Kubernetes - v1.23.14
Changelog since v1.23.13
Important Security Information
This release contains changes that address the following vulnerabilities:
CVE-2022-3162: Unauthorized read of Custom Resources
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.
- kube-apiserver v1.25.0 - v1.25.3
- kube-apiserver v1.24.0 - v1.24.7
- kube-apiserver v1.23.0 - v1.23.13
- kube-apiserver v1.22.0 - v1.22.15
- kube-apiserver <= v1.21.?
- kube-apiserver v1.25.4
- kube-apiserver v1.24.8
- kube-apiserver v1.23.13
- kube-apiserver v1.22.16
This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit
CVSS Rating: Medium (6.5) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Changes by Kind
- Make STS available replicas optional again, (#109241, @ravisantoshgudimetla) [SIG API Machinery and Apps]
- Make STS available replicas optional again. (#113122, @ashrayjain) [SIG Apps]
- Protobuf serialization of metav1.MicroTime timestamps (used in
EventAPI objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (#111936, @haoruan) [SIG API Machinery]
Bug or Regression
- Consider only plugin directory and not entire kubelet root when cleaning up mounts (#112921, @mattcary) [SIG Storage]
- Etcd: Update to v3.5.5 (#113100, @mk46) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]
- Fixed a bug where a change in the
appProtocolfor a Service did not trigger a load balancer update. (#113033, @MartinForReal) [SIG Cloud Provider and Network]
- Kube-proxy, will restart in case it detects that the Node assigned pod.Spec.PodCIDRs have changed (#113258, @code-elinka) [SIG Network]
- Kubelet no longer reports terminated container metrics from cAdvisor (#112964, @bobbypage) [SIG Node]
- Kubelet: fix GetAllocatableCPUs method in cpumanager (#113422, @Garrybest) [SIG Node]
- Pod logs using --timestamps are not broken up with timestamps anymore. (#113517, @rphillips) [SIG Node]
Nothing has changed.
- github.com/stretchr/objx: v0.2.0 → v0.4.0
- github.com/stretchr/testify: v1.7.0 → v1.8.0
- go.uber.org/goleak: v1.1.10 → v1.2.0
- gopkg.in/yaml.v3: 496545a → v3.0.1
- sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.30 → v0.0.33
Nothing has changed.
- 🔍View and search all Kubernetes releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!