RKE2 - v1.27.5+rke2r1

This release updates Kubernetes to v1.27.5, and fixes a number of issues.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.27.4+rke2r1:

• Sync maintainers and PR template from K3s (#4474)
• Fix static pod UID generation and cleanup (#4508)
• Security bump to docker/distribution (#4509)
• Fix incorrect documented default value for INSTALL_RKE2_CHANNEL (#4500)
• Uninstall handle cases when directories are mounts and cannot be removed (#4470)
• Remove install_airgap_tarball grep error output (#4501)
• Update canal with resource bounds config (#4482)
• Channel server update (#4518)
• Fix default server address for rotate-ca command (#4548)
• Sync Felix and calico-node datastore (#4570)
• Update Calico and Flannel on Canal (#4535)
• Update cilium to v1.14.0 (#4585)
• Remove terraform test package (#4589)
• Bump versions for etcd, containerd, runc (#4552)
• Updated the embedded containerd to v1.7.3+k3s1
• Updated the embedded runc to v1.1.8
• Updated the embedded etcd to v3.5.9+k3s1
• Updated the rke2-snapshot-validation-webhook chart to enable VolumeSnapshotClass validation
• Update certs list for certificates test (#4597)
• Update to whereabouts v0.6.2 (#4590)
• Updated the embedded whereabouts to v0.6.2
• Fix non-working URL in issue template (#4606)
• Fix wrongly formatted files (#4605)
• Fix calico-node.log problem (#4609)
• Add support for commit installation in Windows quickstart file (#4614)
• N/A
• Use 'go list -m' instead of grep to look up versions (#4600)
• Install BGP windows packages in Windows image for tests (#4639)
• Bump k3s version to recent 1.27 (#4630)
• Bump K3s version for v1.27 (#4646)
• The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
• Bumped dynamiclistener to address an issue that could cause the supervisor listener on 9345 to stop serving requests on etcd-only nodes.
• The RKE2 supervisor listener on 9345 now sends a complete certificate chain in the TLS handshake.
• Clean-up env variables and check OS env variables for felix and calico in Windows (#4640)
• Upgrade multus chart to v4.0.2-build2023081100 (#4661)
• Bug fix: Add VXLAN_VNI env var to Calico-node exec (#4670)
• Update to v1.27.5 (#4683)
• Bump K3s version for v1.27 (#4701)
• Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
• Add additional static pod cleanup during cluster reset (#4724)

Packaged Component Versions

| Component | Version |
| --------------- | ------------------------------------------------------------------------------------------------- |
| Kubernetes | v1.27.5 |
| Etcd | v3.5.9-k3s1 |
| Containerd | v1.7.3-k3s1 |
| Runc | v1.1.8 |
| Metrics-server | v0.6.3 |
| CoreDNS | v1.10.1 |
| Ingress-Nginx | 4.6.1 |
| Helm-controller | v0.15.4 |

Available CNIs

| Component | Version | FIPS Compliant |
| --------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------- |
| Canal (Default) | Flannel v0.22.1
Calico v3.26.1 | Yes |
| Calico | v3.26.1 | No |
| Cilium | v1.14.0 | No |
| Multus | v4.0.2 | No |

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.