Release Notes and Announcements

Release Notes

Announcements

Release Notes

Product Introduction

Overview

Strengths

Architecture

Scenarios

Features

Concepts

Native Kubernetes Terms

Common High-Risk Operations

Regions and Availability Zones

Service Regions and Service Providers

Open Source Components

Purchase Guide

Purchase Instructions

Purchase a TKE General Cluster

Purchasing Native Nodes

Purchasing a Super Node

Getting Started

Beginner’s Guide

Quickly Creating a Standard Cluster

Examples

Container Application Deployment Check List

Cluster Configuration

General Cluster Overview

Cluster Management

Network Management

Storage Management

Node Management

GPU Resource Management

Remote Terminals

Application Configuration

Workload Management

Service and Configuration Management

Component and Application Management

Auto Scaling

Container Login Methods

Observability Configuration

Ops Observability

Cost Insights and Optimization

Scheduler Configuration

Scheduling Component Overview

Resource Utilization Optimization Scheduling

Business Priority Assurance Scheduling

QoS Awareness Scheduling

Security and Stability

TKE Security Group Settings

Identity Authentication and Authorization

Application Security

Multi-cluster Management

Planned Upgrade

Backup Center

Cloud Native Service Guide

Cloud Service for etcd

TMP

TKE Serverless Cluster Guide

TKE Registered Cluster Guide

Use Cases

Cluster

Serverless Cluster

Scheduling

Security

Service Deployment

Network

Release

Logs

Monitoring

OPS

Terraform

DevOps

Auto Scaling

Containerization

Microservice

Cost Management

Hybrid Cloud

Troubleshooting

Disk Full

High Workload

Memory Fragmentation

Cluster DNS Troubleshooting

Cluster kube-proxy Troubleshooting

Cluster API Server Inaccessibility Troubleshooting

Service and Ingress Inaccessibility Troubleshooting

Common Service & Ingress Errors and Solutions

Engel Ingres appears in Connechtin Reverside

CLB Ingress Creation Error

Troubleshooting for Pod Network Inaccessibility

Pod Status Exception and Handling

Authorizing Tencent Cloud OPS Team for Troubleshooting

CLB Loopback

API Documentation

History

Introduction

API Category

Making API Requests

Elastic Cluster APIs

Resource Reserved Coupon APIs

Cluster APIs

Third-party Node APIs

Relevant APIs for Addon

Network APIs

Node APIs

Node Pool APIs

TKE Edge Cluster APIs

Cloud Native Monitoring APIs

Scaling group APIs

Super Node APIs

Other APIs

Data Types

Error Codes

TKE API 2022-05-01

FAQs

TKE General Cluster

TKE Serverless Cluster

About OPS

Hidden Danger Handling

About Services

Image Repositories

About Remote Terminals

Event FAQs

Resource Management

Service Agreement

TKE Service Level Agreement

TKE Serverless Service Level Agreement

Glossary

Description of Node Changes Related to the Cluster Version

PDF

Modo Foco

Tamanho da Fonte

Última atualização: 2025-12-23 17:46:22

Tencent Kubernetes Engine (TKE) Kubernetes 1.34 Node Initialization Changes
 Cluster Registration Method for the Kubelet of Worker Nodes
Original behavior: During node initialization, the control plane issues a kubeconfig certificate that is valid for a long time to the kubelet. Its validity period is initially 20 years (updated to 30 years later).
New behavior: During node initialization, the control plane issues a bootstrap token (valid for 24 hours) to the kubelet. Upon startup, the kubelet needs to use the bootstrap token to request a certificate from the apiserver for official use.
Certificate storage path: /var/lib/kubelet/pki/.
Resource Access Permissions Granted by the kubeconfig Used by Root Users
Original behavior: During node initialization, the control plane issues the /root/.kube/config file to the root user based on the TKE_ADMIN_KUBECONFIG allowlist. Since the issued configuration grants admin permissions, it allows access to all cluster resources, posing security risks.
Allowlisted: Issue a kubeconfig file with admin permissions that is valid for a long time.
Non-allowlisted: Issue a kubeconfig file with admin permissions that is valid for 12 hours.
New behavior (suitable for TKE 1.34 or later versions): The TKE_ADMIN_KUBECONFIG allowlist mechanism  has been invalid. The control plane no longer issues a kubeconfig file with a fixed certificate. Instead, it creates a symbolic link in /root/.kube/config for the root user, which points to the kubeconfig file currently used by the kubelet. The permissions of the link match those of the kubelet, allowing operations only on resources of the current node.
﻿

Ajuda e Suporte

Esta página foi útil?

Você também pode entrar em contato com a Equipe de vendas ou Enviar um tíquete em caso de ajuda.

comentários

tencent cloud

Tencent Kubernetes Engine

Description of Node Changes Related to the Cluster Version

Tencent Kubernetes Engine (TKE) Kubernetes 1.34 Node Initialization Changes

Cluster Registration Method for the Kubelet of Worker Nodes

Resource Access Permissions Granted by the kubeconfig Used by Root Users

Ajuda e Suporte