Skip to main content
Version: 0.8

Release Notes

Supported versions#

This page provides release notes for supported versions of Kore Operate. Find older release notes in the Archive page.

For information on Kore Operate release cadence and support lifecycle, see:

Release v0.8.1#


CLI#

See Get the CLI for instructions.

New Features#

  • Azure Spot Instance support:
    • You can now specify to use Azure spot instances on an additional node pool for Azure AKS clusters. This gives potential cost savings where your workloads can tolerate disruptions.
    • Cost estimations for Azure when using spot instances show you the current spot price.
  • Accessing clusters from the CLI has been simplified with the new command kore access.
    • kore assume no longer updates your kubectl config context.

Upgrading to v0.8#

Important notes when upgrading to v0.8:

  • You must remove basicauth, if present, before upgrading.
    • Remove the value basicauth from api.auth_plugins in your Helm values before upgrading.
    • "Basic Auth" authentication is not supported and Kore will fail to start with error log unknown plugin.
    • Local users still work—JWT tokens are used after initial login.
  • The way allocations of cloud accounts are represented internally has changed. Existing resources will be automatically migrated by Kore, and if you use the CLI and UI to manage your cloud accounts, no action is required. If you are managing CloudAccount and Allocation objects using CRDs in YAML (e.g. via kore apply), you will need to add the allocation field to the CloudAccount spec and drop the Allocation CR.
  • When building a cluster using kore create cluster you must specify the name of a cloud account instead of the name of an allocation. Team members can use kore get cloudaccounts -t teamname to list the accounts allocated to the team. See Creating Clusters.
  • The docker images for Kore have moved from quay.io/appvia/<image> to quay.io/kore/<image>. If you are overriding any images (for example the auth proxy) in the helm values, please ensure you adjust the location of the images.

Minor Changes#

  • [KO-2475] Assigned Policies to robot account should be deleted when robot removed
  • [KO-2473] Improve messaging on authentication proxy access errors
  • [KO-2459] UI - make final changes for creating of robots to be inline with wireframes
  • [KO-2451] Add warning to UI, that Crossplane is not ready for production use
  • [KO-2399] Update Kubernetes Controller to create robot account
  • [KO-2398] The UI needs to use the same login flow as the CLI
  • [KO-2388] Deploy service catalog in clusters using an immutable Docker image
  • [KO-2377] Move Client Token Refreshing into the pkg/client package
  • [KO-2376] Remove Legacy OpenID Providers
  • [KO-2352] Fix Robot Account Caching Issue on token regeneration
  • [KO-2335] Clean up aws IAM roles with new option kore setup --remove for roles
  • [KO-2334] Clean up aws IAM user with new option kore setup --remove for cloudidentity
  • [KO-2328] by categories relevant to a robot
  • [KO-2326] We need to validate the certificate authority provided to Kore
  • [KO-2320] Allow users to use customer managed keys in their RDS & S3
  • [KO-2306] Upgrade Crossplane and provider-aws to latest stable version
  • [KO-2289] Allow 'Uptime SLA' to be turned off for AKS
  • [KO-2287] Remove the kubeconfig step in the "Configure access" on UI
  • [KO-2286] Secure processes for production artifacts, ensure integrity of production artifacts in our applications
  • [KO-2257] Remove allocations, replace with field on CloudAccount CRD
  • [KO-2247] Allow for creation of robot tokens in the UI
  • [KO-2218] Warn user if cloud account allocated to teams but Provisioning feature not enabled
  • [KO-2184] API Rate Limiting
  • [KO-2134] kore setup cloudidentity for Azure
  • [KO-2132] Create Azure Cloud Identity on startup
  • [KO-1940] Support minor versions in AKS plans
  • [KO-1939] UI to guide user to use 'kore setup cloudidentity' for creating cloud credentials
  • [KO-1938] Enable a single AWS Cloud Credential for AWS Access
  • [KO-1838] Add trigger and automation for version upgrade / check in E2E
  • [KO-1019] Allow to edit/delete resources on the UI while in pending/deleting/etc state

Bug Fixes#

  • [KO-2480] Cannot edit cluster from v0.7 on v0.8 due to deprecated fields
  • [KO-2467] Network Enforcement Policy Broken
  • [KO-2430] Kore assume/access doesn't create a new session, if the session exists but it's expired
  • [KO-2429] AKS node pool Kubernetes version is used as underlying VM image
  • [KO-2413] kore login should error if used with -a but no profile name
  • [KO-2402] Adding UI Hostname to the list of whitelisted oauth callback urls
  • [KO-2396] Enforcement policies applied before the service is available
  • [KO-2391] No RBAC for crossplanedeployment
  • [KO-2390] When creating a robot account for a build on the UI, KORE_TOKEN is shown base64 encoded
  • [KO-2389] Robot accounts UI improvement: it's easy to copy only part of the robot token by mistake
  • [KO-2381] Fix the example text in the configmap command
  • [KO-2378] Add a non-interactive flag to the create namespace command
  • [KO-2325] 0.6.2 to 0.7.0 - UI/CLI shows intermittent "A technical problem occurred, please try again later."
  • [KO-2322] As a user I can't enable container registry management for a shared AWS cloud account
  • [KO-2276] When hitting control-c during kore assign policy an incomplete plan can be created
  • [KO-2255] Do not allow to delete a cloud account if there is a DNS zone configured for it
  • [KO-2241] UI: When editing an existing Azure CostImport, the value of Import Scope is empty
  • [KO-2226] UI: on the domain view drawer the value of "Cloud Account / Project" is constantly changing to the loading icon and back
  • [KO-2217] Don't allow more than one cloud account to point to the same actual cloud account
  • [KO-2141] Assume should only work for a single cluster
  • [KO-1941] EKS cluster status goes back to 'Success' on deletion

Release v0.7.2#


CLI#

See Get the CLI for instructions.

New features#

This release of Kore delivers the following major features:

  • Ingress
    • Kore now provides ingress controllers in your clusters, providing your teams with out-of-the-box support for exposing workloads.
    • The UI can generate example manifests to use this functionality.
    • For full details, see Ingress in the Kore Operate documentation.
  • Role-Based Access Control (RBAC)
    • Kore now includes a detailed policy engine which controls access to Kore itself and to all clusters that it manages.
    • Ensure you review the upgrade notes below if upgrading from an older release of Kore.
    • For full details, see Role Based Access Control (RBAC) in the Kore Operate documentation.
  • Cloud Account features
    • As part of delivering least privilege access to your cloud accounts, Kore now exposes a set of 'Features' for each cloud account you add to it.
    • Allows you to express how you wish Kore to use a given cloud account.
    • Scopes Kore's privileges against those cloud accounts to a set of concrete permissions required for that feature to work.
    • A new kore setup roles command manages those permissions for you in AWS (GCP and Azure support will follow in future releases).

Upgrading to v0.7.2#

Important steps you must take when upgrading to v0.7.2:

  • If Kore was installed into a namespace other than kore: This release contains several fixes for this case. Contact Kore Support for help with the upgrade process.

  • Organization and Shared Cloud Accounts: These now specify which Kore features you want to use them for. Organization accounts will have the Account Automation feature enabled by default.

    For all other features, you must edit each cloud account and enable the features you want to use that cloud account for. Kore Administrators can do this in the Kore Admin UI.

  • If you have an Azure Organization configured: This now has a separate subscription ID and tenant ID. If you have an Azure Organization configured, you must edit this after upgrading and specify a valid subscription ID, which is available within your tenant. Without this, attempting to use DNS Zone Management, Cost Imports or Cost Estimates with the Azure Organization will not work as expected.

  • If you have local users or static admin token authentication: Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add basicauth and/or admintoken to api.auth_plugins in your Helm values before upgrading.

  • Ensure the kubernetes authentication plugin is enabled. This is enabled by default in the helm chart, but if you are overridding the values for api.auth_plugins, append kubernetes to the list. This allows the Kore UI to successfully authenticate to the API.

Important changes in behaviour#

  • The new Role-Based Access Control (RBAC) system introduces changes in the way users access their clusters. Review the RBAC documentation and ensure your users understand the changes before deploying the release. The most important change is that users must use kore assume before performing non-read operations against their clusters using kubectl.
  • This change also removes the Cluster Users configuration from cluster plans. Access to clusters is now controlled by RBAC.
  • Basic Auth and Admin Token authentication are disabled by default. If you rely on local users or static admin token authentication in your environment, you must add basicauth and/or admintoken to api.auth_plugins in your Helm values before upgrading.
  • Namespaces now have a default deny network policy for inbound / ingress traffic. If you are running applications in Kore managed namespaces, ensure that you explictly allow the inbound network traffic required for your application to be accessed.
  • SSO Login is now the default on both CLI and UI even if you have local authentication enabled as well. To use a local user, you must now use kore login --local on the CLI or browse to https://your-kore-ui-url/login-local on the UI, otherwise SSO will always be used.

Minor changes#

  • [KO-1807] Support dns01 certificate issuer in Azure
  • [KO-1895] Kubernetes 1.18 Update
  • [KO-1915] Check API version when using the CLI
  • [KO-1956] Promote kore alpha local to kore local
  • [KO-1980] Use new resource list actions layout on all resource lists
  • [KO-1996] Stop using the admin token in Kore Portal
  • [KO-2004] Remove Local Login when not required
  • [KO-2010] Upgrade controller-runtime to 0.7
  • [KO-2028] Install Calico Network Policies by default into EKS
  • [KO-2058] Separate API endpoint and CLI command to generate robot tokens
  • [KO-2059] Support the eu-west-2 region for AWS Control Tower
  • [KO-2074] Prefix GCP resource with team name
  • [KO-2096] Do not allow clusters to be prefixed with team name
  • [KO-2098] Show the default team in 'kore profile show'
  • [KO-2099] Unmanage member account when we delete an AWS managed account
  • [KO-2109] Removal of Legacy DEX
  • [KO-2114] Increase minimum node count to two in the eks-development plan
  • [KO-2119] Allow to define complex label selectors on a Helm Application
  • [KO-2127] Use non-interactive flag in kore kubeconfig command
  • [KO-2128] Stop using the admin token for cost imports
  • [KO-2145] Consistent labeling for Kore-managed namespaces
  • [KO-2148] Assume an IAM role or use an IAM service account role for cloudinfo
  • [KO-2147] Added Fish auto-completion to Kore CLI
  • [KO-2150] Promote 'kore alpha patch' command to 'kore patch'
  • [KO-2154] Make kore namespace commands consistent
  • [KO-2159] Clarify instructions on the UI when registering a root domain
  • [KO-2169] Remove creation of container build secrets from the UI
  • [KO-2171] Always install certificate issuers, make email optional, fix issuer names
  • [KO-2175] Rework auto-refreshing resources in the UI
  • [KO-2211] Fix OpenSSL CVE 3.13.2
  • [KO-2220] Support assuming an IAM role in AWS for cloudinfo

Bug fixes#

  • [KO-976] Prefix AWS resources with team name
  • [KO-1000] UI is bombarding API with queries when trying to refresh the status but the resource was deleted
  • [KO-1869] Deleting a cloud account (UI or CLI) does not delete its allocations
  • [KO-1876] Handle a cloud being disabled in the Cloud Metadata Service correctly
  • [KO-1932] Ensure the UI / API will not allow deletion of any implicit cloudcredentials
  • [KO-1978] Cloud identity support for costs requires CostManager role but no way to set this for AWS
  • [KO-1983] Unable to delete a namespace with the same name as any team
  • [KO-2009] Kore UI should redirect from cluster page once cluster delete completes
  • [KO-2012] Duplicate CloudAccount and AWSAccounts generated
  • [KO-2019] Scheduling Anti-Affinity
  • [KO-2023] AWS Org setup says to use 'create audit user' script instead of kore setup cloudidentity
  • [KO-2024] Cloud account automation naming clash across providers
  • [KO-2026] Unable to choose eu-west-2 as a Control Tower region
  • [KO-2036] CloudIdentity auto-configured on AWS even when role not configured
  • [KO-2037] First-time startup of Kore on AWS fails due to kore-admin namespace not existing
  • [KO-2039] Do not set an invalid owner reference on services created by the object controller
  • [KO-2049] Cert-man / External DNS Azure workload identity name validation fails with multiple clusters in a team
  • [KO-2050] Azure estimated costs / cloud metadata does not work with Azure org account
  • [KO-2057] kore assume returns before policy is applied
  • [KO-2062] Kore login with a local user was showing the current user's username in the prompt
  • [KO-2064] CloudAccount api should validate any roles set
  • [KO-2067] Getting "Object 'Kind' is missing" error when applying a Secret object from file
  • [KO-2076] AWS service catalog unable to create multiple AWS accounts at the same time
  • [KO-2101] Remove the eks.privileged cluster role binding in EKS cluster
  • [KO-2105] Fix XSS vulnerability on the UI
  • [KO-2107] Secure session cookies, regenerate session after authentication
  • [KO-2113] Unable to create policy assume constrained to days of week
  • [KO-2149] When you create a new team, the team selector is loading forever on the page
  • [KO-2151] Font sizes for costs are inconsistent with the rest of the UI
  • [KO-2153] Kore CLI Select & Prompt UI Issue on Windows
  • [KO-2161] Costs UI does not work with kore installed in custom namespace
  • [KO-2173] AWS account creation or update has a stackset status of OUTDATED
  • [KO-2195] Cloud credential deletion will delete ANY referenced secret, not just kore-created ones
  • [KO-2197] Error: GCP account has no associated GCP IAM service account email
  • [KO-2215] Help text for kore completion on ZSH incorrect
  • [KO-2256] Allocations should not be looked up by an expected name
  • [KO-2380] Fix the namespace.admin role in 0.7 release
  • [KO-2384] EKS PSP ClusterRoleBinding

Release v0.6.2#


Minor bugfix release:

  • [KO-2012] - In certain scenarios duplicate CloudAccount objects could be generated when deleting and re-creating clusters on V0.6.0.
  • [KO-2024] - Refinement of cloud account automation logic to prevent issues using multiple cloud provider account automation accounts within a single team.

Release v0.6.0#


This release of Kore delivers the following major features:

  • Enable Kore Management Cluster Cloud Identity on AWS
    • This allows Kore to operate against AWS without any credentials being supplied.
    • Supporting kore setup cloudidentity command to help set this up for your organization.
  • Secrets encryption using AWS KMS
    • Supported when running with Kore with Cloud Identity on AWS
    • Allows the secrets used directly by Kore to be encrypted using an AWS KMS key, ensuring that, even with access to the underlying cluster hosting Kore, these secrets cannot be retrieved.

Minor improvements:

  • Admin visibility of managed cloud accounts
    • Kore administrators can now see managed accounts that have been created for their teams.
    • Supported in the UI (Admin > Configure > Cloud > Provider > Managed Accounts/Projects/Subscriptions) and CLI kore get cloudaccounts --all-managed
  • Removal of managed cloud accounts
  • Metric server now deployed on EKS clusters - feature-parity with GCP and Azure
  • Remove legacy CRDs and controllers for EKS, GKE and AKS credentials, account and project management which were deprecated in v0.5.0.
  • Security improvements for Kore:
    • Run Kore without full root access
    • Add Kubernetes-level authentication plugin, allowing components of Kore to authenticate securely to each other
  • AWS VPC peering improvements:
    • Tigher security groups
    • Minor fixes
  • UI upgrades:
    • Improved caching of API definitions
    • Updated frameworks to latest versions (antd, Next.JS, Node)
  • Crossplane updates:
    • Enabled by default on EKS
    • Example service updates - RDS and S3

Bug fixes:

  • [KO-1031] - Not valid status for helm chart Services when failing
  • [KO-1165] - Cluster security scans not archived on cluster deletion
  • [KO-1223] - Add Certificate Authority to Kubeconfig
  • [KO-1822] - EKS Logging trying to update when not required
  • [KO-1854] - Helm Operator Security Context
  • [KO-1889] - Consolidating the Authentication package
  • [KO-1898] - Make sure an IAM service linked role is created for RDS when using Crossplane
  • [KO-1907] - Do not delete Crossplane if there are resources left
  • [KO-1908] - AWS Cloud account in unrecoverable failed status when an AWS service catalogue product already exists
  • [KO-1944] - Automated cloud accounts/claims not reconciling after failure in underlying provider account
  • [KO-1952] - Creating clusters with different providers in the same team results in cloud account naming clash
  • [KO-1962] - Failed to update cluster in UI settings page
  • [KO-1963] - Invite links not working
  • [KO-1976] - UI posting incorrect private CIDR range when creating EKS cluster
  • [KO-1979] - Non-admin cannot create team cluster when assignable networks are used
  • [KO-1989] - Ensure unique certificate generated for clusters on build

Upgrading to v0.6.0#

Ensure you have upgraded to v0.5.0 and migrated all cloud accounts before installing v0.6.0 (see upgrading from v0.4.0 to v0.5.0). No special steps are required to upgrade from v0.5.0 to v0.6.0.

Last updated on Jun 24, 2021