Home Explore Blog CI



kubernetes

1st chunk of `content/en/blog/_posts/2017-10-00-Kubeadm-V18-Released.md`
7f6e0affd7db7b4ad76dd0eb28fe7a54619117e4b1563db7000000010000129d
---
title: "  kubeadm v1.8 Released: Introducing Easy Upgrades for Kubernetes Clusters "
date: 2017-10-25
slug: kubeadm-v18-released
url: /blog/2017/10/Kubeadm-V18-Released
author: >
  Lucas Käldström (Weaveworks)
---
_**Editor's note:** this post is part of a [series of in-depth articles](/blog/2017/10/five-days-of-kubernetes-18) on what's new in Kubernetes 1.8._

Since its debut in [September 2016](https://kubernetes.io/blog/2016/09/how-we-made-kubernetes-easy-to-install), the Cluster Lifecycle Special Interest Group (SIG) has established kubeadm as the easiest Kubernetes bootstrap method. Now, we’re releasing kubeadm v1.8.0 in tandem with the release of [Kubernetes v1.8.0](https://kubernetes.io/blog/2017/09/kubernetes-18-security-workloads-and). In this blog post, I’ll walk you through the changes we’ve made to kubeadm since the last update, the scope of kubeadm, and how you can contribute to this effort.  


## Security first: kubeadm v1.6 & v1.7
Previously, we discussed [planned updates for kubeadm v1.6](https://kubernetes.io/blog/2017/01/stronger-foundation-for-creating-and-managing-kubernetes-clusters). Our primary focus for v1.6 was security. We started enforcing role based access control (RBAC) as it graduated to beta, gave unique identities and locked-down privileges for different system components in the cluster, disabled the insecure `localhost:8080` API server port, started authorizing all API calls to the kubelets, and [improved the token discovery](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/cluster-lifecycle/bootstrap-discovery.md) method used formerly in v1.5. Token discovery (aka Bootstrap Tokens) graduated to beta in v1.8.  

In number of features, kubeadm v1.7.0 was a much smaller release compared to v1.6.0 and v1.8.0. The main additions were enforcing [the Node Authorizer](https://github.com/kubernetes/community/blob/master/contributors/design-proposals/node/kubelet-authorizer.md), which significantly reduces the attack surface for a Kubernetes cluster, and initial, limited upgrading support from v1.6 clusters.  


## Easier upgrades, extensibility, and stabilization in v1.8

We had eight weeks between Kubernetes v1.7.0 and our stabilization period (code freeze) to implement new features and to stabilize the upcoming v1.8.0 release. Our goal for kubeadm v1.8.0 was to make it more extensible. We wanted to add a lot of new features and improvements in this cycle, and we succeeded.Upgrades along with better introspectability. The most important update in kubeadm v1.8.0 (and my favorite new feature) is **one-command upgrades** of the control plane. While v1.7.0 had the ability to upgrade clusters, the user experience was far from optimal, and the process was risky.  

Now, you can easily check to see if your system can handle an upgrade by entering:  



 ```  
$ kubeadm upgrade plan
  ```


This gives you information about which versions you can upgrade to, as well as the health of your cluster.  

You can examine the effects an upgrade will have on your system by specifying the --dry-run flag. In previous versions of kubeadm, upgrades were essentially blind in that you could only make assumptions about how an upgrade would impact your cluster. With the new dry run feature, there is no more mystery. You can see exactly what applying an upgrade would do before applying it.  

After checking to see how an upgrade will affect your cluster, you can apply the upgrade by typing:  



 ```  
$ kubeadm upgrade apply v1.8.0
  ```


This is a much cleaner and safer way of performing an upgrade than the previous version. As with any type of upgrade or downgrade, it’s a good idea to backup your cluster first using your preferred solution.  


## Self-hosting
Self-hosting in this context refers to a specific way of setting up the control plane. The self-hosting concept was initially developed by CoreOS in their [bootkube](https://github.com/kubernetes-incubator/bootkube) project. The long-term goal is to move this functionality (currently in an alpha stage) to the generic kubeadm toolbox. Self-hosting means that the control plane components, the API Server, Controller Manager and Scheduler are workloads themselves in the cluster they run. This means the control plane components can be managed using Kubernetes primitives, which has numerous advantages. For instance, leader-elected components like the scheduler and controller-manager will automatically be run on all masters when HA is implemented if they are run in a DaemonSet. Rolling upgrades in Kubernetes can be used for upgrades of the control plane components, and next to no extra code has to be written for that to work; it’s one of Kubernetes’ built-in primitives!  

Title: Kubeadm v1.8 Released: Easy Upgrades for Kubernetes Clusters
Summary
Kubeadm v1.8.0 introduces one-command upgrades for the control plane, making it easier and safer to upgrade Kubernetes clusters. It also includes improvements in security, extensibility, and stabilization. The release builds on the security enhancements in v1.6 and v1.7, such as RBAC enforcement and Node Authorizer. Additionally, kubeadm v1.8.0 focuses on extensibility and features initial support for self-hosting, where control plane components run as workloads within the cluster.