Merge pull request #3999 from justinsb/relnotes

Release notes for 1.8.0

docs/releases/1.8-NOTES.md

@@ -1,4 +1,3 @@
-_This is a WIP document describing changes to the upcoming kops 1.8 release_
 
 # Significant changes
 
@@ -7,6 +6,21 @@ is not recommended, but will be the default value for existing clusters or clust
   `kops create cluster` with `--networking flannel` will use `vxlan`, `--networking flannel-vxlan`
   or `--networking flannel-udp` can be specified to explicitly choose a backend mode.
 
+* IAM lockdown on new clusters: we define the existing policy as `legacy`, it defaults to true for existing clusters;
+  new clusters will have `legacy: false` which will mean that only IAM policies needed by kops / k8s are guaranteed to be
+  set.  If you are using IAM credentials for your application workload, please either set `legacy: true`, or use your own
+  IAM roles (direct credentials or kube2iam)
+
+* New AWS instance types: P3, C5, M5, H1.  Please note that NVME volumes are not supported on the default jessie
+  image, so masters will not boot on M5 and C5 instance types unless a stretch image is chosen (change stretch to jessie in the image name).
+  Also note that kubernetes will not support mounting persistent volumes on NVME instances until Kubernetes 1.9.
+
+* While Aggregated API Servers are supported, there are known issues in kubernetes
+  such as (#55022)[https://github.com/kubernetes/kubernetes/issues/55022].  Note that this includes metrics-server and kopeio
+  authentication.  Please consider waiting for 1.8.5 / 1.9.0 before deploying into production.
+
+* Includes fix for kube-dns CVE-2017-14491 (was also included in kops 1.7.1)
+
 # Required Actions
 
 * Existing Calico users on clusters that were created prior to kops 1.8.0
@@ -22,10 +36,77 @@ or `--networking flannel-udp` can be specified to explicitly choose a backend mo
   5. Confirm cluster is back up and all canal pods are running successfully: `kops validate cluster` (this may take a few minutes for the cluster to fully validate)
   6. Delete the upgrade job as it is no longer required: `kubectl delete job calico-upgrade-v2.5` (you can also safely delete the `clusterrole`, `clusterrolebinding` and `serviceaccount` resources that were created by the above manifest file)
 
-# Full changelist
+# Highlighted changes
 
-* ExperimentalCriticalPodAnnotation feature gate is now enabled by default in kubelet [@andreychernih](https://github.com/andreychernih) [#3345](https://github.com/kubernetes/kops/pull/3345)
+* Support for etcd3 for new clusters, also allow etcd TLS to be enabled for new clusters.  etcd peer port is also locked down.
-* Upgrade Calico to v2.4.1 (thanks @tmjd)
+
+* Support for custom metrics.  Please exercise caution enabling before kubernetes 1.8.5 due to aggregation known issues.
+
+* Add `kops create secret dockerconfig`
+
+* `kops replace --create` will now replace-or-create, which is useful for CI / automated workflows
+
+* `--watch-ingress` flag on dns-controller can now be configured through `cluster.spec.externalDns.watchIngress: true`
+
+* kubelet security can be enabled with `cluster.spec.kubelet.anonymousAuth: true`.  Will likely be default in kops 1.9
+
+* Improved logic around when a rolling-update is needed
+
+* Better support and [documentation](../node_resource_handling.md) for node resources
+
+* Enhanced cluster hooks support
+
+* Support for clusters where network access must use an HTTP proxy
+
+* We now automatically add a default NodeLabel with the InstanceGroup name
+
+* Addons: added external-dns, kube-state-metrics addon.  Updates for autoscaler, dashboard, heapster, 
+
+* Networking: initial support or kube-router & romana.  Updates for weave, kopeio-networking, flannel, canal, calico.
+
+* Docker: Docker 1.13.1 will be used with kubernetes 1.8 (overrides for 17.03.2 and 17.09 possible).
+
+* Debian 9 (stretch) now supported.  AMIs updated with 4.4.102 kernel.  A stretch based AMI is available, but jessie
+remains the default.  We will likely change the default to stretch in kops 1.9 or kops 1.10.
+
+* CoreOS: logrotate support & docker fixes
+
+* Don't store unneeded secrets on the node
+
+* ExperimentalCriticalPodAnnotation now enabled by default.  Updated critical pod annotations to avoid eviction of system pods
+
+* Ensure iptables forwarding is enabled, avoiding breaking CNI plugins if Docker or the OS sets a different default.
+
+*AWS*:
+
+* New instance types: P3, C5, M5, H1.  Please note that NVME volumes are not supported on the default jessie
+image, so masters will not boot on M5 and C5 instance types unless a stretch image is chosen (change stretch to jessie in the image name).
+Also kubernetes will not support mounting persistent volumes on NVME instances until Kubernetes 1.9.
+* Support for root provisioned IOPS.
+* Properly tag public and private subnets for ELB creation in advanced network topologies
+* Use SSL in ELB API server health check
+
+*GCE*:
+
+* Checks that networks are in auto mode, not legacy mode.  You can either switch your network (`gcloud compute networks switch-mode`)
+or specify a different network (current using `--vpc` flag)
+* Supports rolling updates and the containerized mounter.
+* Sets bucket permissions, so your state bucket and compute can be in different projects.
+
+*Early support for*:
+
+* DigitalOcean
+* OpenStack
+* Templating with `kops toolbox template`
+* cloud-controller-manager
+* encryption-at-rest for the kube-apiserver
+* Mirroring assets to a private S3 bucket, for airgapped installs
+* Mirroring configuration so that kops-state store need not be cluster-accessible (for use with kops-server)
+* Phases, to allow separation of networking, security & compute management
+* Audit Policy
+* CA keypair rotation
+* Additional Subject Alternate Names
+* building code using bazel
 
 
 # All PRs

docs/releases/1.9-NOTES.md

@@ -0,0 +1,14 @@
+## This document will be used to build the release notes for kops 1.9
+
+
+# Significant changes
+
+
+# Required Actions
+
+
+# Highlighted changes
+
+# Full change list
+
+(will be populated from git log)