Kubernetes - v1.23.14

Security

Changelog since v1.23.13

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

Affected Versions:
- kube-apiserver v1.25.0 - v1.25.3
- kube-apiserver v1.24.0 - v1.24.7
- kube-apiserver v1.23.0 - v1.23.13
- kube-apiserver v1.22.0 - v1.22.15
- kube-apiserver <= v1.21.?

Fixed Versions:
- kube-apiserver v1.25.4
- kube-apiserver v1.24.8
- kube-apiserver v1.23.14
- kube-apiserver v1.22.16

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit.

CVSS Rating: Medium (6.5) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
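Two checks a cluster operator wants while triaging this advisory: is the running kube-apiserver in the affected range, and which principals already meet the precondition (cluster-wide list or watch on a namespaced custom resource) and could therefore read other custom resource types in the same API group on an unpatched server. The script below is an added example, not Kubernetes project code. It works on objects shaped like the items of `kubectl get crd,clusterroles,clusterrolebindings -o json`; the CRDs, ClusterRoles and ClusterRoleBindings in it are constructed sample data, and the version table is copied from the advisory above.

```python
"""Triage helpers for CVE-2022-3162 (added example, not Kubernetes code).

exposed_subjects() reports subjects with cluster-wide list/watch on a
namespaced custom resource and the other custom resource types in the same
API group that the bug would let them read on an unpatched kube-apiserver.
Sample objects below are constructed, not taken from a real cluster.
"""

# First fixed patch level per minor, from the advisory.
FIRST_FIXED_PATCH = {25: 4, 24: 8, 23: 14, 22: 16}
READ_VERBS = {"list", "watch", "*"}


def is_affected(git_version: str) -> bool:
    """True if a kube-apiserver gitVersion (e.g. 'v1.23.13') lacks the fix.

    v1.21 and earlier are listed as affected with no fixed release.
    Build/pre-release suffixes such as '-gke.100' or '+abc' are ignored.
    """
    core = git_version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    major, minor, patch = (int(x) for x in core.split(".")[:3])
    if major != 1:
        return False
    if minor <= 21:
        return True
    return minor in FIRST_FIXED_PATCH and patch < FIRST_FIXED_PATCH[minor]


def crd_index(crds):
    """Map (group, plural) -> scope ('Namespaced' or 'Cluster')."""
    return {(c["spec"]["group"], c["spec"]["names"]["plural"]): c["spec"]["scope"]
            for c in crds}


def rule_grants_read(rule, group, plural):
    """Does one RBAC PolicyRule allow list or watch on plural.group?
    Exact resource match only; subresources like 'widgets/status' do not count."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or plural in resources)
            and bool(READ_VERBS & set(rule.get("verbs", []))))


def subject_key(subject):
    if subject["kind"] == "ServiceAccount":
        return f"ServiceAccount/{subject['namespace']}/{subject['name']}"
    return f"{subject['kind']}/{subject['name']}"


def exposed_subjects(crds, cluster_roles, cluster_role_bindings):
    """Return {subject: {"authorized": [...], "readable_unpatched": [...]}}.

    Only ClusterRoleBindings are considered: a RoleBinding that references a
    ClusterRole grants access in one namespace, not cluster-wide.
    "readable_unpatched" lists every other CRD in the same API group; the
    advisory does not limit the victim type to namespaced CRDs, so none is applied.
    """
    index = crd_index(crds)
    rules_by_role = {r["metadata"]["name"]: r.get("rules", []) for r in cluster_roles}
    per_subject = {}
    for crb in cluster_role_bindings:
        ref = crb["roleRef"]
        if ref.get("kind") != "ClusterRole":
            continue
        rules = rules_by_role.get(ref["name"], [])
        authorized = {gp for gp, scope in index.items()
                      if scope == "Namespaced" and any(rule_grants_read(r, *gp) for r in rules)}
        if not authorized:
            continue
        for subj in crb.get("subjects", []):
            per_subject.setdefault(subject_key(subj), set()).update(authorized)
    findings = {}
    for subject, authorized in per_subject.items():
        groups_hit = {g for g, _ in authorized}
        siblings = {gp for gp in index if gp[0] in groups_hit} - authorized
        findings[subject] = {
            "authorized": sorted(f"{p}.{g}" for g, p in authorized),
            "readable_unpatched": sorted(f"{p}.{g}" for g, p in siblings),
        }
    return findings


# Constructed sample data (hypothetical group example.com).
SAMPLE_CRDS = [
    {"spec": {"group": "example.com", "scope": "Namespaced", "names": {"plural": "widgets"}}},
    {"spec": {"group": "example.com", "scope": "Namespaced", "names": {"plural": "gadgets"}}},
    {"spec": {"group": "example.com", "scope": "Cluster", "names": {"plural": "globals"}}},
    {"spec": {"group": "other.io", "scope": "Namespaced", "names": {"plural": "things"}}},
]
SAMPLE_CLUSTER_ROLES = [
    {"metadata": {"name": "widget-reader"},
     "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["get", "list", "watch"]}]},
    {"metadata": {"name": "widget-writer"},
     "rules": [{"apiGroups": ["example.com"], "resources": ["widgets"], "verbs": ["create", "update"]}]},
]
SAMPLE_CLUSTER_ROLE_BINDINGS = [
    {"roleRef": {"kind": "ClusterRole", "name": "widget-reader"},
     "subjects": [{"kind": "User", "name": "alice"},
                  {"kind": "ServiceAccount", "namespace": "monitoring", "name": "collector"}]},
    {"roleRef": {"kind": "ClusterRole", "name": "widget-writer"},
     "subjects": [{"kind": "User", "name": "bob"}]},
]

if __name__ == "__main__":
    import json
    print("v1.23.13 affected:", is_affected("v1.23.13"))
    print(json.dumps(exposed_subjects(SAMPLE_CRDS, SAMPLE_CLUSTER_ROLES,
                                      SAMPLE_CLUSTER_ROLE_BINDINGS), indent=2))
```

On the sample data, alice and the monitoring/collector service account are reported with widgets.example.com authorized and gadgets.example.com plus globals.example.com readable while unpatched; bob, who can only create and update widgets, is not listed. The scan identifies who could exercise the flaw, nothing more; upgrading kube-apiserver to a fixed version is the remediation, and the output is only a prioritisation aid for tightening bindings in the meantime.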

Changes by Kind

API Change

  • Make STS available replicas optional again. (#109241, @ravisantoshgudimetla) [SIG API Machinery and Apps]
  • Make STS available replicas optional again. (#113122, @ashrayjain) [SIG Apps]
  • Protobuf serialization of metav1.MicroTime timestamps (used in Lease and Event API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (#111936, @haoruan) [SIG API Machinery]

Bug or Regression

  • Consider only plugin directory and not entire kubelet root when cleaning up mounts (#112921, @mattcary) [SIG Storage]
  • Etcd: Update to v3.5.5 (#113100, @mk46) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]
  • Fixed a bug where a change in the appProtocol for a Service did not trigger a load balancer update. (#113033, @MartinForReal) [SIG Cloud Provider and Network]
  • Kube-proxy will restart when it detects that the node's assigned pod.Spec.PodCIDRs have changed (#113258, @code-elinka) [SIG Network]
  • Kubelet no longer reports terminated container metrics from cAdvisor (#112964, @bobbypage) [SIG Node]
  • Kubelet: fix GetAllocatableCPUs method in cpumanager (#113422, @Garrybest) [SIG Node]
  • Pod logs using --timestamps are not broken up with timestamps anymore. (#113517, @rphillips) [SIG Node]

Dependencies

Added

Nothing has changed.

Changed

  • github.com/stretchr/objx: v0.2.0 → v0.4.0
  • github.com/stretchr/testify: v1.7.0 → v1.8.0
  • go.uber.org/goleak: v1.1.10 → v1.2.0
  • gopkg.in/yaml.v3: 496545a → v3.0.1
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.0.30 → v0.0.33

Removed

Nothing has changed.


Details

Date: Nov. 10, 2022, 5:43 p.m.
Name: Kubernetes v1.23.14
Type: Patch