Releasenotes

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project will adhere to Semantic Versioning.

We use towncrier for the generation of our release notes file.

Information about unreleased changes can be found here.

General information about release upgrades are documented at How to Upgrade to a new TAROOK release.

v11.0.5 (2026-02-05)

Changed functionality

• kubeadm manifest patch files supplied in /etc/kubernetes/kubeadm-patches are now applied on cluster initialization as well rather than Kubernetes upgrades only. (!2277)

Bugfixes

• A proper InitConfiguration is now passed to kubeadm when reconfiguring the kube-apiserver for audit logging since we noticed that under certain circumstances the kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint annotation got altered to contain an incorrect IP which then got used as advertized endpoint (rel #844).

  The error has been observed especially in bare metal clusters. In affected clusters, at least apply-k8s-core.sh or a full rollout via apply-all.sh must be first executed before performing a Kubernetes upgrade. (!2277)

• Fixed a regression that was introduced with the refined kube-apiserver audit logging in v11.0.0 (!1956) which caused kubeadm to not consider manifest patch files which are e.g. used to configure yk8s.kubernetes.apiserver.memory_limit. (!2277)

v11.0.4 (2026-01-27)

Changed functionality

• Explicitly disable the open file descriptor limit (LimitNOFILE=infinity) for containerd since that setting is removed with version 2.0 (see https://github.com/containerd/containerd/blob/main/docs/containerd-2.0.md#limitnofile-configuration-has-been-removed).

  This change will take effect as soon as containerd is restarted. Restarting containerd is safe in general. It does at most affect incoming requests from kubelet, but not running workload. Note that containerd sets the limit on container creation and won’t update existing containers.

  You can ensure that all containers use the infinite limit by running update-kubernetes-nodes.sh or doing a Kubernetes upgrade. Both drains all nodes and restart containerd.

  (!2235)

Bugfixes

• A bug was fixed that caused issues when the same option was set in multiple places #846 (!2235)

• Dropped the max length constraint on the yk8s.vault.cluster_name that was errorneously introduced with release v10.0.0. (!2235)

• Fixed two errors that prevented the yk8s.load-balancing.lb_ports config option from being applied at all. (regression of v10.0.0) (!2235)

v11.0.3 (2025-12-09)

Bugfixes

• Fixed a bug which prevented the release migration script migrate-to-release.sh from completing successfully with Terraform disabled. (!2209)

• Fixed a bug in the release migration that left new Terraform state uncommitted. (!2209)

• Fixed a bug which prevented to rerun the release migration script migrate-to-release.sh. (!2209)

v11.0.2 (2025-10-23)

Bugfixes

• A bug in the migration script has been fixed that prevented use of Ansible playbooks directly after migration on OpenStack-based clusters. (!2179)

• Fixed the assertion that enforces either the new yk8s.infra.ansible_hosts or the old yk8s.infra.hosts_file option is set. (!2179)

• Fixed a Nix config error that prevented the use of yk8s.infra.hosts_file (when Terraform is disabled). (!2179)

• A bug has been fixed which prevented cluster creation or adding new nodes to an existing cluster if yk8s.ch-k8s-lbaas.enable_snat got disabled. (!2179)

• A bug has been fixed which caused apply-prepare-gw.sh to fail after reconfiguring yk8s.ch-k8s-lbaas.enable_snat until apply-k8s-supplements.sh (more specifically the install-ch-k8s-lbaas.yaml playbook) has been executed. (!2179)

• A file permission bug in a migration script has been fixed (!2179)

Other Tasks

• !2179

v11.0.1 (2025-10-21)

Bugfixes

• A bug in the migration script has been fixed (!2175)

v11.0.0 (2025-10-17)

Breaking changes

• Updated default version of helm chart prometheus-adapter of https://github.com/prometheus-community/helm-charts from 4.14.2 to 5.0.0 (!1997)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 73.2.3 to 77.0.0 (!2058)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.12.0 to 78.2.1 (!2156)

New Features

• Ansible hosts can now be defined and referenced via Nix. See yk8s.infra.ansible_hosts. (!1250)

• The helm chart for etcd-backup can now be configured with arbitrary values through yk8s.k8s-service-layer.etcd-backup.helm.values. (!1569)

• The helm chart url, name and version can now be configured for the nvidia device plugin through yk8s.nvidia.device_plugin.helm. (!1784)

• The helm chart for the Nvidia device plugin can now be configured with arbitrary values through yk8s.nvidia.device_plugin.helm.values. (!1784)

• The helm chart for ingress-nginx can now be configured with arbitrary values through yk8s.k8s-service-layer.ingress.helm.values. (!1810)

• An option to disable SNAT’ing for ch-k8s-lbaas has been added: yk8s.ch-k8s-lbaas.enable_snat.

  Warning

  Be aware that disabling SNAT’ing potentially has performance implications. Have a look at yk8s.ch-k8s-lbaas.enable_snat for further information.

  Warning

  Disabling yk8s.ch-k8s-lbaas.enable_snat can only be done after the release migration including executing apply-all.sh has been finished.

  . (!1943)

• The functionality of yk8s.kubernetes.apiserver.audit_logs.enabled has been refined such that the settings take effect on cluster initialization already and modifications to the settings are not applied during Kubernetes upgrades only but on normal rollouts. The settings are also reflected in the kube-system/kubeadm-config ConfigMap in the cluster now which ensures freshly provisioned control-plane nodes have the setting right away. (!1956)

Changed functionality

• Updated default version of helm chart flux2 of https://github.com/fluxcd-community/helm-charts from 2.9.2 to 2.15.0

  Warning

  This upgrades the Flux controllers from app version 2.0.1 to 2.5.1. You potentially have to adjust your deployed custom resources. Check the changelog for API adjustments:

  • https://github.com/fluxcd/flux2/releases/tag/v2.1.0

  • https://github.com/fluxcd/flux2/releases/tag/v2.2.0

  • https://github.com/fluxcd/flux2/releases/tag/v2.3.0

  • https://github.com/fluxcd/flux2/releases/tag/v2.4.0

  • https://github.com/fluxcd/flux2/releases/tag/v2.5.0

  You can upgrade more fine grained by setting the desired version via yk8s.k8s-service-layer.fluxcd.version.

  Further information can be found in the Flux releases documentation.

  . (!1698)

• Updated default version of helm chart rook-ceph of https://github.com/rook/rook from v1.16.6 to v1.17.8 (!1816)

• Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.3.0 to 11.3.1 (!2061)

• Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.13.1 to 4.13.2 (!2070)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.0.0 to 77.2.0 (!2081)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.2.0 to 77.3.0 (!2087)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.3.0 to 77.8.0 (!2117)

• The peering mechanism of keepalived has been changed from explicit unicast back to multicast. (!2118)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.8.0 to 77.9.1 (!2119)

• The bucket management tasks have been dropped for yk8s.k8s-service-layer.etcd-backup. It is now the user’s responsibility to ensure the bucket exists. Documentation has been updated accordingly. Existing buckets are not touched. (!2120)

• Updated default version of helm chart dcgm-exporter of https://github.com/nvidia/dcgm-exporter from 4.5.0 to 4.5.2 (!2121)

• Unattended upgrades are enabled on gateways now. (!2126)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.9.1 to 77.11.0 (!2133)

• Updated default version of helm chart prometheus-adapter of https://github.com/prometheus-community/helm-charts from 5.0.0 to 5.1.0 (!2138)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.11.0 to 77.11.1 (!2140)

• Updated default version of helm chart kube-prometheus-stack of https://github.com/prometheus-community/helm-charts from 77.11.1 to 77.12.0 (!2141)

• Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.3.1 to 11.4.0 (!2154)

• Updated default version of helm chart ingress-nginx of https://github.com/kubernetes/ingress-nginx from 4.13.2 to 4.13.3 (!2158)

• Updated default version of helm chart etcdbackup from 0.20250724.0 to 0.20250918.0 (!2160)

• Updated default version of helm chart prometheus-blackbox-exporter of https://github.com/prometheus-community/helm-charts from 11.4.0 to 11.4.1 (!2163)

• Updated default version of helm chart cert-manager of https://github.com/cert-manager/cert-manager from v1.18.2 to v1.18.3 (!2166)

Bugfixes

• The type of yk8s.kubernetes.apiserver.audit_logs.policy has been changed such that individual values can be overwritten. (!1956)

• A bug has been fixed which prevented to deploy rook-ceph in a different namespace than the default: yk8s.k8s-service-layer.rook.namespace. (!1998)

• Ansible and Helm now don’t try to use user-wide (cache) directories anymore. (!2051)

• Darwin as well as Linux on aarch64 are not supported by Tarook. Thus, they have been removed from the list of supported systems. (!2067)

• Fixed the vault_v1 Ansible role to deploy the vault-backup ServiceMonitor only when monitoring is enabled via yk8s.kubernetes.monitoring.enabled. (!2069)

• Adjust review link to new url (!2085)

• Fixed an issue where regex validation of IP patterns did not work on macOS hosts. (!2104)

• Deploying Vault on Kubernetes through yk8s.k8s-service-layer.vault requires cert-manager which is now documented and enforced at config evaluation. (!2114)

• Fixed a bug which prevented etcd-backup to be deployed in a modified namespace: yk8s.k8s-service-layer.etcd-backup.helm.release_namespace. (!2122)

• The .gitignore file of the cluster repository now includes the ‘managed by yk8s’ markers from cluster repo initialization already, not just after the first release migration. (!2131)

• SSH host certificates are now always generated using the yaook/nodes Vault approle. Previously the orchestrator’s credentials were used when USE_VAULT_IN_DOCKER=true (see Developing with Vault) was set which prevented the use of unpriviledged Vault tokens. (!2132)

Changes in the Documentation

• A note that nix (Nix) >= 2.9.0 is required has been added to Initialization. (!2063)

• Documentation generation is restricted to the latest five major versions from now on. (!2102)

• Merged the tutorials into the guides section (!2130)

Deprecations and Removals

• Importing an existing hosts file via yk8s.infra.hosts_file is deprecated. Hosts can be defined directly via Nix now. The option hosts_file will be removed at some point in the future. If you want to keep providing your own hosts file after that, convert it to YAML format (see https://docs.ansible.com/ansible/latest/inventory_guide/intro_inventory.html ) and import it like this ansible_hosts = yk8s-libs.importYAML ./hosts;. (!1250)

Other Tasks

• !1748, !1915, !1943, !1943, !2071, !2072, !2083, !2084, !2101, !2105, !2111, !2113, !2115, !2124, !2128, !2142, !2148, !2149, !2155

• The build-docs-check CI job now uses Nix to build the documentation. (!2075)

• Container images for smoke tests have been updated. (!2112)

Misc

• !2004, !2065, !2066, !2096, !2100, !2103, !2125, !2129, !2137, !2143, !2144, !2146, !2157, !2164, !2165