chore(deps): update helm release rancher to v2.11.1 #73
+1
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rancher-2.x
branch
from
ae35b49 to
3dd89bf
Compare
renovate
bot
force-pushed
the
renovate/rancher-2.x
branch
from
3dd89bf to
bf428bc
Compare
renovate
bot
changed the title
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rancher-2.x
branch
from
bf428bc to
3a2a673
Compare
renovate
bot
force-pushed
the
renovate/rancher-2.x
branch
from
3a2a673 to
669c3b1
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/rancher-2.x
branch
from
669c3b1 to
d2e6fc0
Compare
renovate
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
2.9.2->2.11.1Release Notes
rancher/rancher (rancher)
v2.11.1Compare Source
Release v2.11.1
Rancher v2.11.1 is the latest patch release of Rancher. This is a Community and Prime version release that introduces maintenance updates and bug fixes. To learn more about Rancher Prime, see our page on the Rancher Prime Platform.
For more information on new features in the general minor release see the v2.11.0 release notes.
Changes Since v2.11.0
See the full list of changes.
Security Fixes for Rancher Vulnerabilities
This release addresses the following Rancher security issues:
insecureSkipHostKeyChecksvalue for thefleetHelm chart. The default value is set totrue(opt-in) for Rancher v2.9 - v2.11 for backward compatibility. The default value will be set tofalse(opt-out) for Rancher v2.12 and later, and Fleet v0.13 and later.insecureSkipHostKeyChecksis set totrue, then not finding any matchingknown_hostsentry for an SSH host will not lead to any error.insecureSkipHostKeyChecksis set tofalse, then strict host key checks are enabled. When enabled, the checks ensure that when using SSH, Fleet rejects connection attempts to hosts not matching any entry found in (decreasing order of precedence):GitRepowhich is located in the sameGitRepo'snamespace.gitcredentialsecret located in the same namespace.known-hostsConfigMap, created during the Fleet chart installation time and located in the namespacecattle-fleet-system.For more information, see CVE-2025-23390.
BackingNampespace, which represents the namespace created for a project containing all resources needed for project operations. This includes resources such as ProjectRoleTemplateBindings, project-scoped secrets and workloads.<clusterID>-<project.Name>. For example, if your project is namedproject-abc123in a cluster with IDcluster-xyz789, then the project will have theBackingNampespace:cluster-xyz789-project-abc123. Existing projects will not be migrated and only newly created projects will have the new namespace naming convention.For more information, see CVE-2025-22031.
ui-offline-preferredis set toremote. This release introduces a patch, and the malicious user can no longer serve their own UI. If users can't upgrade, please make sure that only trustable users have access to create a service in the local cluster. For more information, see CVE-2025-32198.For more details, see the Security Advisories and CVEs page in Rancher's documentation or in Rancher's GitHub repo.
Announcements
Rancher Kubernetes API
Rancher v2.8.0 introduced the Rancher Kubernetes API (RK-API). Our new RK-API
lets you manage Rancher in the same way you manage Kubernetes. You can
now use the RK-API to interact with Rancher CRDs via
Kubernetes tooling. This includes convenient documentation via the
kubectl explaincommand. A limited set of our most widely-used CRDs arealready supported, and our team is working to add more features on a
continuous basis. For more information on RK-API, see the RK-API quick start and reference guide.
Note that while the previous v3 Rancher API is still available:
Support for UI plugins for cluster and node drivers based on the legacy Ember
UI has been deprecated and will be removed in a future release. These UI plugins should be migrated to the new UI Extensions mechanism. Follow this link for more UI Extensions information.
Frameworks
Major Bug Fixes
Observability and Backup
Major Bug Fixes
prometheus-federatorchart. These values are important during pod startup and default values are provided. In case of a timeout error occurring during pod initialization you may need to adjust the values under namespaceRegistration as documented in the chart itself. See #48175.Install/Upgrade Notes
Upgrade Requirements
NO_PROXY. See the documentation and issue #2725.registries.yamlfile to thedocker runcommand, as shown in the K3s documentation. If the registry has certificates, then you'll also need to supply those. See #28969.privilegedflag. See documentation.Versions
Please refer to the README for the latest and stable Rancher versions.
Please review our version documentation for more details on versioning and tagging conventions.
Images
Tools
Kubernetes Versions for RKE
Kubernetes Versions for RKE2/K3s
Rancher Helm Chart Versions
In Rancher v2.6.0 and later, in the Apps & Marketplace UI, many Rancher Helm charts are named with a major version that starts with 100. This avoids simultaneous upstream changes and Rancher changes from causing conflicting version increments. This also complies with semantic versioning (SemVer), which is a requirement for Helm. You can see the upstream version number of a chart in the build metadata, for example:
100.0.0+up2.1.0. See #32294.Other Notes
Experimental Features
Rancher now supports the ability to use an OCI Helm chart registry for Apps & Marketplace. View documentation on using OCI based Helm chart repositories and note this feature is in an experimental stage. See #29105 and #45062
Deprecated Upstream Projects
In June 2023, Microsoft deprecated the Azure AD Graph API that Rancher had been using for authentication via Azure AD. When updating Rancher, update the configuration to make sure that users can still use Rancher with Azure AD. See the documentation and issue #29306 for details.
Removed Legacy Features
Apps functionality in the cluster manager has been deprecated as of the Rancher v2.7 line. This functionality has been replaced by the Apps & Marketplace section of the Rancher UI.
Also,
rancher-external-dnsandrancher-global-dnshave been deprecated as of the Rancher v2.7 line.The following legacy features have been removed as of Rancher v2.7.0. The deprecation and removal of these features was announced in previous releases. See #6864.
UI and Backend
UI
Previous Rancher Behavior Changes
Previous Rancher Behavior Changes - Rancher General
Previous Rancher Behavior Changes - Rancher App (Global UI)
Previous Rancher Behavior Changes - Cluster Provisioning
cluster.management.cattle.io) for both the initial creation and the updates (POST and PUT API calls respectively). See #13151.Previous Rancher Behavior Changes - RKE2/K3s Provisioning
etcdsnapshotfile.k3s.cattle.ioresources in the downstream cluster instead of periodically scraping the CLI andrke2/k3s-etcd-snapshotsconfigmap. See #44452.Previous Rancher Behavior Changes - Rancher CLI
globaldnswas removed from the Rancher CLI. See #48129.Previous Rancher Behavior Changes - Role-Based Access Control (RBAC)
Restricted Adminrole has been removed. Existing users with theRestricted Adminrole will have privileges associated with this role revoked upon upgrade. See #47875.Previous Rancher Behavior Changes - Continuous Delivery (Fleet)
Fleet now honors custom certificate authority (CA) bundles configured in Rancher.
This prevents you from needing to copy your CA bundles to all
GitReposand/or Helm secrets referenced by thoseGitRepos. Instead, you can configure those bundles directly through a single secret already known by Rancher, which Fleet will transparently use as a fallback option.See the Fleet documentation and fleet#2750.
Since the move from StatefulSet to a Deployment and the introduction of leader election for the agents, agent failover has improved. When failover has been tested by shutting down a node with a fleet agent, we observed the pods from that node to stay in the
terminatingstate. We want to make sure that it is clear to our users, that this is not a problem of Fleet, nor is it Fleet related. This is how Kubernetes behaves when the node becomes unreachable. Failover works correctly, even if those pods are kept in theterminatingstate. See fleet#3096 and kubernetes/kubernetes#72226.Previous Rancher Behavior Changes - Apps & Marketplace
Rancher v2.11.0:
The Catalog v1, Multi-Cluster App (MCA) legacy feature has been removed. If upgrading from a previous Rancher version to v2.11 then the MCA associated CRD's and their instances will still exist in the cluster and can be manually deleted by using the following command:
See #39525.
Previous Rancher Behavior Changes - Monitoring
rancher-alerting-driversapp now usesrancher/kuberlr-kubectl, improving how alerts are sent and received. See #48849.Long-standing Known Issues
Long-standing Known Issues - Cluster Provisioning
Not all cluster tools can be installed on a hardened cluster.
Rancher v2.8.1:
[ERROR] 000 received while downloading Rancher connection information. Sleeping for 5 seconds and trying again. As a workaround, you can unpause the cluster by runningkubectl edit clusters.cluster clustername -n fleet-defaultand setspec.unpausedtofalse. See #43735.Rancher v2.7.2:
Long-standing Known Issues - RKE Provisioning
Long-standing Known Issues - RKE2 Provisioning
provisioning.cattle.io/allow-dynamic-schema-dropannotation through the cluster config UI, the annotation disappears before adding the value field. When viewing the YAML, the respective value field is not updated and is displayed as an empty string. As a workaround, when creating the cluster, set the annotation by using the Edit Yaml option located in the dropdown ⋮ attached to your respective cluster in the Cluster Management view. See #13655.Activestatus after a migration. If you see that a downstream cluster is still updating or in an error state immediately after a migration, please let it attempt to resolve itself. This might take up to an hour to complete. See #34518 and #42834.spec.rkeConfig.machineGlobalConfig.profileis set tonull, which is an invalid configuration. See #8480.Long-standing Known Issues - K3s Provisioning
Updatingstate even when they contain nodes in anErrorstate. See #39164.Long-standing Known Issues - Rancher App (Global UI)
_in theCluster Namefield. See #9416.Long-standing Known Issues - Hosted Rancher
Long-standing Known Issues - EKS
Long-standing Known Issues - Authentication
[projectroletemplatebindings.management.cattle.io](http://projectroletemplatebindings.management.cattle.io/) is forbidden: User "u-gcxatwsnku" cannot create resource "projectroletemplatebindings" in API group "[management.cattle.io](http://management.cattle.io/)" in the namespace "p-9t5pg". However, the project is still created. See #46106.Long-standing Known Issues - Rancher Webhook
Long-standing Known Issues - Harvester
Long-standing Known Issues - Backup/Restore
When migrating to a cluster with the Rancher Backup feature, the server-url cannot be changed to a different location. It must continue to use the same URL.
Rancher v2.7.7:
Activestatus after a migration. If you see that a downstream cluster is still updating or in an error state immediately after a migration, please let it attempt to resolve itself. This might take up to an hour to complete. See #34518 and #42834.v2.10.3Compare Source
Release v2.10.3
Rancher v2.10.3 is the latest patch release of Rancher. This is a Community and Prime version release that introduces maintenance updates and bug fixes.
For more information on new features in the general minor release see the v2.10.0 release notes.
Security Fixes for Rancher Vulnerabilities
This release addresses the following Rancher security issues:
GETmethod for the public/v3-public/authProvidersendpoint. For more information, see CVE-2025-23388 and #48608.GETandDELETEmethods for the public/v3-public/authTokensendpoint. For more information, see CVE-2025-23387 and #48616.For more details, see the Security Advisories and CVEs page in Rancher's documentation or in Rancher's GitHub repository.
Rancher App (Global UI)
Known Issues
Changes Since v2.10.2
See the full list of issues addressed.
Install/Upgrade Notes
Upgrade Requirements
NO_PROXY. See the documentation and issue #2725.registries.yamlfile to thedocker runcommand, as shown in the K3s documentation. If the registry has certificates, then you'll also need to supply those. See #28969.privilegedflag. See documentation.Versions
Please refer to the README for the latest and stable Rancher versions.
Please review our version documentation for more details on versioning and tagging conventions.
Important: With the release of Rancher Kubernetes Engine (RKE) v1.6.0, we are informing customers that RKE is now deprecated. RKE will be maintained for two more versions, following our deprecation policy.
Please note, EOL for RKE is July 31st, 2025. Prime customers must replatform from RKE to RKE2 or K3s.
RKE2 and K3s provide stronger security, and move away from upstream-deprecated Docker machine. Learn more about replatforming here.
Images
Tools
Kubernetes Versions for RKE
Kubernetes Versions for RKE2/K3s
Rancher Helm Chart Versions
In Rancher v2.6.0 and later, in the Apps & Marketplace UI, many Rancher Helm charts are named with a major version that starts with 100. This avoids simultaneous upstream changes and Rancher changes from causing conflicting version increments. This also complies with semantic versioning (SemVer), which is a requirement for Helm. You can see the upstream version number of a chart in the build metadata, for example:
100.0.0+up2.1.0. See #32294.Other Notes
Experimental Features
Rancher now supports the ability to use an OCI Helm chart registry for Apps & Marketplace. View documentation on using OCI based Helm chart repositories and note this feature is in an experimental stage. See #29105 and #45062
Deprecated Upstream Projects
In June 2023, Microsoft deprecated the Azure AD Graph API that Rancher had been using for authentication via Azure AD. When updating Rancher, update the configuration to make sure that users can still use Rancher with Azure AD. See the documentation and issue #29306 for details.
Removed Legacy Features
Apps functionality in the cluster manager has been deprecated as of the Rancher v2.7 line. This functionality has been replaced by the Apps & Marketplace section of the Rancher UI.
Also,
rancher-external-dnsandrancher-global-dnshave been deprecated as of the Rancher v2.7 line.The following legacy features have been removed as of Rancher v2.7.0. The deprecation and removal of these features was announced in previous releases. See #6864.
UI and Backend
UI
Previous Rancher Behavior Changes
Previous Rancher Behavior Changes - Rancher General
field.cattle.io/creator-principal-namewas introduced in addition to the existingfield.cattle.io/creatorIdthat allows specifying the creator's principal name when creating a cluster or a project. If this annotation is used, theuserPrincipalNamefield of the correspondingClusterRoleTemplateBindingorProjectRoleTemplateBindingwill be set to the specified principal. The principal should belong to the creator's user, which is enforced by the webhook. See #46828.lastUsedAtfield. If the Authorized Cluster Endpoint is enabled and used on a downstream cluster Rancher captures the last used time in theClusterAuthTokenobject and makes the best effort to sync it back to the corresponding Token in the upstream. See #45732.Previous Rancher Behavior Changes - Rancher CLI
globaldnswas removed from the Rancher CLI. See #48127.Previous Rancher Behavior Changes - Rancher App (Global UI)
This release includes a major upgrade to the Dashboard (Cluster Explorer) Vue framework from Vue 2 to Vue 3. Please view our documentation on updating existing UI extensions to be compliant with the Rancher v2.10 UI framework in the v2.10.0 UI extension changelog. If experiencing a page that fails to load please file an issue via the Dashboard repository and choose the "Bug report" option for us to further investigate. See #7653.
The performance of the Clusters lists in the Home page and the Side Menu has greatly improved when there are hundreds of clusters. See #11995 and #11993.
The previous Dashboard Ember UI (Cluster Manager) will no longer be directly accessible. The relative pages that rely on the previous UI will continue to be embedded in the new Vue UI (Cluster Explorer). See #11371.
Updated the data directory configuration by replacing the checkbox option with 3 user input options below:
Use default data directory configurationUse a common base directory for data directory configuration (sub-directories will be used for the system-agent, provisioning and distro paths)- This option displays a text input where users can enter a base directory for all 3 subdirectories which Rancher programmatically appends to the correct subdirectories.Use custom data directories- This option displays 3 text inputs, one for each subdirectory type where users can input each path individually.See #11560.
Previous Rancher Behavior Changes - RKE Provisioning
With the release of Rancher Kubernetes Engine (RKE) v1.6.0, we are informing customers that RKE is now deprecated. RKE will be maintained for two more versions, following our deprecation policy.
Please note, End-of-Life (EOL) for RKE is July 31st, 2025. Prime customers must replatform from RKE to RKE2 or K3s.
RKE2 and K3s provide stronger security, and move away from upstream-deprecated Docker machine. Learn more about replatforming here.
Previous Rancher Behavior Changes - Virtualization (Harvester)
Previous Rancher Behavior Changes - Windows
Rancher v2.10.0 includes changes to how Windows nodes behave post node reboot, as well as provides two new settings to control how Windows services created by Rancher behave on startup.
Two new agent environment variables have been added for Windows nodes,
CATTLE_ENABLE_WINS_SERVICE_DEPENDENCYandCATTLE_ENABLE_WINS_DELAYED_START. These changes can be configured in the Rancher UI, and will be respected by all nodes runningrancher-winsversionv0.4.20or greater.CATTLE_ENABLE_WINS_SERVICE_DEPENDENCYdefines a service dependency between RKE2 andrancher-wins, ensuring RKE2 will not start beforerancher-wins.CATTLE_ENABLE_WINS_DELAYED_STARTchanges the start type ofrancher-winstoAUTOMATIC (DELAYED), ensuring it starts after other Windows services.Additionally, Windows nodes will now attempt to execute plans multiple times if the initial application fails, up to 5 times. This change, as well as appropriate use of the above two agent environment variables, aims to address plan failures for Windows nodes after a node reboot.
See #42458.
A change was made starting with RKE2 versions
v1.28.15,v1.29.10,v1.30.6andv1.31.2on Windows which allows the user to configure*_PROXYenvironment variables on therke2service after the node has already been provisioned.Previously any attempt to do so would be a no-op. With this change, If the
*_PROXYenvironment variables are set on the cluster after a Windows node is provisioned, they can be automatically removed from therke2service. However, if the variables are set before the node is provisioned, they cannot be removed.More information can be found here. A workaround is to remove the environment variables from the
rancher-winsservice and restart the service or node. At which point*_PROXYenvironment variables will no longer be set on either service.See #47544.
Long-standing Known Issues
Long-standing Known Issues - Cluster Provisioning
Not all cluster tools can be installed on a hardened cluster.
Rancher v2.8.1:
[ERROR] 000 received while downloading Rancher connection information. Sleeping for 5 seconds and trying again. As a workaround, you can unpause the cluster by runningkubectl edit clusters.cluster clustername -n fleet-defaultand setspec.unpausedtofalse. See #43735.Rancher v2.7.2:
Long-standing Known Issues - RKE Provisioning
Long-standing Known Issues - RKE2 Provisioning
provisioning.cattle.io/allow-dynamic-schema-dropannotation through the cluster config UI, the annotation disappears before adding the value field. When viewing the YAML, the respective value field is not updated and is displayed as an empty string. As a workaround, when creating the cluster, set the annotation by using the Edit Yaml option located in the dropdown ⋮ attached to your respective cluster in the Cluster Management view. See #11435.Activestatus after a migration. If you see that a downstream cluster is still updating or in an error state immediately after a migration, please let it attempt to resolve itself. This might take up to an hour to complete. See #34518 and #42834.spec.rkeConfig.machineGlobalConfig.profileis set tonull, which is an invalid configuration. See #8480.Long-standing Known Issues - K3s Provisioning
Updatingstate even when they contain nodes in anErrorstate. See #39164.Long-standing Known Issues - Rancher CLI
Long-standing Known Issues - Rancher App (Global UI)
_in theCluster Namefield. See #9416.Long-standing Known Issues - Hosted Rancher
Long-standing Known Issues - EKS
Long-standing Known Issues - Authentication
[projectroletemplatebindings.management.cattle.io](http://projectroletemplatebindings.management.cattle.io/) is forbidden: User "u-gcxatwsnku" cannot create resource "projectroletemplatebindings" in API group "[management.cattle.io](http://management.cattle.io/)" in the namespace "p-9t5pg". However, the project is still created. See #46106.Long-standing Known Issues - Rancher Webhook
Long-standing Known Issues - Harvester
Long-standing Known Issues - Backup/Restore
When migrating to a cluster with the Rancher Backup feature, the server-url cannot be changed to a different location. It must continue to use the same URL.
Rancher v2.7.7:
Activestatus after a migration. If you see that a downstream cluster is still updating or in an error state immediately after a migration, please let it attempt to resolve itself. This might take up to an hour to complete. See #34518 and #42834.Long-standing Known Issues - Continuous Delivery (Fleet)
v2.10.2Compare Source
Release v2.10.2
Rancher v2.10.2 is the latest patch release of Rancher. This is a Community and Prime version release that introduces maintenance updates and bug fixes.
For more information on new features in the general minor release see the v2.10.0 release notes.
Cluster Provisioning
Major Bug Fixes
cattle-impersonation-systemnamespace. See [#48313](https://redirect.github.com/rancherConfiguration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.