Pivotal Container Service v1.2

PKS Release Notes

This topic contains release notes for Pivotal Container Service (PKS) v1.2.x.

v1.2.10

Release Date: February 22, 2019

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.10 |
| Release date | February 22, 2019 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.57 |
| Kubernetes version | v1.11.6 |
| On-Demand Broker version | v0.24 |
| CFCR | v0.21.13 |
| NSX-T versions | v2.2, v2.3.0.2, v2.3.1 |
| NCP version | v2.3.1 |
| Docker version | v18.06.3-ce |

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

Upgrade Path

The supported upgrade path to PKS v1.2.10 is from PKS v1.2.8 or v1.2.9. To upgrade to PKS v1.2.10, you must first upgrade to PKS v1.2.8 or later.

Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.10.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.10 adds the following:

  • Fix: CVE-2019-5736. This release updates the version of Docker deployed by PKS to v18.06.3-ce. This Docker version addresses a runc vulnerability whereby a malicious image could run in privileged mode and elevate to root access on worker nodes. Docker v18.06.2-ce, deployed by PKS v1.2.9, did not contain the correct compiled binary. Docker v18.06.3-ce includes the correct runc binary to address the CVE.

v1.2.9

Release Date: February 13, 2019

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.9 |
| Release date | February 13, 2019 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.47 |
| Kubernetes version | v1.11.6 |
| On-Demand Broker version | v0.24 |
| CFCR | v0.21.13 |
| NSX-T versions | v2.2, v2.3.0.2, v2.3.1 |
| NCP version | v2.3.1 |
| Docker version | v18.06.2-ce |

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

Upgrade Path

The supported upgrade path to PKS v1.2.9 is from PKS v1.2.8. To upgrade to PKS v1.2.9, you must first upgrade to PKS v1.2.8.

Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.9 adds the following:

  • Fix: CVE-2019-5736. This fix updates the version of Docker deployed by PKS to v18.06.2-ce. This Docker version addresses a runc vulnerability whereby a malicious image could run in privileged mode and elevate to root access on worker nodes.
  • Fix: CVE-2019-3779. This fix addresses a vulnerability where certificates signed by the Kubernetes API could be used to gain access to a PKS-deployed cluster’s etcd service.

v1.2.8

Release Date: February 8, 2019

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.8 |
| Release date | February 8, 2019 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.47 |
| Kubernetes version | v1.11.6 |
| On-Demand Broker version | v0.24 |
| CFCR | v0.21.13 |
| NSX-T versions | v2.2, v2.3.0.2, v2.3.1 |
| NCP version | v2.3.1 |
| Docker version | 17.12.1-ce |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

Upgrade Path

The supported upgrade path to PKS v1.2.8 is from PKS v1.2.7. To upgrade to PKS v1.2.8, you must first upgrade to PKS v1.2.7.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.8 adds the following:

Certificates for the Etcd instance for each Kubernetes cluster provisioned by PKS are generated with a four-year lifetime and signed by a new Etcd Certificate Authority (CA).

v1.2.7

Release Date: February 8, 2019

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.7 |
| Release date | February 8, 2019 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.47 |
| Kubernetes version | v1.11.6 |
| On-Demand Broker version | v0.24 |
| CFCR | v0.21.13 |
| NSX-T versions | v2.2, v2.3.0.2, v2.3.1 |
| NCP version | v2.3.1 |
| Docker version | 17.12.1-ce |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

Upgrade Path

The supported upgrade paths to PKS v1.2.7 are from PKS v1.2.6 or v1.2.5.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.7 adds the following:

  • Xenial Stemcell v97.47.
  • A new Certificate Authority (CA) for the Etcd instance for each Kubernetes cluster provisioned by PKS.

v1.2.6

Release Date: January 4, 2019

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.6 |
| Release date | January 4, 2019 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.43 |
| Kubernetes version | v1.11.6 |
| On-Demand Broker version | v0.24 |
| NSX-T versions | v2.2, v2.3.0.2, v2.3.1 |
| NCP version | v2.3.1 |
| Docker version | 17.12.1-ce |
| CFCR | v0.21.12 |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.6 are from PKS v1.2.0 and later.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.6 adds support for the following:

  • Xenial Stemcell v97.43.
  • Fix: PKS v1.2.4 and v1.2.5 introduced a bug that could cause the master nodes of clusters to reach 100% of CPU and memory utilization and become unresponsive when syslog was enabled in the PKS tile. This issue is resolved.

v1.2.5

Release Date: December 28, 2018

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.5 |
| Release date | December 28, 2018 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.42 |
| Kubernetes version | v1.11.6 |
| On-Demand Broker version | v0.24 |
| NSX-T versions | v2.2, v2.3.0.2, v2.3.1 |
| NCP version | v2.3.1 |
| Docker version | 17.12.1-ce |
| CFCR | v0.21.12 |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.5 are from PKS v1.2.0 and later.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.5 adds support for the following:

  • Fix: CVE-2018-18264 applied. This fixes the security issue related to using Kubernetes Dashboard’s service account. For more information, see pull requests #3400 and #3289 in the Kubernetes GitHub repo.
  • Kubernetes v1.11.6.
  • New certificates are now generated for UAA SAML usage with 4 year expiration.
  • New CAs for components to allow for zero-downtime certificate rotation in future PKS releases.

Known Issues

The following known issues apply to the PKS v1.2.5 release:

  • PKS v1.2.4 and v1.2.5 introduced a bug. When syslog is enabled in the PKS tile, a condition can occur that could cause the master nodes of clusters to reach 100% of CPU and memory utilization and become unresponsive. Upgrade to PKS v1.2.6 or later to resolve.

v1.2.4

Release Date: December 10, 2018

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.4 |
| Release date | December 10, 2018 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+, v2.4.x |
| Stemcell version | v97.39 |
| Kubernetes version | v1.11.5 |
| On-Demand Broker version | v0.24 |
| NSX-T versions | v2.2, v2.3.0.2 |
| NCP version | v2.3.1 |
| Docker version | 17.12.1-ce |

PKS v1.2.4 adds support for Ops Manager v2.4.x. If you want to upgrade Ops Manager to v2.4.x, you must upgrade PKS to v1.2.4 and then upgrade Ops Manager to v2.4.x. For instructions on upgrading PKS, see Upgrading PKS.

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.4 are from PKS v1.1.5 and later.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.4 adds support for the following:

  • Sink resource support in internetless environments.
  • Support for Multiple Tier-0 routers in NSX-T.
  • Support for NSX-T ODB v0.24.
  • Support for bootstrap security group, custom floating IP, and edge router selection using Network Profiles with NSX-T.
  • Fix: Log files should no longer fill the ephemeral disk on Kubernetes API instances.
  • Fix: You can now add a new plan to a tile, redeploy the tile, and then create a cluster using the new plan.
  • Fix: The command pks delete-cluster releases SNAT floating IP allocated for Kubernetes namespaces.
  • Fix: For vSphere with NSX-T, the HTTP Proxy password field supports the following special characters: <, :, ?, and +.

Known Issues

The following known issues apply to the PKS v1.2.4 release:

  • PKS v1.2.4 and v1.2.5 introduced a bug. When syslog is enabled in the PKS tile, a condition can occur that could cause the master nodes of clusters to reach 100% of CPU and memory utilization and become unresponsive. Upgrade to PKS v1.2.6 or later to resolve.
  • If creating a cluster using the pks create-cluster command results in a failed state and you want to delete the cluster, you must run the bosh -d DEPLOYMENT-NAME delete-deployment command before running the pks delete-cluster command. For more information, see Cluster Creation Fails in the Troubleshooting topic.
  • For vSphere with NSX-T, the HTTP Proxy password field does not support the following special characters: & or ;.
  • If you are upgrading to PKS v1.2.3 or later and have an existing proxy configuration, also include the following IP addresses in the No Proxy field: NSX Manager, vCenter Server, and all ESXi hosts.

v1.2.3

Release Date: November 30, 2018

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.3 |
| Release date | November 30, 2018 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+ |
| Stemcell version | v97.34 |
| Kubernetes version | v1.11.5 |
| On-Demand Broker version | v0.24 |
| NSX-T versions | v2.2, v2.3 |
| NCP version | v2.3.1 |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.3 are from PKS v1.1.5 and later.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.3 adds support for the following:

  • NSX-T and vCenter IaaS proxy.
  • Large-sized NSX-T load balancer with bare metal Edge Node.
  • You can specify the size of the Pods IP Block subnet using Network Profiles.
  • Kubernetes v1.11.5.
  • On-demand-broker v0.24.
  • Xenial Stemcell v97.34.
  • Fix: Issue with mounting NFS Persistent Volumes is resolved.
  • Security Fix: addresses CVE-2018-1002105.

Known Issues

The following known issues apply to the PKS v1.2.3 release:

  • If creating a cluster using the pks create-cluster command results in a failed state and you want to delete the cluster, you must run the bosh -d DEPLOYMENT-NAME delete-deployment command before running the pks delete-cluster command.
  • If you are upgrading to PKS v1.2.3 and have an existing proxy configuration, also include the following IP addresses in the No Proxy field: NSX Manager, vCenter Server, and all ESXi hosts.
  • Special characters in the HTTP Proxy password field are not supported.

v1.2.2

Release Date: November 14, 2018

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.2 |
| Release date | November 14, 2018 |
| Compatible Ops Manager versions | v2.2.3+, v2.3.1+ |
| Stemcell version | v97.17 |
| Kubernetes version | v1.11.3 |
| On-Demand Broker version | v0.23 |
| NSX-T versions | v2.2, v2.3 |
| NCP version | v2.3 |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.2 are from PKS v1.1.5 and later.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.2 includes updates to the containers that underlie sink resources and Wavefront integration. These updates do not add functionality and should not impact existing functionality.

Known Issues

The following known issues apply to the PKS v1.2.2 release:

  • If creating a cluster using the pks create-cluster command results in a failed state and you want to delete the cluster, you must run the bosh -d DEPLOYMENT-NAME delete-deployment command before running the pks delete-cluster command.
  • If you are upgrading to PKS v1.2.3 and have an existing proxy configuration, also include the following IP addresses in the No Proxy field: NSX Manager, vCenter Server, and all ESXi hosts.

v1.2.1

Release Date: November 2, 2018

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.1 |
| Release date | November 2, 2018 |
| Compatible Ops Manager versions | v2.2.2+, v2.3.1+ |
| Stemcell version | v97.17 |
| Kubernetes version | v1.11.3 |
| On-Demand Broker version | v0.23 |
| NSX-T versions | v2.2, v2.3 |
| NCP version | v2.3 |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.1 are from PKS v1.1.5 and later.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.

What’s New

PKS v1.2.1 adds support for the following:

  • Routable pod networks for assigning each pod in a Kubernetes cluster a routable (public) IP address. For more information, see Routable IP Addresses for Pods in Using Network Profiles (NSX-T Only).
  • Configurable maximum number of worker nodes per Kubernetes cluster. Previously the maximum was 50 and not configurable. For more information, see the Plans section of the Installing PKS topic for your IaaS. For example, Plans in Installing PKS on vSphere.
  • Sink resources for Kubernetes clusters. For more information, see Creating Sink Resources.
  • Kubernetes v1.11.3.
  • Updated On-Demand Broker.
  • Updated UAA.

Known Issues

The following known issues apply to the PKS v1.2.1 release:

  • If creating a cluster using the pks create-cluster command results in a failed state and you want to delete the cluster, you must run the bosh -d DEPLOYMENT-NAME delete-deployment command before running the pks delete-cluster command.
  • After upgrading to PKS v1.2.1, creating a ClusterSink fails. This issue occurs only after upgrading to PKS v1.2.1 and does not apply to new installations of PKS v1.2.1 or later. For more information, see the corresponding Knowledge Base article.

v1.2.0

Release Date: September 27, 2018

WARNING: PKS v1.2.8 and earlier includes a critical CVE. Follow the procedures in the PKS upgrade approach for CRITICAL CVE article in the Pivotal Support Knowledge Base to perform an upgrade to PKS v1.2.9.

Product Snapshot

| Element | Details |
|---|---|
| Version | v1.2.0 |
| Release date | September 27, 2018 |
| Compatible Ops Manager versions | v2.2.2+, v2.3.1+ |
| Stemcell version | v97.17 |
| Kubernetes version | v1.11.2 |
| On-Demand Broker version | v0.22 |
| NSX-T versions | v2.2, v2.3 |
| NCP version | v2.3 |

vSphere Version Requirements

If installing PKS on vSphere or vSphere with NSX‑T, please note Ops Manager and PKS support the following vSphere component versions:

Versions:
  • VMware vSphere 6.7 U1
  • VMware vSphere 6.7.0
  • VMware vSphere 6.5 U2
  • VMware vSphere 6.5 U1

Editions:
  • vSphere Enterprise Plus
  • vSphere with Operations Management Enterprise Plus

Note: VMware vSphere 6.7 is only supported with Ops Manager v2.3.1 or later and NSX‑T v2.3.

For more information, see Upgrading vSphere in an NSX Environment in the VMware documentation.

Feature Support by IaaS

AWS GCP vSphere vSphere with NSX-T
Automatic PKS control plane load balancer *
Automatic cluster load balancer
HTTP proxy
Multi-AZ storage
Per-namespace subnets
Service type:LoadBalancer **

* Enter the load balancer name in the Resource Config tab to connect the load balancer to the PKS control plane. For more information, see the Resource Config section of Installing PKS on AWS.

** For more information about configuring Service type:LoadBalancer on AWS, see the Access Workloads Using an Internal AWS Load Balancer section of Deploying and Accessing Basic Workloads.

Upgrade Path

The supported upgrade paths to PKS v1.2.0 are from PKS v1.1.5 and later.

For customers who have deployed PKS v1.1.5 with NSX-T, NSX-T v2.2 is the version supported for upgrades to PKS v1.2.0.

For more information, see Upgrading PKS and Upgrading PKS with NSX-T.
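The Upgrade Path sections of the releases on this page can be chained to find the shortest supported route from an installed release to v1.2.10, the release that carries the corrected runc binary. The following Python is an added example, not Pivotal tooling: the names `RULES`, `sources` and `plan` are hypothetical, and "vX and later" is expanded, as an assumption, to the releases named on this page that precede the target.

```python
from collections import deque

# Releases named on this page (v1.1.5 appears only as an upgrade source).
RELEASES = ["1.1.5"] + [f"1.2.{n}" for n in range(11)]

# Upgrade rules transcribed from the "Upgrade Path" sections of this page.
#   ("exact", [...])  -> only the listed releases are supported sources
#   ("since", "x")    -> "from PKS vX and later" (assumption: every release
#                        on this page with x <= release < target)
RULES = {
    "1.2.10": ("exact", ["1.2.8", "1.2.9"]),
    "1.2.9": ("exact", ["1.2.8"]),
    "1.2.8": ("exact", ["1.2.7"]),
    "1.2.7": ("exact", ["1.2.5", "1.2.6"]),
    "1.2.6": ("since", "1.2.0"),
    "1.2.5": ("since", "1.2.0"),
    "1.2.4": ("since", "1.1.5"),
    "1.2.3": ("since", "1.1.5"),
    "1.2.2": ("since", "1.1.5"),
    "1.2.1": ("since", "1.1.5"),
    "1.2.0": ("since", "1.1.5"),
}


def key(version):
    """Numeric sort key, so that 1.2.10 orders after 1.2.9."""
    return tuple(int(part) for part in version.split("."))


def sources(target):
    """Return the set of releases from which `target` may be installed."""
    kind, arg = RULES[target]
    if kind == "exact":
        return set(arg)
    return {r for r in RELEASES if key(arg) <= key(r) < key(target)}


def plan(current, goal="1.2.10"):
    """Shortest chain of supported upgrades from `current` to `goal`.

    Breadth-first search over the upgrade graph. Among equally short
    chains, the highest release is preferred at each hop. Returns a list
    of versions including both endpoints, or None when no supported
    path exists (for example, a downgrade).
    """
    if current not in RELEASES or goal not in RELEASES:
        raise ValueError("release not listed on this page")
    previous = {current: None}
    queue = deque([current])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = previous[node]
            return path[::-1]
        reachable = sorted(
            (t for t in RULES if node in sources(t)), key=key, reverse=True
        )
        for target in reachable:
            if target not in previous:
                previous[target] = node
                queue.append(target)
    return None


if __name__ == "__main__":
    for release in RELEASES:
        route = plan(release)
        print(f"v{release}: " + " -> ".join("v" + hop for hop in route))
```

Each hop in a returned chain is still a separate upgrade that must follow the procedures referenced in the Upgrade Path section of the target release.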

What’s New

PKS v1.2.0 adds support for the following:

  • Network profiles for per-cluster customization and choice of load balancer size for PKS deployments with NSX-T. For more information, see Using Network Profiles (NSX-T Only).
  • Xenial stemcells.
  • Multi-master clusters. For more information, see the Plans section of Installing PKS for your IaaS.
  • OpenID Connect (OIDC) authentication strategy in Kubernetes. For more information, see the Configure OpenID Connect section of Installing PKS for your IaaS.
    • Cluster administrators can use LDAP users and groups in RoleBinding and ClusterRoleBinding objects. For more information, see Managing Users in PKS with UAA.
  • Namespace sinks. For more information, see Creating Sink Resources.
  • PKS can be deployed on Amazon Web Services (AWS). For more information, see the Amazon Web Services (AWS) topic.
  • You can specify the number of worker nodes to be installed in parallel. For more information, see the PKS API section of Installing PKS for your IaaS.
  • Metrics server is deployed by default. Heapster is still deployed but will be removed in a future release per Kubernetes deprecation notice.
  • Support for Horizontal Pod Autoscaling.
  • Support for the HostPort feature to allow pods to open external ports on the worker node.
  • ETCD release v3.3.9.
  • Updated admission controllers based on Kubernetes recommendations, including DefaultTolerationSeconds and ValidatingAdmissionWebhook. NamespaceExists has been removed.
  • Changed Docker storage driver from overlay to overlay2. The old images will remain on each worker in the /var/vcap/data/docker/docker/overlay directory.
  • Support for the NTLM formatted usernames for vSphere.
  • Improved drain script for large cluster upgrades.
  • Deprecated support for NSX-T v2.1.
  • Fix: vSphere credentials are not stored in the BOSH manifest.

Known Issues

The following known issues apply to the PKS v1.2.0 release:

  • If creating a cluster using the pks create-cluster command results in a failed state and you want to delete the cluster, you must run the bosh -d DEPLOYMENT-NAME delete-deployment command before running the pks delete-cluster command.
  • If you use a space in any field entry in the PKS tile, the deployment of PKS fails. Ensure your field entries in the PKS tile do not contain leading and trailing spaces or spaces between characters.
  • When the PKS tile is being redeployed (during PKS tile upgrade, for instance), the following error message may appear in the Ops Manager status log: Failed Jobs: pks-api. The workaround is to disable telemetry data collection in the Usage Data pane of the PKS tile.
  • For PKS with NSX-T, using the Generate RSA Certificate option in the Networking section of the PKS tile for generating the NSX Manager Super User Principal Identity Certificate results in the following error during deployment of PKS:

    ERROR: NSX-T Precheck failed due to error code:
    403, error message: The credentials were incorrect
    or the account specified has been locked.

    This error is the result of a change in the cURL version as part of the stemcell upgrade from Ubuntu v14.04 to v16.04. In Ubuntu 16.04, cURL comes with GnuTLS instead of OpenSSL. For a workaround, use the manual approach for generating the principal identity certificate and key as described in Generating and Registering the NSX Manager Superuser Principal Identity Certificate and Key.

  • Namespace sinks do not work in environments without internet access.

  • Due to a limitation with the NSX-T v2.2 scheduler component, VMware recommends that you do not use a medium-sized load balancer at this time, even if the NSX-T edge cluster has more than two edge node VMs. This limitation is addressed in NSX-T v2.3, which PKS v1.2.0 supports.

  • When using AWS, you must select a VM type under Master/ETCD VM Type, Worker VM Type, and Errand VM Type in the Plans section of the PKS tile in order to save a plan on the tile. You cannot leave the VM type on Automatic. The recommended minimum VM type is t2.medium.

  • Existing certificates will expire after a year. The certificates will be updated in a future release.

  • The External Groups Whitelist field in the UAA section of the PKS tile has a 4000 character limit due to the size limitation of JWT tokens.

  • In an internetless environment, the images for the kube-system components must be present within the environment to allow the overlay2 upgrade.

  • Kubernetes end users must manually configure their kubeconfig in order to use their LDAP credentials if OIDC is turned on.

  • UAA refresh token for OIDC authorization is currently not supported.

  • When creating a cluster with the pks create-cluster command, you cannot use the \ character in the value for --external-hostname. For more information about creating clusters, see the Create a Kubernetes Cluster section of Creating Clusters.

  • When a cluster is created, the output logs will contain the following warning: Warning: DNS address not available for the link provider instance: pivotal-container-service/[uuid]. It has no effect on the cluster creation.

  • Enabling Telemetry on environments without Internet access causes tile installation to fail.

  • When Enable UAA as OIDC Provider is selected in the UAA pane of the PKS tile, the Kubernetes Dashboard no longer works with the kubeconfig option. Currently, external identity providers and certificate-based authentication are not supported in Kubernetes.


Please send any feedback you have to pks-feedback@pivotal.io.
