canonical · HomayoonAlimohammadi · Dec 18, 2025 · Sep 5, 2025 · Sep 9, 2025 · Sep 12, 2025
diff --git a/.github/workflows/build-snap.yml b/.github/workflows/build-snap.yml
@@ -1,9 +1,7 @@
 name: Build and test MicroK8s snap
 
 on:
-  pull_request:
-    branches:
-      - master
+  - push
 
 jobs:
   build:
@@ -54,13 +52,13 @@ jobs:
         uses: ./.github/actions/test-prep
       - name: Running upgrade path test
         run: |
-          sudo -E UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py
+          sudo -E STRICT=yes UPGRADE_MICROK8S_FROM=latest/edge/strict UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade-path.py
 
   test-addons-core:
     name: Test core addons
     runs-on: ubuntu-latest
     needs: build
-    timeout-minutes: 30
+    timeout-minutes: 60
     env:
       # Avoid truncated "ps" output
       COLUMNS: 2048
@@ -69,18 +67,20 @@ jobs:
         uses: actions/checkout@v4
       - name: Prepare test prerequisites
         uses: ./.github/actions/test-prep
-      - name: Running addons tests
+      - name: Running addons tests in strict mode
         env:
           UNDER_TIME_PRESSURE: ${{ !contains(github.event.pull_request.labels.*.name, 'run-all-tests') }}
         run: |
           set -x
-          sudo snap install build/microk8s.snap --classic --dangerous
+          sudo snap install build/microk8s.snap --dangerous
+          sudo /snap/microk8s/current/connect-all-interfaces.sh
+          sudo microk8s status --wait-ready --timeout 300
           ./tests/smoke-test.sh
           # The GitHub runner is using the 10.1.0.0/16 CIDR, which would conflict with
           # kube-ovn's default POD_CIDR. They have to be different.
+          export STRICT="yes"
           export POD_CIDR="10.200.0.0/16"
           export POD_GATEWAY="10.200.0.1"
-          export SKIP_PROMETHEUS="False"
           export UNDER_TIME_PRESSURE=${UNDER_TIME_PRESSURE@u}
           sudo -E bash -c "cd /var/snap/microk8s/common/addons/core/tests; pytest -s -ra test-addons.py"
 
@@ -100,8 +100,11 @@ jobs:
         run: |
           set -x
           sudo snap install build/microk8s.snap --classic --dangerous
+          sudo /snap/microk8s/current/connect-all-interfaces.sh
+          sudo microk8s status --wait-ready --timeout 300
           sudo microk8s enable community
           export UNDER_TIME_PRESSURE=${UNDER_TIME_PRESSURE@u}
+          export STRICT="yes"
           sudo -E bash -c "cd /var/snap/microk8s/common/addons/community/; pytest -s -ra ./tests/"
 
   test-addons-core-upgrade:
@@ -120,7 +123,8 @@ jobs:
         run: |
           set -x
           export UNDER_TIME_PRESSURE=${UNDER_TIME_PRESSURE@u}
-          sudo -E bash -c "UPGRADE_MICROK8S_FROM=latest/edge UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py"
+          export STRICT="yes"
+          sudo -E bash -c "UPGRADE_MICROK8S_FROM=latest/edge/strict UPGRADE_MICROK8S_TO=$PWD/build/microk8s.snap pytest -s ./tests/test-upgrade.py"
 
   test-cluster-agent:
     name: Cluster agent health check
@@ -136,6 +140,7 @@ jobs:
         run: |
           set -x
           sudo snap install build/microk8s.snap --classic --dangerous
+          sudo /snap/microk8s/current/connect-all-interfaces.sh
           sudo -E bash -c "pytest -s ./tests/test-cluster-agent.py"
 
   test-airgap:

diff --git a/build-scripts/components/cni/version.sh b/build-scripts/components/cni/version.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 
 # Match https://github.com/kubernetes/kubernetes/blob/master/build/dependencies.yaml#L20
-echo "v1.7.1"
+echo "v1.8.0"
diff --git a/build-scripts/components/containerd/build.sh b/build-scripts/components/containerd/build.sh
@@ -10,7 +10,7 @@ sed -i "s,^VERSION.*$,VERSION=${VERSION}," Makefile
 sed -i "s,^REVISION.*$,REVISION=${REVISION}," Makefile
 
 export STATIC=1
-for bin in ctr containerd containerd-shim containerd-shim-runc-v1 containerd-shim-runc-v2; do
+for bin in ctr containerd containerd-shim-runc-v2; do
   make "bin/${bin}"
   cp "bin/${bin}" "${INSTALL}/${bin}"
 done
diff --git a/...d-scripts/components/containerd/patches/v2.1.3/0001-microk8s-sideload-images-plugin.patch b/...d-scripts/components/containerd/patches/v2.1.3/0001-microk8s-sideload-images-plugin.patch
@@ -0,0 +1,174 @@
+From 7f26b3e013169510867383f09358b2d91641ad9f Mon Sep 17 00:00:00 2001
+From: Angelos Kolaitis <[email protected]>
+Date: Mon, 10 Jul 2023 12:15:34 +0300
+Subject: [PATCH] microk8s sideload images plugin
+
+---
+ cmd/containerd/builtins_microk8s.go |   6 ++
+ microk8s_plugins/sideload.go        | 142 ++++++++++++++++++++++++++++
+ 2 files changed, 148 insertions(+)
+ create mode 100644 cmd/containerd/builtins_microk8s.go
+ create mode 100644 microk8s_plugins/sideload.go
+
+diff --git a/cmd/containerd/builtins_microk8s.go b/cmd/containerd/builtins_microk8s.go
+new file mode 100644
+index 000000000..c215987fa
+--- /dev/null
++++ b/cmd/containerd/builtins_microk8s.go
+@@ -0,0 +1,6 @@
++package main
++
++// register containerd microk8s plugins here
++import (
++	_ "github.com/containerd/containerd/v2/microk8s_plugins"
++)
+diff --git a/microk8s_plugins/sideload.go b/microk8s_plugins/sideload.go
+new file mode 100644
+index 000000000..a6d97c8a3
+--- /dev/null
++++ b/microk8s_plugins/sideload.go
+@@ -0,0 +1,142 @@
++package microk8s
++
++import (
++	"fmt"
++	"os"
++	"path/filepath"
++	"time"
++
++	containerd "github.com/containerd/containerd/v2/client"
++	"github.com/containerd/containerd/v2/pkg/namespaces"
++	"github.com/containerd/containerd/v2/plugins"
++	"github.com/containerd/log"
++	"github.com/containerd/platforms"
++	"github.com/containerd/plugin"
++	"github.com/containerd/plugin/registry"
++)
++
++const pluginName = "sideload-images"
++
++var logger = log.L.WithField("plugin", pluginName)
++
++type Config struct {
++	// Interval configures how frequently the plugin will look for new images found
++	// in the sources. If set to zero, images are only loaded during initial start.
++	Interval *time.Duration `toml:"interval"`
++
++	// Sources is a list of paths to look for .tar images.
++	// For example, `/var/snap/microk8s/common/etc/sideload`
++	Sources []string `toml:"sources"`
++
++	// Namespace the images will be loaded into, e.g. "k8s.io"
++	Namespace string `toml:"namespace"`
++}
++
++func (c *Config) SetDefaults() {
++	if c.Namespace == "" {
++		c.Namespace = "k8s.io"
++	}
++	if len(c.Sources) == 0 {
++		snapCommon := os.Getenv("SNAP_COMMON")
++		if snapCommon == "" {
++			snapCommon = "/var/snap/microk8s/common"
++		}
++		c.Sources = []string{filepath.Join(snapCommon, "etc", "sideload")}
++	}
++	if c.Interval == nil {
++		t := 5 * time.Second
++		c.Interval = &t
++	}
++}
++
++func init() {
++	c := &Config{}
++	registry.Register(&plugin.Registration{
++		Type:   plugins.ServicePlugin,
++		ID:     pluginName,
++		Config: c,
++		InitFn: func(ic *plugin.InitContext) (interface{}, error) {
++			config := ic.Config.(*Config)
++			config.SetDefaults()
++
++			logger.Debugf("Loaded config %#v", config)
++
++			if len(config.Sources) == 0 {
++				return nil, fmt.Errorf("no sources configured: %w", plugin.ErrSkipPlugin)
++			}
++
++			go func() {
++				// get a containerd client
++				var (
++					cl  *containerd.Client
++					err error
++				)
++				for cl == nil {
++					select {
++					case <-ic.Context.Done():
++						return
++					default:
++					}
++
++					cl, err = containerd.New(
++						"",
++						containerd.WithDefaultNamespace(config.Namespace),
++						containerd.WithDefaultPlatform(platforms.Default()),
++						containerd.WithInMemoryServices(ic),
++						containerd.WithTimeout(2*time.Second),
++					)
++					if err != nil {
++						logger.Info("Failed to create containerd client")
++					}
++				}
++
++				for {
++				nextDir:
++					for _, dir := range c.Sources {
++						logger := logger.WithField("dir", dir)
++						logger.Debug("Looking for images")
++						files, err := filepath.Glob(filepath.Join(dir, "*.tar"))
++						if err != nil {
++							logger.WithError(err).Warn("Failed to look for images")
++							continue nextDir
++						}
++
++					nextFile:
++						for _, file := range files {
++							logger := logger.WithField("file", file)
++							r, err := os.Open(file)
++							if err != nil {
++								logger.WithError(err).Warn("Failed to open file")
++								continue nextFile
++							}
++							ctx := namespaces.WithNamespace(ic.Context, config.Namespace)
++							images, err := cl.Import(ctx, r, containerd.WithImportPlatform(platforms.DefaultStrict()))
++							if err != nil {
++								logger.WithError(err).Error("Failed to import images")
++							} else {
++								logger.Infof("Imported %d images", len(images))
++								os.Rename(file, file+".loaded")
++							}
++							if closeErr := r.Close(); closeErr != nil {
++								logger.WithError(closeErr).Error("Failed to close reader")
++							}
++						}
++					}
++
++					// retry after interval, finish if interval is zero
++					if *c.Interval == 0 {
++						logger.Info("Plugin terminating")
++						return
++					}
++					select {
++					case <-ic.Context.Done():
++						return
++					case <-time.After(*c.Interval):
++					}
++				}
++			}()
++
++			return nil, nil
++		},
++	})
++}
+-- 
+2.43.0
diff --git a/build-scripts/components/containerd/version.sh b/build-scripts/components/containerd/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo "v1.7.28"
+echo "v2.1.3"
diff --git a/build-scripts/components/etcd/version.sh b/build-scripts/components/etcd/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo "v3.6.4"
+echo "v3.6.6"
diff --git a/build-scripts/components/flannel-cni-plugin/version.sh b/build-scripts/components/flannel-cni-plugin/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo "v1.7.1-flannel2"
+echo "v1.8.0-flannel2"
diff --git a/build-scripts/components/flanneld/version.sh b/build-scripts/components/flanneld/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo "v0.27.2"
+echo "v0.27.4"
diff --git a/build-scripts/components/helm/version.sh b/build-scripts/components/helm/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo "v3.18.6"
+echo "v3.19.2"
diff --git a/build-scripts/components/k8s-dqlite/version.sh b/build-scripts/components/k8s-dqlite/version.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-echo "v1.8.0"
+echo "v1.8.1"
diff --git a/...pts/components/kubernetes/patches/v1.34.0/0002-fix-allow-node-to-get-endpointslices.patch b/...pts/components/kubernetes/patches/v1.34.0/0002-fix-allow-node-to-get-endpointslices.patch
@@ -0,0 +1,24 @@
+From dea2abd80878be1eff519216c0bad5a0e35462ec Mon Sep 17 00:00:00 2001
+From: Mateo Florido <[email protected]>
+Date: Thu, 11 Sep 2025 17:36:10 -0500
+Subject: [PATCH] fix: allow node to get endpointslices
+
+---
+ plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+index 447b0bc2e99..daa3bde6b1c 100644
+--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
++++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+@@ -228,6 +228,7 @@ func NodeRules() []rbacv1.PolicyRule {
+ 		// TODO: add to the Node authorizer and restrict to endpoints referenced by pods or PVs bound to the node
+ 		// Needed for glusterfs volumes
+ 		rbacv1helpers.NewRule("get").Groups(legacyGroup).Resources("endpoints").RuleOrDie(),
++		rbacv1helpers.NewRule("get", "list", "watch").Groups(discoveryGroup).Resources("endpointslices").RuleOrDie(),
+ 		// Used to create a certificatesigningrequest for a node-specific client certificate, and watch
+ 		// for it to be signed. This allows the kubelet to rotate it's own certificate.
+ 		rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
+-- 
+2.48.1
+