Release Note for CTE for Kubernetes
CTE for Kubernetes Version | Date | Version |
---|---|---|
1.6.0.49 | 2025-08-28 | v2 |
Container Image Digest
Verify that the Container Image Digest matches the version that you are installing.
New Features and Enhancements
Registering to Multiple CipherTrust Manager Servers for failover in an HA Cluster
For a cluster of CipherTrust Manager servers, you can now configure multiple IP addresses using cte-storageclass.yaml to allow seamless failover to the next available CipherTrust Manager if a CipherTrust Manager server fails.
- See Registering to Multiple CipherTrust Manager Servers for failover in an HA Cluster for more information.
Support for Expanding Persistent Volume Claims
You can now resize an existing volume by editing the PersistentVolumeClaim (PVC) object. You no longer have to manually interact with the storage backend, or delete and recreate PV and PVC objects, to increase the size of a volume. Kubernetes automatically expands the volume using the storage backend, and also expands the underlying file system in use by the Pod, without requiring any downtime if the underlying storage provisioner supports it.
Document Restructure for CTE for Kubernetes and CTE for Kubernetes Operator
For the v1.5 release, CTE for Kubernetes and CTE for Kubernetes Operator were released together. However, in the future, they may be released independently. Therefore, the patch notes and release notes sections have been separated. On the initial landing pages, you will see a bullet list which contains two entries: CTE for Kubernetes and CTE for Kubernetes Operator. Selecting one navigates to the appropriate patch or release note.
Alternative mounting for /etc/kubernetes for kubeclient access
CTE for Kubernetes no longer requires mounting the node's host /etc/kubernetes.
Resolved Issues
- AGT-61654: Azure passing node information to CipherTrust Manager
  AFFECTED VERSIONS: 1.6.0.49
  Upgrading nodes in Azure created problems with CTE for Kubernetes due to licenses. When nodes in a cluster were running an older version of the Kubernetes stack, the upgrade process in Azure did not upgrade the node in place. Instead, Azure deployed a new node with the latest version of the Kubernetes stack. Once that node was in the "Ready" condition, an out-of-date node was evicted from the customer's Kubernetes cluster. This issue has been fixed.
- AGT-62766: AgentInfo EKS ARM
  AFFECTED VERSIONS: 1.5.0.27 — 1.6.0.49
  Agentinfo was unable to provide Kubernetes information when run from nodes with the ARM architecture. This has been fixed.
- AGT-62926: Removed mounting /etc/kubernetes as a requirement
  AFFECTED VERSIONS: 1.6.0.49
  Some customers did not want to have the CSI driver mount the /etc/kubernetes directory because it violated their company security policy. This directory was originally mounted by the container so that the CSI driver could access the Kubernetes API.
- AGT-64707: CipherTrust Manager not releasing license when node deleted
  AFFECTED VERSIONS: 1.3.0.33 — 1.6.0.49
  Previously, when a node was deleted, CTE for Kubernetes did not inform CipherTrust Manager so licenses were not freed. Now, it sends a list of available nodes to CM so that CM will clean up any stale clients and free licenses.
Known Issues
- AGT-39000: CipherTrust Manager may not report all pods using the same CTE PVC on the same node
  AFFECTED VERSIONS: 1.4.0.37 — 1.6.0.49
  Work-around:
  CTE PVCs with the access modes ReadWriteOnce, ReadWriteMany or ReadOnlyMany may fail to report to CipherTrust Manager all of the pods using the same volume on the same node. This anomaly is due to how Kubernetes handles a single volume used across multiple pods in the same node. This reporting anomaly in CipherTrust Manager does not mean that the CTE PVC is not attached to the pod. It is recommended that the user describe the CTE PVC (# kubectl describe pvc) to find the list of all of the pods that are using a particular CTE PVC.
- AGT-61578: Getting permission denied while creating files in pod
  AFFECTED VERSIONS: 1.5.0.27 — 1.6.0.49
  CTE does not support the use case where the key rule is "clear_key" and the security rule is "apply_key".
- AGT-61761 [CS1580017] [Debian12+CRI-O] CTE for Kubernetes pods throwing error MountDevice failed for volume
  AFFECTED VERSIONS: 1.3.0.33 — 1.6.0.49
  The combination of the Debian 12 Linux OS with the Kubernetes CRI-O container runtime interface is not supported in CTE for Kubernetes.
- AGT-64989: Agent not using next available CM in cluster when registration fails with the first CM
  AFFECTED VERSIONS: 1.6.0.49
  This will be fixed in a future version of CTE for Kubernetes.
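
For the AGT-39000 work-around above, the following added example (not part of the release note or of the product) goes beyond describing one PVC: it reads the JSON that `kubectl get pods -n <namespace> -o json` produces and lists, per node, every pod mounting a given CTE PVC, so the result can be compared with what CipherTrust Manager reports. The pod, node and claim names are constructed, and the caller is assumed to know which claim names are CTE PVCs.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `kubectl get pods -n <namespace> -o json`.
# Pod, node and claim names are made up for this example.
def _pod(name, node, claims):
    spec = {"volumes": [{"name": c, "persistentVolumeClaim": {"claimName": c}}
                        for c in claims]}
    if node:
        spec["nodeName"] = node
    return {"metadata": {"name": name}, "spec": spec}

SAMPLE_PODS = json.dumps({"items": [
    _pod("app-a", "node-1", ["cte-claim1"]),
    _pod("app-b", "node-1", ["cte-claim1"]),
    _pod("app-c", "node-2", ["cte-claim1"]),
    _pod("app-d", "node-1", ["other-claim"]),
    _pod("app-e", None, ["cte-claim1"]),   # Pending: not scheduled yet
]})

def pods_by_claim_and_node(pods_json, cte_claims):
    """Return {(claim, node): [pod, ...]} for the given CTE PVC names."""
    usage = defaultdict(list)
    for pod in json.loads(pods_json).get("items", []):
        node = pod["spec"].get("nodeName")
        if not node:
            continue  # an unscheduled pod has no volume attached on any node
        claims = {v["persistentVolumeClaim"]["claimName"]
                  for v in pod["spec"].get("volumes", [])
                  if "persistentVolumeClaim" in v}
        for claim in claims & set(cte_claims):
            usage[(claim, node)].append(pod["metadata"]["name"])
    return {key: sorted(names) for key, names in usage.items()}

def shared_on_one_node(usage):
    """Entries where several pods share one PVC on one node (the AGT-39000 case)."""
    return {key: names for key, names in usage.items() if len(names) > 1}

if __name__ == "__main__":
    usage = pods_by_claim_and_node(SAMPLE_PODS, {"cte-claim1"})
    for (claim, node), names in sorted(shared_on_one_node(usage).items()):
        print(f"{claim} on {node}: compare CipherTrust Manager against {names}")
```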