Kubernetes - v1.27.3

Security

Changelog since v1.27.2

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.

Note: A cluster is impacted only if all three conditions hold: the ServiceAccount admission plugin is enabled (most clusters should have this on by default, as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount), a service account carries the kubernetes.io/enforce-mountable-secrets annotation (this annotation is not added by default), and Pods use ephemeral containers.
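To make the gap concrete, here is a small model of what the enforce-mountable-secrets policy has to inspect. This is an added illustration, not the ServiceAccount admission plugin's source; the service-account and pod documents are constructed by hand in the shape `kubectl get -o json` returns, and the `include_ephemeral` switch is an assumption used to contrast an inspection that stops at regular and init containers with one that also covers containers added through the pods/ephemeralcontainers subresource:

```python
"""Model of the kubernetes.io/enforce-mountable-secrets check.

Added illustration, not the ServiceAccount admission plugin's code.
The pod and service-account objects below are constructed by hand in
the shape `kubectl get -o json` returns; nothing here talks to a cluster.
"""

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def _secret_refs_in_container(container):
    """Secret names a container pulls in through env and envFrom."""
    names = set()
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            names.add(ref["name"])
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            names.add(ref["name"])
    return names


def secret_refs_in_pod(pod, include_ephemeral):
    """All secrets a pod spec references.

    include_ephemeral=False models the gap described in CVE-2023-2728:
    containers added via the pods/ephemeralcontainers subresource are
    never inspected, so their secret references escape the policy.
    """
    spec = pod["spec"]
    names = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    groups = ["containers", "initContainers"]
    if include_ephemeral:
        groups.append("ephemeralContainers")
    for group in groups:
        for container in spec.get(group, []):
            names |= _secret_refs_in_container(container)
    return names


def mountable_secret_violations(service_account, pod, include_ephemeral=True):
    """Secrets the pod references that the service account does not list.

    An empty list means the pod would be admitted. The policy only applies
    when the service account opts in with the annotation set to "true".
    """
    annotations = service_account.get("metadata", {}).get("annotations", {})
    if annotations.get(ENFORCE_ANNOTATION) != "true":
        return []
    allowed = {s["name"] for s in service_account.get("secrets", [])}
    referenced = secret_refs_in_pod(pod, include_ephemeral)
    return sorted(referenced - allowed)


# Constructed sample objects (not taken from a real cluster).
SA = {
    "metadata": {"name": "app", "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "app-token"}],
}

POD = {
    "metadata": {"name": "web"},
    "spec": {
        "serviceAccountName": "app",
        "volumes": [{"name": "tok", "secret": {"secretName": "app-token"}}],
        "containers": [{"name": "web", "image": "nginx",
                        "envFrom": [{"secretRef": {"name": "app-token"}}]}],
        # The kind of entry `kubectl debug` adds through the
        # pods/ephemeralcontainers subresource; it references a secret
        # the service account does not list.
        "ephemeralContainers": [{
            "name": "dbg", "image": "busybox",
            "env": [{"name": "PW", "valueFrom": {
                "secretKeyRef": {"name": "db-password", "key": "password"}}}],
        }],
    },
}


def demo():
    """Same pod, two inspections: the partial one admits, the full one rejects."""
    before = mountable_secret_violations(SA, POD, include_ephemeral=False)
    after = mountable_secret_violations(SA, POD, include_ephemeral=True)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("ephemeral containers skipped:  ", before)  # []
    print("ephemeral containers inspected:", after)   # ['db-password']
```

The point of the model is that the allow-list is only as good as the set of places it is checked: a pod that is clean at creation can later acquire a container, through a different API path, that reaches a secret the service account never listed.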

Affected Versions:
- kube-apiserver v1.27.0 - v1.27.2
- kube-apiserver v1.26.0 - v1.26.5
- kube-apiserver v1.25.0 - v1.25.10
- kube-apiserver <= v1.24.14

Fixed Versions:
- kube-apiserver v1.27.3
- kube-apiserver v1.26.6
- kube-apiserver v1.25.11
- kube-apiserver v1.24.15

CVSS Rating: Medium (6.5) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
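A triage helper for the three preconditions above, added here as an example rather than a Kubernetes project tool. It takes the kube-apiserver version string and service-account and pod lists in the shape of `kubectl version -o json`, `kubectl get sa -A -o json` and `kubectl get pods -A -o json`; the inventory embedded below is constructed by hand, and the affected ranges are the ones listed in this advisory. Because ephemeral containers cannot be removed from a pod once added, their presence in a pod spec is a durable sign that the bypass path was exercised against that pod:

```python
"""Triage helper for CVE-2023-2728 against a cluster inventory.

Added example, not a Kubernetes project tool. Version ranges come from
the advisory text; the service-account and pod lists below are
constructed by hand in the shape `kubectl get -A -o json` returns.
"""
import re

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

# Last affected patch release per minor line, as listed in the advisory.
# Everything at or below v1.24.14 (including older minors) is affected.
LAST_AFFECTED = {27: 2, 26: 5, 25: 10, 24: 14}


def parse_version(gitversion):
    """'v1.26.5-gke.1200' -> (1, 26, 5); vendor suffixes are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", gitversion)
    if not m:
        raise ValueError(f"unrecognised version string: {gitversion!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(gitversion):
    """True if this kube-apiserver version falls in an affected range."""
    major, minor, patch = parse_version(gitversion)
    if major != 1 or minor > 27:
        return False
    if minor < 24:
        return True  # older than v1.24.14, so affected per the advisory
    return patch <= LAST_AFFECTED[minor]


def enforcing_service_accounts(sa_list):
    """(namespace, name) of every SA that opted into enforce-mountable-secrets."""
    found = set()
    for sa in sa_list["items"]:
        meta = sa["metadata"]
        if meta.get("annotations", {}).get(ENFORCE_ANNOTATION) == "true":
            found.add((meta["namespace"], meta["name"]))
    return found


def exposed_pods(gitversion, sa_list, pod_list):
    """Pods where all three preconditions hold: affected apiserver,
    enforcing service account, and ephemeral containers already present.
    Returns (namespace, pod, service account) tuples."""
    if not is_affected(gitversion):
        return []
    enforcing = enforcing_service_accounts(sa_list)
    hits = []
    for pod in pod_list["items"]:
        ns = pod["metadata"]["namespace"]
        sa = pod["spec"].get("serviceAccountName", "default")
        if (ns, sa) in enforcing and pod["spec"].get("ephemeralContainers"):
            hits.append((ns, pod["metadata"]["name"], sa))
    return hits


def _sa(ns, name, annotations=None):
    return {"metadata": {"namespace": ns, "name": name,
                         "annotations": annotations or {}}}


def _pod(ns, name, sa, ephemeral=False):
    spec = {"serviceAccountName": sa,
            "containers": [{"name": "main", "image": "nginx"}]}
    if ephemeral:
        spec["ephemeralContainers"] = [{"name": "dbg", "image": "busybox"}]
    return {"metadata": {"namespace": ns, "name": name}, "spec": spec}


# Constructed inventory: only prod/app opts into the policy.
SAS = {"items": [
    _sa("prod", "app", {ENFORCE_ANNOTATION: "true"}),
    _sa("prod", "default"),
    _sa("dev", "app"),
]}
PODS = {"items": [
    _pod("prod", "web", "app", ephemeral=True),      # all three conditions
    _pod("prod", "worker", "app"),                   # no ephemeral container
    _pod("prod", "batch", "default", ephemeral=True),  # SA not enforcing
    _pod("dev", "web", "app", ephemeral=True),       # dev/app not enforcing
]}


if __name__ == "__main__":
    for version in ("v1.27.2", "v1.27.3"):
        print(version, "affected:", is_affected(version),
              "exposed pods:", exposed_pods(version, SAS, PODS))
```

Two caveats when running this against a real dump: the pod-level result only shows where an ephemeral container has already been added, while any pod under an enforcing service account on an affected version is exposed to a future add; and a vendor build string such as `v1.26.5-gke.1200` is compared on its upstream `major.minor.patch` only, so confirm with the vendor whether the patch was backported separately.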

Changes by Kind

Feature

  • Kubernetes is now built with Go 1.20.5 (#118553, @puerco) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node, Release, Storage and Testing]

Bug or Regression

  • Add DisruptionTarget condition to the pod preempted by Kubelet to make room for a critical pod (#118219, @mimowo) [SIG Node and Testing]
  • Fixes a bug at kube-apiserver start where APIService objects for custom resources could be deleted and recreated. (#118104, @liggitt) [SIG API Machinery and Testing]
  • If kubeadm reset finds no etcd member ID for the peer it removes during the remove-etcd-member phase, it continues immediately to other phases, instead of retrying the phase for up to 3 minutes before continuing. (#117948, @dlipovetsky) [SIG Cluster Lifecycle]
  • Kubeadm: fix a bug where the static pod changes detection logic is inconsistent with kubelet (#118069, @SataQiu) [SIG Cluster Lifecycle]
  • Kubeadm: fix etcd version support for Kubernetes v1.27 (#118307, @SataQiu) [SIG Cluster Lifecycle]

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.


Details

Date: June 14, 2023, 9:36 p.m.
Name: Kubernetes v1.27.3
Type: Patch