Kubermatic Kubernetes Platform (KKP) 2.12 ships with cert-manager 0.10, which changed the api versions for its manifests. This requires manual intervention and a short time frame where no certificates can be created when upgrading. Before upgrading, create a backup of all cert-manager resources (certificates, issuers, …) because their CRDs will have to be recreated.
After creating the backup, delete the cert-manager chart, delete the CRDs and re-install the chart (which also re-installs the CRDs):
helm --tiller-namespace kubermatic-installer delete --purge cert-manager
kubectl get crd | awk '/certmanager/ {print $1}' | xargs kubectl delete crd
cd kubermatic-installer/charts/cert-manager
helm --tiller-namespace kubermatic-installer upgrade --install --namespace cert-manager --values YOUR_VALUES_YAML_HERE cert-manager .
The default backup schedules for the monitoring, logging and minio namespaces have been removed. In order
to continue these backups, dump the schedules and re-import them after updating the Helm chart like so:
kubectl -n velero get schedules.velero.io -o yaml > schedules.yaml
helm --tiller-namespace kubermatic-installer upgrade --install --namespace velero --values YOUR_VALUES_YAML_HERE velero config/backup/velero
kubectl apply -f schedules.yaml
This change does not affect user cluster etcds, which are stilled backed up regularly.
In v2.12, we are upgrading Flannel to v0.11.0 which lead to NetworkPolicies not working properly. Flannel doesn’t detect some iptables rules and flush the appropriate rules.
To avoid any failures on the cluster, you need to apply on each node of the user clusters the following two commands, assuming the Pods CIDR is 172.25.0.0/16:
iptables -t nat -D POSTROUTING -s 172.25.0.0/16 ! -d 224.0.0.0/4 -j MASQUERADE
iptables -t nat -D POSTROUTING ! -s 172.25.0.0/16 -d 172.25.0.0/16 -j MASQUERADE
For more details about this issue, please check the following link