Kubernetes - v1.27.3
Changelog since v1.27.2
Important Security Information
This release contains changes that address the following vulnerabilities:
CVE-2023-2728: Bypassing enforce mountable secrets policy imposed by the ServiceAccount admission plugin
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using ephemeral containers. The policy ensures pods running with a service account may only reference secrets specified in the service account's secrets field. Kubernetes clusters are only affected if the ServiceAccount admission plugin and the kubernetes.io/enforce-mountable-secrets annotation are used together with ephemeral containers.
Note: This only impacts the cluster if the ServiceAccount admission plugin is used (most clusters should have this on by default as recommended in https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#serviceaccount), the kubernetes.io/enforce-mountable-secrets annotation is used by a service account (this annotation is not added by default), and Pods are using ephemeral containers.
Affected Versions:
- kube-apiserver v1.27.0 - v1.27.2
- kube-apiserver v1.26.0 - v1.26.5
- kube-apiserver v1.25.0 - v1.25.10
- kube-apiserver <= v1.24.14
Fixed Versions:
- kube-apiserver v1.27.3
- kube-apiserver v1.26.6
- kube-apiserver v1.25.11
- kube-apiserver v1.24.15
CVSS Rating: Medium (6.5) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
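The policy check described above, as an added example that is not Kubernetes' own admission-plugin code: a simplified walk over volumes, init containers, regular containers and ephemeral containers that flags any secret reference absent from the service account's secrets list. The type and field names are assumptions that mirror the relevant pod-spec fields, and the pod in main() is constructed for the example.

```go
package main

import "fmt"

// Minimal mirrors of the pod-spec fields the admission plugin inspects (constructed here, not Kubernetes' API types).
type SecretRef struct{ Name string }
type EnvVar struct{ SecretKeyRef *SecretRef } // env[].valueFrom.secretKeyRef
type Volume struct{ Secret *SecretRef }       // volumes[].secret
type Container struct{ Env []EnvVar }
type PodSpec struct {
	Volumes             []Volume
	InitContainers      []Container
	Containers          []Container
	EphemeralContainers []Container
}

// disallowedSecrets lists every secret the pod references that is absent from the
// service account's secrets field. Ephemeral containers are walked alongside init
// and regular containers; leaving them out is the gap CVE-2023-2728 describes.
func disallowedSecrets(pod PodSpec, allowed map[string]bool) []string {
	var bad []string
	check := func(ref *SecretRef) {
		if ref != nil && !allowed[ref.Name] {
			bad = append(bad, ref.Name)
		}
	}
	for _, v := range pod.Volumes {
		check(v.Secret)
	}
	for _, group := range [][]Container{pod.InitContainers, pod.Containers, pod.EphemeralContainers} {
		for _, c := range group {
			for _, e := range c.Env {
				check(e.SecretKeyRef)
			}
		}
	}
	return bad
}

func main() {
	// Constructed pod: a volume mounts the permitted secret, but a debug
	// ephemeral container reads one the service account never listed.
	pod := PodSpec{
		Volumes:             []Volume{{Secret: &SecretRef{Name: "app-token"}}},
		EphemeralContainers: []Container{{Env: []EnvVar{{SecretKeyRef: &SecretRef{Name: "db-admin"}}}}},
	}
	fmt.Println(disallowedSecrets(pod, map[string]bool{"app-token": true})) // [db-admin]
}
```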
Changes by Kind
Feature
- Kubernetes is now built with Go 1.20.5 (#118553, @puerco) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node, Release, Storage and Testing]
Bug or Regression
- Add DisruptionTarget condition to the pod preempted by Kubelet to make room for a critical pod (#118219, @mimowo) [SIG Node and Testing]
- Fixes a bug at kube-apiserver start where APIService objects for custom resources could be deleted and recreated. (#118104, @liggitt) [SIG API Machinery and Testing]
- If kubeadm reset finds no etcd member ID for the peer it removes during the remove-etcd-member phase, it continues immediately to other phases, instead of retrying the phase for up to 3 minutes before continuing. (#117948, @dlipovetsky) [SIG Cluster Lifecycle]
- Kubeadm: fix a bug where the static pod changes detection logic is inconsistent with kubelet (#118069, @SataQiu) [SIG Cluster Lifecycle]
- Kubeadm: fix etcd version support for Kubernetes v1.27 (#118307, @SataQiu) [SIG Cluster Lifecycle]
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.