Kubernetes - v1.27.13

Security

Changelog since v1.27.12

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users who can create pods may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin. The plugin did not check Secrets referenced through the envFrom field of containers, init containers, and ephemeral containers, so a pod could inject the contents of a Secret that its ServiceAccount does not list, even when that ServiceAccount is annotated with kubernetes.io/enforce-mountable-secrets: "true". The policy is only enforced for ServiceAccounts carrying that annotation; clusters that do not use it are not affected by this bypass, and the rest of the policy (secret volumes, env valueFrom.secretKeyRef, imagePullSecrets) was already enforced.

Affected Versions:
- kube-apiserver v1.29.0 - v1.29.3
- kube-apiserver v1.28.0 - v1.28.8
- kube-apiserver <= v1.27.12

Fixed Versions:
- kube-apiserver v1.29.4
- kube-apiserver v1.28.9
- kube-apiserver v1.27.13

This vulnerability was reported by tha3e1vl.

CVSS Rating: Low (2.7) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
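To make the bypass concrete, the following is an added example and not code from the Kubernetes project: a simplified re-implementation of the mountable-secrets policy, with a flag that reproduces the pre-fix gap (envFrom not inspected) beside the fixed behaviour. Objects are plain dicts in the shape that kubectl get ... -o json prints, so the same functions can be pointed at real cluster output; the ServiceAccount and Pod below are constructed for the example, and the names ENFORCE_ANNOTATION, secret_refs and policy_violations are this example's own, not the plugin's.

```python
"""Audit Secret references in a Pod against the mountable-secrets policy.

Added example, not code from the Kubernetes project: a simplified
re-implementation of what the ServiceAccount admission plugin enforces when
the pod's ServiceAccount carries the annotation
kubernetes.io/enforce-mountable-secrets: "true". Objects are plain dicts in
the shape `kubectl get <kind> <name> -o json` prints. The sample objects at
the bottom are constructed, not taken from any real cluster.
"""
from typing import Iterator, List, Tuple

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"
CONTAINER_LISTS = ("initContainers", "containers", "ephemeralContainers")


def secret_refs(pod: dict, include_env_from: bool = True) -> Iterator[Tuple[str, str]]:
    """Yield (location, secretName) for each Secret the pod spec pulls in.

    include_env_from=False reproduces the gap behind CVE-2024-3177: an
    envFrom[].secretRef entry injects every key of a Secret as environment
    variables, but the policy never looked at that field, so a pod could read
    any Secret in its namespace regardless of the ServiceAccount's list.
    """
    spec = pod.get("spec", {})
    for i, vol in enumerate(spec.get("volumes", [])):
        if "secret" in vol:
            yield f"volumes[{i}]", vol["secret"]["secretName"]
    for field in CONTAINER_LISTS:
        for c in spec.get(field, []):
            for env in c.get("env", []):
                ref = env.get("valueFrom", {}).get("secretKeyRef")
                if ref:
                    yield f"{field}/{c['name']}.env[{env['name']}]", ref["name"]
            if not include_env_from:
                continue  # pre-fix behaviour: envFrom is never examined
            for j, src in enumerate(c.get("envFrom", [])):
                if "secretRef" in src:
                    yield f"{field}/{c['name']}.envFrom[{j}]", src["secretRef"]["name"]


def policy_violations(pod: dict, sa: dict, include_env_from: bool = True) -> List[str]:
    """Return the reasons the admission plugin would reject this pod.

    An empty list means the pod is admitted. The policy is only enforced when
    the ServiceAccount is annotated; imagePullSecrets are checked against the
    ServiceAccount's own imagePullSecrets list, not its secrets list.
    """
    annotations = sa.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return []
    sa_name = sa["metadata"]["name"]
    mountable = {s["name"] for s in sa.get("secrets", [])}
    pull = {s["name"] for s in sa.get("imagePullSecrets", [])}
    problems: List[str] = []
    for where, name in secret_refs(pod, include_env_from):
        if name not in mountable:
            problems.append(
                f"{where} references secret {name!r}, which service account "
                f"{sa_name!r} does not list in .secrets"
            )
    for i, ref in enumerate(pod.get("spec", {}).get("imagePullSecrets", [])):
        if ref["name"] not in pull:
            problems.append(
                f"imagePullSecrets[{i}] references {ref['name']!r}, which service "
                f"account {sa_name!r} does not list in .imagePullSecrets"
            )
    return problems


# Constructed sample objects for the example (names are made up).
SAMPLE_SA = {
    "metadata": {
        "name": "app",
        "namespace": "prod",
        "annotations": {ENFORCE_ANNOTATION: "true"},
    },
    "secrets": [{"name": "db-creds"}],
    "imagePullSecrets": [{"name": "registry-pull"}],
}

SAMPLE_POD = {
    "metadata": {"name": "app-7d9f", "namespace": "prod"},
    "spec": {
        "serviceAccountName": "app",
        "imagePullSecrets": [{"name": "registry-pull"}],
        "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
        "initContainers": [
            {"name": "migrate", "envFrom": [{"configMapRef": {"name": "app-config"}}]}
        ],
        "containers": [
            {
                "name": "app",
                "env": [
                    {"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}
                ],
                # The bypass: every key of this unlisted Secret lands in the environment.
                "envFrom": [{"secretRef": {"name": "cluster-admin-token"}}],
            }
        ],
    },
}

if __name__ == "__main__":
    for label, flag in (("pre-fix policy", False), ("fixed policy", True)):
        found = policy_violations(SAMPLE_POD, SAMPLE_SA, include_env_from=flag)
        print(f"{label}: {'admitted' if not found else 'rejected'}")
        for p in found:
            print("  -", p)
```

Run as-is, the pre-fix mode admits the sample pod while the fixed mode rejects it for the envFrom reference to cluster-admin-token. To audit live objects, load the output of kubectl get pod NAME -o json and kubectl get sa NAME -o json with json.load and pass them to policy_violations. Two practitioner checks follow from the advisory: first, list which ServiceAccounts actually rely on the annotation, for example with kubectl get sa -A -o json | jq -r '.items[] | select(.metadata.annotations["kubernetes.io/enforce-mountable-secrets"]=="true") | "\(.metadata.namespace)/\(.metadata.name)"'; second, after upgrading the control plane, confirm the fix by applying a pod like SAMPLE_POD under such a ServiceAccount and verifying that the API server rejects it at admission rather than creating it. The annotation is opt-in defense in depth: without it the plugin does not restrict which Secrets a pod references, and the only controls are RBAC on who may create pods in the namespace.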

Changes by Kind

Feature

  • Kubernetes is now built with go 1.21.9 (#124199, @cpanato) [SIG Release and Testing]

Bug or Regression

  • Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled (#124142, @bertinatto) [SIG Node]
  • golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288, the HTTP/2 CONTINUATION frame flood that lets a client exhaust server memory and CPU with unbounded header continuations (#124178, @MadhavJivrajani) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]
  • Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (https://github.com/etcd-io/etcd/pull/17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a WatchFromStorageWithoutResourceVersion feature gate. (#124007, @serathius) [SIG API Machinery]
  • Kubeadm: fix panic in the command "kubeadm certs check-expiration" when "/etc/kubernetes/pki" exists but cannot be read. (#124124, @carlory) [SIG Cluster Lifecycle]
  • NONE (#124325, @ritazh) [SIG Auth]

Dependencies

Added

Nothing has changed.

Changed

  • golang.org/x/crypto: v0.16.0 → v0.21.0
  • golang.org/x/net: v0.19.0 → v0.23.0
  • golang.org/x/sys: v0.15.0 → v0.18.0
  • golang.org/x/term: v0.15.0 → v0.18.0

Removed

Nothing has changed.


Details

date: April 16, 2024, 7:33 p.m.
name: Kubernetes v1.27.13
type: Patch