Deckhouse Kubernetes Platform 1.48-1.60 Update Summary
In this article, we'll cover the most important updates to Deckhouse Kubernetes Platform versions 1.48–1.60 that have happened in almost a year, which is how long it's been since our last review new features.
In addition to the changes listed here, each release included ongoing activities such as closing vulnerabilities of varying severity in various components and switching to distroless images for platform components. A full list of changes can be found at the links in each release.
Content
Deckhouse 1.48: Nginx Ingress High Availability Mode and Migrating User Groups to Group
Deckhouse version 1.48 was released to the Stable channel on July 25, 2023. Key changes include the addition of support for Kubernetes 1.27 and the end of support for Kubernetes 1.22.
Let's look at the changes in more detail:
Added the ability to manage the failover mode for the module ingress nginx (parameter highAvailability). This allows you to enable high availability for the Ingress Nginx control plane components when global high availability is disabled.
In the module user-authnwhich is responsible for configuring a unified authentication system integrated with Kubernetes and web interfaces, has been deprecated groups — it described the list of groups the user is a member of. Now these parameters are configured in the resource Group.
In the module admission-policy-engine new parameter added Security Policywhich allows you to fine-tune your security policies.
Added the ability to manage Istio sidecar container resources (parameter sidecar.resourcesmanagement).
Added the ability to manage the disk size for etcd data for some cloud providers (parameter etcdDiskSizeGb).
Full list of changes in version 1.48.
Deckhouse 1.49: Docker CRI deprecation and new module for creating environments
Deckhouse version 1.49 was released on the Stable update channel on August 8, 2023. The main changes include the end of support for Docker CRI and the addition of a new module multitenancy manager.
Let's take a closer look at them:
Docker support on nodes has been discontinued. You can use CRI for groups of nodes or the entire cluster choose either Containerd or NotManaged.
New module added multi-tenancy managerwhich allows you to create templated environments in a cluster using custom resources. This makes it possible to conveniently create environments in a cluster with configured restrictions on access and use of resources (example). Using this module can be useful in the following cases:
to create developer environments when testing or demonstrating code;
when deploying applications with limited access to the cluster granted to the developer;
when providing services for leasing cluster resources.
The Deckhouse installer (dhctl) has been updated with a set of preliminary checks that allow you to identify possible problems before installation: checking the availability of the localhost node, ports 6443, 2379 and 2380 on the server, and checking the ability to create an SSH tunnel.
Added control capability resource reservation for system services on the node (using the parameter resourceReservation). Reservation is enabled automatically, but this will only affect new NodeGroups.
Full list of changes in version 1.49.
Deckhouse 1.50: Kubernetes and Ingress Controller Version Update, Log Sending to Grafana Cloud
Deckhouse version 1.50 was released on the Stable update channel on August 29, 2023. The main changes include a change in Kubernetes versions to 1.25 and the Ingress controller to 1.6, as well as the appearance of a virtualization module.
Let's take a closer look:
The default Ingress Controller version has been changed from 1.1 to 1.6.
The default Kubernetes version has been changed from 1.23 to 1.25.
Improved module security extended-monitoring And monitoring kubernetes due to the use of distroless images.
The virtualization module now has the ability to specify the priority of a virtual machine (the priorityClassName parameter of the VirtualMachine resource).
Improved stability of cluster autoscaler. Implemented the use of different versions of cluster autoscaler for the corresponding versions of Kubernetes.
In the module log shipper Added support for multi-tenant loki installations for sending logs (parameter loki.tenantID resource ClusterLogDestination). Now, for example, you can send logs to Grafana Cloud.
Added alias for resource NodeGroupConfiguration — ngc. For example, now it is enough to write
kubectl get ngcinstead ofkubectl get NodeGroupConfiguration.
Full list of changes in version 1.50.
Deckhouse 1.51: Web admin interface in Enterprise version and ability to defer minor updates
Deckhouse version 1.51 was released on the Stable update channel on September 26, 2023. Among the main changes, we can note the appearance of an administrator web interface in the Enterprise version of the platform and the ability to fine-tune minor updates.
Let's look at them in more detail:
Starting with this version, the Enterprise edition of the platform now has the ability to use web user interfaceTo do this, you need to run the command
kubectl -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module enable deckhouse-adminafter making sure that the cluster uses a container image storeregistry.deckhouse.io.The module simplifies cluster management and makes the system state visual. If the public domain template
%s.example.comthen you can access the web application at the addresshttps://deckhouse-admin.example.com. Access to the interface will be limited to administrators, but non-administrators will not have access.Main features of the module:
Overview of cluster, versions, system status and updates.
Managing modules and their settings.
Node management: node configuration, scaling, update parameters.
Tenant management: projects created from templates.
Access management: authentication providers, group and user rights.
Ingress controllers: introducing traffic into the cluster.
Logging: collecting logs from nodes and pods, sending to various types of storage.
Monitoring: processing and sending metrics, creating alerts and recording rules, dashboards and data sources for Grafana, Prometheus settings and a list of burning alerts.
GitOps support: Kuberentes resources created automatically (werf, Argo CD, Helm) are specifically marked.
Metrics and monitoring across nodes, node groups, and Ingress controllers.
Status of Prometheus pods, Ingress controllers, and pods on nodes.
New parameter namespaceSelector resource ClusterAuthorizationRule has replaced the outdated parameters allowAccessToSystemNamespaces And limitNamespaces. The namespaceSelector parameter can be used to limit the list of namespaces available to a user/group.
Minor Update Improvements:
You can now delay minor Deckhouse updates for a specific amount of time using the parameter minimalNotificationTime. Previously, this parameter could only be used when specifying Webhook URLbut now it can be used independently. This can be useful if you want a new version of Deckhouse to be applied with a certain delay after it appears in the update channel (a resource will be automatically created in the cluster DeckhouseRelease). This will give you time to prepare for the update, postpone it, or apply it immediately. The parameter does not affect the update of patch versions.
Deckhouse minor updates are now always applied sequentially. Previously, minor versions could be skipped when changing modes or update channels.
Full list of changes in version 1.51.
Deckhouse 1.52: New Dashboards in Grafana and NTP Servers on Master Nodes
Deckhouse version 1.52 was released to the Stable update channel on October 17, 2023. Key changes include the continued transition to distroless images for platform components, the introduction of several new dashboards in Grafana, and the inclusion of master nodes as default NTP servers for other nodes.
Let's take a closer look at them:
Security updates include the ability to use the parameter denyVulnerableImages Prevent containers using images with High and Critical vulnerabilities from running in the cluster.
Time synchronization on nodes is now performed by default through master nodes, which act as NTP servers (module chrony).
Full list of changes in version 1.52.
Deckhouse 1.53: Kubernetes 1.28 and ALT Linux 10.0 and 10.2 support
Deckhouse version 1.53 was released to the Stable channel on November 2, 2023. The main changes include the end of support for Kubernetes 1.23 and the addition of support for Kubernetes 1.28, as well as the addition of support for ALT Linux 10.0 and 10.2.
Let's take a closer look at them:
Added support Kubernetes 1.28support removed Kubernetes 1.23.
Added support for ALT Linux 10.0, 10.2.
Removed support for AlterOS.
Full list of changes in version 1.53.
Deckhouse 1.54: Announcement of the virtualization module rework and module configuration
Deckhouse version 1.54 was released on the Stable update channel on November 21, 2023. The main changes include the announcement of the virtualization module rework and module customization.
Let's take a closer look at them:
Module virtualization is due for a major rework soon. Starting with the 1.54 Deckhouse release, the current implementation of the module will not be enabled, but can be continued to be used if it was enabled previously (changing the module configuration is also blocked).
Parameter configOverrides The InitConfiguration resource has been deprecated. Now, configuring modules during and after Deckhouse installation is done the same way – using ModuleConfig resources.
Full list of changes in version 1.54.
Deckhouse 1.55: New Security Policy, Cilium Updates
Deckhouse version 1.55 was released on the Stable update channel on December 12, 2023. The main changes include the Cilium update and security improvements.
Let's take a closer look at them:
Updated Cilium version in module cni-cilium from version 1.12 to 1.14. Important notes:
Regressions in the network subsystem are possible, including those related to network policies.
Resource consumption by Cilium agents should be reduced.
Large volumes of network policies now load faster.
Removed deprecated CiliumEgressNATPolicy and CiliumBGPLoadBalancerIPPool CRDs.
In the module istio It is now possible to set a timeout for a TCP connection between a sidecar istio and service (parameter idletimeout).
Security policy has been established (P.S.S.) by default in the cluster (controlled by a new parameter defaultPolicy module admission-policy-engine). When installing Deckhouse fresh, starting with version 1.55, the cluster will use the Baseline security policy (prevents the most known and popular methods of privilege escalation).
Added an alert about decommissioning of the Yandex Cloud availability zone ru-central1-c.
Full list of changes in version 1.55.
Deckhouse 1.56: Istio 1.19 support and ability to force cluster upgrades
Deckhouse version 1.56 was released to the Stable update channel on January 16, 2024. The main changes include the introduction of support for Istio 1.19, disabling the virtualization module, and adding the ability to force a cluster update.
Let's take a closer look at them:
Support for the current implementation of the module has been discontinued. virtualization. Virtual machines, if deployed, must be removed and the module disabled, otherwise Deckhouse will not be able to update. (New module is already available.)
The naming format of resources created by the module has changed multi-tenancy manager. Resource names have become shorter (the project prefix has been removed from the resource name).
Added support for Istio 1.19.
Ingress controller version 1.1 is now considered obsolete, it is recommended to upgrade to the current version 1.9. Added an alert about using an obsolete controller version in the cluster.
A critical vulnerability in the JWT library and 14 high-level vulnerabilities in the module libraries have been closed runtime audit engine.
Applying the Deckhouse update is now possible forcedlyskipping the installed update windows (abstract release.deckhouse.io/apply-now: “true”)
Module trivy-operatorwhich configures cluster scanning of container images for vulnerabilities, now also works when installing Deckhouse in closed loops with a registry that has a self-signed certificate.
In control policies (module admission-policy-engine) now you can configure the limitation of the number of controller replicas (parameters section) replicaLimits).
Added support for the ru-central1-d zone in Yandex Cloud.
Full list of changes in version 1.56.
Deckhouse Kubernetes Platform 1.57: End of support for the current LINSTOR implementation and a new mechanism for working with pods
DKP version 1.57 was released on the Stable update channel on February 13, 2024. At the end of December 2023, we presented the Deckhouse ecosystemand to avoid confusion with the name of the flagship product, we renamed it DKP (Deckhouse Kubernetes Platform). The main changes include the discontinuation of support for the linstor module, which we removed in version 1.59. A new mechanism for working with modules was also introduced.
Let's take a closer look at them:
The module support has been discontinued linstor. The module will be removed in the 1.59 release of Deckhouse Kubernetes Platform. It is necessary to switch to using modules sds-local-volume, sds-node-configurator And sds-replicated-volume.
The PrometheusRemoteWrite resource, which configures the transmission of monitoring data via the Prometheus remote-write protocol, can now specify a CA certificate (parameter tlsConfig.ca). This is relevant when using self-signed certificates, in closed environments, etc.
In the module upmeter A fixed data rotation period has been set – one and a half years.
Now you can connect additional modules from the module source (resource ModuleSource), which are updated independently of the Deckhouse Kubernetes Platform update (working with internal modules has not changed, they continue to be updated along with the new version of Deckhouse). When updating Deckhouse Kubernetes Platform to version 1.57, the ModuleSource deckhouse is connected automatically.
You can manage module updates using the resource ModuleUpdatePolicywhich is created automatically and configured by default according to the current Deckhouse Kubernetes Platform update mode in the cluster.
Some commands to:
get a list of modules available in the ModuleSource deckhouse:
kubectl get ms deckhouse -o yaml;get release history and available module updates:
kubectl get mr;view module update mode (for ModuleSource deckhouse):
kubectl get mup deckhouse -o yaml.
The list of modules and documentation are available on the Deckhouse Kubernetes Platform website under Documentation → Modules.
Full list of changes in version 1.57.
Deckhouse Kubernetes Platform 1.58: Kubernetes 1.29 and VMware Cloud Director Support
DKP version 1.58 was released to the Stable update channel on March 26, 2024. The main changes include the addition of support for Kubernetes 1.29 and VMware Cloud Director.
Let's take a closer look at them:
Added support for working with VMware Cloud Director. The corresponding one is actively being developed cloud provider.
Changes when working with projects (module multi-tenancy manager):
The project is described by resources ProjectTemplate (project template, new resource) and Project (project instance). The ProjectType resource is deprecated and will be removed in a future release.
Three pre-configured project templates have been added: Basic, Secure, and Secure with Dedicated Nodes. Now, to create a project, you just need to create a Project resource (example). Read more about the available project templates in documentation.
The WithNATInstance deployment scheme, a provider for Yandex Cloud, now includes a section for managing NAT instance resources (parameter natInstanceResources).
Full list of changes in version 1.58.
Deckhouse Kubernetes Platform 1.59: New SE and BE Editions and New Grafana
DKP version 1.59 was released on the Stable update channel on May 15, 2024. The main changes include the introduction of new platform editions and an update to Grafana.
Let's take a closer look at them:
The module has been discontinued linstor. Deckhouse Kubernetes Platform will not update if the module linstor enabled. Before updating the DKP, you must go to to use the module sds-replicated-volume.
Added BE and SE editions of Deckhouse Kubernetes Platform. Version summary:
Community Edition is a free-to-use version of the platform.
Basic Edition — an edition with support for Russian operating systems for deployment in Public Cloud or On-Premise with Internet access.
Standard Edition — for non-critical environments without dynamic scaling and increased security requirements, including in closed environments without Internet access.
Enterprise Edition — for productive environments in private clouds and On-Premise, including multi-data center and multi-cloud installations, with increased security requirements.
Certified Security Edition — a version certified by FSTEC of Russia for protecting confidential information in information systems will be available in Q2 2024.
You can also see the summary table by edition:
Added high availability mode for Deckhouse. In clusters with more than one master node, the DKP core will now, like many other components, automatically run in multiple replicas. High availability mode can be controlled globally or at the module level (parameter highAvailability module).
Added aggregating proxy for monitoring metrics (based on promxy and mimir). This will allow using a single data source in Grafana (datasource), which will contain combined data from all Prometheus Main and Prometheus Longterm replicas.
Added Grafana v10:
A separate domain has been allocated for the new Grafana — grafana-v10 (according to the one installed in the cluster name template), but in the future the new Grafana will replace the current version at the usual address.
Some dashboards will not work in Grafana v10 without fixes, so for some time there will be two Grafana running in the cluster.
Added alerts for dashboards that require migration due to unsupported plugins or alerts. The alerts will provide details on the steps needed to migrate to Grafana v10.
Full list of changes in version 1.59.
Deckhouse Kubernetes Platform 1.60: Installer Configuration Files and Route Calculation Method on Nodes for OpenStack
DKP version 1.60 was released on the Stable update channel on June 5, 2024. The main changes include the ability to split the DKP installer configuration into any number of files, as well as an update to the method for calculating routes on nodes for the OpenStack provider.
Let's take a closer look at them:
The DKP installer configuration (dhctl utility) can be split into any number of files by specifying them through multiple use of the parameter
--config. The installer will determine the required order of resource application. Parameter--resourcesis considered deprecated and will be removed in future releases.For the Yandex Cloud provider, support for high-performance SSD drives with the network-ssd-io-m3 type has been added.
The OpenStack provider has updated the method for calculating routes on nodes. Now new nodes with multiple network interfaces on Ubuntu 22.04 and above are configured correctly.
Fixed a bug where DKP could roll back to a lower version after installation.
Full list of changes in version 1.60.
Conclusion
Deckhouse Kubernetes Platform is actively evolving and being developed. In this article, we tried to briefly review the history of changes that have occurred with the platform over the past year.
To get acquainted with the Deckhouse platform, we recommend that you study the section “Fast start” (available in Russian and English).
Useful links to project resources:
P.S.
Read also in our blog:
