Version: 0.7

Release Notes

This page details the current supported versions of Kore Operate. Find older releases in the archive.

Release v0.7.2

CLI

See Get the CLI for instructions.

New features

This release of Kore delivers the following major features:

  • Ingress
    • Kore now provides ingress controllers in your clusters, providing your teams with out-of-the-box support for exposing workloads.
    • The UI can generate example manifests to use this functionality.
    • For full details, see Ingress in the Kore Operate documentation.
  • Role-Based Access Control (RBAC)
    • Kore now includes a detailed policy engine which controls access to Kore itself and to all clusters that it manages.
    • Ensure you review the upgrade notes below if upgrading from an older release of Kore.
    • For full details, see Role Based Access Control (RBAC) in the Kore Operate documentation.
  • Cloud Account features
    • As part of delivering least privilege access to your cloud accounts, Kore now exposes a set of 'Features' for each cloud account you add to it.
    • Allows you to express how you wish Kore to use a given cloud account.
    • Scopes Kore's privileges against those cloud accounts to a set of concrete permissions required for that feature to work.
    • A new kore setup roles command manages those permissions for you in AWS (GCP and Azure support will follow in future releases).

Upgrading to v0.7.2

Important steps you must take when upgrading to v0.7.2:

  • If Kore was installed into a namespace other than kore: This release contains several fixes for this case. Contact Kore Support for help with the upgrade process.

  • Organization and Shared Cloud Accounts: These now specify which Kore features you want to use them for. Organization accounts will have the Account Automation feature enabled by default.

    For all other features, you must edit each cloud account and enable the features you want to use that cloud account for. Kore Administrators can do this in the Kore Admin UI.

  • If you have an Azure Organization configured: This now has a separate subscription ID and tenant ID. If you have an Azure Organization configured, you must edit this after upgrading and specify a valid subscription ID, which is available within your tenant. Without this, attempting to use DNS Zone Management, Cost Imports or Cost Estimates with the Azure Organization will not work as expected.

  • If you have local users or static admin token authentication: Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add basicauth and/or admintoken to api.auth_plugins in your Helm values before upgrading.

  • Ensure the kubernetes authentication plugin is enabled. This is enabled by default in the Helm chart, but if you are overriding the values for api.auth_plugins, append kubernetes to the list. This allows the Kore UI to successfully authenticate to the API.

Important changes in behaviour

  • The new Role-Based Access Control (RBAC) system introduces changes in the way users access their clusters. Review the RBAC documentation and ensure your users understand the changes before deploying the release. The most important change is that users must use kore assume before performing non-read operations against their clusters using kubectl.
  • This change also removes the Cluster Users configuration from cluster plans. Access to clusters is now controlled by RBAC.
  • Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add basicauth and/or admintoken to api.auth_plugins in your Helm values before upgrading.
  • Namespaces now have a default deny network policy for inbound / ingress traffic. If you are running applications in Kore managed namespaces, ensure that you explicitly allow the inbound network traffic required for your application to be accessed.
  • SSO Login is now the default on both CLI and UI even if you have local authentication enabled as well. To use a local user, you must now use kore login --local on the CLI or browse to https://your-kore-ui-url/login-local on the UI, otherwise SSO will always be used.
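
An added example (not taken from the Kore documentation) of admitting inbound traffic alongside the default deny network policy described above. The first manifest only illustrates the standard shape of a default deny ingress policy and is not Kore's own object; the namespace team-a-dev, the labels app: web and role: ingress, the policy names and port 8080 are assumptions to replace with your own values.

```yaml
# Illustration only: the standard shape of a default-deny ingress policy.
# Kore installs its own policy; this is not that object and is not applied by you.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress        # hypothetical name
  namespace: team-a-dev             # hypothetical namespace
spec:
  podSelector: {}                   # empty selector: every pod in the namespace
  policyTypes:
    - Ingress                       # no ingress rules listed, so all inbound is denied
---
# The policy you add: admit only the traffic the application needs.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-from-ingress      # hypothetical name
  namespace: team-a-dev             # same (hypothetical) namespace as the workload
spec:
  podSelector:
    matchLabels:
      app: web                      # assumed label on the application pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              role: ingress         # assumed label on the ingress controller's namespace
      ports:
        - protocol: TCP
          port: 8080                # assumed container port of the application
```

Network policies are additive, so the allow rule applies alongside the default deny: pods that do not carry the selected label stay unreachable, and the selected pods accept traffic only from the labelled namespace on the listed port.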

Minor changes

  • [KO-1807] Support dns01 certificate issuer in Azure
  • [KO-1895] Kubernetes 1.18 Update
  • [KO-1915] Check API version when using the CLI
  • [KO-1956] Promote kore alpha local to kore local
  • [KO-1980] Use new resource list actions layout on all resource lists
  • [KO-1996] Stop using the admin token in Kore Portal
  • [KO-2004] Remove Local Login when not required
  • [KO-2010] Upgrade controller-runtime to 0.7
  • [KO-2028] Install Calico Network Policies by default into EKS
  • [KO-2058] Separate API endpoint and CLI command to generate robot tokens
  • [KO-2059] Support the eu-west-2 region for AWS Control Tower
  • [KO-2074] Prefix GCP resource with team name
  • [KO-2096] Do not allow clusters to be prefixed with team name
  • [KO-2098] Show the default team in 'kore profile show'
  • [KO-2099] Unmanage member account when we delete an AWS managed account
  • [KO-2109] Removal of Legacy DEX
  • [KO-2114] Increase minimum node count to two in the eks-development plan
  • [KO-2119] Allow to define complex label selectors on a Helm Application
  • [KO-2127] Use non-interactive flag in kore kubeconfig command
  • [KO-2128] Stop using the admin token for cost imports
  • [KO-2145] Consistent labeling for Kore-managed namespaces
  • [KO-2148] Assume an IAM role or use an IAM service account role for cloudinfo
  • [KO-2147] Added Fish auto-completion to Kore CLI
  • [KO-2150] Promote 'kore alpha patch' command to 'kore patch'
  • [KO-2154] Make kore namespace commands consistent
  • [KO-2159] Clarify instructions on the UI when registering a root domain
  • [KO-2169] Remove creation of container build secrets from the UI
  • [KO-2171] Always install certificate issuers, make email optional, fix issuer names
  • [KO-2175] Rework auto-refreshing resources in the UI
  • [KO-2211] Fix OpenSSL CVE 3.13.2
  • [KO-2220] Support assuming an IAM role in AWS for cloudinfo

Bug fixes

  • [KO-976] Prefix AWS resources with team name
  • [KO-1000] UI is bombarding API with queries when trying to refresh the status but the resource was deleted
  • [KO-1869] Deleting a cloud account (UI or CLI) does not delete its allocations
  • [KO-1876] Handle a cloud being disabled in the Cloud Metadata Service correctly
  • [KO-1932] Ensure the UI / API will not allow deletion of any implicit cloudcredentials
  • [KO-1978] Cloud identity support for costs requires CostManager role but no way to set this for AWS
  • [KO-1983] Unable to delete a namespace with the same name as any team
  • [KO-2009] Kore UI should redirect from cluster page once cluster delete completes
  • [KO-2012] Duplicate CloudAccount and AWSAccounts generated
  • [KO-2019] Scheduling Anti-Affinity
  • [KO-2023] AWS Org setup says to use 'create audit user' script instead of kore setup cloudidentity
  • [KO-2024] Cloud account automation naming clash across providers
  • [KO-2026] Unable to choose eu-west-2 as a Control Tower region
  • [KO-2036] CloudIdentity auto-configured on AWS even when role not configured
  • [KO-2037] First-time startup of Kore on AWS fails due to kore-admin namespace not existing
  • [KO-2039] Do not set an invalid owner reference on services created by the object controller
  • [KO-2049] Cert-man / External DNS Azure workload identity name validation fails with multiple clusters in a team
  • [KO-2050] Azure estimated costs / cloud metadata does not work with Azure org account
  • [KO-2057] kore assume returns before policy is applied
  • [KO-2062] Kore login with a local user was showing the current user's username in the prompt
  • [KO-2064] CloudAccount api should validate any roles set
  • [KO-2067] Getting "Object 'Kind' is missing" error when applying a Secret object from file
  • [KO-2076] AWS service catalog unable to create multiple AWS accounts at the same time
  • [KO-2101] Remove the eks.privileged cluster role binding in EKS cluster
  • [KO-2105] Fix XSS vulnerability on the UI
  • [KO-2107] Secure session cookies, regenerate session after authentication
  • [KO-2113] Unable to create policy assume constrained to days of week
  • [KO-2149] When you create a new team, the team selector is loading forever on the page
  • [KO-2151] Font sizes for costs are inconsistent with the rest of the UI
  • [KO-2153] Kore CLI Select & Prompt UI Issue on Windows
  • [KO-2161] Costs UI does not work with kore installed in custom namespace
  • [KO-2173] AWS account creation or update has a stackset status of OUTDATED
  • [KO-2195] Cloud credential deletion will delete ANY referenced secret, not just kore-created ones
  • [KO-2197] Error: GCP account has no associated GCP IAM service account email
  • [KO-2215] Help text for kore completion on ZSH incorrect
  • [KO-2256] Allocations should not be looked up by an expected name
  • [KO-2380] Fix the namespace.admin role in 0.7 release
  • [KO-2384] EKS PSP ClusterRoleBinding

Release v0.6.2


Minor bugfix release:

  • [KO-2012] - In certain scenarios duplicate CloudAccount objects could be generated when deleting and re-creating clusters on v0.6.0.
  • [KO-2024] - Refinement of cloud account automation logic to prevent issues using multiple cloud provider account automation accounts within a single team.

Release v0.6.0


This release of Kore delivers the following major features:

  • Enable Kore Management Cluster Cloud Identity on AWS
    • This allows Kore to operate against AWS without any credentials being supplied.
    • A supporting kore setup cloudidentity command helps set this up for your organization.
  • Secrets encryption using AWS KMS
    • Supported when running Kore with Cloud Identity on AWS
    • Allows the secrets used directly by Kore to be encrypted using an AWS KMS key, ensuring that, even with access to the underlying cluster hosting Kore, these secrets cannot be retrieved.

Minor improvements:

  • Admin visibility of managed cloud accounts
    • Kore administrators can now see managed accounts that have been created for their teams.
    • Supported in the UI (Admin > Configure > Cloud > Provider > Managed Accounts/Projects/Subscriptions) and CLI kore get cloudaccounts --all-managed
  • Removal of managed cloud accounts
  • Metric server now deployed on EKS clusters - feature-parity with GCP and Azure
  • Remove legacy CRDs and controllers for EKS, GKE and AKS credentials, account and project management which were deprecated in v0.5.0.
  • Security improvements for Kore:
    • Run Kore without full root access
    • Add Kubernetes-level authentication plugin, allowing components of Kore to authenticate securely to each other
  • AWS VPC peering improvements:
    • Tighter security groups
    • Minor fixes
  • UI upgrades:
    • Improved caching of API definitions
    • Updated frameworks to latest versions (antd, Next.JS, Node)
  • Crossplane updates:
    • Enabled by default on EKS
    • Example service updates - RDS and S3

Bug fixes:

  • [KO-1031] - Not valid status for helm chart Services when failing
  • [KO-1165] - Cluster security scans not archived on cluster deletion
  • [KO-1223] - Add Certificate Authority to Kubeconfig
  • [KO-1822] - EKS Logging trying to update when not required
  • [KO-1854] - Helm Operator Security Context
  • [KO-1889] - Consolidating the Authentication package
  • [KO-1898] - Make sure an IAM service linked role is created for RDS when using Crossplane
  • [KO-1907] - Do not delete Crossplane if there are resources left
  • [KO-1908] - AWS Cloud account in unrecoverable failed status when an AWS service catalogue product already exists
  • [KO-1944] - Automated cloud accounts/claims not reconciling after failure in underlying provider account
  • [KO-1952] - Creating clusters with different providers in the same team results in cloud account naming clash
  • [KO-1962] - Failed to update cluster in UI settings page
  • [KO-1963] - Invite links not working
  • [KO-1976] - UI posting incorrect private CIDR range when creating EKS cluster
  • [KO-1979] - Non-admin cannot create team cluster when assignable networks are used
  • [KO-1989] - Ensure unique certificate generated for clusters on build

Upgrading to v0.6.0

Ensure you have upgraded to v0.5.0 and migrated all cloud accounts before installing v0.6.0 (see upgrading to v0.5.0 below). No special steps are required to upgrade from v0.5.0 to v0.6.0.

Release v0.5.0


This release of Kore delivers the following major features:

  • Azure subscription automation
    • Kore can now generate and manage Azure Subscriptions on demand for teams, as per AWS and GCP.
    • Uses new common cloud account infrastructure meaning we now have common account factory logic and handling across all three supported providers.
  • Azure Costs
    • Brings feature parity with AWS and GCP for basic resource-level actual cost data being available through Kore.
    • Supports cost imports at a billing account, invoice section or subscription level.
    • Also included a significant improvement of the setup/visibility for cost configuration for all clouds.
  • Crossplane MVP - Kore's new approach to managing cloud services for teams.
    • Kore can now deliver Crossplane, configured and ready to use, into EKS clusters on AWS.
    • Delivers tightly-scoped IAM permissions into Crossplane allowing it to perform just the actions required to deliver the resources needed.
    • Two initial cloud services supported - S3 and RDS (PostgreSQL).
  • Enable Least Privilege
    • For AWS, Kore now supports least-privilege throughout the product, with defined, well-scoped, IAM roles that are, if using AWS Account automation, themselves automatically delivered by Kore.
    • Uses new common cloud account infrastructure so we can apply the same principles to other clouds as appropriate.
  • Custom managed CIDR ranges
    • Allows administrators to define allowable ranges of IP addresses to use for clusters.
    • Teams can use automatic allocation or request smaller/larger ranges within a set of allowable sizes controlled by the admin.
    • Pre-requisite for us to enable peering of networks between clusters, teams, and shared management accounts.
  • AWS private cluster endpoints and networks
    • Allows, in combination with custom CIDR ranges, fully private EKS clusters.
    • Allows Kore-delivered clusters, accounts and VPCs to be peered with management account VPCs.
  • Managed TLS
    • Deploys cert manager to provide HTTPS certificates for users' applications.
  • Consistent and generic handling of cloud organisations and accounts
    • Common logic and code for account automation on all supported cloud providers.
    • Common logic and code for delivering sessions with access to the cloud provider in a permission-scoped way.
    • Will support the replacement of cloud credentials with workload identity.
    • Supports the delivery of least privilege.
    • Reduces security/secret footprint by having a single common place to deal with the secrets and permissions.
    • Extensible to support additional cloud providers using the same codebase and business logic.

Upgrading from v0.4.0

Before the upgrade

  • Kore now uses Kubernetes secrets for sensitive data and will need to have these migrated:
    • Use the kubectl context for the kore management cluster.
    • Download and run the interactive script migrations/v1_secrets_migrations.sh from the kore-tools repository.

After the upgrade

  • Kore Managed AWS Accounts are migrated when v0.5.0 starts; should existing clusters show CloudAccounts as failed, Kore can be restarted to fix:
    • Use the kubectl context for the kore management cluster.
    • kubectl -n kore rollout restart deployment kore-apiserver
  • Kore Costs now has a new configuration experience and implementation. To upgrade:
    • Run kore -t kore-admin get services and note any entries with kind 'kore-costs' or 'kore-costs-engine'.
    • For each of those services, run kore -t kore-admin delete service <name>
    • Reconfigure estimated and actual costs through the UI

Older releases


Find information on previous releases here.

Last updated on May 24, 2021