Skip to main content
Version: 1.28.0

Kubernetes Fury Distribution Release v1.28.0

Welcome to KFD release v1.28.0.

The distribution is maintained with ❤️ by the team SIGHUP it is battle tested in production environments.

This release adds compatibility with Kubernetes 1.28.

New Features since v1.27.4

Core Module Updates

  • networking 📦 core module: v1.16.0
    • Updated calico to 3.27.0.
    • Updated tigera operator to 1.32.3.
    • Updated cilium to 1.15.2.
  • monitoring 📦 core module: v3.1.0
    • Updated thanos to v0.34.0.
    • Updated x509-exporter to v3.12.0.
    • Updated mimir to v2.11.0.
    • Updated minio-ha to RELEASE.2024-02-09T21-25-16Z.
  • logging 📦 core module: v3.4.0
    • Removed cerebro.
    • Updated opensearch to 2.12.0.
    • Updated opensearch-dashboards to 2.12.0.
    • Updated logging-operator to 4.5.6.
  • ingress 📦 core module: v2.3.0
    • Updated cert-manager to 1.14.2.
    • Updated external-dns to 0.14.0.
    • Updated forecastle to 1.0.136.
    • Updated nginx to 1.9.6.
  • dr 📦 core module: v2.3.0
    • Updated velero to 1.13.0.
    • Updated all plugins to 1.9.0.
  • OPA 📦 core module: v1.12.0
    • Updated gatekeeper to 3.15.1.
    • Updated gatekeeper-policy-manager to 1.0.10.
    • Updated kyverno to 1.11.4.
  • auth 📦 core module: v0.2.0
    • Updated dex to 2.38.0.
    • Updated pomerium to 0.25.0.
  • tracing 📦 core module: v1.0.3

Please refer the individual release notes for detailed information.

New features 🌟

This release add the following features:

  • New Encryption Feature on ETCD: This version introduces a feature for the OnPremises provider that allows inserting the encryption-provider-config parameter into the API server to enable encryption within the ETCD database. You can adjust the parameter using .spec.kubernetes.advanced.encryption.configuration: <string> (NOTE: For existing clusters, manual execution of the command kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml is required on all masters). An example configuration to encrypt new secrets with fallback to plaintext is:

    apiVersion: apiserver.config.k8s.io/v1
    kind: EncryptionConfiguration
    resources:
      - resources:
        - secrets
        providers:
        - aescbc:
            keys:
            - name: key1
              # example base64 encode of "passwordpassword"
              secret: cGFzc3dvcmRwYXNzd29yZAo=
        # fallback to read non encrypted secrets
        - identity: {}

  • New Encryption Parameters to Change TLS Cipher Suites in ETCD and API Server: A new parameter to customize the TLS cipher suites available in the API server and ETCD service has been added, .spec.kubernetes.advanced.encryption.tlsCipherSuites: <array of strings> (NOTE: For existing clusters, manual execution of the command kubeadm upgrade apply --config /etc/kubernetes/kubeadm.yml is required on all masters, along with a manual restart of the ETCD service).

  • Image Directive on CustomPatches on All Providers: With this release, we added the possibility to customize the image using the following configuration:

    spec:
      distribution:
        customPatches:
          images:
            - name: registry.sighup.io/fury/prometheus-operator/prometheus-operator
              newName: quay.io/prometheus-operator/prometheus-operator
              newTag: latest

  • Auto Role Setting on Workers for the OnPremises Provider: Automatic labeling of worker nodes with their name in the privileged label node-role.kubernetes.io/{{ node_role }}= has been added.

  • Replaced Gangway with Gangplank: We created a fork, Gangplank, of the open-source Gangway project archived by VMware. This new fork updates all dependencies and revamps the UI.

  • Additional Static Clients on DEX: A new parameter, additionalStaticClients, on DEX configuration can now be configured:

    spec:
      distribution:
        modules:
          auth:
            dex: 
              connectors:
                - type: ldap
                  ...
              additionalStaticClients:
                - id: test
                  redirectURIs:
                    - https://argocd.test/auth/callback
                    - https://argocd.test/auth/login
                  name: 'ArgoCD Login'
                  secret: XXXXXX

Fixes

  • Mimir Tolerations and Selectors: Tolerations and selectors on the Mimir deployment were not being honored.
  • Mimir max_global_series_per_user to Unlimited: We changed the default value of max_global_series_per_user to unlimited since Mimir, after the cluster was up and running for a while, was rejecting metrics from Prometheus.

Removals 🗑️

  • Removed Cerebro: Cerebro is an unmaintained open-source project. Due to security reasons, we decided to remove it from the logging module without replacement.

Upgrade procedure

Check the upgrade docs for the detailed procedure.