v2.8.0 Breaking Changes
ManagedCluster property .spec.properties.windowsProfile.adminPassword is now a SecretReference rather than a string
The spec.properties.windowsProfile.adminPassword on ManagedCluster has been changed from a string to a SecretReference.
We try to avoid breaking changes, but allowing raw passwords in the spec is a security problem, so we have decided to make a breaking change to correct it.
Action required: If the containerservice.azure.com/ManagedCluster resource is used in your cluster and the spec.properties.windowsProfile.adminPassword property is set, do the following before upgrading ASO:
1. Annotate the resource with serviceoperator.azure.com/reconcile-policy: skip to prevent ASO from trying to reconcile the resource while you are upgrading.
2. Save the current YAML for the resource using kubectl if you don’t have it elsewhere.
3. Create a Kubernetes secret containing the value from spec.properties.windowsProfile.adminPassword.
4. Edit the resource YAML in step 2, and add a secret key and name reference. Example here.
5. Delete the resource from your cluster using kubectl delete. Your Azure resource will be left untouched because of the reconcile-policy annotation you added above.
6. Upgrade ASO in your cluster.
7. Apply the updated YAML to your cluster using kubectl apply. If any errors occur, address them.
8. If the reconcile-policy annotation is still present, remove it from the resource.
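
The Secret creation and manifest edit described above can be scripted. This is an added example, not code from the ASO project: it assumes the resource was saved as JSON (`kubectl get ... -o json`), the function name, secret name and sample manifest are constructed, and it looks for windowsProfile both under spec.properties and directly under spec as an assumption about how the saved manifest is nested. It also drops the kubectl last-applied-configuration annotation, which would otherwise carry the raw password back into the cluster.

```python
import copy
import json

# Server-populated metadata that must not be re-applied.
SERVER_FIELDS = ("resourceVersion", "uid", "creationTimestamp", "generation", "managedFields")
# kubectl apply stores the previous manifest, raw password included, here.
LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def migrate(resource, secret_name, secret_key="adminPassword"):
    """Return (secret_manifest, updated_resource); secret is None if nothing to move."""
    updated = copy.deepcopy(resource)
    updated.pop("status", None)
    meta = updated["metadata"]
    for field in SERVER_FIELDS:
        meta.pop(field, None)
    meta.get("annotations", {}).pop(LAST_APPLIED, None)
    spec = updated.get("spec", {})
    # The page names spec.properties.windowsProfile; also check directly under
    # spec in case the saved manifest nests it there (assumption).
    profile = (spec.get("properties", {}).get("windowsProfile")
               or spec.get("windowsProfile") or {})
    password = profile.get("adminPassword")
    if not isinstance(password, str):
        return None, updated  # unset, or already a SecretReference
    profile["adminPassword"] = {"name": secret_name, "key": secret_key}
    secret = {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        # Created in the same namespace as the ManagedCluster resource.
        "metadata": {"name": secret_name, "namespace": meta.get("namespace", "default")},
        "stringData": {secret_key: password},
    }
    return secret, updated

# Constructed sample of a saved ManagedCluster; all values are placeholders.
SAMPLE = {
    "apiVersion": "containerservice.azure.com/v1api20230201",
    "kind": "ManagedCluster",
    "metadata": {
        "name": "sample-cluster", "namespace": "default", "uid": "constructed-uid",
        "resourceVersion": "1234",
        "annotations": {"serviceoperator.azure.com/reconcile-policy": "skip",
                        LAST_APPLIED: "{...previous manifest...}"},
    },
    "spec": {"windowsProfile": {"adminUsername": "azureuser",
                                "adminPassword": "constructed-placeholder"}},
    "status": {"provisioningState": "Succeeded"},
}

if __name__ == "__main__":
    secret, cluster = migrate(SAMPLE, "sample-cluster-windows-admin")
    print(json.dumps(secret, indent=2))
    print(json.dumps(cluster, indent=2))
```

The reconcile-policy annotation is deliberately kept in the output so the resource is still skipped until you remove it in the final step.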
Use "never" rather than "" to prevent syncing for AZURE_SYNC_PERIOD
The documentation always said that an AZURE_SYNC_PERIOD of "" meant to use the default value (15m), but in the code "" actually meant never sync. This release corrects the behavior to match the documentation. After this release, the behavior is as follows:
| AZURE_SYNC_PERIOD | Meaning |
|---|---|
| omitted/not set | Use default value (15m) |
| "" | Use default value (15m) |
| "never" | Do not sync |
If you intend to prevent ASO from periodically syncing with Azure, set AZURE_SYNC_PERIOD to "never".
For more information, see #3965.
Upcoming breaking changes
v20230202preview ManagedCluster will be removed, due to underlying Azure API version deprecation
Other versions will continue to be supported. We recommend you move to a different CRD version to avoid seeing errors from Azure due to the 2023-02-02-preview API being deprecated.