
VMware Pivotal Container Service 1.2 Release Notes

VMware Pivotal Container Service | 10 DEC 2018 

Check for additions and updates to these release notes.

VMware Pivotal Container Service (PKS) is used to create and manage on-demand Kubernetes clusters using the PKS CLI.

Versions:

v1.2.4

Release Date: December 10, 2018

Release Snapshot

Component Details
PKS version v1.2.4
Ops Manager version(s) v2.2.2+, v2.3.1+
Stemcell version v97.34
Kubernetes version v1.11.5
On-Demand Broker version v0.24
NSX-T version(s) v2.2, v2.3.0.2
NCP version v2.3.1
vSphere version(s) v6.7.0 (with Ops Manager v2.3 and NSX-T v2.3); v6.5 (U2, U1)

Features

PKS v1.2.4 adds support for the following:

  • Sink resources in internetless environments.
  • Multiple Tier-0 routers in NSX-T.
  • Bootstrap security group, custom floating IP, and edge router selection using Network Profiles with NSX-T.
  • NSX-T ODB v0.24.
  • Fix: Log files should no longer fill the ephemeral disk on Kubernetes API instances.
  • Fix: It is now possible to add a new plan to a tile, redeploy the tile and then create a cluster with this plan.
  • Fix: The command "pks delete-cluster" releases SNAT floating IP allocated for Kubernetes namespaces.
  • Fix: Special characters "<", ":", "?", and "+" are now supported in the HTTP Proxy password field.

To use the new NSX-T networking features in PKS v1.2.4:

  • Use the official NSX-T v2.3 build: VMware NSX-T Data Center 2.3 | 18 SEP 2018 | Build 10085361
  • Apply the NSX-T v2.3.0.2 hot-patch. For more information and instructions, see KB article 60293 at the VMware Knowledge Base.

Upgrade

The supported upgrade paths to PKS v1.2.4 are from v1.1.5 and later.

Known Issues

PKS v1.2.4 has the following known issues:

  • Special characters "&" and ";" do not work in the HTTP Proxy password field.
  • For vSphere with NSX-T installations, if you are upgrading to PKS v1.2.3 and have an existing proxy configuration, also include the following IP addresses in the No Proxy field of the PKS tile: NSX Manager, vCenter Server, and all ESXi hosts.

v1.2.3

Release Date: November 30, 2018

Release Snapshot

Component Details
PKS version v1.2.3
Ops Manager version(s) v2.2.2+, v2.3.1+
Stemcell version v97.34
Kubernetes version v1.11.5
On-Demand Broker version v0.24
NSX-T version(s) v2.2, v2.3
NCP version v2.3
vSphere version(s) v6.7.0 (with Ops Manager v2.3 and NSX-T v2.3); v6.5 (U2, U1)

Features

PKS v1.2.3 includes the following:

  • Adds support for the NSX-T and vCenter IaaS Proxy.
  • Adds support for the NSX-T large size load balancer with bare metal Edge Node.
  • Adds support for specifying the size of the Pods IP Block subnet using Network Profiles.
  • Updates Kubernetes to v1.11.5.
  • Updates On-Demand Broker to v0.24.
  • Updates Xenial Stemcell v97.34.
  • Fixes issue with mounting NFS Persistent Volumes.
  • Security Fix: addresses CVE-2018-1002105.
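
One way to confirm that running clusters picked up this fix, as an added example (not part of the release notes or of PKS tooling): it reads captured `kubectl version --short` output and compares the API server version, not the client version, with the v1.11.5 build listed above. The cluster names and sample captures are constructed, and only the 1.11.x line shipped by PKS 1.2 is evaluated.

```python
import re

# Kubernetes build this page lists as addressing CVE-2018-1002105 (PKS v1.2.3+).
PATCHED = (1, 11, 5)

# Only the server line matters: the fix is in the API server, not in kubectl.
_SERVER_RE = re.compile(
    r"^Server Version:\s*v(\d+)\.(\d+)\.(\d+)(-[\w.]+)?", re.MULTILINE
)


def server_version(kubectl_output):
    """Return ((major, minor, patch), prerelease) or None if no server line."""
    m = _SERVER_RE.search(kubectl_output)
    if m is None:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4)


def classify(kubectl_output):
    """Classify one cluster as 'patched', 'vulnerable' or 'unknown'."""
    parsed = server_version(kubectl_output)
    if parsed is None:
        return "unknown"      # API server did not answer; never assume patched
    ver, prerelease = parsed
    if ver[:2] != PATCHED[:2] or prerelease:
        return "unknown"      # other release lines and pre-releases: check by hand
    return "patched" if ver >= PATCHED else "vulnerable"


def audit(outputs):
    """Map cluster name -> status for a dict of captured kubectl outputs."""
    return {name: classify(text) for name, text in outputs.items()}


# Constructed sample captures (hypothetical cluster names, not real output).
SAMPLES = {
    "dev": "Client Version: v1.11.5\nServer Version: v1.11.3\n",
    "prod": "Client Version: v1.11.5\nServer Version: v1.11.5+build.1\n",
    "lab": "Client Version: v1.11.5\nServer Version: v1.11.2\n",
    "edge": "Client Version: v1.11.5\nerror: unable to connect to the server\n",
}

if __name__ == "__main__":
    for name, status in sorted(audit(SAMPLES).items()):
        print(f"{name}: {status}")
```
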

Upgrade

The supported upgrade paths to PKS v1.2.3 are from v1.1.5 and later.

Known Issues

PKS v1.2.3 has the following known issues:

  • Special characters are not supported in the HTTP Proxy password field.
  • For vSphere with NSX-T installations, if you are upgrading to PKS v1.2.3 and have an existing proxy configuration, also include the following IP addresses in the No Proxy field of the PKS tile: NSX Manager, vCenter Server, and all ESXi hosts.

v1.2.2

Release Date: November 14, 2018

Release Snapshot

Component Details
PKS version v1.2.2
Ops Manager version(s) v2.2.2+, v2.3.1+
Stemcell version v97.17
Kubernetes version v1.11.3
On-Demand Broker version v0.23
NSX-T version(s) v2.2, v2.3
NCP version v2.3
vSphere version(s) v6.7.0 (with Ops Manager v2.3 and NSX-T v2.3); v6.5 (U2, U1)

Features

PKS v1.2.2 includes updates to the containers that underlie sink resources and Wavefront integration. These updates do not add functionality and should not impact existing functionality.

Upgrade

The supported upgrade paths to PKS v1.2.2 are from v1.1.5 and later.

Known Issues

There are no known issues.

v1.2.1

Release Date: November 2, 2018

Release Snapshot

Component Details
PKS version v1.2.1
Ops Manager version(s) v2.2.2+, v2.3.1+
Stemcell version v97.17
Kubernetes version v1.11.3
On-Demand Broker version v0.22
NSX-T version(s) v2.2, v2.3
NCP version v2.3
vSphere version(s) v6.7.0 (with Ops Manager v2.3 and NSX-T v2.3); v6.5 (U2, U1)

Features

PKS 1.2.1 adds support for:

  • Routable pod networks for assigning each pod in a Kubernetes cluster a routable (public) IP address.
  • Configurable maximum number of worker nodes per Kubernetes cluster. Previously the maximum was 50 and not configurable. Note: Clusters with more than 200 worker nodes have not been validated.
  • Sink resources for Kubernetes clusters.
  • Kubernetes v1.11.3.

Upgrade

The supported upgrade paths to PKS v1.2.1 are from v1.1.5, v1.1.6, and v1.2.0.

Known Issues

There is a known issue with spaces in the configurable fields of the PKS tile in Ops Manager. Do not insert spaces between characters, and do not add leading or trailing spaces; otherwise the PKS deployment will fail. This known issue also applies to PKS 1.1.x.

v1.2.0

Release Date: September 27, 2018

Release Snapshot

Component Details
PKS version v1.2.0
Ops Manager version(s) v2.2.2+, v2.3.1+
Stemcell version v97.17
Kubernetes version v1.11.2
On-Demand Broker version v0.22
NSX-T version(s) v2.2, v2.3
NCP version v2.3
vSphere version(s) v6.7.0 (with Ops Manager v2.3 and NSX-T v2.3); v6.5 U2, U1 (with Ops Manager v2.2 and NSX-T 2.2)

Features

PKS 1.2.0 includes the following new features:

  • Network Profiles for per-cluster customization and choice of load balancer size. For more information, see the topic "Using Network Profiles (NSX-T Only)."
  • Support for Xenial stemcells.
  • Multi-master clusters. For more information, see the "Plans" section of the "Installing PKS" topic for your IaaS.
  • OpenID Connect (OIDC) authentication strategy in Kubernetes. For more information, see the "Configure OpenID Connect" section of the "Installing PKS" topic for your IaaS.
  • Cluster administrators can use LDAP users and groups in RoleBinding and ClusterRoleBinding objects. For more information, see the topic "Managing Users in PKS with UAA."
  • Namespace sinks. For more information, see the topic "Creating Sink Resources."
  • PKS can be deployed on Amazon Web Services (AWS). For more information, see the topic "Amazon Web Services (AWS)."
  • Support for specifying the number of worker nodes to be installed in parallel. For more information, see the "PKS API" section of the "Installing PKS" topic for your IaaS.
  • Metrics server is deployed by default. Heapster is still deployed but will be removed in a future release per Kubernetes deprecation notice.
  • Support for Horizontal Pod Autoscaling.
  • Support for the HostPort feature to allow pods to open external ports on the worker node.
  • ETCD release v3.3.9.
  • Updated admission-controllers based on Kubernetes recommendations including DefaultTolerationSeconds and ValidatingAdmissionWebhook. NamespaceExists has been removed.
  • Changed Docker storage driver from overlay to overlay2. The old images will remain on each worker in the '/var/vcap/data/docker/docker/overlay' directory.
  • Support for the NTLM formatted usernames for vSphere.
  • Improved drain script for large cluster upgrades.
  • Deprecated support for NSX-T v2.1.
  • vSphere credentials are not stored in the BOSH manifest (fix).

Upgrade

The supported upgrade paths to PKS v1.2.0 are from PKS v1.1.5 and later. For customers who have deployed PKS v1.1.5 with NSX-T, NSX-T 2.2 is the version supported for upgrades to PKS v1.2.0. See Upgrade PKS with NSX-T for upgrade instructions. See also Release Details > Upgrades From at the PKS download page on Pivotal Network.

Known Issues

The following known issues pertain to PKS 1.2.0.

  • Using the Copy function in the VMware edition of the PKS documentation does not work when pasting into a command session because tab delimiters used for formatting are preserved in the copied contents. To copy/paste commands from the documentation, please use the Pivotal edition of the PKS documentation: https://docs.pivotal.io/runtimes/pks/1-2/index.html.
  • When the PKS tile is being redeployed (during PKS tile upgrade, for instance), the following error message may appear in the Ops Manager status log: "Failed Jobs: pks-api." The workaround is to disable telemetry data collection in the Usage Data pane of the PKS tile.
  • For PKS with NSX-T, using the "Generate RSA Certificate" option in the Networking tab of the PKS tile for generating the NSX Manager Super User Principal Identity Certificate results in the following error during deployment of PKS: "ERROR: NSX-T Precheck failed due to error code: 403, error message: The credentials were incorrect or the account specified has been locked." This error is the result of a change in the cURL version as part of the stemcell upgrade from Ubuntu v14.04 to v16.04. In Ubuntu 16.04, cURL comes with GnuTLS instead of OpenSSL. The workaround is to use the manual approach for generating the principal identity certificate and key as described in Generating and Registering certificates.
  • Namespace sinks do not work in environments without internet access.
  • Due to a limitation with the NSX-T 2.2 scheduler component, VMware recommends not using the medium size load balancer at this time (even if the NSX-T edge cluster has more than 2 edge node VMs). This limitation is addressed in NSX-T 2.3, which PKS 1.2.0 supports.
  • When using AWS, in order to save a plan on the tile, the Master/ETCD, Worker and Errand VM Type must be selected and not left on Automatic. The recommended minimum type is t2.medium.
  • Existing certificates will expire after a year. The certificates will be updated in a future release.
  • The External Groups Whitelist has a 4000 character limit due to the size limitation of JWT tokens.
  • In an internetless environment, the images for the kube system components must be present within the environment to allow the overlay2 upgrade.
  • Kubernetes end users must manually configure their kubeconfig in order to use their LDAP credentials if OIDC is turned on.
  • UAA refresh token for OIDC authorization is currently not supported.
  • The '\' character cannot be used in the external hostname.
  • When a cluster is created, the output logs will contain the following warning: `Warning: DNS address not available for the link provider instance: pivotal-container-service/[uuid]`. It has no effect on the cluster creation.