Kubernetes - v1.24.15
Changelog since v1.24.14
Important Security Information
This release contains changes that address the following vulnerabilities:
CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
Note: This only impacts the cluster if the ServiceAccount admission plugin is used (most clusters should have this on by default as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount), the kubernetes.io/enforce-mountable-secrets annotation is used by a service account (this annotation is not added by default), and Pods are using ephemeral containers.
Affected Versions:
- kube-apiserver v1.27.0 - v1.27.2
- kube-apiserver v1.26.0 - v1.26.5
- kube-apiserver v1.25.0 - v1.25.10
- kube-apiserver <= v1.24.14
Fixed Versions:
- kube-apiserver v1.27.3
- kube-apiserver v1.26.6
- kube-apiserver v1.25.11
- kube-apiserver v1.24.15
CVSS Rating: Medium (6.5) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
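As an added illustration (example code written for this page, not Kubernetes project code), the script below re-implements the mountable-secrets rule described above as an offline audit: for every Pod whose service account carries kubernetes.io/enforce-mountable-secrets: "true", each secret referenced through volumes, imagePullSecrets, env secretKeyRef or envFrom secretRef must appear in that service account's secrets list. The include_ephemeral switch shows the difference between skipping and checking ephemeralContainers, which is the gap the fixed versions close. It also classifies a kube-apiserver version string against the affected ranges listed above. The ServiceAccount and Pod objects are constructed samples shaped like kubectl get -o json items, not data from any real cluster.

```python
"""Offline audit helper for the enforce-mountable-secrets policy (constructed example)."""
from typing import List, Tuple

ANNOTATION = "kubernetes.io/enforce-mountable-secrets"

# Constructed sample objects, shaped like `kubectl get sa,pods -o json` items.
SERVICE_ACCOUNTS = [
    {"metadata": {"name": "app-sa", "namespace": "prod",
                  "annotations": {ANNOTATION: "true"}},
     "secrets": [{"name": "app-secret"}]},
    {"metadata": {"name": "default", "namespace": "prod"}, "secrets": []},
]

PODS = [
    {"metadata": {"name": "web", "namespace": "prod"},
     "spec": {"serviceAccountName": "app-sa",
              "volumes": [{"name": "cfg", "secret": {"secretName": "app-secret"}}],
              "containers": [{"name": "web", "env": [
                  {"name": "TOKEN",
                   "valueFrom": {"secretKeyRef": {"name": "app-secret", "key": "token"}}}]}],
              # Ephemeral container referencing a secret the service account does not list:
              # the case an unfixed apiserver did not check.
              "ephemeralContainers": [{"name": "debugger",
                                       "envFrom": [{"secretRef": {"name": "db-credentials"}}]}]}},
    {"metadata": {"name": "batch", "namespace": "prod"},
     "spec": {"serviceAccountName": "default",  # no annotation, so policy does not apply
              "containers": [{"name": "job",
                              "envFrom": [{"secretRef": {"name": "anything"}}]}]}},
]


def container_secret_refs(container: dict) -> List[str]:
    """Secrets a single container references via env secretKeyRef or envFrom secretRef."""
    refs = []
    for env in container.get("env", []):
        ref = env.get("valueFrom", {}).get("secretKeyRef")
        if ref:
            refs.append(ref["name"])
    for src in container.get("envFrom", []):
        ref = src.get("secretRef")
        if ref:
            refs.append(ref["name"])
    return refs


def pod_secret_refs(pod: dict, include_ephemeral: bool = True) -> List[Tuple[str, str]]:
    """(location, secret name) pairs for every secret the pod spec references."""
    spec = pod["spec"]
    refs = []
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            refs.append((f"volume/{vol['name']}", vol["secret"]["secretName"]))
        for src in vol.get("projected", {}).get("sources", []):
            if "secret" in src:
                refs.append((f"volume/{vol['name']}", src["secret"]["name"]))
    for ips in spec.get("imagePullSecrets", []):
        refs.append(("imagePullSecrets", ips["name"]))
    kinds = ["initContainers", "containers"]
    if include_ephemeral:  # fixed versions check ephemeral containers as well
        kinds.append("ephemeralContainers")
    for kind in kinds:
        for c in spec.get(kind, []):
            refs.extend((f"{kind}/{c['name']}", n) for n in container_secret_refs(c))
    return refs


def find_violations(pods, service_accounts, include_ephemeral=True):
    """Return (pod, location, secret) triples where an enforcing SA does not list the secret."""
    sas = {(sa["metadata"]["namespace"], sa["metadata"]["name"]): sa for sa in service_accounts}
    violations = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        sa = sas.get((ns, pod["spec"].get("serviceAccountName", "default")))
        if sa is None or sa["metadata"].get("annotations", {}).get(ANNOTATION) != "true":
            continue  # the policy only applies when the annotation is set to "true"
        allowed = {s["name"] for s in sa.get("secrets", [])}
        for location, secret in pod_secret_refs(pod, include_ephemeral):
            if secret not in allowed:
                violations.append((f"{ns}/{pod['metadata']['name']}", location, secret))
    return violations


AFFECTED_MAX_PATCH = {27: 2, 26: 5, 25: 10, 24: 14}  # ranges from the advisory above


def is_affected_apiserver(version: str) -> bool:
    """True if a kube-apiserver version (e.g. 'v1.24.14') falls in the affected ranges."""
    major, minor, patch = (int(x) for x in version.lstrip("v").split("-")[0].split(".")[:3])
    if major != 1:
        return False
    if minor < 24:
        return True  # everything at or below v1.24.14 is listed as affected
    max_patch = AFFECTED_MAX_PATCH.get(minor)
    return max_patch is not None and patch <= max_patch


if __name__ == "__main__":
    for v in find_violations(PODS, SERVICE_ACCOUNTS):
        print("violation:", *v)
    print("skipping ephemeral containers finds:",
          find_violations(PODS, SERVICE_ACCOUNTS, include_ephemeral=False))
    for ver in ("v1.24.14", "v1.24.15"):
        print(ver, "affected" if is_affected_apiserver(ver) else "fixed")
```

Running the script reports one violation (prod/web, ephemeralContainers/debugger, db-credentials) when ephemeral containers are included and none when they are skipped, which is exactly the blind spot the advisory describes. To audit a live cluster, feed the items from kubectl get serviceaccounts,pods -A -o json into find_violations; any reported pod is one an upgraded apiserver would have rejected.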
Changes by Kind
Feature
- Kubernetes 1.24.x is now built with Go 1.19.10 (#118557, @puerco) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node, Release, Storage and Testing]
Bug or Regression
- Fixes a bug at kube-apiserver start where APIService objects for custom resources could be deleted and recreated. (#118104, @liggitt) [SIG API Machinery and Testing]
- If kubeadm reset finds no etcd member ID for the peer it removes during the remove-etcd-member phase, it continues immediately to other phases, instead of retrying the phase for up to 3 minutes before continuing. (#118192, @dlipovetsky) [SIG Cluster Lifecycle]
- Kubeadm: fix a bug where the static pod changes detection logic is inconsistent with kubelet (#118069, @SataQiu) [SIG Cluster Lifecycle]
Dependencies
Added
- github.com/a8m/tree: 10a5fd5
- github.com/dougm/pretty: 2ee9d74
- github.com/rasky/go-xdr: 4930550
- github.com/vmware/vmw-guestinfo: 25eff15
Changed
- github.com/google/uuid: v1.1.2 → v1.3.0
- github.com/kr/pretty: v0.2.1 → v0.3.0
- github.com/rogpeppe/go-internal: v1.3.0 → v1.6.1
- github.com/vmware/govmomi: v0.20.3 → v0.30.0
Removed
Nothing has changed.