Kubernetes v1.18.18 released: container cluster management system
Kubernetes is an open-source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.
Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.
Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically scheduled, and micro-services-oriented, consider joining the CNCF. For details about who’s involved and how Kubernetes plays a role, read the CNCF announcement.
This release contains changes that address the following vulnerabilities:
CVE-2021-25735: Validating Admission Webhook does not observe some previous fields
A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. You are only affected by this vulnerability if you run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object.
Note: This only impacts validating admission plugins that rely on old values in certain fields, and does not impact calls from kubelets that go through the built-in NodeRestriction admission plugin.
Affected Versions
- kube-apiserver v1.20.0 – v1.20.5
- kube-apiserver v1.19.0 – v1.19.9
- kube-apiserver <= v1.18.17
Fixed Versions
- kube-apiserver v1.21.0
- kube-apiserver v1.20.6
- kube-apiserver v1.19.10
- kube-apiserver v1.18.18
This vulnerability was reported by Rogerio Bastos & Ari Lima from RedHat.
CVSS Rating: Medium (6.5) CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
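The class of webhook the advisory describes is one that compares the incoming Node against its previous state. The following is an added example (not code from the Kubernetes project) of such a check, written against a stdlib-only subset of the AdmissionReview and Node JSON so it runs without k8s.io imports; the protected label `example.com/tier` and the sample review are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of an AdmissionReview and of a Node (stdlib only, no k8s.io imports).
type admissionReview struct {
	Request struct {
		Operation string          `json:"operation"`
		Object    json.RawMessage `json:"object"`
		OldObject json.RawMessage `json:"oldObject"`
	} `json:"request"`
}
type node struct {
	Metadata struct {
		Name   string            `json:"name"`
		Labels map[string]string `json:"labels"`
	} `json:"metadata"`
}

// protectedLabels is a hypothetical policy: these Node labels may not change on UPDATE.
var protectedLabels = []string{"example.com/tier"}

// sampleReview is a constructed UPDATE that changes the protected label; expected: denied.
const sampleReview = `{"request":{"operation":"UPDATE",
 "oldObject":{"metadata":{"name":"n1","labels":{"example.com/tier":"gold"}}},
 "object":{"metadata":{"name":"n1","labels":{"example.com/tier":"silver"}}}}}`

// validateNodeUpdate returns (allowed, reason) for one raw AdmissionReview body. It denies
// a change to a protected label and fails closed when the old Node state is missing or empty,
// because a decision based on oldObject is only as good as the old state the webhook receives.
func validateNodeUpdate(body []byte) (bool, string) {
	var ar admissionReview
	if err := json.Unmarshal(body, &ar); err != nil {
		return false, "malformed AdmissionReview: " + err.Error()
	}
	if ar.Request.Operation != "UPDATE" {
		return true, "" // only updates carry an oldObject to compare against
	}
	var oldNode, newNode node
	if json.Unmarshal(ar.Request.OldObject, &oldNode) != nil || oldNode.Metadata.Name == "" {
		return false, "old Node state unavailable; failing closed"
	}
	if err := json.Unmarshal(ar.Request.Object, &newNode); err != nil {
		return false, "malformed Node: " + err.Error()
	}
	for _, l := range protectedLabels {
		if o, n := oldNode.Metadata.Labels[l], newNode.Metadata.Labels[l]; o != n {
			return false, fmt.Sprintf("label %q may not change (%q -> %q)", l, o, n)
		}
	}
	return true, ""
}
```

Calling `validateNodeUpdate([]byte(sampleReview))` returns `false` with a reason naming the changed label; an UPDATE whose oldObject is absent or `null` is also denied rather than silently allowed.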
Changes by Kind
- Fixes using server-side apply with APIService resources (#100715, @kevindelgado) [SIG API Machinery, Apps, CLI and Testing]
- Regenerate protobuf code to fix CVE-2021-3121 (#100514, @joelsmith) [SIG API Machinery, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation and Node]
- AWS cloudprovider will ignore provisioning load balancers if the annotation service.beta.kubernetes.io/aws-load-balancer-type is external or nlb-ip (#97973, @kishorj) [SIG Cloud Provider]
Bug or Regression
- Fixed a bug where a high churn of events was causing master instability by reducing the maximum number of objects (events) attached to a single etcd lease. (#100452, @mborsz) [SIG API Machinery and Instrumentation]
- Fixed a race condition on API server startup ensuring previously created webhook configurations are effective before the first write request is admitted. (#95783, @roycaihw) [SIG API Machinery]
- Fixes a data race issue in the priority and fairness API server filter (#100670, @tkashem) [SIG API Machinery]
- HTTP/2 connection health check is enabled by default in all Kubernetes clients to fix persistently broken connections (https://github.com/kubernetes/client-go/issues/374). If needed, users can tune the feature via the HTTP2_READ_IDLE_TIMEOUT_SECONDS and HTTP2_PING_TIMEOUT_SECONDS environment variables. The feature is disabled if HTTP2_READ_IDLE_TIMEOUT_SECONDS is set to 0. (#100376, @liggitt) [SIG API Machinery, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation and Node]
- Reverts breaking change to inline AzureFile volumes in v1.18.15-v1.18.17; referenced secrets are now correctly searched for in the same namespace as the pod as in previous releases. (#100397, @andyzhangx) [SIG Cloud Provider and Storage]
- The maximum number of ports allowed in EndpointSlices has been increased from 100 to 20,000 (#99795, @robscott) [SIG Network]