Skip to main content

v1.29.X

Upgrade Notice

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

VersionRelease dateKubernetesEtcdContainerdRuncMetrics-serverCoreDNSIngress-NginxHelm-controllerCanal (Default)CalicoCiliumMultus
v1.29.4+rke2r1Apr 29 2024v1.29.4v3.5.9-k3s1v1.7.11-k3s2v1.1.12v0.7.1v1.11.1nginx-1.9.6-hardened1v0.15.9Flannel v0.25.1
Calico v3.27.3
v3.27.3v1.15.4v4.0.2
v1.29.3+rke2r1Mar 20 2024v1.29.3v3.5.9-k3s1v1.7.11-k3s2v1.1.v0.6.3v1.11.1nginx-1.9.3-hardened1v0.15.9Flannel v0.24.3
Calico v3.27.2
v3.27.2v1.15.1v4.0.2
v1.29.2+rke2r1Feb 29 2024v1.29.2v3.5.9-k3s1v1.7.11-k3s2v1.1.12v0.6.3v1.11.1nginx-1.9.3-hardened1v0.15.8Flannel v0.24.2
Calico v3.27.0
v3.27.0v1.15.1v4.0.2
v1.29.1+rke2r1Feb 06 2024v1.29.1v3.5.9-k3s1v1.7.11-k3s2v1.1.12v0.6.3v1.10.1nginx-1.9.3-hardened1v0.15.8Flannel v0.23.0
Calico v3.26.3
v3.26.3v1.14.4v4.0.2
v1.29.0+rke2r1Dec 22 2023v1.29.0v3.5.9-k3s1v1.7.11-k3s1v1.1.10v0.6.3v1.10.1nginx-1.9.3-hardened1v0.15.4Flannel v0.23.0
Calico v3.26.3
v3.26.3v1.14.4v4.0.2

Release v1.29.4+rke2r1

This release updates Kubernetes to v1.29.4.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.29.3+rke2r1:

  • Update channel server (#5631)
  • Enable apiserver to access updated encryption-config.json (#5604)
  • Delete epic github action (#5626)
  • Remove kube-proxy static pod manifest during agent bootstrap (#5619)
  • Properly handle files and sockets in extra mounts (#5621)
  • Bump flannel version (#5638)
    • Fix flannel bug to work in cluster with taints
  • Improve how flannel-windows reserves an IP for kube-proxy vip (#5661)
  • Add doc on building multi-arch images (#5670)
  • Add kine support (#5540)
  • Reenable Unit Testing in GitHub Actions (#5676)
  • Overhaul integration testing (#5679)
  • Bump ingress-nginx to 1.9.6 (#5671)
  • Rework and fix nightly install tests (#5692)
  • Update flannel to v0.25.0 (#5708)
  • Fix Windows path setting (#5698)
  • Update to Cilium v1.15.3 (#5713)
  • Bump K3s version for 2024-04 release cycle (#5714)
  • Calico and canal update (#5712)
  • Check if the kube-proxy VIP was already reserved (#5705)
    • Flannel in windows checks if a VIP was already reserved
  • Update flannel to v0.25.1 (#5747)
  • Fix subcommand mapping for rke2 certificate (#5750)
  • Bump harvester-cloud-provider v0.2.3 (#5694)
  • Bump RKE2 CCM image tag (#5751)
  • Bump metrics-server version (#5660)
    • Bump metrics server version to v0.7.1 and start using scratch as its base image
  • Update to Cilium v1.15.4 (#5764)
  • Bump vsphere csi chart to 3.1.2-rancher300 and add snapshotter image (#5755)
  • Vsphere csi bump (#5801)
  • Update Kubernetes to v1.29.4 (#5799)
  • Bump K3s version for v1.29 to pull through etcd-snapshot save fixes (#5816)
  • Bump K3s version for dbinfo fix (#5822)
  • Updated Calico and Flannel to fix ARM64 build (#5825)
  • Update rke2-canal to v3.27.3-build2024042301 (#5834)
  • Use the newer Flannel chart (#5842)
  • Bump metrics-server chart to restore legacy label (#5849)

Charts Versions

ComponentVersion
rke2-cilium1.15.400
rke2-canalv3.27.3-build2024042301
rke2-calicov3.27.300
rke2-calico-crdv3.27.002
rke2-coredns1.29.002
rke2-ingress-nginx4.9.100
rke2-metrics-server3.12.002
rancher-vsphere-csi3.1.2-rancher400
rancher-vsphere-cpi1.7.001
harvester-cloud-provider0.2.300
harvester-csi-driver0.1.1700
rke2-snapshot-controller1.7.202
rke2-snapshot-controller-crd1.7.202
rke2-snapshot-validation-webhook1.7.302

Release v1.29.3+rke2r1

This release updates Kubernetes to v1.29.3.

Important Notes

Canal uses flannel 0.24.3 which includes a bug: every 5 seconds it tries to add ipv6 iptables rules and fails if the node does not have an ipv6 address. The consequence is the log "Failed to ensure iptables rules: error setting up rules: failed to apply partial iptables-restore unable to run iptables-restore (, ): exit status 4" appears every 5 seconds in the flannel container of the canal pod.

Flannel daemonset is not tolerating node taints: "node-role.kubernetes.io/etcd:NoExecute", "node-role.kubernetes.io/control-plane:NoSchedule" and "node.cloudprovider.kubernetes.io/uninitialized:NoSchedule" which can create problems when deploying with Rancher in certain cloud-providers (e.g. vShpere or DigitalOcean).

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.29.2+rke2r1:

  • Update latest to 1.27.11 (#5542)
  • Remove old docs website action (#5465)
  • Add a multus e2e test (#5483)
  • Bump vsphere csi chart to 3.1.2-rancher101 and cpi to 1.7.001 (#5553)
  • Fix DNS over TLS bug (#5552)
  • Bump multus chart version (#5575)
  • Update Calico and Canal to v3.27.2 (#5582)
  • Bump K3s version for v1.29 (#5587)
    • Fix: use correct wasm shims names
    • Bump spegel to v0.0.18-k3s3
    • Adds wildcard registry support
    • Fixes issue with excessive CPU utilization while waiting for containerd to start
    • Add env var to allow spegel mirroring of latest tag
    • Bump helm-controller/klipper-helm versions
    • Fix snapshot prune
    • Fix issue with etcd node name missing hostname
    • Fix additional corner cases in registries handling
    • RKE2 will now warn and suppress duplicate entries in the mirror endpoint list for a registry. Containerd does not support listing the same endpoint multiple times as a mirror for a single upstream registry.
  • Bump K3s version for v1.29 (#5605)
  • Update k8s to 1.29.3 and Go (#5624)
  • Actually bump k8s (#5627)

Charts Versions

ComponentVersion
rke2-cilium1.15.100
rke2-canalv3.27.2-build2024030800
rke2-calicov3.27.200
rke2-calico-crdv3.27.002
rke2-coredns1.29.002
rke2-ingress-nginx4.8.200
rke2-metrics-server2.11.100-build2023051513
rancher-vsphere-csi3.1.2-rancher101
rancher-vsphere-cpi1.7.001
harvester-cloud-provider0.2.200
harvester-csi-driver0.1.1700
rke2-snapshot-controller1.7.202
rke2-snapshot-controller-crd1.7.202
rke2-snapshot-validation-webhook1.7.302

Release v1.29.2+rke2r1

This release updates Kubernetes to v1.29.2.

Important Notes

Experimental command rke2 secrets-encrypt rotate-keys is currently broken and should not be used. Use the classic secrets encryption commands detailed here.

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.29.1+rke2r1:

  • Fix validate-chart scripts (#5160)
  • Adding yml for new stale action (#5311)
  • Secrets Encryption test (#5234)
  • Bump actions/cache from 3 to 4 (#5312)
  • Update channels for January 2024 patch (#5357)
  • Only run flannel host-network CIS netpol controller when using canal CNI (#5318)
  • Create a common CNI interface and config struct (#5276)
  • Avoid race condition when deleting HNS networks (#5336)
  • Add flannel CNI plugin (#5322)
    • Flannel added as CNI plugin option
  • Bump coredns and multus/whereabouts versions (#5379)
    • Coredns, multus and whereabouts using minimal base images
  • Fix: missing 'ip link delete cilium_wg0' in rke2-killall.sh (#5274)
  • Add adr about rke2-flannel (#5145)
  • Update canal version (#5414)
  • Update Cilium to 1.15.0 (#5420)
  • Improve cni windows code (#5421)
  • Bump alpine from 3.18 to 3.19 (#5123)
  • Bump harvester-csi-driver to 0.1.17 (#5332)
  • Implement custom containerd behavior for Windows Agents, ensure supporting processes exit (#5419)
  • Update Calico to v3.27.0 (#5423)
  • Bump K3s version for v1.29 (#5458)
  • Update k8s and Go (#5470)
  • Update Cilium to v1.15.1 (#5473)
  • Bump rke2-coredns chart (#5493)
  • Bump K3s for etcd-only fix (#5501)
  • Add new network policy for ingress controller webhook (#5500)
  • Refactor netpol creation and add two new netpols for metrics-server and snapshot-validation-webhook (#5521)
  • Bump wharfie to v0.6.6 (#5517)
    • Bump wharfie to v0.6.6 to add support for bare hostname as endpoint, fix unnecessary namespace param inclusion

Charts Versions

ComponentVersion
rke2-cilium1.15.100
rke2-canalv3.27.0-build2024020601
rke2-calicov3.27.002
rke2-calico-crdv3.27.002
rke2-coredns1.29.001
rke2-ingress-nginx4.8.200
rke2-metrics-server2.11.100-build2023051513
rancher-vsphere-csi3.0.1-rancher101
rancher-vsphere-cpi1.5.100
harvester-cloud-provider0.2.200
harvester-csi-driver0.1.1700
rke2-snapshot-controller1.7.202
rke2-snapshot-controller-crd1.7.202
rke2-snapshot-validation-webhook1.7.302

Release v1.29.1+rke2r1

This release updates Kubernetes to v1.29.1.

Important Notes

Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.29.0+rke2r1:

  • Update channels (#5172)
  • Bump actions/setup-go from 4 to 5 (#5125)
  • Use dl.k8s.io for getting kubectl (#4952)
  • Bump actions/setup-python from 4 to 5 (#5124)
  • Address Repetitive Windows Bootstrapping (#5159)
  • Unload selinux module only if container-selinux is updated from a bre… (#5157)
  • Add v1.29 to channels list (#5194)
  • Version bump of coredns chart to fix bug (#5189)
    • Fix coredns local cache when in dual stack clusters
  • Update multus chart to add optional dhcp daemonset (#5146)
  • Add e2e test for dnscache (#5190)
  • Update rke2-whereabouts to v0.6.3 and bump rke2-multus parent chart (#5232)
  • Bump sriov image build versions (#5237)
  • Enable arm64 based images for calico, multus and harvester (#5154)
  • Improve kube-proxy logging and move calico logs to a better path (#5248)
  • Bump k3s for v1.29 (#5268)
  • Update to 1.29.1 (#5296)
  • Update base image (#5305)
  • Bump K3s and runc versions for v1.29 (#5349)

Charts Versions

ComponentVersion
rke2-cilium1.14.400
rke2-canalv3.26.3-build2023110900
rke2-calicov3.26.300
rke2-calico-crdv3.26.300
rke2-coredns1.24.008
rke2-ingress-nginx4.8.200
rke2-metrics-server2.11.100-build2023051511
rancher-vsphere-csi3.0.1-rancher101
rancher-vsphere-cpi1.5.100
harvester-cloud-provider0.2.200
harvester-csi-driver0.1.1600
rke2-snapshot-controller1.7.202
rke2-snapshot-controller-crd1.7.202
rke2-snapshot-validation-webhook1.7.302

Release v1.29.0+rke2r1

This release is RKE2's first in the v1.29 line. This release updates Kubernetes to v1.29.0.

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

Important Notes
  • The experimental secrets-encrypt rotate-keys command, used to perform an abbreviated rotation of secrets encryptions keys, has been removed from this release due to changes in the upstream implementation of configuration reloading. It will return in a subsequent release; see https://github.com/rancher/rke2/issues/5152 for more information.

Changes since v1.28.4+rke2r1:

  • Bump k3s version for v1.29 (#5153)
  • Bump k3s and kubernetes versions for v1.29.0 (#5144)
  • ⚠️ added support for amazon linux 2023 (#4973) (#4973)
  • Bump containerd to v1.7.11 (#5129)
  • Bumped containerd/runc to v1.7.10/v1.1.10 (#5117)
  • Update stable channel to v1.26.11+rke2r1 (#5099)

Charts Versions

ComponentVersion
rke2-cilium1.14.400
rke2-canalv3.26.3-build2023110900
rke2-calicov3.26.300
rke2-calico-crdv3.26.300
rke2-coredns1.24.007
rke2-ingress-nginx4.8.200
rke2-metrics-server2.11.100-build2023051511
rancher-vsphere-csi3.0.1-rancher101
rancher-vsphere-cpi1.5.100
harvester-cloud-provider0.2.200
harvester-csi-driver0.1.1600
rke2-snapshot-controller1.7.202
rke2-snapshot-controller-crd1.7.202
rke2-snapshot-validation-webhook1.7.302