (#​7373)
    • K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
  • Fix issues with --disable-agent and --egress-selector-mode=pod|cluster (#​7331)
    • Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
    • Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
  • Retry cluster join on "too many learners" error (#​7351)
    • K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
  • Fix MemberList error handling and incorrect etcd-arg passthrough (#​7371)
    • K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
    • K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
  • Bump Trivy version (#​7383)
  • Handle multiple arguments with StringSlice flags (#​7380)
  • Add v1.27 channel (#​7387)
  • Enable FindString to search dotD config files (#​7323)
  • Migrate netutil methods into /util/net.go (#​7422)
  • Local-storage: Fix permission (#​7217)
  • Bump cni plugins to v1.2.0-k3s1 (#​7425)
    • The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
  • Add dependabot label and reviewer (#​7423)
  • E2E: Startup test cleanup + RunCommand Enhancement (#​7388)
  • Fail to validate server tokens that use bootstrap id/secret format (#​7389)
    • K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
  • Fix token startup test (#​7442)
  • Bump kine to v0.10.1 (#​7414)
    • The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
  • Add kube-* server flags integration tests (#​7416)
  • Add support for -cover + integration test code coverage (#​7415)
  • Bump kube-router version to fix a bug when a port name is used (#​7454)
  • Consistently use constant-time comparison of password hashes instead of bare password strings (#​7455)
  • Bump containerd to v1.7.0 and move back into multicall binary (#​7418)
    • The embedded containerd version has been bumped to v1.7.0-k3s1, and has been reintegrated into the main k3s binary for a significant savings in release artifact size.
  • Adding PITS and Getdeck Beiboot as adopters thanks to Schille and Miw… (#​7524)
  • Bump helm-controller version for repo auth/ca support (#​7525)
    • The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
  • Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#​7533)
    • The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
  • Wrap error stating that it is coming from netpol (#​7539)
  • Add Rotation certification Check, remove func to restart agents (#​7097)
  • Bump alpine from 3.17 to 3.18 in /package (#​7550)
  • Bump alpine from 3.17 to 3.18 in /conformance (#​7551)
  • Add '-all' flag to apply to inactive systemd units (#​7567)
  • Update to v1.27.2-k3s1 (#​7575)
  • Fix iptables rules clean during upgrade (#​7591)
  • Pin emicklei/go-restful to v3.9.0 (#​7597)
  • Add el9 selinux rpm (#​7443)
  • Revert "Add el9 selinux rpm (#​7443)" (#​7608)

Embedded Component Versions

Component Version
Kubernetes v1.27.2
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.14.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.1+k3s1: v1.27.1+k3s1

Compare Source

This release is K3S's first in the v1.27 line. This release updates Kubernetes to v1.27.1.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

Changes since v1.26.4+k3s1:

  • Kubernetes 1.27.1 (#​7271)
  • V1.27.1 CLI Deprecation (#​7311)
    • --flannel-backed=wireguard has been completely replaced with --flannel-backend=wireguard-native
    • The k3s etcd-snapshot command will now print a help message, to save a snapshot use: k3s etcd-snapshot save
    • The following flags will now cause fatal errors (with full removal coming in v1.28.0):
      • --flannel-backed=ipsec: replaced with --flannel-backend=wireguard-native see docs for more info.
      • Supplying multiple --flannel-backend values is no longer valid. Use --flannel-conf instead.
  • Changed command -v redirection for iptables bin check (#​7315)
  • Update channel server for april 2023 (#​7327)
  • Bump cri-dockerd (#​7347)
  • Cleanup help messages (#​7369)

Embedded Component Versions

Component Version
Kubernetes v1.27.1
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.5
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.10.1
Helm-controller v0.13.3
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.15+k3s1: v1.26.15+k3s1

Compare Source

This release updates Kubernetes to v1.26.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.14+k3s1:

  • Update klipper-lb image version (#​9607)
  • Install and Unit test backports (#​9645)
  • Adjust first node-ip based on configured clusterCIDR (#​9633)
  • Add an integration test for flannel-backend=none (#​9610)
  • Improve tailscale e2e test (#​9655)
  • Backports for 2024-03 release cycle (#​9692)
    • Fix: use correct wasm shims names
    • The embedded flannel cni-plugin binary is now built and versioned separate from the rest of the cni plugins and the embedded flannel controller.
    • Bump spegel to v0.0.18-k3s3
    • Adds wildcard registry support
    • Fixes issue with excessive CPU utilization while waiting for containerd to start
    • Add env var to allow spegel mirroring of latest tag
    • Tweak netpol node wait logs
    • Fix coredns NodeHosts on dual-stack clusters
    • Bump helm-controller/klipper-helm versions
    • Fix snapshot prune
    • Fix issue with etcd node name missing hostname
    • Rootless mode should also bind service nodePort to host for LoadBalancer type, matching UX of rootful mode.
    • To enable raw output for the check-config subcommand, you may now set NO_COLOR=1
    • Fix additional corner cases in registries handling
    • Bump metrics-server to v0.7.0
    • K3s will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
  • Fix wildcard entry upstream fallback (#​9735)
  • Update to v1.26.15-k3s1 and Go 1.21.8 (#​9740)

Embedded Component Versions

Component Version
Kubernetes v1.26.15
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.26
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.7.0
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.9
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.14+k3s1: v1.26.14+k3s1

Compare Source

This release updates Kubernetes to v1.26.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.13+k3s2:

  • Chore: bump Local Path Provisioner version (#​9428)
  • Bump cri-dockerd to fix compat with Docker Engine 25 (#​9292)
  • Auto Dependency Bump (#​9421)
  • Runtimes refactor using exec.LookPath (#​9429)
    • Directories containing runtimes need to be included in the $PATH environment variable for effective runtime detection.
  • Changed how lastHeartBeatTime works in the etcd condition (#​9423)
  • Allow executors to define containerd and docker behavior (#​9252)
  • Update Kube-router to v2.0.1 (#​9406)
  • Backports for 2024-02 release cycle (#​9464)
  • Bump flannel version + remove multiclustercidr (#​9409)
  • Enable longer http timeout requests (#​9446)
  • Test_UnitApplyContainerdQoSClassConfigFileIfPresent (#​9442)
  • Support MR testing installs (#​9471)
  • Update Kubernetes to v1.26.14 (#​9490)
  • Fix drone publish for arm (#​9510)
  • Remove failing Drone step (#​9514)
  • Restore original order of agent startup functions (#​9547)
  • Fix netpol startup when flannel is disabled (#​9580)

Embedded Component Versions

Component Version
Kubernetes v1.26.14
Kine v0.11.4
SQLite 3.44.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.26
Runc v1.1.12-k3s1
Flannel v0.24.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.26

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.13+k3s1: v1.26.13+k3s1

Compare Source

This release updates Kubernetes to v1.26.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.12+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#​9123)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9116)
  • Wait for taint to be gone in the node before starting the netpol controller (#​9177)
  • Etcd condition (#​9183)
  • Backports for 2024-01 (#​9212)
  • Move proxy dialer out of init() and fix crash (#​9221)
  • Pin opa version for missing dependency chain (#​9218)
  • Etcd node is nil (#​9230)
  • Update to v1.26.13 and Go 1.20.13 (#​9262)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​9271)

Embedded Component Versions

Component Version
Kubernetes v1.26.13
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.26
Runc v1.1.10
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.13+k3s2: v1.26.13+k3s2

Compare Source

This release updates Kubernetes to v1.26.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Important Notes

Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

Changes since v1.26.12+k3s1:

  • Add a retry around updating a secrets-encrypt node annotations (#​9123)
  • Added support for env *_PROXY variables for agent loadbalancer (#​9116)
  • Wait for taint to be gone in the node before starting the netpol controller (#​9177)
  • Etcd condition (#​9183)
  • Backports for 2024-01 (#​9212)
  • Move proxy dialer out of init() and fix crash (#​9221)
  • Pin opa version for missing dependency chain (#​9218)
  • Etcd node is nil (#​9230)
  • Update to v1.26.13 and Go 1.20.13 (#​9262)
  • Use ipFamilyPolicy: RequireDualStack for dual-stack kube-dns (#​9271)
  • Backports for 2024-01 k3s2 (#​9338)
    • Bump runc to v1.1.12 and helm-controller to v0.15.7
    • Fix handling of bare hostname or IP as endpoint address in registries.yaml
  • Bump helm-controller to fix issue with ChartContent (#​9348)

Embedded Component Versions

Component Version
Kubernetes v1.26.13
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.26
Runc v1.1.12-k3s1
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.8
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.12+k3s1: v1.26.12+k3s1

Compare Source

This release updates Kubernetes to v1.26.12, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.11+k3s2:

  • Runtimes backport (#​9014)
    • Added runtime classes for wasm/nvidia/crun
    • Added default runtime flag for containerd
  • Bump containerd/runc to v1.7.10-k3s1/v1.1.10 (#​8964)
  • Fix overlapping address range (#​9019)
  • Allow setting default-runtime on servers (#​9028)
  • Bump containerd to v1.7.11 (#​9042)
  • Update to v1.26.12-k3s1 (#​9077)

Embedded Component Versions

Component Version
Kubernetes v1.26.12
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.11-k3s2.26
Runc v1.1.10
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

What's Changed

Full Changelog: https://github.com/k3s-io/k3s/compare/v1.26.11+k3s2...v1.26.12+k3s1

v1.26.11+k3s1: v1.26.11+k3s1

Compare Source

Due to CI issues, v1.26.11+k3s1 should not be used. Please use v1.26.11+k3s2.

v1.26.11+k3s2: v1.26.11+k3s2

Compare Source

This release updates Kubernetes to v1.26.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.10+k3s2:

  • Etcd status condition (#​8820)
  • Backports for 2023-11 release (#​8879)
    • New timezone info in Docker image allows the use of spec.timeZone in CronJobs
    • Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
    • Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
    • Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
    • Improved ingress IP ordering from ServiceLB
    • Disable helm CRD installation for disable-helm-controller
    • Omit snapshot list configmap entries for snapshots without extra metadata
    • Add jitter to client config retry to avoid hammering servers when they are starting up
  • Add warning for removal of multiclustercidr flag (#​8760)
  • Handle nil pointer when runtime core is not ready in etcd (#​8888)
  • Improve dualStack log (#​8829)
  • Bump dynamiclistener; reduce snapshot controller log spew (#​8903)
    • Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
    • Reduced etcd snapshot log spam during initial cluster startup
  • Fix etcd snapshot S3 issues (#​8938)
    • Don't apply S3 retention if S3 client failed to initialize
    • Don't request metadata when listing S3 snapshots
    • Print key instead of file path in snapshot metadata log message
  • Update to v1.26.11 and Go to 1.20.11 (#​8922)
  • Remove s390x (#​9000)

Embedded Component Versions

Component Version
Kubernetes v1.26.11
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1.26
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.10+k3s1: v1.26.10+k3s1

Compare Source

This release updates Kubernetes to v1.26.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.9+k3s1:

  • Fix error reporting (#​8412)
  • Add context to flannel errors (#​8420)
  • Testing Backports for September (#​8300)
  • Include the interface name in the error message (#​8436)
  • Update kube-router (#​8444)
  • Add extraArgs to tailscale (#​8465)
  • Added error when cluster reset while using server flag (#​8456)
    • The user will receive a error when --cluster-reset with the --server flag
  • Cluster reset from non bootstrap nodes (#​8453)
  • Fix spellcheck problem (#​8510)
  • Take IPFamily precedence based on order (#​8505)
  • Network defaults are duplicated, remove one (#​8552)
  • Advertise address integration test (#​8517)
  • System agent push tags fix (#​8570)
  • Fixed tailscale node IP dualstack mode in case of IPv4 only node (#​8559)
  • Server Token Rotation (#​8577)
    • Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
  • Clear remove annotations on cluster reset (#​8590)
    • Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
  • Use IPv6 in case is the first configured IP with dualstack (#​8598)
  • Backports for 2023-10 release (#​8616)
  • E2E Domain Drone Cleanup (#​8583)
  • Update kube-router package in build script (#​8635)
  • Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#​8643)
  • Use version.Program not K3s in token rotate logs (#​8655)
  • Windows agent support (#​8647)
  • Add --image-service-endpoint flag (#​8279) (#​8663)
    • Add --image-service-endpoint flag to specify an external image service socket.
  • Backport etcd fixes (#​8691)
    • Re-enable etcd endpoint auto-sync
    • Manually requeue configmap reconcile when no nodes have reconciled snapshots
  • Update to v1.26.10 and Go to v1.20.10 (#​8680)
  • Fix s3 snapshot restore (#​8734)

Embedded Component Versions

Component Version
Kubernetes v1.26.10
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1.26
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.10+k3s2: v1.26.10+k3s2

Compare Source

This release updates Kubernetes to v1.26.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.10+k3s1:

  • Fix SystemdCgroup in templates_linux.go (#​8766)
    • Fixed an issue with identifying additional container runtimes
  • Update traefik chart to v25.0.0 (#​8776)
  • Update traefik to fix registry value (#​8790)

Embedded Component Versions

Component Version
Kubernetes v1.26.10
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.7-k3s1.26
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.9+k3s1: v1.26.9+k3s1

Compare Source

This release updates Kubernetes to v1.26.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.8+k3s1:

  • Bump kine to v0.10.3 (#​8325)
  • Update to v1.26.9 and go to v1.20.8 (#​8357)
    • Bump embedded containerd to v1.7.6
    • Bump embedded stargz-snapshotter plugin to latest
    • Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
    • Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28

Embedded Component Versions

Component Version
Kubernetes v1.26.9
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.6-k3s1.26
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.8+k3s1: v1.26.8+k3s1

Compare Source

This release updates Kubernetes to v1.26.8, and fixes a number of issues.

️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.7+k3s1:

  • Update flannel and plugins (#​8075)
  • Fix tailscale bug with ip modes (#​8097)
  • Etcd snapshots retention when node name changes (#​8122)
  • August Test Backports (#​8126)
  • Backports for 2023-08 release (#​8129)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • Updated the embedded etcd to v3.5.9+k3s1
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
    • Updated kine to v0.10.2
    • K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#​8144)
    • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#​8170)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#​8189)
  • Additional backports for 2023-08 release (#​8212)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Move flannel to 0.22.2 (#​8222)
  • Update to v1.26.8 (#​8235)
  • Add new CLI flag to enable TLS SAN CN filtering (#​8258)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#​8274)

Embedded Component Versions

Component Version
Kubernetes v1.26.8
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.7+k3s1: v1.26.7+k3s1

Compare Source

This release updates Kubernetes to v1.26.7, and fixes a number of issues. ​ For more details on what's new, see the Kubernetes release notes. ​

Changes since v1.26.6+k3s1:

  • Remove file_windows.go (#​7855)
  • Fix code spell check (#​7859)
  • Allow k3s to customize apiServerPort on helm-controller (#​7874)
  • Check if we are on ipv4, ipv6 or dualStack when doing tailscale (#​7882)
  • Support setting control server URL for Tailscale. (#​7893)
  • S3 and Startup tests (#​7885)
  • Fix rootless node password (#​7901)
  • Backports for 2023-07 release (#​7908)
    • Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
    • The k3s certificate rotate-ca command now supports the data-dir flag.
  • Adding cli to custom klipper helm image (#​7914)
    • The default helm-controller job image can now be overridden with the --helm-job-image CLI flag
  • Generation of certs and keys for etcd gated if etcd is disabled (#​7944)
  • Don't use zgrep in check-config if apparmor profile is enforced (#​7956)
  • Fix image_scan.sh script and download trivy version (#​7950) (#​7968)
  • Adjust default kubeconfig file permissions (#​7983)
  • Update to v1.26.7 (#​8022)

Embedded Component Versions

Component Version
Kubernetes v1.26.7
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.2
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.6+k3s1: v1.26.6+k3s1

Compare Source

This release updates Kubernetes to v1.26.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.5+k3s1:

  • Update flannel version (#​7648)
  • Bump vagrant libvirt with fix for plugin installs (#​7658)
  • E2E and Dep Backports - June (#​7693)
    • Bump docker go.mod #​7681
    • Shortcircuit commands with version or help flags #​7683
    • Add Rotation certification Check, remove func to restart agents #​7097
    • E2E: Sudo for RunCmdOnNode #​7686
  • VPN integration (#​7727)
  • E2e: Private registry test (#​7721)
  • Fix spelling check (#​7751)
  • Remove unused libvirt config (#​7757)
  • Backport version bumps and bugfixes (#​7717)
    • The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
    • The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
    • The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
    • Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
    • Make LB image configurable when compiling k3s
    • K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
    • The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
    • The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist.
  • Add format command on makefile (#​7762)
  • Fix logging and cleanup in Tailscale (#​7782)
  • Update Kubernetes to v1.26.6 (#​7789)

Embedded Component Versions

Component Version
Kubernetes v1.26.6
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.5+k3s1: v1.26.5+k3s1

Compare Source

This release updates Kubernetes to v1.26.5, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.4+k3s1:

  • Ensure that klog verbosity is set to the same level as logrus (#​7360)
  • Prepend release branch to dependabot (#​7374)
  • Add integration tests for etc-snapshot server flags (#​7377)
  • Bump Runc and Containerd (#​7399)
  • CLI + Config Enhancement (#​7403)
    • --Tls-sans now accepts multiple arguments: --tls-sans="foo,bar"
    • Prefer-bundled-bin: true now works properly when set in config.yaml.d files
  • Migrate netutil methods into /utils/net.go (#​7432)
  • Bump kube-router version to fix a bug when a port name is used (#​7460)
  • Kube flags and longhorn storage tests (#​7465)
  • Local-storage: Fix permission (#​7474)
  • Bump containerd to v1.7.0 and move back into multicall binary (#​7444)
    • The embedded containerd version has been bumped to v1.7.0-k3s1, and has been reintegrated into the main k3s binary for a significant savings in release artifact size.
  • Backport version bumps and bugfixes (#​7514)
    • K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
    • K3s once again supports aarch64 nodes with page size > 4k
    • The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
    • K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
    • K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
    • Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
    • Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
    • Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
    • K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
    • K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
    • The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
    • The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
    • The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
  • Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#​7534)
    • The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
  • Wrap error stating that it is coming from netpol (#​7547)
  • Add '-all' flag to apply to inactive units (#​7573)
  • Update to v1.26.5-k3s1 (#​7576)
  • Pin emicklei/go-restful to v3.9.0 (#​7598)

Embedded Component Versions

Component Version
Kubernetes v1.26.5
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.14.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.4+k3s1: v1.26.4+k3s1

Compare Source

This release updates Kubernetes to v1.26.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.3+k3s1:

  • Enhance k3s check-config (#​7091)
  • Update stable channel to v1.25.8+k3s1 (#​7161)
  • Drone Pipelines enhancement (#​7169)
  • Fix_get_sha_url (#​7187)
  • Improve Updatecli local-path-provisioner pipeline (#​7181)
  • Improve workflow (#​7142)
  • Improve Trivy configuration (#​7154)
  • Bump Local Path Provisioner version (#​7167)
    • The bundled local-path-provisioner version has been bumped to v0.0.24
  • Bump etcd to v3.5.7 (#​7170)
    • The embedded etcd version has been bumped to v3.5.7
  • Bump runc to v1.1.5 (#​7171)
    • The bundled runc version has been bumped to v1.1.5
  • Fix race condition caused by etcd advertising addresses that it does not listen on (#​7147)
    • Fixed a race condition during cluster reset that could cause the operation to hang and time out.
  • Bump coredns to v1.10.1 (#​7168)
    • The bundled coredns version has been bumped to v1.10.1
  • Don't apply hardened args to agent (#​7089)
  • Upgrade helm-controller to v0.13.3 (#​7209)
  • Improve Klipper Helm and Helm controller bumps (#​7146)
  • Fix issue with stale connections to removed LB server (#​7194)
    • The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member.
  • Bump actions/setup-go from 3 to 4 (#​7111)
  • Lock bootstrap data with empty key to prevent conflicts (#​7215)
    • When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously.
  • Updated kube-router to move the default ACCEPT rule at the end of the chain (#​7218)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Add make commands to terraform automation and fix external dbs related issue (#​7159)
  • Update klipper lb to v0.4.2 (#​7210)
  • Add coreos and sle micro to selinux support (#​6945)
  • Fix call for k3s-selinux versions in airgapped environments (#​7264)
  • Update Kube-router ACCEPT rule insertion and install script to clean rules before start (#​7274)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update to v1.26.4-k3s1 (#​7282)
  • Bump golang:alpine image version (#​7292)
  • Bump Sonobuoy version (#​7256)
  • Bump Trivy version (#​7257)

Embedded Component Versions

Component Version
Kubernetes v1.26.4
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.7-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.5
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.10.1
Helm-controller v0.13.3
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.3+k3s1: v1.26.3+k3s1

Compare Source

This release updates Kubernetes to v1.26.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.2+k3s1:

  • Add E2E to Drone (#​6890)
  • Add flannel adr (#​6973)
  • Update flannel and kube-router (#​7039)
  • Bump various dependencies for CVEs (#​7044)
  • Adds a warning about editing to the containerd config.toml file (#​7057)
  • Update stable version in channel server (#​7066)
  • Wait for kubelet port to be ready before setting (#​7041)
    • The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object.
  • Improve support for rotating the default self-signed certs (#​7032)
    • The k3s certificate rotate-ca checks now support rotating self-signed certificates without the --force option.
  • Skip all pipelines based on what is in the MR (#​6996)
  • Add missing kernel config checks (#​6946)
  • Remove deprecated nodeSelector label beta.kubernetes.io/os (#​6970)
  • MultiClusterCIDR for v1.26 (#​6885)
    • MultiClusterCIDR feature
  • Remove Nikolai from MAINTAINERS list (#​7088)
  • Add automation for Restart command for K3s (#​7002)
  • Fix to Rotate CA e2e test (#​7101)
  • Drone: Cleanup E2E VMs on test panic (#​7104)
  • Update to v1.26.3-k3s1 (#​7108)
  • Pin golangci-lint version to v1.51.2 (#​7113)
  • Clean E2E VMs before testing (#​7109)
  • Update flannel to fix NAT issue with old iptables version (#​7136)

Embedded Component Versions

Component Version
Kubernetes v1.26.3
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.5-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.4
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.2+k3s1: v1.26.2+k3s1

Compare Source

This release updates Kubernetes to v1.26.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.1+k3s1:

  • Add build tag to disable cri-dockerd (#​6760)
  • Bump cri-dockerd (#​6797)
    • The embedded cri-dockerd has been updated to v0.3.1
  • Update stable channel to v1.25.6+k3s1 (#​6828)
  • E2E Rancher and Hardened script improvements (#​6778)
  • Add Ayedo to Adopters (#​6801)
  • Consolidate E2E tests and GH Actions (#​6772)
  • Allow ServiceLB to honor ExternalTrafficPolicy=Local (#​6726)
    • ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members.
  • Fix cronjob example (#​6707)
  • Bump vagrant boxes to fedora37 (#​6832)
  • Ensure flag type consistency (#​6852)
  • E2E: Consoldiate docker and prefer bundled tests into new startup test (#​6851)
  • Fix reference to documentation (#​6860)
  • Bump deps: trivy, sonobuoy, dapper, golangci-lint, gopls (#​6807)
  • Fix check for (open)SUSE version (#​6791)
  • Add support for user-provided CA certificates (#​6615)
    • K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at contrib/util/certs.sh.
  • Ignore value conflicts when reencrypting secrets (#​6850)
  • Add kubeadm style bootstrap token secret support (#​6663)
    • K3s now supports kubeadm style join tokens. k3s token create now creates join token secrets, optionally with a limited TTL.
    • K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster.
  • Add NATS to the list of supported data stores (#​6876)
  • Use default address family when adding kubernetes service address to SAN list (#​6857)
    • The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family.
  • Fix issue with servicelb startup failure when validating webhooks block creation (#​6911)
    • The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use.
  • Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent (#​6829)
    • Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode.
  • Wait for server to become ready before creating token (#​6932)
  • Allow for multiple sets of leader-elected controllers (#​6922)
    • Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes
  • Update Flannel to v0.21.1 (#​6944)
  • Fix Nightly E2E tests (#​6950)
  • Fix etcd and ca-cert rotate issues (#​6952)
  • Fix ServiceLB dual-stack ingress IP listing (#​6979)
    • Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation.
  • Bump kine to v0.9.9 (#​6974)
    • The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at info level for increased visibility.
  • Update to v1.26.2-k3s1 (#​7011)

Embedded Component Versions

Component Version
Kubernetes v1.26.2
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.5-k3s1
Containerd v1.6.15-k3s1
Runc v1.1.4
Flannel v0.21.1
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.1+k3s1: v1.26.1+k3s1

Compare Source

This release updates Kubernetes to v1.26.1, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.26.0+k3s2:

  • Add jitter to scheduled snapshots and retry harder on conflicts (#​6715)
    • Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list.
  • Adjust e2e test run script and fixes (#​6718)
  • RIP Codespell (#​6701)
  • Bump alpine from 3.16 to 3.17 in /package (#​6688)
  • Bump alpine from 3.16 to 3.17 in /conformance (#​6687)
  • Bump containerd to v1.6.15-k3s1 (#​6722)
    • The embedded containerd version has been bumped to v1.6.15-k3s1
  • Containerd restart testlet (#​6696)
  • Bump ubuntu from 20.04 to 22.04 in /tests/e2e/scripts (#​6686)
  • Add explicit read permissions to workflows (#​6700)
  • Pass through default tls-cipher-suites (#​6725)
    • The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values.
  • Bump golang:alpine image version (#​6683)
  • Bugfix: do not break cert-manager when pprof is enabled (#​6635)
  • Fix CI tests on Alpine 3.17 (#​6744)
  • Update Stable to 1.25.5+k3s2 (#​6753)
  • Bump action/download-artifact to v3 (#​6746)
  • Generate report and upload test results (#​6737)
  • Slow dependency CI to weekly (#​6764)
  • Fix Drone plugins/docker tag for 32 bit arm (#​6769)
  • Update to v1.26.1-k3s1 (#​6774)

Embedded Component Versions

Component Version
Kubernetes v1.26.1
Kine v0.9.8
SQLite 3.39.2
Etcd v3.5.5-k3s1
Containerd v1.6.15-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.0+k3s1: v1.26.0+k3s1

Compare Source

️ WARNING

This release is affected by https://github.com/containerd/containerd/issues/7843, which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use v1.26.0+k3s2 instead.

This release is K3S's first in the v1.26 line. This release updates Kubernetes to v1.26.0.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

Changes since v1.25.5+k3s1:

  • Remove deprecated flags in v1.26 (#​6574)
  • Using "etcd-snapshot" for saving snapshots is now deprecated, use "etcd-snapshot save" instead. (#​6575)
  • Update to v1.26.0-k3s1
    • Update kubernetes to v1.26.0-k3s1
    • Update cri-tools to v1.26.0-rc.0-k3s1
    • Update helm controller to v0.13.1
    • Update etcd to v3.5.5-k3s1
    • Update cri-dockerd to the latest 1.26.0
    • Update cadvisor
  • Preload iptable_filter/ip6table_filter (#​6645)
  • Bump k3s-root version to v0.12.1 (#​6651)

Embedded Component Versions

Component Version
Kubernetes v1.26.0
Kine v0.9.8
SQLite 3.39.2
Etcd v3.5.5-k3s1
Containerd v1.6.12-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.26.0+k3s2: v1.26.0+k3s2

Compare Source

This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted, as well as a number of other stability and administrative changes.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

Changes since v1.26.0+k3s1:

  • Current status badges (#​6653)
  • Add initial Updatecli ADR automation (#​6583)
  • December 2022 channels update (#​6618)
  • Change Updatecli GH action reference branch (#​6682)
  • Fix OpenRC init script error 'openrc-run.sh: source: not found' (#​6614)
  • Add Dependabot config for security ADR (#​6560)
  • Bump containerd to v1.6.14-k3s1 (#​6693)
    • The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for containerd/7843 which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod.
  • Exclude December r1 releases from channel server (#​6706)

Embedded Component Versions

Component Version
Kubernetes v1.26.0
Kine v0.9.8
SQLite 3.39.2
Etcd v3.5.5-k3s1
Containerd v1.6.14-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.16+k3s1: v1.25.16+k3s1

Compare Source

Due to CI issues, v1.26.11+k3s1 should not be used. Please use v1.25.16+k3s4.

v1.25.16+k3s2: v1.25.16+k3s2

Compare Source

Due to CI issues, v1.26.11+k3s2 should not be used. Please use v1.25.16+k3s4.

v1.25.16+k3s3: v1.25.16+k3s3

Compare Source

Due to CI issues, v1.26.11+k3s3 should not be used. Please use v1.25.16+k3s4.

v1.25.16+k3s4: v1.25.16+k3s4

Compare Source

This release updates Kubernetes to v1.25.16, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.15+k3s2:

  • Etcd status condition (#​8819)
  • Backports for 2023-11 release (#​8880)
    • New timezone info in Docker image allows the use of spec.timeZone in CronJobs
    • Bumped kine to v0.11.0 to resolve issues with postgres and NATS, fix performance of watch channels under heavy load, and improve compatibility with the reference implementation.
    • Containerd may now be configured to use rdt or blockio configuration by defining rdt_config.yaml or blockio_config.yaml files.
    • Add agent flag disable-apiserver-lb, agent will not start load balance proxy.
    • Improved ingress IP ordering from ServiceLB
    • Disable helm CRD installation for disable-helm-controller
    • Omit snapshot list configmap entries for snapshots without extra metadata
    • Add jitter to client config retry to avoid hammering servers when they are starting up
  • Handle nil pointer when runtime core is not ready in etcd (#​8889)
  • Improve dualStack log (#​8867)
  • Bump dynamiclistener; reduce snapshot controller log spew (#​8904)
    • Bumped dynamiclistener to address a race condition that could cause a server to fail to sync its certificates into the Kubernetes secret
    • Reduced etcd snapshot log spam during initial cluster startup
  • Fix etcd snapshot S3 issues (#​8939)
    • Don't apply S3 retention if S3 client failed to initialize
    • Don't request metadata when listing S3 snapshots
    • Print key instead of file path in snapshot metadata log message
  • Update to v1.25.16 (#​8923)
  • Remove s390x steps temporarily since runners are disabled (#​8993)
  • Remove s390x from manifest script (#​8994)

Embedded Component Versions

Component Version
Kubernetes v1.25.16
Kine v0.11.0
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.15+k3s1: v1.25.15+k3s1

Compare Source

This release updates Kubernetes to v1.25.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.14+k3s1:

  • Fix error reporting (#​8413)
  • Add context to flannel errors (#​8421)
  • Testing Backports for September (#​8301)
  • Include the interface name in the error message (#​8437)
  • Add extraArgs to tailscale (#​8466)
  • Update kube-router (#​8445)
  • Added error when cluster reset while using server flag (#​8457)
    • The user will receive a error when --cluster-reset with the --server flag
  • Cluster reset from non bootstrap nodes (#​8454)
  • Fix spellcheck problem (#​8511)
  • Take IPFamily precedence based on order (#​8506)
  • Network defaults are duplicated, remove one (#​8553)
  • Advertise address integration test (#​8518)
  • Fixed tailscale node IP dualstack mode in case of IPv4 only node (#​8560)
  • Server Token Rotation (#​8578)
    • Users can now rotate the server token using k3s token rotate -t <OLD_TOKEN> --new-token <NEW_TOKEN>. After command succeeds, all server nodes must be restarted with the new token.
  • Clear remove annotations on cluster reset (#​8589)
    • Fixed an issue that could cause k3s to attempt to remove members from the etcd cluster immediately following a cluster-reset/restore, if they were queued for removal at the time the snapshot was taken.
  • Use IPv6 in case is the first configured IP with dualstack (#​8599)
  • Backports for 2023-10 release (#​8617)
  • Update kube-router package in build script (#​8636)
  • Add etcd-only/control-plane-only server test and fix control-plane-only server crash (#​8644)
  • Windows agent support (#​8646)
  • Use version.Program not K3s in token rotate logs (#​8654)
  • Add --image-service-endpoint flag (#​8279) (#​8664)
    • Add --image-service-endpoint flag to specify an external image service socket.
  • Backport etcd fixes (#​8692)
    • Re-enable etcd endpoint auto-sync
    • Manually requeue configmap reconcile when no nodes have reconciled snapshots
  • Update to v1.25.15 and Go to v1.20.10 (#​8679)
  • Fix s3 snapshot restore (#​8735)

Embedded Component Versions

Component Version
Kubernetes v1.25.15
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.15+k3s2: v1.25.15+k3s2

Compare Source

This release updates Kubernetes to v1.25.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.15+k3s1:

  • E2E Domain Drone Cleanup (#​8584)
  • Fix SystemdCgroup in templates_linux.go (#​8767)
    • Fixed an issue with identifying additional container runtimes
  • Update traefik chart to v25.0.0 (#​8777)
  • Update traefik to fix registry value (#​8791)

Embedded Component Versions

Component Version
Kubernetes v1.25.15
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.7-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.10.5
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.14+k3s1: v1.25.14+k3s1

Compare Source

This release updates Kubernetes to v1.25.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.13+k3s1:

  • Bump kine to v0.10.3 (#​8326)
  • Update Kubernetes to v1.25.14 and go to 1.20.8 (#​8350)
  • Backport containerd bump and and test fixes (#​8384)
    • Bump embedded containerd to v1.7.6
    • Bump embedded stargz-snapshotter plugin to latest
    • Fixed intermittent drone CI failures due to race conditions in test environment setup scripts
    • Fixed CI failures due to changes to api discovery changes in Kubernetes 1.28

Embedded Component Versions

Component Version
Kubernetes v1.25.14
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.6-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.13+k3s1: v1.25.13+k3s1

Compare Source

This release updates Kubernetes to v1.25.13, and fixes a number of issues.

️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.12+k3s1:

  • Update flannel and plugins (#​8076)
  • Fix tailscale bug with ip modes (#​8098)
  • Etcd snapshots retention when node name changes (#​8123)
  • August Test Backports (#​8127)
  • Backports for 2023-08 release (#​8132)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
    • Updated kine to v0.10.2
  • K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#​8145)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#​8169)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#​8190)
  • Additional backports for 2023-08 release (#​8213)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Move flannel to 0.22.2 (#​8223)
  • Update to v1.25.13 (#​8241)
  • Fix runc version bump (#​8246)
  • Add new CLI flag to enable TLS SAN CN filtering (#​8259)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#​8275)

Embedded Component Versions

Component Version
Kubernetes v1.25.13
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.12+k3s1: v1.25.12+k3s1

Compare Source

This release updates Kubernetes to v1.25.12, and fixes a number of issues.
​ For more details on what's new, see the Kubernetes release notes. ​

Changes since v1.25.11+k3s1:

  • Remove file_windows.go (#​7856)
  • Fix code spell check (#​7860)
  • Allow k3s to customize apiServerPort on helm-controller (#​7873)
  • Check if we are on ipv4, ipv6 or dualStack when doing tailscale (#​7883)
  • Support setting control server URL for Tailscale. (#​7894)
  • S3 and Startup tests (#​7886)
  • Fix rootless node password (#​7900)
  • Backports for 2023-07 release (#​7909)
    • Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
    • The k3s certificate rotate-ca command now supports the data-dir flag.
  • Adding cli to custom klipper helm image (#​7915)
    • The default helm-controller job image can now be overridden with the --helm-job-image CLI flag
  • Generation of certs and keys for etcd gated if etcd is disabled (#​7945)
  • Don't use zgrep in check-config if apparmor profile is enforced (#​7954)
  • Fix image_scan.sh script and download trivy version (#​7950) (#​7969)
  • Adjust default kubeconfig file permissions (#​7984)
  • Update to v1.25.12 (#​8021)

Embedded Component Versions

Component Version
Kubernetes v1.25.12
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.2
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.11+k3s1: v1.25.11+k3s1

Compare Source

This release updates Kubernetes to v1.25.11, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.10+k3s1:

  • Update flannel version (#​7649)
  • Bump vagrant libvirt with fix for plugin installs (#​7659)
  • E2E Backports - June (#​7705)
    • Shortcircuit commands with version or help flags #​7683
    • Add Rotation certification Check, remove func to restart agents #​7097
    • E2E: Sudo for RunCmdOnNode #​7686
  • Add private registry e2e test (#​7722)
  • VPN integration (#​7728)
  • Fix spelling test (#​7752)
  • Remove unused libvirt config (#​7758)
  • Backport version bumps and bugfixes (#​7718)
    • The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
    • The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
    • The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
    • Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
    • Make LB image configurable when compiling k3s
    • K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
    • The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
    • The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist.
  • Add format command on Makefile (#​7763)
  • Fix logging and cleanup in Tailscale (#​7784)
  • Update Kubernetes to v1.25.11 (#​7788)
  • Path normalization affecting kubectl proxy conformance test for /api endpoint (#​7818)

Embedded Component Versions

Component Version
Kubernetes v1.25.11
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.22.0
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.10+k3s1: v1.25.10+k3s1

Compare Source

This release updates Kubernetes to v1.25.10, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.9+k3s1:

  • Ensure that klog verbosity is set to the same level as logrus (#​7361)
  • Add E2E testing in Drone (#​7375)
  • Add integration tests for etc-snapshot server flags #​7377 (#​7378)
  • CLI + Config Enhancement (#​7404)
    • --Tls-sans now accepts multiple arguments: --tls-sans="foo,bar"
    • Prefer-bundled-bin: true now works properly when set in config.yaml.d files
  • Migrate netutil methods into /utils/net.go (#​7433)
  • Bump Runc + Containerd + Docker for CVE fixes (#​7452)
  • Bump kube-router version to fix a bug when a port name is used (#​7461)
  • Kube flags and longhorn storage tests 1.25 (#​7466)
  • Local-storage: Fix permission (#​7473)
  • Backport version bumps and bugfixes (#​7515)
    • K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
    • K3s once again supports aarch64 nodes with page size > 4k
    • The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
    • K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
    • K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
    • Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
    • Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
    • Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
    • K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
    • K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
    • The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
    • The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
    • The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
  • Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#​7535)
    • The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
  • Wrap error stating that it is coming from netpol (#​7548)
  • Add '-all' flag to apply to inactive units (#​7574)
  • Update to v1.25.10-k3s1 (#​7582)

Embedded Component Versions

Component Version
Kubernetes v1.25.10
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.14.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.9+k3s1: v1.25.9+k3s1

Compare Source

This release updates Kubernetes to v1.25.9, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.8+k3s1:

  • Enhance check-config (#​7164)
  • Remove deprecated nodeSelector label beta.kubernetes.io/os (#​6970) (#​7121)
  • Backport version bumps and bugfixes (#​7228)
    • The bundled local-path-provisioner version has been bumped to v0.0.24
    • The bundled runc version has been bumped to v1.1.5
    • The bundled coredns version has been bumped to v1.10.1
    • When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously.
    • The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member.
    • Fixed a race condition during cluster reset that could cause the operation to hang and time out.
  • Updated kube-router to move the default ACCEPT rule at the end of the chain (#​7221)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update klipper lb and helm-controller (#​7240)
  • Update Kube-router ACCEPT rule insertion and install script to clean rules before start (#​7276)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update to v1.25.9-k3s1 (#​7283)

Embedded Component Versions

Component Version
Kubernetes v1.25.9
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.5
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.10.1
Helm-controller v0.13.3
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.8+k3s1: v1.25.8+k3s1

Compare Source

This release updates Kubernetes to v1.25.8, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.7+k3s1:

  • Update flannel and kube-router (#​7061)
  • Bump various dependencies for CVEs (#​7043)
  • Enable dependabot (#​7045)
  • Wait for kubelet port to be ready before setting (#​7064)
    • The agent tunnel authorizer now waits for the kubelet to be ready before reading the kubelet port from the node object.
  • Adds a warning about editing to the containerd config.toml file (#​7075)
  • Improve support for rotating the default self-signed certs (#​7079)
    • The k3s certificate rotate-ca checks now support rotating self-signed certificates without the --force option.
  • Update to v1.25.8-k3s1 (#​7106)
  • Update flannel to fix NAT issue with old iptables version (#​7138)

Embedded Component Versions

Component Version
Kubernetes v1.25.8
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.4
Flannel v0.21.4
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.7+k3s1: v1.25.7+k3s1

Compare Source

This release updates Kubernetes to v1.25.7, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.6+k3s1:

  • Add jitter to scheduled snapshots and retry harder on conflicts (#​6782)
    • Scheduled etcd snapshots are now offset by a short random delay of up to several seconds. This should prevent multi-server clusters from executing pathological behavior when attempting to simultaneously update the snapshot list ConfigMap. The snapshot controller will also be more persistent in attempting to update the snapshot list.
  • Bump cri-dockerd (#​6798)
    • The embedded cri-dockerd has been updated to v0.3.1
  • Bugfix: do not break cert-manager when pprof is enabled (#​6837)
  • Wait for cri-dockerd socket (#​6853)
  • Bump vagrant boxes to fedora37 (#​6858)
  • Fix cronjob example (#​6864)
  • Ensure flag type consistency (#​6867)
  • Consolidate E2E tests (#​6887)
  • Ignore value conflicts when reencrypting secrets (#​6919)
  • Use default address family when adding kubernetes service address to SAN list (#​6904)
    • The apiserver advertised address and IP SAN entry are now set correctly on clusters that use IPv6 as the default IP family.
  • Allow ServiceLB to honor ExternalTrafficPolicy=Local (#​6907)
    • ServiceLB now honors the Service's ExternalTrafficPolicy. When set to Local, the LoadBalancer will only advertise addresses of Nodes with a Pod for the Service, and will not forward traffic to other cluster members.
  • Fix issue with servicelb startup failure when validating webhooks block creation (#​6916)
    • The embedded cloud controller manager will no longer attempt to unconditionally re-create its namespace and serviceaccount on startup. This resolves an issue that could cause a deadlocked cluster when fail-closed webhooks are in use.
  • Backport user-provided CA cert and kubeadm bootstrap token support (#​6929)
    • K3s now functions properly when the cluster CA certificates are signed by an existing root or intermediate CA. You can find a sample script for generating such certificates before K3s starts in the github repo at contrib/util/certs.sh.
    • K3s now supports kubeadm style join tokens. k3s token create now creates join token secrets, optionally with a limited TTL.
    • K3s agents joined with an expired or deleted token stay in the cluster using existing client certificates via the NodeAuthorization admission plugin, unless their Node object is deleted from the cluster.
  • Fix access to hostNetwork port on NodeIP when egress-selector-mode=agent (#​6936)
    • Fixed an issue that would cause the apiserver egress proxy to attempt to use the agent tunnel to connect to service endpoints even in agent or disabled mode.
  • Updated flannel version to v0.21.1 (#​6915)
  • Allow for multiple sets of leader-elected controllers (#​6941)
    • Fixed an issue where leader-elected controllers for managed etcd did not run on etcd-only nodes
  • Fix etcd and ca-cert rotate issues (#​6954)
  • Fix ServiceLB dual-stack ingress IP listing (#​6987)
    • Resolved an issue with ServiceLB that would cause it to advertise node IPv6 addresses, even if the cluster or service was not enabled for dual-stack operation.
  • Bump kine to v0.9.9 (#​6975)
    • The embedded kine version has been bumped to v0.9.9. Compaction log messages are now omitted at info level for increased visibility.
  • Update to v1.25.7-k3s1 (#​7010)

Embedded Component Versions

Component Version
Kubernetes v1.25.7
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.15-k3s1
Runc v1.1.4
Flannel v0.21.1
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.6+k3s1: v1.25.6+k3s1

Compare Source

This release updates Kubernetes to v1.25.6, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.5+k3s2:

  • Pass through default tls-cipher-suites (#​6730)
    • The K3s default cipher suites are now explicitly passed in to kube-apiserver, ensuring that all listeners use these values.
  • Bump containerd to v1.6.15-k3s1 (#​6735)
    • The embedded containerd version has been bumped to v1.6.15-k3s1
  • Bump action/download-artifact to v3 (#​6747)
  • Backport dependabot/updatecli updates (#​6761)
  • Fix Drone plugins/docker tag for 32 bit arm (#​6768)
  • Update to v1.25.6+k3s1 (#​6775)

Embedded Component Versions

Component Version
Kubernetes v1.25.6
Kine v0.9.6
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.15-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.5+k3s1: v1.25.5+k3s1

Compare Source

️ WARNING

This release is affected by https://github.com/containerd/containerd/issues/7843, which causes the kubelet to restart all pods whenever K3s is restarted. For this reason, we have removed this K3s release from the channel server. Please use v1.25.5+k3s2 instead.

This release updates Kubernetes to v1.25.5, and fixes a number of issues.

Breaking Change: K3s no longer includes swanctl and charon binaries. If you are using the ipsec flannel backend, please ensure that the strongswan swanctl and charon packages are installed on your node before upgrading K3s to this release.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.4+k3s1:

  • Fix log for flannelExternalIP use case (#​6531)
  • Fix Carolines github id (#​6464)
  • Github CI Updates (#​6522)
  • Add new prefer-bundled-bin experimental flag (#​6420)
    • Added new prefer-bundled-bin flag which force K3s to use its bundle binaries over that of the host tools
  • Bump containerd to v1.6.10 (#​6512)
    • The embedded containerd version has been updated to v1.6.10-k3s1
  • Stage the Traefik charts through k3s-charts (#​6519)
  • Make rootless settings configurable (#​6498)
    • The rootless port-driver, cidr, mtu, enable-ipv6, and disable-host-loopback settings can now be configured via environment variables.
  • Remove stuff which belongs in the windows executor implementation (#​6517)
  • Mark v1.25.4+k3s1 as stable (#​6534)
  • Add prefer-bundled-bin as an agent flag (#​6545)
  • Bump klipper-helm and klipper-lb versions (#​6549)
    • The embedded Load-Balancer controller image has been bumped to klipper-lb:v0.4.0, which includes support for the LoadBalancerSourceRanges field.
    • The embedded Helm controller image has been bumped to klipper-helm:v0.7.4-build20221121
  • Switch from Google Buckets to AWS S3 Buckets (#​6497)
  • Fix passing AWS creds through Dapper (#​6567)
  • Fix artifact upload with aws s3 cp (#​6568)
  • Disable CCM metrics port when legacy CCM functionality is disabled (#​6572)
    • The embedded cloud-controller-manager's metrics listener on port 10258 is now disabled when the --disable-cloud-controller flag is set.
  • Sync packaged component Deployment config (#​6552)
    • Deployments for K3s packaged components now have consistent upgrade strategy and revisionHistoryLimit settings, and will not override scaling decisions by hardcoding the replica count.
    • The packaged metrics-server has been bumped to v0.6.2
  • Mark secrets-encryption flag as GA (#​6582)
  • Bump k3s root to v0.12.0 and remove strongswan binaries (#​6400)
    • The embedded k3s-root version has been bumped to v0.12.0, based on buildroot 2022.08.1.
    • The embedded swanctl and charon binaries have been removed. If you are using the ipsec flannel backend, please ensure that the strongswan swanctl and charon packages are installed on your node before upgrading k3s.
  • Update flannel to v0.20.2 (#​6588)
  • Add ADR for security bumps automation (#​6559)
  • Update node12->node16 based GH actions (#​6593)
  • Updating rel docs (#​6237)
  • Update install.sh to recommend current version of k3s-selinux (#​6453)
  • Update to v1.25.5-k3s1 (#​6622)
  • Bump containerd to v1.6.12-k3s1 (#​6631)
    • The embedded containerd version has been bumped to v1.6.12
  • Preload iptable_filter/ip6table_filter (#​6646)

Embedded Component Versions

Component Version
Kubernetes v1.25.5
Kine v0.9.6
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.12-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.5+k3s2: v1.25.5+k3s2

Compare Source

This release updates containerd to v1.6.14 to resolve an issue where pods would lose their CNI information when containerd was restarted.

Changes since v1.25.5+k3s1:

  • Bump containerd to v1.6.14-k3s1 (#​6694)
    • The embedded containerd version has been bumped to v1.6.14-k3s1. This includes a backported fix for containerd/7843 which caused pods to lose their CNI info when containerd was restarted, which in turn caused the kubelet to recreate the pod.

Embedded Component Versions

Component Version
Kubernetes v1.25.5
Kine v0.9.6
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.14-k3s1
Runc v1.1.4
Flannel v0.20.2
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.1
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.4+k3s1: v1.25.4+k3s1

Compare Source

This release updates Kubernetes to v1.25.4, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.3+k3s1:

  • Add the gateway parameter in netplan (#​6292)
  • Bumped dynamiclistener library to v0.3.5 (#​6300)
  • Update kube-router to v1.5.1 with extra logging (#​6345)
  • Update maintainers (#​6298)
  • Bump testing to opensuse Leap 15.4 (#​6337)
  • Update E2E docs with more info on ubuntu 22.04 (#​6316)
  • Netpol test for podSelector & ingress (#​6247)
  • Bump all alpine images to 3.16 (#​6334)
  • Bump kine to v0.9.6 / sqlite3 v3.39.2 (CVE-2022-35737) (#​6317)
  • Add hardened cluster and upgrade tests (#​6320)
  • The bundled Traefik helm chart has been updated to v18.0.0 (#​6353)
  • Mark v1.25.3+k3s1 as stable (#​6338)
  • The embedded helm controller has been bumped to v0.13.0 (#​6294)
  • Fixed an issue that would prevent the deploy controller from handling manifests that include resource types that are no longer supported by the apiserver. (#​6295)
  • Replace fedora-coreos with fedora 36 for install tests (#​6315)
  • Convert containerd config.toml.tmpl Linux template to v2 syntax (#​6267)
  • Add test for node-external-ip config parameter (#​6359)
  • Use debugger-friendly compile settings if DEBUG is set (#​6147)
  • update e2e tests (#​6354)
  • Remove unused vagrant development scripts (#​6395)
  • The bundled Traefik has been updated to v2.9.4 / helm chart v18.3.0 (#​6397)
  • None (#​6371)
  • Fix incorrect defer usage (#​6296)
  • Add snapshot restore e2e test (#​6396)
  • Fix sonobouy tests on v1.25 (#​6399)
  • Bump packaged component versions
  • The packaged traefik helm chart has been bumped to v19.0.0, enabling ingressClass support by default.
  • The packaged local-path-provisioner has been bumped to v0.0.23
  • The packaged coredns has been bumped to v1.9.4 (#​6408)
  • log kube-router version when starting netpol controller (#​6405)
  • Add Kairos to ADOPTERS (#​6417)
  • Update Flannel to 0.20.1 (#​6388)
  • Avoid wrong config for flannel-external-ip and add warning if unencrypted backend (#​6403)
  • Fix test-mods to allow for pinning version from k8s.io (#​6413)
  • Fix for metrics-server in the multi-cloud cluster env (#​6386)
  • K3s now indicates specifically which cluster-level configuration flags are out of sync when critical configuration differs between server nodes. (#​6409)
  • Convert test output to JSON format (#​6410)
  • Pull traefik helm chart directly from GH (#​6468)
  • Nightly test fix (#​6475)
  • Update to v1.25.4 (#​6477)
  • Remove stuff which belongs in the windows executor implementation (#​6492)
  • The packaged traefik helm chart has been bumped to 19.0.4 (#​6494)
  • Move traefik chart repo again (#​6508)

Embedded Component Versions

Component Version
Kubernetes v1.25.4
Kine v0.9.6
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.8-k3s1
Runc v1.1.4
Flannel v0.20.1
Metrics-server v0.6.1
Traefik v2.9.4
CoreDNS v1.9.4
Helm-controller v0.13.0
Local-path-provisioner v0.0.23

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.3+k3s1: v1.25.3+k3s1

Compare Source

This release updates Kubernetes to v1.25.3, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.2+k3s1:

  • E2E: Groundwork for MR runs (#​6131)
  • Fix flannel for deployments of nodes which do not belong to the same network and connect using their public IP (#​6180)
  • Mark v1.24.6+k3s1 as stable (#​6193)
  • Add cluster reset test (#​6161)
  • The embedded metrics-server version has been bumped to v0.6.1 (#​6151)
  • The ServiceLB (klipper-lb) service controller is now integrated into the K3s stub cloud controller manager. (#​6181)
  • Events recorded to the cluster by embedded controllers are now properly formatted in the service logs. (#​6203)
  • Fix error dialing backend errors in apiserver network proxy (#​6216)
    • Fixed an issue with the apiserver network proxy that caused kubectl exec to occasionally fail with error dialing backend: EOF
    • Fixed an issue with the apiserver network proxy that caused kubectl exec and kubectl logs to fail when a custom kubelet port was used, and the custom port was blocked by firewall or security group rules.
  • Fix the typo in the test (#​6183)
  • Use setup-go action to cache dependencies (#​6220)
  • Add journalctl logs to E2E tests (#​6224)
  • The embedded Traefik version has been bumped to v2.9.1 / chart 12.0.0 (#​6223)
  • Fix flakey etcd test (#​6232)
  • Replace deprecated ioutil package (#​6230)
  • Fix dualStack test (#​6245)
  • Add ServiceAccount for svclb pods (#​6253)
  • Update to v1.25.3-k3s1 (#​6269)
  • Return ProviderID in URI format (#​6284)
  • Corrected CCM RBAC to allow for removal of legacy service finalizer during upgrades. (#​6306)
  • Added a new --flannel-external-ip flag. (#​6321)
    • When enabled, Flannel traffic will now use the nodes external IPs, instead of internal.
    • This is meant for use with distributed clusters that are not all on the same local network.

Embedded Component Versions

Component Version
Kubernetes v1.25.3
Kine v0.9.3
SQLite 3.36.0
Etcd v3.5.3-k3s1
Containerd v1.6.8-k3s1
Runc v1.1.4
Flannel v0.19.2
Metrics-server v0.6.1
Traefik v2.9.1
CoreDNS v1.9.1
Helm-controller v0.12.3
Local-path-provisioner v0.0.21

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.2+k3s1: v1.25.2+k3s1

Compare Source

This release updates Kubernetes to v1.25.2, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.0+k3s1:

Embedded Component Versions

Component Version
Kubernetes v1.25.2
Kine v0.9.3
SQLite 3.36.0
Etcd v3.5.3-k3s1
Containerd v1.6.8-k3s1
Runc v1.1.4
Flannel v0.19.2
Metrics-server v0.5.2
Traefik v2.6.2
CoreDNS v1.9.1
Helm-controller v0.12.3
Local-path-provisioner v0.0.21

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.25.0+k3s1: v1.25.0+k3s1

Compare Source

This release is K3S's first in the v1.25 line. This release updates Kubernetes to v1.25.0.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

Important Note: Kubernetes v1.25 removes the beta PodSecurityPolicy admission plugin. Please follow the upstream documentation to migrate from PSP if using the built-in PodSecurity Admission Plugin, prior to upgrading to v1.25.0+k3s1.

Changes since v1.24.4+k3s1:

  • Update Kubernetes to v1.25.0 (#​6040)
  • Remove --containerd flag from windows kubelet args (#​6028)
  • E2E: Add support for CentOS 7 and Rocky 8 (#​6015)
  • Convert install tests to run MR build of k3s (#​6003)
  • CI: update Fedora 34 -> 35 (#​5996)
  • Fix dualStack test and change ipv6 network prefix (#​6023)
  • Fix e2e tests (#​6018)
  • Update README.md (#​6048)
  • Remove wireguard interfaces when deleting the cluster (#​6055)
  • Add validation check to confirm correct golang version for Kubernetes (#​6050)
  • Expand startup integration test (#​6030)
  • Update go.mod version to 1.19 (#​6049)
  • Usage of --cluster-secret, --no-deploy, and --no-flannel is no longer supported. Attempts to use these flags will cause fatal errors. See the docs for their replacement. (#​6069)
  • Update Flannel version to fix older iptables version issue. (#​6090)
  • The bundled version of runc has been bumped to v1.1.4 (#​6071)
  • The embedded containerd version has been bumped to v1.6.8-k3s1 (#​6078)
  • Fix deprecation message (#​6112)
  • Added warning message for flannel backend additional options deprecation (#​6111)

Embedded Component Versions

Component Version
Kubernetes v1.25.0
Kine v0.9.3
SQLite 3.36.0
Etcd v3.5.3-k3s1
Containerd v1.5.13-k3s2
Runc v1.1.3
Flannel v0.19.1
Metrics-server v0.5.2
Traefik v2.6.2
CoreDNS v1.9.1
Helm-controller v0.12.3
Local-path-provisioner v0.0.21

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.24.17+k3s1: v1.24.17+k3s1

Compare Source

This release updates Kubernetes to v1.24.17, and fixes a number of issues.

️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See https://github.com/k3s-io/k3s/security/advisories/GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.24.16+k3s1:

  • Update cni plugins version to v1.3.0 (#​8087)
  • Etcd snapshots retention when node name changes (#​8124)
  • August Test Backports (#​8128)
  • Backports for 2023-08 release (#​8135)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
    • Updated kine to v0.10.2
  • K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#​8146)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#​8168)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#​8191)
  • Additional backports for 2023-08 release (#​8214)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Fix runc version bump (#​8243)
  • Update to v1.24.17 (#​8240)
  • Add new CLI flag to enable TLS SAN CN filtering (#​8260)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#​8276)

Embedded Component Versions

Component Version
Kubernetes v1.24.17
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.21.3-k3s1.23
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.24.16+k3s1: v1.24.16+k3s1

Compare Source

This release updates Kubernetes to v1.24.16, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.24.14+k3s1:

  • Fix code spell check (#​7861)
  • Remove file_windows.go (#​7857)
  • Allow k3s to customize apiServerPort on helm-controller (#​7872)
  • Fix rootless node password (#​7899)
  • Backports for 2023-07 release (#​7910)
    • Resolved an issue that caused agents joined with kubeadm-style bootstrap tokens to fail to rejoin the cluster when their node object is deleted.
    • The k3s certificate rotate-ca command now supports the data-dir flag.
  • Adding cli to custom klipper helm image (#​7916)
    • The default helm-controller job image can now be overridden with the --helm-job-image CLI flag
  • Generation of certs and keys for etcd gated if etcd is disabled (#​7946)
  • Don't use zgrep in check-config if apparmor profile is enforced (#​7955)
  • Fix image_scan.sh script and download trivy version (#​7950) (#​7970)
  • Adjust default kubeconfig file permissions (#​7985)
  • Update to v1.24.16 (#​8023)

Embedded Component Versions

Component Version
Kubernetes v1.24.16
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.3-k3s1.23
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.2
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.24.15+k3s1: v1.24.15+k3s1

Compare Source

This release updates Kubernetes to v1.24.15, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.24.14+k3s1:

  • E2E Backports - June (#​7726)
    • Shortcircuit commands with version or help flags #​7683
    • Add Rotation certification Check, remove func to restart agents #​7097
    • E2E: Sudo for RunCmdOnNode #​7686
  • Fix spelling check (#​7753)
  • Backport version bumps and bugfixes (#​7719)
    • The bundled metrics-server has been bumped to v0.6.3, and now uses only secure TLS ciphers by default.
    • The coredns-custom ConfigMap now allows for *.override sections to be included in the .:53 default server block.
    • The K3s core controllers (supervisor, deploy, and helm) no longer use the admin kubeconfig. This makes it easier to determine from access and audit logs which actions are performed by the system, and which are performed by an administrative user.
    • Bumped klipper-lb image to v0.4.4 to resolve an issue that prevented access to ServiceLB ports from localhost when the Service ExternalTrafficPolicy was set to Local.
    • Make LB image configurable when compiling k3s
    • K3s now allows nodes to join the cluster even if the node password secret cannot be created at the time the node joins. The secret create will be retried in the background. This resolves a potential deadlock created by fail-closed validating webhooks that block secret creation, where the webhook is unavailable until new nodes join the cluster to run the webhook pod.
    • The bundled containerd's aufs/devmapper/zfs snapshotter plugins have been restored. These were unintentionally omitted when moving containerd back into the k3s multicall binary in the previous release.
    • The embedded helm controller has been bumped to v0.15.0, and now supports creating the chart's target namespace if it does not exist.
  • Remove unused libvirt config (#​7759)
  • Add format command on Makefile (#​7764)
  • Update Kubernetes to v1.24.15 (#​7785)

Embedded Component Versions

Component Version
Kubernetes v1.24.15
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.3-k3s1.23
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.24.14+k3s1: v1.24.14+k3s1

Compare Source

This release updates Kubernetes to v1.24.14, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.24.13+k3s1:

  • Add E2E testing in Drone (#​7376)
  • Add integration tests for etc-snapshot server flags (#​7379)
  • CLI + Config Enhancement (#​7407)
    • --Tls-sans now accepts multiple arguments: --tls-sans="foo,bar"
    • Prefer-bundled-bin: true now works properly when set in config.yaml.d files
  • Migrate netutil methods into /utils/net.go (#​7435)
  • Bump Runc + Containerd + Docker for CVE fixes (#​7453)
  • Bump kube-router version to fix a bug when a port name is used (#​7462)
  • Kube flags and longhorn tests 1.24 (#​7467)
  • Local-storage: Fix permission (#​7472)
  • Backport version bumps and bugfixes (#​7516)
    • K3s now retries the cluster join operation when receiving a "too many learners" error from etcd. This most frequently occurred when attempting to add multiple servers at the same time.
    • K3s once again supports aarch64 nodes with page size > 4k
    • The packaged Traefik version has been bumped to v2.9.10 / chart 21.2.0
    • K3s now prints a more meaningful error when attempting to run from a filesystem mounted noexec.
    • K3s now exits with a proper error message when the server token uses a bootstrap token id.secret format.
    • Fixed an issue where Addon, HelmChart, and HelmChartConfig CRDs were created without structural schema, allowing the creation of custom resources of these types with invalid content.
    • Servers started with the (experimental) --disable-agent flag no longer attempt to run the tunnel authorizer agent component.
    • Fixed an regression that prevented the pod and cluster egress-selector modes from working properly.
    • K3s now correctly passes through etcd-args to the temporary etcd that is used to extract cluster bootstrap data when restarting managed etcd nodes.
    • K3s now properly handles errors obtaining the current etcd cluster member list when a new server is joining the managed etcd cluster.
    • The embedded kine version has been bumped to v0.10.1. This replaces the legacy lib/pq postgres driver with pgx.
    • The bundled CNI plugins have been upgraded to v1.2.0-k3s1. The bandwidth and firewall plugins are now included in the bundle.
    • The embedded Helm controller now supports authenticating to chart repositories via credentials stored in a Secret, as well as passing repo CAs via ConfigMap.
  • Bump containerd/runc to v1.7.1-k3s1/v1.1.7 (#​7536)
    • The bundled containerd and runc versions have been bumped to v1.7.1-k3s1/v1.1.7
  • Wrap error stating that it is coming from netpol (#​7549)
  • Update to v1.24.14-k3s1 (#​7577)

Embedded Component Versions

Component Version
Kubernetes v1.24.14
Kine v0.10.1
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.7.1-k3s1
Runc v1.1.7
Flannel v0.21.3-k3s1.23
Metrics-server v0.6.2
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.14.0
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.24.13+k3s1: v1.24.13+k3s1

Compare Source

This release updates Kubernetes to v1.24.13, and fixes a number of issues.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.24.12+k3s1:

  • Enhance check-config (#​7165)
  • Remove deprecated nodeSelector label beta.kubernetes.io/os (#​6970) (#​7122)
  • Backport version bumps and bugfixes (#​7229)
    • The bundled local-path-provisioner version has been bumped to v0.0.24
    • The bundled runc version has been bumped to v1.1.5
    • The bundled coredns version has been bumped to v1.10.1
    • When using an external datastore, K3s now locks the bootstrap key while creating initial cluster bootstrap data, preventing a race condition when multiple servers attempted to initialize the cluster simultaneously.
    • The client load-balancer that maintains connections to active server nodes now closes connections to servers when they are removed from the cluster. This ensures that agent components immediately reconnect to a current cluster member.
    • Fixed a race condition during cluster reset that could cause the operation to hang and time out.
  • Updated kube-router to move the default ACCEPT rule at the end of the chain (#​7222)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update klipper lb and helm-controller (#​7241)
  • Update Kube-router ACCEPT rule insertion and install script to clean rules before start (#​7277)
    • The embedded kube-router controller has been updated to fix a regression that caused traffic from pods to be blocked by any default drop/deny rules present on the host. Users should still confirm that any externally-managed firewall rules explicitly allow traffic to/from pod and service networks, but this returns the old behavior that was relied upon by some users.
  • Update to v1.24.13-k3s1 (#​7284)

Embedded Component Versions

Component Version
Kubernetes v1.24.13
Kine v0.9.9
SQLite 3.39.2
Etcd v3.5.3-k3s1
Containerd v1.6.19-k3s1
Runc v1.1.5
Flannel v0.21.3-k3s1.23
Metrics-server v0.6.2
Traefik v2.9.4
CoreDNS v1.10.1
Helm-controller v0.13.3
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by Renovate Bot

Merge request reports