Dear Kubernetes Community,
We updated Kubernetes 1.24 (release-1.24) and 1.23 (release-1.23) release branches to Go 1.19. The upcoming 1.24.10 and 1.23.16 patch releases scheduled for January 18 will be built with Go 1.19.5. We don’t anticipate any side effects. Please note that 1.26.x and 1.25.x are already on Go 1.19, so we are confident about this update.
In order to pick up Go security fixes only available in 1.18+, and to ensure that currently supported Kubernetes releases use supported Go versions, we decided to upgrade Go on those release branches to Go 1.19:
- The 1.23 release branch had been using Go 1.17, which reached EOL on 2022-08-03.
- The 1.24 release branch had been using Go 1.18, which is scheduled to reach EOL on 2023-03-15. The 1.24 release branch will reach EOL on 2023-07-28, which means that without the update, it would use an unsupported Go version for at least 4 months.
What’s the reasoning for this change?
Using an unsupported Go release can pose security risks in case new vulnerabilities are discovered. As unsupported Go releases do not receive security fixes, Kubernetes clusters will be vulnerable to exploits. We want to ensure that we can deliver security fixes targeting Go in a safe and timely manner. Specifically, this update means that fixes for CVE-2022-41715 and CVE-2022-41717 (two recent security issues only fixed in Go 1.18+) will be available in Kubernetes 1.23.16.
Am I, as a Kubernetes user, affected by this?
We paid special attention to preserving existing behavior for 1.23 and 1.24. For example, on the release-1.23 branch, we overrode some of the garbage collector changes in Go 1.19 that might affect kube-apiserver resource consumption to match Go 1.17 defaults (for more information on that specific change, see the Kubernetes 1.24 release note about GOGC tuning on Go 1.18+).
If you do see issues, please report them to us by following the instructions below.
Am I, as a Kubernetes library user, affected by this?
The libraries based on Kubernetes 1.24.10 and 1.23.16 can still be used with Go 1.18 and 1.17, respectively. That said, it is generally recommended to use supported Go versions in your own builds as well.
Where can I find more details about those changes?
Please see the following PRs:
Does this affect End-of-Life dates for those releases in any way?
No, the original maintenance mode and End-of-Life dates are still in effect. See the Patch Release page for more details.
If you run into any issues, please create an issue in the kubernetes/kubernetes repository and tag Release Managers with `/cc kubernetes/release-managers`. If you have any questions, please respond to this email or reach out to Release Managers on the #sig-release Slack channel.
Thanks to everyone who helped with driving this change forward!
on behalf of Kubernetes SIG Release