Release notes for kops 1.16 series

Significant changes

To address the issue of IPv4 only clusters being susceptible to MitM attacks via IPv6 rogue router advertisements, the affected components have been upgraded as follows:
- Docker version 19.03.11 - CVE-2020-13401 (optional)
- CNI plugins 0.8.6 - CVE-2020-10749
- Calico 3.9.6 - CVE-2020-13597
- Weave Net 2.6.5 - CVE-2020-11091
If upgrading from 1.11 or earlier, please see the notes in previous releases about upgrading through kubernetes 1.12, with the etcd3 upgrade.
A new component runs on the master nodes now: kops-controller. kops-controller currently labels nodes, but will likely perform additional functionality in future releases.

Breaking changes

Support for Docker versions 1.11, 1.12 and 1.13 has been removed because of the dockerproject.org shut down. Those affected must upgrade to a newer Docker version.
Please see the notes in the 1.15 release about the apiGroup changing from kops to kops.k8s.io
A controller is now used to apply labels to nodes. If you are not using AWS, GCE or OpenStack your (non-master) nodes may not have labels applied correctly.

Required Actions

If either a kOps 1.16 alpha release or a custom kOps build was used on a cluster, a kops-controller Deployment may have been created that should get deleted. Run kubectl -n kube-system delete deployment kops-controller after upgrading to kOps 1.16.0-beta.1 or later.
Kubernetes 1.9 users will need to enable the PodPriority feature gate. This is required for newer versions of kOps.

To enable the Pod priority feature, follow these steps:
```
kops edit cluster
# Add the following section
spec:
  kubelet:
    featureGates:
      PodPriority: "true"
```

Deprecations

Support for Kubernetes releases prior to 1.9 is deprecated and will be removed in kops 1.18.
The kops/v1alpha1 API is deprecated and will be removed in kops 1.18. Users of kops replace will need to supply v1alpha2 resources.

Full change list since 1.15.0 release

1.15.0-alpha.1 to 1.16.0-alpha.1

Update release notes for 1.15.0-alpha.1 @justinsb #7535
When fast-building, copy a newer version of utils.tar.gz @justinsb #7536
Bootstrap: protokube labels its own node with node-role label @justinsb #7537
Update copyright notices @mikesplain #7542
Add a few docs comments on gomod and bazel @mikesplain #7541
Calico update and typha @gjtempleton,@mikesplain #7528
"Force" k8s 1.11.10 @justinsb #7423
Log more sensibly when we can't get sha256 @justinsb #7555
[Feature] CoreDNS: External CoreFile option @gjtempleton,@mikesplain #7376
Fix gomod errors @mikesplain #7571
Add horizontalPodAutoscalerDownscaleStabilization @mikesplain #7573
Associate subnets to port within OpenStack @mitch000001 #7578
Fix kops for us-gov-east-1 #7564 @ibrf #7565
Promote 1.13 AMI from alpha to stable @rifelpet #7590
Add myself @rifelpet as a reviewer @rifelpet #7587
Fix mkdocs @mikesplain #7591
Add missing OpenStack reference @marsavela #7567
Fix Dropped Errors in upup @alrs #7586
Promote 2019-08-16 AMIs from alpha -> stable @justinsb #7594
hack/update-expected.sh: mask development env vars @justinsb #7595
"Force" k8s 1.11.10 in stable channel @justinsb #7596
add cilium in error message @PascalBourdier #7601
Clean security groups if api/ssh ips are removed from config @zetaab #7561
[DO-7442] Digital Ocean add consistent volume and droplet tags for multi master feature @srikiz #7566
Expose API Server flags needed for AWS pod identities @rifelpet #7610
Add logrotate for etcd/etcd-events.log @mikesplain #7614
Updated container-selinux url to point to the right path @igarcia-sugarcrm,@mikesplain #7609
Check the HTTP response code when downloading URLs @rifelpet #7611
Update rules_go with some fixes @mikesplain #7625
Change Cilium templates to standalone version @nebril,@olemarkus #7474
Skip Docker install @austinmoore- #6957
Add --wait argument to kops validate @justinsb #7371
Fixed "NeedsUpdate" status of nodes in mixedinstancegroups after rolling update @hippolin #7445
fix instance name @zetaab #7641
Use without external router (OpenStack) @zetaab #7644
Openstack: value if spec does not associate public ips @mitch000001 #7649
Updating master IAM policies. @michalschott #7580
Machine types g4dn @mikesplain #7653
OpenStack: Additional security groups for instances @mitch000001 #7581
Add arg min-port=1024 to dnsmasq container in kube-dns @nr17 #7020
Release notes for 1.13.1 @justinsb #7666
Pull centos.org packages from the vault @justinsb #7674
fix-typo @tanjunchen #7669
Align AWS and kops validation for spot allocation strategy @coufalja #7660
Add relnotes for 1.13.2 @justinsb #7681
Fix some bugs reported by staticcheck @rifelpet #7663
Bump k8s versions in alpha channel @olemarkus #7647
Misleading description for KubeProxy MetricsBindAddress @RmMsr #7672
Fix for tarball image names after 1.16 @justinsb #7686
Cilium standalone continuation @olemarkus #7646
Limit calico cpu request to 100m @justinsb #7688
fix-up some spelling mistakes in /pkg @tanjunchen #7684
kops-controller @justinsb #7496
OpenStack: use InstanceGroup zones to populate availability zone @mitch000001 #7690
alpha channel: image for 1.15 and general update @justinsb #7665
Calico: upgrade pod2daemon (only) @justinsb #7689
Add verify-staticcheck script @rifelpet #7687
Create tools/sha1 and sha256 helpers, simply Makefile @justinsb #7702
kops-controller version should match version of kops @justinsb #7700
Publish kops-controller container dump to S3/GCS @justinsb #7701
Change from float -> resource.Quantity @justinsb #7708
More staticcheck bugfixes and cleanup @rifelpet #7696
Correct word misspelling @yuxiaobo96 #7705
fix-up some spelling mistakes @tanjunchen #7704
Add calico 3.9.1 @mikesplain #7694
Allow to use custom rootCAs @zetaab #7643
cleanup code to cancel some staticcheck warnings @beautytiger #7661
Use helpers to move gzip & sha from makefile to bazel @justinsb #7703
Update etcd-manager with OpenStack fixes @justinsb #7710
Update etcd-manager backup image @justinsb #7713
Update DigitalOcean CCM to v0.1.20 @timoreimann #7714
ineffectual assignment to @tanjunchen #7560
remove duplicated entry in notes @beautytiger #7715
docs: fix spelling mistakes @hwdef #7709
Docs: Adding a doc on how to propose a cherry-pick @justinsb #7717
relnotes for 1.14.0 @justinsb #7725
bazel: fix hashes rule to generate outputs @justinsb #7724
remove the repeat word in docs/authentication.md b/docs/authentication.md @tanjunchen #7729
Rollback alpha channels 1.14.7 @mikesplain #7734
Openstack block device mapping support @Shonei #7652
Update controller-tools and CRDs @rifelpet #7634
Upgrade bazel's rules_go and rules_docker @rifelpet #7727
simplfy code @tanjunchen #7745
fix-up some staticcheck error @tanjunchen #7744
nodeup download: try to use compression @justinsb #7751
Add optional RBE support for kops @fejta #7756
Update readme for 1.14 @mikesplain #7757
Add a BAZEL_CONFIG Makefile arg to bazel commands @fejta #7758
Memberlist gossip implementation @jacksontj #7521
bazel: comment out shallow_since as fails to build with bazel 1.0 @justinsb #7771
kOps controller support for OpenStack @zetaab #7692
Upgrade Amazon VPC CNI plugin to 1.5.4 @rifelpet #7398
Add documentation for updating CRDs when making API changes @rifelpet #7728
Kubelet configuration: Maximum pods flag is miscalculated when using Amazon VPC CNI @liranp #7539
Add event ttl flag @tioxy #7487
docs: document state store configuration @mitch000001 #7750
Add artifacts.k8s.io to mirror list @justinsb #7378
fix-up gosimple check error @tanjunchen #7754
fix-up staticcheck error @tanjunchen #7755
remove the unnecessary newline and unused vars @tanjunchen #7760
Upload dns-controller archive, use in KOPS_BASE_URL @justinsb #7777
Move kops-controller to use a yaml configuration file @justinsb #7774
fix(apiserver): allow multiple service-account-key-file @hatappi #7781
Move kops-controller to daemonset @justinsb #7783
Change default port for memberlist from 3997 @justinsb #7778
bazel: remove deprecated stamp attribute from container building @justinsb #7779
Promote alpha to stable, bump alpha @mikesplain #7795
Fix network changed in openstack ports @zetaab #7807
Upgrade go version to 1.12.11 @rifelpet #7811
Rename upload command variable in Makefile @bittopaz #7798
fix-up bug in nodeup/pkg/model @tanjunchen #7793
fix string trim func in main @beautytiger #7801
Alicloud: add OSS as upload dest @bittopaz #7802
Alicloud: fix status discovery @bittopaz #7804
Alicloud: add hostname override @bittopaz #7803
Alicloud: fix error msg when check hostname @bittopaz #7814
replace slice loop with append for simple and clear @beautytiger #7759
dnsprovider,nodeup: fix static check @hwdef #7818
pkg: fix static check @hwdef #7819
Add relnotes for 1.15.0-beta.1 @justinsb #7797
Docs cleanup / mkdocs migration @mikesplain #7593
Allow for override of CoreDNS version @gjtempleton #7794
Add netlify config @mikesplain #7823
Update etcd-manager to 3.0.20191025 @justinsb #7822
Document eventTTL @tioxy #7826
use existing network and subnet in OpenStack @zetaab #7699
fix static check @hwdef #7831
fix firewalls for OpenStack @zetaab #7829
Set default image for OpenStack CCM @zetaab #7773
Add protocol rules to master as well @zetaab #7834
Fix permalink @mikesplain #7836
Remove extraneous document separator causing failures applying addons @ripta #7857
docs(addons): fix broken links @mitch000001 #7846
Fix extraneous whitespace in warning message @johngmyers #7869
Revert "Upgrade Amazon VPC CNI plugin to 1.5.4" @rifelpet #7847
mark weavenet-pod as system-critical @jochen42 #7874
increase retry count @zetaab #7881
awsup: fix shadowed var when looking for etcd cluster name @diversario #7868
Add back calico metrics options @mikesplain #7885
Fix kops upgrade cluster link @flackdl #7887
Fix doc linkages to addons @s3than,@justinsb #7830
Alicloud: remove unnecessary if when evaluateHostnameOverride @bittopaz #7850
Alicloud: split ProviderID with "." @bittopaz #7852
Fix behavior of mock DescribeAutoScalingGroups when no names supplied @johngmyers #7867
Update "Guide" links for DigitalOcean & OpenStack @jcodybaker #7884
Add ci postsubmit script for pushing images to staging @justinsb #7697
remove the unnecessary break @tanjunchen #7791
[DO-7442] Add gossip cluster implementation for Digital Ocean cloud provider @srikiz #7838
fix-up static-check @tanjunchen #7841
remove myself from OWNERS @andrewsykim #7888
Cleanup make targets @rifelpet #7863
fix golint failures @FayerZhang #7854
Recommend kops 1.11.1 @justinsb #7892
fix-up staticcheck problems @tanjunchen #7839
Add hint how to determine mount path of etcd data @FuriKuri #7735
stable channel: promote default AMIs from alpha -> stable @justinsb #7893
Release notes for 1.14.1 @justinsb #7895

1.16.0-alpha.1 to 1.16.0-alpha.2

Add release notes for 1.16.0-alpha.1 @justinsb #7896
stable channel: promote kubernetes 1.13.12, 1.14.8 etc @justinsb #7891
Don't update first node in instancegroup if cluster fails validation @johngmyers,@justinsb #7872
add missing priorityClassName to flannel DaemonSet @EladDolev #7842
fix broken links @dj80hd #7901
Fix rendering of the Node Authorizer template @KashifSaadat #7916
Fix fork bomb in Makefile @johngmyers #7935
Unhide docs make logging @mikesplain #7936
Upgrade AWS VPC CNI to 1.5.5 @rifelpet #7938
Correct spelling mistakes @yuxiaobo96 #7922
Fix flannel CNI version to use 0.2.0 @srikiz #7924
Update vendoring documentation for go modules @rifelpet #7937
Remove duplication and update release details @mikesplain #7939
Updated documentation on how to move from single to multi master @mccare #7439
Create PodDisruptionBudget for kube-dns in kube-system namespace @hakman #7856
Add support for newer Docker versions @hakman #7860
Machine types updates @mikesplain #7947
fix 404 urls in docs @tanjunchen #7943
Fix generation of documentation /sitemap.xml file @aledbf #7949
kOps site link @mikesplain #7950
Fix netlify mixed content @mikesplain #7953
Fix goimports errors @rifelpet #7955
Upate Lyft CNI to v0.5.1 @maruina #7402

1.16.0-alpha.2 to 1.16.0-beta.1

Complete support for Flatcar @mazzy89 #7545
Fix mounting Calico "flexvol-driver-host" in CoreOS @hakman #8062
fix(openstack): fix additional security groups on instance groups @mitch000001 #8004
Cloud controller template function @DavidSie #7992
Add CapacityOptimized to list of supported spot allocation strategies @gjtempleton #7406
Add inf1 isntances @mikesplain #8128
Openstack: Fix cluster floating ips @mitch000001 #8115
[Issue-7870] kops controller support for digital ocean @srikiz #7961
Fix Handling of LaunchTemplate Versions for MixedInstancePolicy @granular-ryanbonham #8038
Bump cilium version to 1.6.4 @olemarkus #8022
Update copyrights for 2020 @johngmyers #8241
cilium: don't try to mount sys/fs/bpf if already mounted @justinsb #7832
Fix protokube osx build @mikesplain #8263
Add deprecation warning for older k8s versions @rifelpet #8176
Remove kops-controller deployment @rifelpet #8273
Promote peter & ryan & zetaab to approvers @justinsb #7983
Fix crossbuild-nodeup-in-docker @johngmyers #8343
Add release notes for deleting the kops-controller deployment @rifelpet #8321
Configuration to specify no SSH key @austinmoore- #7096
Set CLUSTER_NAME env var on amazon-vpc-cni pods @rifelpet #8274
Don't output empty sections in the manifests @justinsb #8317
Fix issues with older versions of k8s for basic clusters @hakman,@rifelpet #8248
Backport the k8s 1.9 required action release note @johngmyers #8378
Fix scheduler policy configmap args @vvbogdanov87 #8386
Use IAMPrefix() for hostedzone @lazzarello #8366
Add Cilium.EnablePolicy back into templates @olemarkus #8379
CoreDNS default image bump to 1.6.6 to resolve CVE @gjtempleton #8333
Don't load nonexistent calico-client cert when CNI is Cilium @johngmyers #8338
kOps releases - prefix git tags with v @rifelpet #8373
EBS Root Volume Termination @tioxy #7865
Announce impending removal of v1alpha1 API @johngmyers #8064
Add missing priorityClassName for critical pods @johngmyers #8200

1.16.0-beta.1 to 1.16.0-beta.2

Fix Github download url for nodeup @adri,@justinsb #8468
GCS: Don't try to set ACLs if bucket-policy only is set @justinsb #8493
Alicloud: allow use RAM role for OSS client @bittopaz #8025
Cilium - Add missing Identity Allocation Mode to Operator Template @daviddyball #8445
Make it possible to enable Prometheus metrics for Cilium @olemarkus #8433
Update cilium to 1.6.6 @olemarkus #8484

1.16.0-beta.2 to 1.16.0

Stabilize sequence of "export xx=xxx" statements @bittopaz #8247
Add events RBAC permissions to kops-controller @rifelpet #8535
Update AWS IAM Authenticator to 0.5.0 @rifelpet #8423
Update IAM permissions for amazon-vpc-cni-k8s 1.6.0 @rifelpet #8548
Update amazon-vpc-cni-k8s to v1.6.0 @hakman #8538
Switch AWS IAM Authenticator to use non-scratch image @rifelpet #8555
Fix DNS loop on Ubuntu 18.04 (Bionic) @hakman #8353
Revert update of AWS IAM Authenticator to 0.5.0 for 1.16 @rifelpet #8583
add s3 region @zetaab #8592
Update coredns to 1.6.7 @maruina #8602
Cilium fix bpffs check @olemarkus #8599
Fix periodic e2e test for Ubuntu 16.04 @hakman #8160

1.16.0 to 1.16.1

Add indent template function and use it to fix KubeDNS.ExternalCoreFile rendering @rochacon #7979
Bump Cilium to 1.7 for k8s 1.12+ @olemarkus #8589
Implementing audit dynamic configuration (#7392) @mmerrill3 #7424
Revert "Automated cherry pick of #8589: Bump Cilium to 1.7 for k8s 1.12+ #8591: Fix typo in the cilium default version" @olemarkus #8677
Use latest patch release for Calico, Canal and Cilium @hakman #8698
Fix uploading of file assets @johngmyers #8694
Tag EBS volumes when using launch templates with AWS API target @johngmyers,@hakman #8462
Fix RollingUpdate behaviour when using LaunchTemplates for both kops & terraform spec updates @KashifSaadat,@qqshfox #8261
Enable stamping on bazel image builds @rifelpet #8835
Update lyft CNI to 0.6.0 @maruina #8757
Remove support for Docker 1.11, 1.12 and 1.13 @hakman #8855
Fix kuberouter for k8s 1.16+ @UnderMyBed,@hakman #8697
Fix tests for obsolete Docker versions in 1.16 @hakman #8890
Load the correct certificate before deleting @olemarkus #8945
Use non-experimental version of encryption provider config flag in 1.13+ @zacblazic #7900

1.16.1 to 1.16.2

Add support for Ubuntu 20.04 (Focal) @hakman #8925
feat(openstack): propagate cloud labels to machines @mitch000001 #9013
Back-port well known owner aliases and SSH users to 1.16 @hakman #9036
Use Ubuntu 18.04 Docker packages for Ubuntu 20.04 setups @hakman #9046
Make cilium operator health check go against localhost IP @olemarkus #9045
Update to etcd-manager 3.0.20200428 @justinsb #9042

1.16.2 to 1.16.3

Revert "Automated cherry pick of #8999: feat(openstack): propagate cloud labels to machines" @zetaab #9089
Reduce the number of TravisCI jobs for release branch @hakman #9081
Fix zsh completion @olemarkus #9108
Allow cluster maintenance when channel is unavailable @johngmyers #9053
Upgrade amazon vpc cni to 1.6.1 @rifelpet #9020
Use systemd-timesyncd for Ubuntu 20.04 @hakman #9182
Remove all versions of a file from the S3 bucket @hakman #9171
Allow listing versions for objects in the S3 bucket @hakman #9205

1.16.3 to 1.16.4

Update etcd-manager to 3.0.20200531 @hakman #9237
Use CNI 0.8.6 for Kubernetes 1.15+ @hakman #9256
Use Docker 19.03.11 for Kubernetes 1.17+ @hakman #9314
Fix missing changes in Weave manifest @hakman #8965
Update Weave Net to 2.6.5 @hakman #9330
Update Calico for CVE-2020-13597 @hakman #9331
Add support for c5a aws ec2 instance types @coolstang #9386