D2iQ® Konvoy® version 1.7.0 was released on 10 February, 2021.
This release provides new features and enhancements to improve the user experience, fix reported issues, integrate changes from previous releases, and maintain compatibility and support for other packages used in Konvoy.
New features and capabilities
FIPS 140-2 Support
Konvoy 1.7 introduces support for FIPS 140-2 encryption ciphers according to the NIST FIPS 140-2 standard.
In this release:
- Control plane Kubernetes components use FIPS-approved ciphers.
- A verification tool shows whether select Kubernetes objects in a cluster are using approved ciphers, and which ciphers are in use.
konvoy up --mode fipscommand to create a new
cluster.yamlwith the required configuration to create a FIPS-approved cluster.
konvoy check fipscommand to verify the cluster is using FIPS-approved ciphers.
Security Vulnerability Scanning and Reporting
Konvoy now scans for common vulnerabilities and exposures (CVE) and reports them publicly. For more information on the most current Konvoy CVE scans, see Security Updates.
Support for VMWare vSphere
- Konvoy now supports
vsphereas a provisioner to create clusters in your VMware vSphere environment. For more information, see the Konvoy vSphere topic.
- The Nvidia GPU driver now runs on the host system by default. See Konvoy GPU docs for details.
- Fixed a bug that prevented upgrades when the
kommanderaddon was not installed.
- Added retries when adding iptable rules to avoid errors when another program may have a lock on the table.
- Re-enabled coredns caching to reduce unnecessary load on API server.
- Retry ssh-connections that could cause
unreachablefailures when using a bastion node.
- Better verification of when a machine is ready before trying to run Ansible.
- Fix a regression with old versions of
ip routethat could result in an error when
keepalivedis enabled. (COPS-6791)
- Wait for an addon to be deleted before printing
- Clean up dangling docker container
- Fail if root volume disk usage exceeds 85%.
- Fail if machines do nothave 2 CPUs or 2GB of Memory.
- Remove support for Kubernetes
clusterConfiguration.spec.kubernetes.apiserver.targetRamMBto configure the
targetRamMBvalue of the
kube-apiserver. This option is only valid for Kubernetes versions
v1.17.x, this field will be removed in a future version.
clusterConfiguration.spec.loggingOptionsto configure systemd-journald settings.
- The way
clusterConfiguration.containerRuntime.datainformation is merged was changed so that nested data is now properly merged without requiring to add all parent configuration.
clusterConfiguration.spec.autoProvisioning.disabledto disable the deployment of auto-provisioning.
- Fixed a regression that prevented adding new tags to EC2 instances after an initial provision run. (COPS-6687)
- Tag AWS key pairs created by Konvoy.
- Fixed the
kube-apiserverbeing spammed by a handshake TLS errors by using an HTTPs instead of a TCP health probe on the
- Fix an issue when setting
machine.aws.iam.instanceProfilevalue to 0 bastion nodes would cause a Terraform failure.
spec.nodePools.machine.aws.kmsKeyIDto specify a KMS encryption key for the AWS instance block volumes created by Konvoy.
- Decrease the default number of nodes to 4. (COPS-6770)
- Added a new flag,
--filter-files, which is a comma separated list of regular expressions of files that should not be included in the diagnostics bundle.
- Collect diagnostics from bastion machines.
- Collect diagnostics from
- Ensure AWS & Azure credentials are valid before saving them.
- Removed leader election for the
kubeaddon-controllerdeployment to avoid the pod being terminated in the middle of an install operation.
- Added a Helm flag to limit the number of Helm releases. Prior to this, the large number of releases could lead to a slowdown in etcd.
- Disabled color output when running without a tty.
- Instance ID changes are no longer ignored by Terraform for the 2nd volume attachment.
- Added support for SUSE 15.
Upstream industry changes
The following sections refer to recent changes in the Open Source software used by DKP that may require action on your part as part of an upgrade or installation of D2iQ software.
Docker hub rate limiting
Docker Hub announced an update to their image pull policies in August, 2020. The change results in the need to change cluster configurations to accommodate new account structures that enable image pull rate limiting.
Rate limiting happens on a per-pull basis regardless of whether the pulled image is owned by a paid user. This means D2iQ, as owner of most images used in Konvoy, does not have any influence as to whether your current address is rate-limited or not. Konvoy does not have a strict dependency on Docker Hub accounts or plans.
For more information on addressing this limit, see Docker hub rate limits.
KUDO Spark Operator Upgrade Prior to Konvoy Upgrade or Install
Custom Resource Definitions of KUDO Spark Operator versions prior to 3.0.0-1.1.0 do not specify default values for
x-kubernetes-list-map-keys properties and will fail validation on Kubernetes versions 1.18.x and later.
Perform these steps prior to upgrading or installing Konvoy to prevent or mitigate disruption of currently-running Spark jobs and invalidating Spark CRDs:
- Wait for the KUDO Spark Operator jobs to finish, or terminate the running jobs.
- Uninstall the KUDO Spark Operator.
- Install the new KUDO Spark version.
- Upgrade or install Konvoy.
- Ansible 22.214.171.124
- Calico 3.17.1
- Cluster-autoscaler v0.4.0
- Containerd v1.3.9
- Docker v19.03.14
- Go 1.15.6
- Helm v3.3.4
- kubeaddons-dispatch stable-1.19-1.4.0
- kubeaddons-kommander stable-1.19-1.3.0
- kubernetes-base-addons stable-1.19-3.2.0
- Kubernetes v1.19.7
- Kubeaddons v0.23.7
- Mitogen a60c6c14a2473c895162a1b58a81bad0e63d1718
- Terraform v0.13.5
- Terraform AWS plugin ~> 3.0
- Terraform Azure plugin ~> 2.31
- Terraform GCP plugin ~> 3.42
For information about working with native Kubernetes, see the Kubernetes documentation.