Linode Kubernetes Engine - Release Notes

Added

• Kubernetes 1.29 support (changelog).

Changed

• Rename ConfigMap kube-system/coredns to kube-system/coredns-base.

Added

• CoreDNS configuration customization capabilities via the kube-system/coredns-custom ConfigMap.

Changed

• Upgraded clusters using Kubernetes:
  • 1.27 to patch version 1.27.11.
  • 1.28 to patch version 1.28.7.
• Adjusted terminated-pod-gc-threshold:
  • Details:
    • Change: The --terminated-pod-gc-threshold setting in the kube-controller-manager has been reduced from its default value to 500 pods.
    • Context: Previously, Kubernetes kept a large number of evicted and terminated pods. This could consume unnecessary resources and limit space for new pods.
    • Impact: When the count of evicted and terminated pods exceeds 500, the oldest pods (first by eviction timestamp, then by creation timestamp) are deleted to maintain the threshold. This helps reclaim resources and improve cluster performance.
  • Resources:
    • Kubernetes: Garbage collection of Pods
    • Kubernetes: Command line reference

Changed

• Upgraded clusters using Kubernetes:
  • 1.26 to patch version 1.26.13.
  • 1.27 to patch version 1.27.10.
  • 1.28 to patch version 1.28.6.
• Upgraded CSI driver to v0.6.3.
• Upgraded LKE kernel version from v5.15 to v6.1 for new LKE nodes.

Fixed

• CVE-2024-21626 has been mitigated for newly created LKE nodes. If you have an existing LKE node, you need to recycle it to apply the mitigation.

Changed

• Upgraded CCM to v0.3.22
• Upgraded CSI driver to v0.6.2
• Upgraded Kubernetes dashboard to v3.0.0-alpha0

Changed

Upgraded clusters using Kubernetes:

• 1.26 to patch version 1.26.12
• 1.27 to patch version 1.27.9
• 1.28 to patch version 1.28.5

Changed

• Upgraded clusters using Kubernetes 1.27 to patch version 1.27.8

Added

• Kubernetes 1.28 is now available on LKE. Review the Kubernetes changelog.
• The node-mask-cidr size changed from /24 to /25. This has no impact on the max pods per node (110).

Changed

• Upgraded clusters using Kubernetes 1.26 to patch version 1.26.9

Added

• Kubernetes 1.27 is now available on LKE. Review the Kubernetes changelog and blog post.

  Kubernetes 1.27 locks the LegacyServiceAccountTokenNoAutoGeneration feature gate that enables the token controller to automatically create API server access tokens for Kubernetes service accounts. After upgrading to 1.27, customers may notice a warning message regarding these legacy tokens:

  Warning: Use tokens from the TokenRequest API or manually created secret-based tokens instead of autogenerated secret-based tokens.
  

  To fix this issue, remove any auto-generated secrets of type kubernetes.io/service-account-token in the kube-system namespace with kubectl delete secrets -n kube-system --field-selector="type==kubernetes.io/service-account-token" and regenerate the cluster’s Kubeconfig. See the Kubernetes Cluster Regenerate ( (POST /lke/clusters/{clusterId}/regenerate) endpoint.

  Customers with service accounts outside of kube-system need to delete the auto-generated service account tokens in their respective namespaces.

Changed

• Updated references for k8s.gcr.io to registry.k8s.io.

Added

• Ability to force-rotate Service Account tokens without permanently breaking the control-plane.
  • In order to manually rotate Service Account tokens used by the control-plane, delete secrets with the type kubernetes.io/service-account-token in the kube-system namespace.
  • Deleting ccm-user-token-* secrets can still result in a momentary disruption of the control-plane.
  • Deleting lke-admin-token-* secrets invalidates the current kubeconfig. Allow some time for the new token to propagate to the control-plane before downloading a new kubeconfig via the API or Cloud Manager.

Changed

• Upgraded clusters using Kubernetes 1.25 to patch version 1.25.12
• Upgraded clusters using Kubernetes 1.26 to patch version 1.26.7

Fixed

• Improvements to etcd stability.