
3.23.0 #940

Merged
nightfury1204 merged 7 commits into master from k8s-1.33
Nov 5, 2025

@nightfury1204 nightfury1204 commented Nov 3, 2025

What is the feature/update/fix?

Major Release: Kubernetes 1.33 Infrastructure Upgrade with Enhanced Container Security and Cloud Provider Improvements

This release introduces critical infrastructure updates and new features:

  1. Core Infrastructure Upgrades:

    • Kubernetes upgraded to v1.33 - Latest stable Kubernetes release with improved performance and security
    • Golang upgraded to v1.24 - Enhanced runtime performance and security for rack components
    • BuildKit upgraded to v0.25.1 - Latest container build engine with improved build performance
    • EBS CSI Driver upgraded to v1.51.1-eksbuild.1 - Enhanced EBS volume management and stability
    • CoreDNS upgraded to v1.12.4-eksbuild.1 - Improved DNS resolution and cluster networking
    • EFS CSI Driver upgraded to v2.1.13-eksbuild.1 - Better EFS mount performance and reliability
    • Kube-proxy upgraded to v1.33.3-eksbuild.10 - Updated network proxy with performance improvements
    • VPC CNI upgraded to v1.20.4-eksbuild.1 - Enhanced pod networking and IP management
  2. Feature: Disable Host Users for Linux Containers

    • New security feature allowing you to disable host user mapping in Linux containers
    • Configurable per service in convox.yml for enhanced container isolation
  3. Fix: Azure 4MB Source Upload Issue

    • Resolved critical issue with Azure file uploads over 4MB
    • Implemented chunked upload using Azure Put Range API
    • Azure module upgraded to v4.51 for improved compatibility
  4. Update: GKE Extended Release Channel Support

    • Switched to GKE extended release channel for better version control
    • Prevents unexpected control plane upgrades by Google Cloud Platform
    • Ensures node and control plane version synchronization

Why is this important?

Kubernetes 1.33 and Core Component Updates:

  • Security Enhancements - Critical security patches and vulnerability fixes across all components
  • Performance Improvements - Kubernetes 1.33 brings significant improvements to pod scheduling and resource management
  • API Stability - Updated API versions ensure compatibility with modern workloads
  • Extended Support - Kubernetes 1.33 is a stable release with long-term community support
  • BuildKit v0.25.1 - Faster builds with improved layer caching and reduced memory usage

Enhanced Container Security with Host User Isolation:

  • Improved Security Posture - Disabling host users prevents potential privilege escalation attacks
  • Container Isolation - Ensures containers run with minimal host system access
  • Compliance Ready - Meets security requirements for regulated industries
  • Per-Service Control - Granular configuration allows you to enable this only where needed

Azure Platform Improvements:

  • Large File Support - Fixes critical upload failures for applications with assets over 4MB
  • Reliable Deployments - Ensures consistent source code uploads regardless of file size
  • Azure Module v4.51 - Access to latest Azure features and performance improvements

GKE Version Management:

  • Predictable Updates - Control when your cluster upgrades happen through Convox
  • Version Consistency - Prevents control plane/node version mismatches that can cause instability
  • Reduced Downtime Risk - Avoid unexpected upgrades during critical business hours
  • Simplified Management - Single source of truth for cluster version through Convox rack

How to use it?

Automatic Updates Applied

Once you update your rack to version 3.23.0, the following improvements are automatically applied:

  • Kubernetes 1.33 infrastructure upgrade with all core component updates
  • Azure 4MB upload fix enabling large file uploads with chunked transfer
  • GKE extended release channel configuration for managed version control
  • Performance and security enhancements from BuildKit, CSI drivers, and networking updates

No additional configuration is required for these updates - they take effect immediately after the rack update completes.

Disabling Host Users for Linux Containers

To enable the host user isolation feature, add the disableHostUsers attribute to your service definition in convox.yml:

environment:
  - PORT=3000
services:
  web:
    disableHostUsers: true
    build: .
    port: 3000
    scale:
      count: 1

When disableHostUsers: true is set:

  • The container runs without mapping to host user namespaces
  • Provides additional security isolation for sensitive workloads
  • Only available for Linux containers (ignored on Windows)

Configuration Considerations

  • Security-First Services - Enable for services handling sensitive data or external traffic
  • Legacy Applications - Some applications may require host user access; test before enabling
  • Performance Impact - Minimal overhead, but test performance-critical applications

Does it have a breaking change?

Yes, this update contains breaking changes. Due to the Kubernetes version upgrade from previous versions to 1.33, this update cannot be rolled back once applied.

Critical Notes:

  • The Kubernetes upgrade is irreversible due to API version changes and etcd data migrations
  • All core component updates are bundled and cannot be selectively applied
  • Existing workloads will be automatically migrated to new API versions

Important: We strongly recommend:

  1. Testing this update in a staging environment first
  2. Ensuring recent backups of your applications and data
  3. Planning a maintenance window for the upgrade
  4. Reviewing your application compatibility with Kubernetes 1.33

Requirements

To use this update, you must be on at least version 3.22.0 for both the CLI and the rack.

Update the CLI: Run convox update to update your CLI to the latest version. You can verify your CLI version with convox version.

For a minor version update, you must state the version with the command convox rack update 3.23.0 -r rackName.
You must be on at least rack version 3.22.0 to perform this update.

If you are unfamiliar with v3 rack versioning, we advise checking the documentation Updating a Rack for more information before applying any updates.
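
A way to confirm that host user isolation is actually in effect after setting disableHostUsers (an added example, not code from this pull request or from Convox): it flags pods whose spec does not set the Kubernetes hostUsers field to false and parses a container's /proc/self/uid_map to see whether container root is still host root. It assumes that Convox renders disableHostUsers: true as hostUsers: false on the pod; the pod names and map contents below are constructed sample data.

```python
import json

def parse_uid_map(text):
    """Parse /proc/<pid>/uid_map lines: 'id_inside id_outside length'."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        entries.append(tuple(int(f) for f in fields))
    return entries

def root_maps_to_host_root(uid_map_text):
    """True when UID 0 inside the container is UID 0 on the host (no remap)."""
    for inside, outside, length in parse_uid_map(uid_map_text):
        if inside == 0 and length > 0:
            return outside == 0
    return False  # UID 0 is not mapped at all in this namespace

def pods_sharing_host_users(pod_list_json):
    """Names of pods that do not set spec.hostUsers to false.

    Kubernetes treats an absent hostUsers field as true (host user namespace).
    Assumption: Convox's disableHostUsers: true produces hostUsers: false.
    """
    doc = json.loads(pod_list_json)
    return [p["metadata"]["name"] for p in doc.get("items", [])
            if p.get("spec", {}).get("hostUsers", True) is not False]

# Constructed samples: uid_map as seen in the host user namespace, and as
# seen in a container running in its own user namespace.
HOST_UID_MAP = "         0          0 4294967295\n"
USERNS_UID_MAP = "         0 1879048192      65536\n"
# Constructed stand-in for `kubectl get pods -o json` output.
PODS = json.dumps({"items": [
    {"metadata": {"name": "web-isolated"}, "spec": {"hostUsers": False}},
    {"metadata": {"name": "worker-default"}, "spec": {}},
]})

if __name__ == "__main__":
    print("host map shares root:  ", root_maps_to_host_root(HOST_UID_MAP))
    print("userns map shares root:", root_maps_to_host_root(USERNS_UID_MAP))
    print("pods still on host users:", pods_sharing_host_users(PODS))
```

On a live rack, feed pods_sharing_host_users the output of kubectl get pods -o json and root_maps_to_host_root the contents of /proc/self/uid_map read from inside the running container.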

@ntner ntner self-requested a review November 5, 2025 14:37

@ntner ntner left a comment


  • Install at previous minor version and update
  • Install at new version
  • Telemetry based param groupings at install
  • Common convox rack param set variations after install
  • New application install and running with multiple resources
  • Existing application working after upgrade
  • Review and Deploy Workflows working across update
  • General and build stress-testing

  • Additional GCP testing
  • Additional Azure testing

@nightfury1204 nightfury1204 merged commit eade21c into master Nov 5, 2025
3 of 17 checks passed
@nightfury1204 nightfury1204 deleted the k8s-1.33 branch November 5, 2025 14:42