Enterprise-ready Kubernetes


Tectonic Enterprise is regularly released, containing new features, bug fixes, and software updates. For existing clusters, review the Upgrading Tectonic guide.

Documentation is versioned along with each release. Each set is maintained on this site and can be accessed by using the dropdown on the main documentation page.

Release Date: November 10, 2017
Kubernetes: 1.7.9
Docker: 1.12.6
Terraform: 0.10.0

Core Components

  • Updates to Kubernetes v1.7.9


  • Ability to download a pre-generated kubeconfig for a Service Account
  • Improved performance under the hood
  • Improved error and access control messages

Tectonic Installer

  • Improved handling of install time secrets using environment variables
  • Fixed error in URL validation when using an external etcd cluster

Release Date: October 11, 2017
Kubernetes: 1.7.5
Docker: 1.12.6
Terraform: 0.10.0

Core Components

  • Updates the Kubernetes DNS server to address the following vulnerabilities:
    • CVE-2017-14491: DNS - 2 byte heap based overflow
    • CVE-2017-14492: DHCP - heap based overflow
    • CVE-2017-14493: DHCP - stack based overflow
    • CVE-2017-14494: DHCP - info leak
    • CVE-2017-14495: DNS - OOM DoS
    • CVE-2017-14496: DNS - DoS Integer underflow


  • Enhanced cluster status page with monitoring overview
  • Added ability to link to filtered table
  • Fixed bug related to Safari’s handling of authentication headers on redirects
  • Fixed a bug related to editing your Tectonic License
  • Improvements to RBAC

Tectonic Monitoring

  • Includes a Grafana managed with automated operations
  • Pre-populated dashboards are behind cluster authentication

Tectonic Installer

  • Updated to Terraform 0.10.0
  • Improved error handling and progress output
  • Enhancements and improvements for Microsoft Azure

Release Date: October 2, 2017
Kubernetes: 1.7.3
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates the Kubernetes DNS server to address the following vulnerabilities:
    • CVE-2017-14491: DNS - 2 byte heap based overflow
    • CVE-2017-14492: DHCP - heap based overflow
    • CVE-2017-14493: DHCP - stack based overflow
    • CVE-2017-14494: DHCP - info leak
    • CVE-2017-14495: DNS - OOM DoS
    • CVE-2017-14496: DNS - DoS Integer underflow

Release Date: October 2, 2017
Kubernetes: 1.6.10
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates the Kubernetes DNS server to address the following vulnerabilities:
    • CVE-2017-14491: DNS - 2 byte heap based overflow
    • CVE-2017-14492: DHCP - heap based overflow
    • CVE-2017-14493: DHCP - stack based overflow
    • CVE-2017-14494: DHCP - info leak
    • CVE-2017-14495: DNS - OOM DoS
    • CVE-2017-14496: DNS - DoS Integer underflow

Release Date: September 12, 2017
Kubernetes: 1.7.3
Docker: 1.12.6
Terraform: 0.9.6

Tectonic Installer

  • Fixes PATH issue that could prevent executing Installer components

Release Date: September 6, 2017
Kubernetes: 1.7.3

Core Components

  • Updates to Kubernetes v1.7.3


  • New Quick Start Guide for new users to Console
  • Namespace selector shows only namespaces scoped to the user. Useful for using a restricted RBAC role
  • Console redirects to the desired page after login rather than the cluster status page
  • Improved ability to edit the YAML definition of Prometheus instances
  • Improved automated operations UI for updates in progress

Tectonic Installer

  • AWS accounts with a large amount of hosted zones are now paginated properly
  • UI enhancements with clearer indication of installation progress

Known Issues

  • StatefulSet rolling updates must be executed manually: More details
  • Existing VPCs must be tagged manually for the AWS cloud provider to work correctly: More details

Release Date: August 17, 2017
Kubernetes: 1.7.1
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Makes the Container Linux instances on Azure start on the latest available version
  • Fixes the tooltip preventing editing of CIDR inputs in the Installer
  • Fixes a validation issue for STS tokens in the Installer
  • Constrains the updater to go through every available version

Release Date: August 9, 2017
Kubernetes: 1.7.1
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates to Kubernetes v1.7.1
  • Support for Azure is Stable


  • Multiple update channels can be selected. See instructions below for additional details about updating from 1.6.x to 1.7.1
    • 1.7-preproduction is available for testing and all non-production environments
    • 1.7-production should be used for all production environments
  • Downloadable kubeconfigs now set the context name to the cluster name provided during installation, defaulting to "tectonic" for backwards-compatibility
  • Added ability to view and configure Prometheus clusters run by the Prometheus operator
  • Added ability to view Prometheus AlertManager configuration

Tectonic Installer

  • Container download and start up progress is output when booting a cluster
  • Internet gateways and etcd node root volumes are tagged with default and user-supplied tags
  • The bootkube kubeconfigs' cluster name is set to the Tectonic cluster name provided during installation

Upgrade Notes - Requires 1.6.7-tectonic.2

To upgrade to Tectonic 1.7.1-tectonic.1, you must first update to 1.6.7-tectonic.2 and be capable of one-click updates:

  • 1.6.7-tectonic.1 or later are all capable of one-click updates
  • 1.6.4-tectonic.1 or earlier are not capable of one-click updates unless "experimental operators" were installed. If this option was not enabled, you must reinstall. Going forward, new clusters will be capable of one-click updates.

Once running 1.6.7-tectonic.2, change the update channel to 1.7-preproduction or 1.7-production and click "Check for update". Update packages will be released to these channels in a rolling fashion and will often be available on one channel but not the other.

If you encounter an error, confirm that you are running 1.6.7-tectonic.2 before reading the troubleshooting guide.

Release Date: September 26, 2017
Kubernetes: 1.6.10
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates to Kubernetes v1.6.10


  • Fixes an issue causing memory leaks in the Prometheus Operator

Release Date: August 17, 2017
Kubernetes: 1.6.8
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates to Kubernetes v1.6.8
  • Constrains the updater to go through every available version

Release Date: July 27, 2017
Kubernetes: 1.6.7
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Allow future updates to Tectonic v1.7.x releases

Release Date: July 11, 2017
Kubernetes: 1.6.7
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates to Kubernetes v1.6.7
  • Update operators are available to all users to power automated operations
  • Reduced flapping of node NotReady status:
    • Increased controller manager health time out to be greater than the TTL of the load balancer DNS entry
    • Kubernetes default of 40s is below the minimum TTL of 60s for many platforms


  • All tables have sortable columns
  • Removed broken Horizontal Pod Autoscalers UI
  • Adds autocomplete for RBAC binding form dropdowns
  • Adds ability to edit and duplicate RBAC bindings
  • Adds RBAC edit binding roles dropdown filtering by namespace
  • Improved support for valueless labels and annotations

Tectonic Installer

  • Installer will generate all TLS certificates for etcd
  • Terraform tfvars are not pretty-printed

Upgrade Notes - Changes to affinity

When upgrading to Tectonic-1.6.7, we will make two additional changes to kube-scheduler and kube-controller-manager manifests besides bumping their image versions:

  • Change the pod anti-affinity from preferredDuringSchedulingIgnoredDuringExecution to requiredDuringSchedulingIgnoredDuringExecution.
  • Set the deployment replica counts equal to the number of master nodes.

These changes imply that if any master node goes down and never comes back during the upgrade, the upgrade won't complete because there are not enough nodes to schedule the pods on.

For example, if the number of master nodes is 5 and the kube-controller-manager (KCM) replica count is 2, then during the upgrade the KCM will be scaled up to 5 replicas. Under normal conditions they are distributed across all master nodes, with exactly 1 running on each.

However, if a master node goes down for some reason (it will show up as NotReady in kubectl get nodes), then 1 pod can't be scheduled because of the pod anti-affinity requirement, so it gets stuck in the Pending state and prevents the upgrade from proceeding.

Luckily, this doesn't mean upgrading to Tectonic-1.6.7 is more fragile than before, because the DaemonSet rolling upgrade faces the same issue in previous versions when some node goes down. For more information and questions, contact your support team or the Tectonic Forum.

Release Date: June 8, 2017
Kubernetes: 1.6.4
Docker: 1.12.6
Terraform: 0.9.6

Core Components

  • Updates to Kubernetes v1.6.4.
  • Updates to Terraform v0.9.6 (fixes some instances of terraform destroy not working).
  • Many components run as "nobody" instead of root.
  • An option has been added to disable the creation of private zones.
  • All resources are now tagged in AWS with the cluster id.
  • A minimal IAM policy has been created.


  • Updates to Console v1.6.3
  • CPU usage graphs now display usage instead of limits.
  • Can now Create Role Bindings and many other supported resources.

Tectonic Channel Operator

  • Updates to Channel Operator v0.3.4
  • Requires signed payloads using the default CoreOS key.
  • No longer creates components upon upgrade when they did not previously exist.

Tectonic Installer Container

Upgrade Notes - Important

Upgrading to Tectonic 1.6.4 requires that all nodes are running "Container Linux by CoreOS 1353.8.0 (Ladybug)" or greater. To inspect the Container Linux version on all nodes run:

kubectl get nodes -o wide

If any nodes are running older versions a reboot may resolve the issue.

The v1.6.4 upgrade will fail if this condition is not met with an error of the format, 'Updates are not possible : Upgrade is not supported: X of Y nodes' OS version are lower than the minimum required version "1353.8.0"'

If this error occurs,

  1. Ensure that all nodes meet the minimum version requirements (see above).
  2. Remove the "failureStatus" field and its children from the ThirdPartyResource using the following command:

kubectl edit appversion/tectonic-cluster -n tectonic-system

  3. Retry the upgrade from the Tectonic Console.
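
A pre-flight check for the minimum Container Linux version required by this upgrade, as an added example that is not part of the original release notes or of Tectonic's own tooling. The function names, the tab-separated "name, osImage" input format and the sample node names are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: flag nodes that would block the Tectonic 1.6.4 upgrade.
# Input on stdin: one "<node name><TAB><osImage>" line per node, e.g. from
#   kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.nodeInfo.osImage}{"\n"}{end}'

MIN_VERSION="1353.8.0"   # minimum stated in the upgrade notes

# outdated_nodes MIN: print "<name><TAB><version>" for every node whose
# Container Linux version is lower than MIN. Nodes whose osImage does not
# carry a "CoreOS <x.y.z>" version are printed with the version "unknown".
outdated_nodes() {
    awk -F '\t' -v min="$1" '
    # Numeric, component-wise comparison: 1353.10.0 is NOT lower than 1353.8.0,
    # which a plain string comparison would get wrong.
    function lower(a, b,    x, y, na, nb, n, i, xi, yi) {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi != yi) return xi < yi
        }
        return 0
    }
    NF >= 2 {
        ver = "unknown"
        cnt = split($2, w, " ")
        for (k = 1; k < cnt; k++)
            if (w[k] == "CoreOS" && w[k + 1] ~ /^[0-9]+\.[0-9]+\.[0-9]+$/) {
                ver = w[k + 1]
                break
            }
        if (ver == "unknown" || lower(ver, min))
            printf "%s\t%s\n", $1, ver
    }'
}

# check_upgrade_ready: exit status 0 only if every node on stdin meets
# MIN_VERSION; otherwise list the offending nodes on stderr and return 1.
check_upgrade_ready() {
    bad=$(outdated_nodes "$MIN_VERSION")
    if [ -n "$bad" ]; then
        printf 'nodes below %s or of unknown OS version:\n%s\n' \
            "$MIN_VERSION" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed sample data (not real cluster output).
SAMPLE_NODES=$(printf '%s\t%s\n' \
    'master-0' 'Container Linux by CoreOS 1409.2.0 (Ladybug)' \
    'worker-0' 'Container Linux by CoreOS 1353.8.0 (Ladybug)' \
    'worker-1' 'Container Linux by CoreOS 1298.7.0 (Ladybug)' \
    'worker-2' 'Debian GNU/Linux 9 (stretch)')

# Demo: list the nodes in the sample that would block the upgrade.
printf '%s\n' "$SAMPLE_NODES" | outdated_nodes "$MIN_VERSION"
```

Running the check before starting the upgrade avoids having to clear the "failureStatus" field afterwards.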

Release Date: May 10, 2017
Kubernetes: 1.6.2
Docker: 1.12.6
Terraform: 0.9.4

Tectonic now uses Terraform for cluster installation. This supports greater customization of environments, enables scripted installs and generally makes it easier to manage the lifecycle of multiple clusters.

  • Switches provisioning methods on AWS & Bare-Metal to Terraform exclusively.
  • Adds support for customizing the Tectonic infrastructure via Terraform.
  • Introduces experimental support for self-hosted etcd using its operator, and associated UI.
  • Adds Container Linux Update Operator (CLUO).
  • Updates to Kubernetes v1.6.2.
  • Updates to bootkube v0.4.2.
  • GUI Installer with Terraform on AWS and bare-metal.
  • Segregates control-plane / user workloads to master / worker nodes respectively.
  • API server-to-etcd communication is secured over TLS.
  • Removes locksmithd, etcd-gateway.
  • Enables audit-logs for the API Server.
  • Removes final manual installation step of copying over assets folder.


Role-based Access Control screens have been redesigned to make it easier to securely grant access to your clusters.

  • Updates to Console v1.5.2.
  • Adds binding name column to Role Bindings list pages
  • Adds role binding name to fields searched by text filter
  • Adds RBAC YAML editor
  • Adds etcd cluster management pages


  • Updates to Dex v2.4.1.
  • Adds support for login through SAML and GitHub Enterprise.

Bug Fixes

  • Fixes an issue where new nodes started automatically by auto-scalers would start with an outdated version of kubelet.

Release Date: May 4, 2017
Kubernetes: 1.5.7

Core Components

  • Updates to Kubernetes v1.5.7
  • Updates to Dex v2.4.1

Release Date: April 14, 2017
Kubernetes: 1.5.6

Core Components

  • Updates to Kubernetes v1.5.6


  • Updates to Console v1.3.1
    • Update links to commerce domain to use account.coreos.com
    • Converts namespaces 3 pane view into separate list and details pages
    • Various bug fixes


  • Upgrades bootkube to v0.3.13
  • UI persists state across refreshes. (No more progress files.)
  • Various UI bug fixes

Release Date: March 30, 2017
Kubernetes: 1.5.5

Core Components

  • Updates to Dex v2.3.0
  • The Tectonic ingress controller can now easily be used by non-Tectonic applications (AWS, bare-metal)
  • Clusters can now span a subset of AZs within a region (AWS)


  • Various fixes for using the installer on Windows
  • Cluster asset bundles include a variable file for the experimental Terraform installer (AWS)


  • Updates to Console v1.2.1
    • Adds the ability to view and edit resource annotations
    • Redirect to resource overview page after creating a resource with YAML editor
    • Adds more resource types to Events page filter dropdown
    • Various bug fixes

Release Date: March 22, 2017
Kubernetes: 1.5.5

Core Components

  • Updates to Kubernetes v1.5.5

Release Date: March 14, 2017
Kubernetes: 1.5.4

Core Components

  • Updates to Kubernetes v1.5.4
  • Updates to Console v1.1.1
  • Upgrade bootkube to v0.3.11


  • Improved validation of AWS credentials
  • Support for multi-controller and multi-etcd on bare metal and AWS
  • Remove step requiring users to scp assets.zip to a controller


  • Support in-place, push-button upgrade from 1.5.3-tectonic.1 in Tectonic Console
  • Displays CA Cert expiration on Cluster Settings page
  • Adds 'View Logs' button for the Operators updates
  • Keeps highlighted sidebar link visible when navigating between pages
  • Improves performance of events stream
  • Fixes overflowing text for labels
  • Fixes animations on events page

Release Date: March 2, 2017
Kubernetes: 1.5.3

Core Components

  • Updates to Kubernetes v1.5.3
  • Updates to Dex v2.2.4
  • Updates to Console v1.0.3


  • Kubernetes pod CIDR and service CIDR can be customized


  • New VPCs can be created with a custom CIDR
  • Allow creation of Tectonic with multi-node etcd
  • Fixed AWS cloudformation size issue preventing use in some regions
  • Added tags to all created AWS resources
  • Removed, internal clusters use host DNS resolver

Bare metal

  • Fixed external etcd check preventing Installer from continuing


  • Displays node selectors and provides an editing modal
  • Improves Kubernetes and Tectonic channel statuses and error messages
  • New and improved Access Denied screens with relevant messages
  • Improvements to the side nav, edit menus, and labels
  • Fixes pod selector modal for services and replication controllers and removes it for jobs

Known Issues

  • Installer custom network validation: Advance validation of custom AWS VPC configurations, as well as custom VPC, subnet, and pod network CIDR ranges, is limited in this release. Take care when setting VPC and network configuration in Tectonic Installer: Configuration errors, range conflicts, or component omissions can potentially escape detection until the last step of the install process.

Release Date: February 16, 2017
Kubernetes: 1.5.2

Core Components

  • Update bootcfg and coreos-baremetal to matchbox (bare-metal)
  • Update from etcd2 to etcd3 (bare-metal and AWS)
  • Allow external etcd cluster to be specified (bare-metal and AWS)
  • Installer usability improvements and messaging fixes
  • Add new metrics to tectonic-stats-emitter


  • Allow controller subnets to be configured (AWS)
  • Add support for internal clusters with internal ELBs and private IPs, accessed by VPN (AWS)
  • Deploy a separate etcd and controller node (AWS only)


  • Object 'Create' pages in YAML editor
  • Fixes for sidebar applying active highlight to multiple links
  • Fixes collapsing of side nav headers
  • Improves small screen list display for Config Maps and Secrets
  • Completed migration from Angular to React

Release Date: January 25, 2017
Kubernetes: 1.5.2

Core Components

  • Upgrades Kubernetes to v1.5.2
  • Upgrades Dex to v2.1.0
  • Supports creating clusters in existing VPCs
  • Tectonic Installer usability improvements (follow logs, subnet validations, warnings for long SOA ttls, etc)
  • Switches from cloud-config to Ignition user-data provisioning


  • Enables detailed monitoring of AWS controller nodes which was disabled
  • Ingress redirects from HTTP to HTTPS for Tectonic identity and console
  • Fixes issue where kubelet version file was re-written on reboot of AWS nodes


  • Fixes pod label selector to work with commas
  • Fixes "Cannot read property of null" errors on pod logs page
  • Fixes redirects after deleting a resource

Release Date: January 11, 2017
Kubernetes: 1.5.1

Core Components

  • Upgrade Kubernetes to v1.5.1
  • Upgrade Dex to v2.0.2
  • Upgrade Bootkube to v0.3.1


  • Use internal IPs for workers (private subnets)
  • Allow worker subnets to be customized (advanced)
  • Default the instances type to t2.medium
  • Add new regions: Canada and London


  • Add ability to set a node as Unschedulable
  • Add action menu to overview pages of all the objects
  • Surfaces additional details on node details page
  • Add a minimal YAML editor


  • Run bootkube bootstrap as a daemonized service to avoid SSH hangups
  • Improve port number and SSH key validation during the installation process

Release Date: December 21, 2016
Kubernetes: 1.4.7


  • Add Multi Availability Zone (multi-AZ) support for worker auto-scale groups (AWS).
  • Adds support for Security Token Service (AWS).
  • Fixes custom CA support.
  • Upgrades Kubernetes to 1.4.7.
  • Upgrades Dex to 2.0.0.


  • Fixed memory leak.
  • Exposed support for LDAP integration with Dex.

Release Date: December 9, 2016
Kubernetes: 1.4.5

Tectonic is now free for installations up to 10 nodes.


  • Allow users to select from Container Linux stable, beta, or alpha (AWS).
  • Provide push-button creation of KMS keys on behalf of users (AWS).
  • Usability improvements and bug fixes (bare-metal and AWS).


  • Added support for Ingress objects.
  • Can now view license details from within the console.
  • Expose console on port 443. Previously NodePort 32000 was used.

Ingress Controller

  • Ingress Controller exposed via a dedicated ELB on AWS.
  • Ingress Controller exposed via host ports on bare-metal.
  • Updates and health check fixes.

Operators (experimental)

  • Experimental operators for the Kubernetes control plane can optionally be enabled during install.
  • Tectonic Console can trigger an upgrade attempt.


  • CoreOS collects data about your Tectonic cluster for billing purposes. See the data policy for details.

Other highlights

  • Many documentation improvements.
  • Bug fixes and security improvements.
  • Heapster updated to v1.2.0 for kubectl top support.

Release Date: November 18, 2016
Kubernetes: 1.4.5

New in this Release

  • Tectonic Identity has been updated to Dex v2.0.0-beta.2.
  • GUI Installer now supports AWS and bare-metal.
  • Ships with self-hosted Kubernetes (bare-metal and AWS).
  • Upgrades Kubernetes to v1.4.5.

Tectonic Console

  • Tectonic Console now includes RBAC management and the ability to edit Tectonic license.
  • A logout button has been added to the Tectonic Console.
  • Show readiness in pod listings.

Release Date: October 20, 2016
Kubernetes: 1.4.3

New in this Release

  • Ships with self-hosted Kubernetes (bare-metal installer)
  • Upgrades to Kubernetes v1.4.3 which fixes a critical security issue
  • Fixes self-hosted Kubernetes checkpointing
  • Usability improvements to the bare-metal installer
  • Tectonic Identity has been updated to Dex v2.0.0-alpha
  • Identity state is stored in Kubernetes third party resources
  • Streamlines components, removing postgres and manager dependencies

Release Date: October 5, 2016
Kubernetes: 1.3.7

New in this Release

  • Ships with self-hosted Kubernetes 1.3.7 (bare-metal installer only).
  • User-based authentication fully enabled by default.
  • RBAC authorization fully enabled by default.
  • Usability and stability improvements to the bare-metal GUI installer.

Tectonic Console

  • New node visualizations of Prometheus metrics: CPU, RAM, Network IO, Filesystem, & Pod counts.
  • View cluster RBAC policies.
  • Management of new Kubernetes objects: ConfigMaps, Secrets, Jobs, Horizontal Pod Autoscalers, Service Accounts.
  • Can now run behind proxy.
  • Various layout and bug fixes.

Release Date: August 10, 2016
Kubernetes: 1.3.0

New Installer

This release features a new graphical installation tool which simplifies the process of bootstrapping and launching bare metal clusters (alpha) that includes Kubernetes and additional Tectonic services.

Cluster Software

The default installation now includes:

  • Prometheus and Grafana
  • Kubernetes 1.3.0

Tectonic Console

  • Enhanced user management
  • New look and redesigned navigation
  • Various other enhancements and bug fixes

Release Date: June 8, 2016
Kubernetes: 1.2.3

Tectonic Console

  • Fixed issue with editing env variables for replication controllers
  • Fixed issue with creating/updating replica-sets/deployments when selector is empty
  • Fixed issue with deleting replica-sets/deployments

Release Date: June 8, 2016
Kubernetes: 1.2.3

Tectonic Console

  • Added support for Replica Sets
  • Added support for Deployments
  • Added support for Equality-based and Set-based label selectors
  • Added Heapster integration (namespace cpu/mem resource usage)
  • Added view of service port mappings
  • Added view of container command arguments

Release Date: April 15, 2016
Kubernetes: 1.2.0

Tectonic Console

  • Improved namespace support – users can now create, delete, and search for namespaces by label
  • Nodeport is now visible on Service detail screens
  • Fixed issues with search in Tectonic Console

Release Date: March 22, 2016
Kubernetes: 1.1.2

Tectonic Console

  • Fixes an issue with navigation after changing namespaces
  • Fixes an issue causing the "Create user" dialog not to show when requested
  • Fixes an issue preventing search for nodes by label
  • Change to search behavior — by default, an empty search now returns all resources rather than no resources

Release Date: March 11, 2016
Kubernetes: 1.1.2

Tectonic Console

A variety of design and layout fixes and improvements for Tectonic Console

Release Date: March 8, 2016
Kubernetes: 1.1.2


This release of Tectonic fixes a bug introduced in v1.1.1 where the tectonic-manager would create invalid database entries.

Clients on v1.1.1 cannot upgrade without manually editing the database.

Release Date: March 3, 2016
Kubernetes: 1.1.2


New unified account features allow you to share a single Tectonic license and pull secret (coreos-pull-secret) across all of your software purchases. Be sure to download your newly formatted license and pull secret during the installation process, from https://account.coreos.com.

Release Date: December 31, 2015
Kubernetes: 1.1.2


  • Support for Kubernetes 1.1.2
  • Many bug fixes and refinements in Tectonic Identity
  • Refinements throughout Tectonic components, and formalization of the upgrade process

Release Date: December 21, 2015
Kubernetes: 1.1.2

Tectonic Console

  • Expose Tectonic and Kubernetes versions on the status console
  • Stream logs into the pod detail views
  • Timeout HTTP connections to authenticator if the connection fails

Release Date: November 3, 2015
Kubernetes: 1.0.6

This is the first General Availability release of Tectonic Enterprise, featuring an integrated suite of cluster tools and services:

Tectonic Console, a graphical user-interface that gives you a holistic view of your cluster

Tectonic Identity, providing cluster-wide SSO and identity services

CoreUpdate, automating behind-the-firewall software updates of Tectonic clusters' CoreOS machines

Quay Enterprise, the most versatile and secure private container registry, running on the cluster

During our Tectonic Preview, many new features have been added and bugs have been identified and fixed. Thank you to our Preview customers for helping us make Tectonic robust, powerful, and stable.

Features and Fixes:

  • Fixed websocket operation under TLS
  • Improved overall user experience with multiple namespaces
  • Enhancements to the mobile Console experience
  • Docs: Created multiple platform and purpose deployment guides, including in-depth examination of Kubernetes deployment on bare metal and the underlying networking