From 81d00f4bc32e622bb623fc32ba98797f5cb93dad Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Fri, 10 Sep 2021 13:45:02 +0200
Subject: [PATCH] Note about breaking change for apiserver files
---
 docs/cluster_spec.md | 8 ++++----
 docs/releases/1.22-NOTES.md | 21 +++++++++++++++++++++
 2 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md
index c23161d60c..fc29bc8388 100644
--- a/docs/cluster_spec.md
+++ b/docs/cluster_spec.md
@@ -376,10 +376,10 @@ spec:
 auditLogMaxBackups: 1
 auditLogMaxSize: 100
 auditLogPath: /var/log/kube-apiserver-audit.log
- auditPolicyFile: /srv/kubernetes/audit/policy-config.yaml
+ auditPolicyFile: /srv/kubernetes/kube-apiserver/audit-policy-config.yaml
 fileAssets:
 - name: audit-policy-config
- path: /srv/kubernetes/audit/policy-config.yaml
+ path: /srv/kubernetes/kube-apiserver/audit-policy-config.yaml
 roles:
 - Master
 content: |
@@ -403,10 +403,10 @@ Webhook backend sends audit events to a remote API, which is assumed to be the s
 spec:
 kubeAPIServer:
 auditWebhookBatchMaxWait: 5s
- auditWebhookConfigFile: /srv/kubernetes/audit/webhook-config.yaml
+ auditWebhookConfigFile: /srv/kubernetes/kube-apiserver/audit-webhook-config.yaml
 fileAssets:
 - name: audit-webhook-config
- path: /srv/kubernetes/audit/webhook-config.yaml
+ path: /srv/kubernetes/kube-apiserver/audit-webhook-config.yaml
 roles:
 - Master
 content: |
diff --git a/docs/releases/1.22-NOTES.md b/docs/releases/1.22-NOTES.md
index db96034762..3fd52e125b 100644
--- a/docs/releases/1.22-NOTES.md
+++ b/docs/releases/1.22-NOTES.md
@@ -56,6 +56,27 @@ Currently this is only available using the AWS cloud provider. # Breaking changes +## kube-apiserver no longer mounts /srv/kubernetes + + For security reasons, `/srv/kubernetes` is no longer mounted in the kube-apiserver Pod. This also means the files in the default file assets path will be unavailable. If you have file assets or other files needed by kube-apiserver, you must put these into `/srv/kubernetes/kube-apiserver/`. + +For file assets, it means adding an explicit path as shown below: + +```yaml + fileAssets: + - name: audit-policy-config + path: /srv/kubernetes/kube-apiserver/audit-policy-config.yaml # make sure you add the path + roles: + - Master + content: | + apiVersion: audit.k8s.io/v1 + kind: Policy + rules: + - level: Metadat +``` + +## Other breaking changes + * Support for Kubernetes versions 1.15 and 1.16 has been removed. * The legacy addons from `https://github.com/kubernetes/kops/tree/master/addons` have been deprecated and will not be available in Kubernetes 1.23+. Use [managed addons](https://kops.sigs.k8s.io/addons) instead.