Kubernetes - v1.27.5

Security

Changelog since v1.27.4

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Affected Versions:
- kubelet <= v1.28.0
- kubelet <= v1.27.4
- kubelet <= v1.26.7
- kubelet <= v1.25.12
- kubelet <= v1.24.16

Fixed Versions:
- kubelet v1.28.1
- kubelet v1.27.5
- kubelet v1.26.8
- kubelet v1.25.13
- kubelet v1.24.17

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92).

CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Affected Versions:
- kubelet <= v1.28.0
- kubelet <= v1.27.4
- kubelet <= v1.26.7
- kubelet <= v1.25.12
- kubelet <= v1.24.16

Fixed Versions:
- kubelet v1.28.1
- kubelet v1.27.5
- kubelet v1.26.8
- kubelet v1.25.13
- kubelet v1.24.17

This vulnerability was reported by Tomer Peled @tomerpeled92.

CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Changes by Kind

API Change

  • Aggregated discovery now returns responseKind: {} for resources which are missing group/version/kind information, to ensure compatibility with v0.26.0-v0.26.3 clients. (#119835, @liggitt) [SIG API Machinery and Testing]

Feature

  • Kubeadm: generate CA certificates with a start time that is offset 5 minutes into the past relative to the current system time, to work around cases of clock desync.
    client-go: allow setting NotBefore in NewSelfSignedCACert() (#119113, @champtar) [SIG API Machinery, Auth and Cluster Lifecycle]
  • Kubernetes is now built with Go 1.20.7 (#119828, @jeremyrickard) [SIG Release and Testing]
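The kubeadm change above backdates the CA's NotBefore by 5 minutes so that a node whose clock runs slightly behind the control plane still accepts the certificate. The following is an added Go example, not kubeadm's or client-go's code: it mints a self-signed CA with the standard library's crypto/x509, once at wall-clock time and once backdated, and checks each against a verifier whose clock is 3 minutes slow. The helper names newSelfSignedCA and validAt are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSignedCA mints a throwaway self-signed CA whose validity starts at notBefore (constructed example, not client-go's NewSelfSignedCACert).
func newSelfSignedCA(notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-ca"},
		NotBefore:             notBefore,
		NotAfter:              notBefore.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// validAt reports whether cert verifies against itself when the verifying host's clock reads clock.
func validAt(cert *x509.Certificate, clock time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: clock})
	return err == nil
}

func main() {
	issued := time.Now()
	slow := issued.Add(-3 * time.Minute) // a node whose clock runs 3 minutes behind the issuer
	plain, _ := newSelfSignedCA(issued)
	backdated, _ := newSelfSignedCA(issued.Add(-5 * time.Minute))
	fmt.Println(validAt(plain, slow), validAt(backdated, slow)) // false true
}
```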

Bug or Regression

  • Fix Topology Aware Hints not working when the topology.kubernetes.io/zone label is added after Node creation.
  • Fix a data race in TopologyCache when AddHints and SetNodes are called concurrently. (#117269, @tnqn) [SIG Apps and Network]
  • Fix computing the backoff delay when using a Job pod failure policy, by including in the backoff delay calculation the pod failures that are ignored from the backoffLimit counter. Also, compute the backoff delay more accurately for deleted pods. (#119466, @mimowo) [SIG Apps]
  • Fix: after a Node goes down and takes some time to come back up, the mount points of the evicted Pods could not be cleaned up successfully (#111933). Meanwhile the kubelet printed the log message 'Orphaned pod "xxx" found, but error not a directory occurred when trying to remove the volumes dir' every 2 seconds (#105536). (#116134, @cvvz) [SIG Node and Storage]
  • Fixed kubelet startup getting stuck with the NewVolumeManagerReconstruction feature enabled and a CSI volume present in /var/lib/kubelet/pods. (#117804, @jsafrane) [SIG Node and Storage]
  • Revert the kubelet prober metrics pod tag to include the actual pod name. (#118549, @a7i) [SIG Node]
  • Update kube-apiserver's priority & fairness work estimator such that 'max seats' is MIN(0.15 x nominalCL, nominalCL / handSize). This fixes a bug where clients whose requests use hand size x max seats greater than the nominal concurrency limit can starve other requests in the same priority level. (#118601, @andrewsykim) [SIG API Machinery]

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.


Details

Date: Aug. 24, 2023, 9:28 a.m.
Name: Kubernetes v1.27.5
Type: Patch