Kubernetes - v1.26.8
Changelog since v1.26.7
Important Security Information
This release contains changes that address the following vulnerabilities:
CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Affected Versions:
- kubelet <= v1.28.0
- kubelet <= v1.27.4
- kubelet <= v1.26.7
- kubelet <= v1.25.12
- kubelet <= v1.24.16
Fixed Versions:
- kubelet v1.28.1
- kubelet v1.27.5
- kubelet v1.26.8
- kubelet v1.25.13
- kubelet v1.24.17
This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92)
CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation
A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.
Affected Versions:
- kubelet <= v1.28.0
- kubelet <= v1.27.4
- kubelet <= v1.26.7
- kubelet <= v1.25.12
- kubelet <= v1.24.16
Fixed Versions:
- kubelet v1.28.1
- kubelet v1.27.5
- kubelet v1.26.8
- kubelet v1.25.13
- kubelet v1.24.17
This vulnerability was reported by Tomer Peled @tomerpeled92
CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Changes by Kind
API Change
- Aggregated discovery now returns
responseKind: {}for resources which are missing group/version/kind information, to ensure compatibility with v0.26.0-v0.26.3 clients. (#119835, @liggitt) [SIG API Machinery and Testing]
Feature
- Kubeadm: generate CA certificates with a start time that is offset 5 minutes in the past relative to the current system time to workaround cases of clock desync.
client-go: allow to set NotBefore in NewSelfSignedCACert() (#119114, @champtar) [SIG API Machinery, Auth and Cluster Lifecycle] - Kubernetes is now built with Go 1.20.7 (#119830, @jeremyrickard) [SIG Release and Testing]
Bug or Regression
- Fix Topology Aware Hints not working when the
topology.kubernetes.io/zonelabel is added after Node creation - Fix a data race in TopologyCache when
AddHintsandSetNodesare called concurrently (#117268, @tnqn) [SIG Apps and Network] - Revert kubelet prober metrics
podtag to include actual pod name (#118549, @a7i) [SIG Node] - Update kube-apiserver's priority & fairness work estimator such that 'max seats' is MIN(0.15 x nominalCL, nominalCL / handSize)
This fixes a bug where clients with requests using hand size x max seats greater than the nominal concurrency limit can starve other requests in the same priority level. (#118601, @andrewsykim) [SIG API Machinery]
- Update the Event series starting count when emitting isomorphic events from 1 to 2. (#119375, @dgrisonnet) [SIG API Machinery and Testing]
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Security
Details
- 🔍View and search all Kubernetes releases.
- 🛠️Create and share lists to track your tools.
- 🚨Setup notifications for major, security, feature or patch updates.
- 🚀Much more coming soon!