Kubernetes v1.22.14 is live!

Jim Angel

Sep 15, 2022, 4:18:03 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.22.14 has been built and pushed using Golang version 1.16.15.

The release notes have been updated in CHANGELOG-1.22.md, with a pointer to them on GitHub:


v1.22.14

Downloads for v1.22.14

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
k8s.gcr.io/conformance:v1.22.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-apiserver:v1.22.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-controller-manager:v1.22.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-proxy:v1.22.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-scheduler:v1.22.14 amd64, arm, arm64, ppc64le, s390x

Changelog since v1.22.13

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)

A security issue was discovered in kube-apiserver that could allow an attacker-controlled aggregated API server to redirect client traffic to any URL. This could lead to the client performing unexpected actions as well as leaking the client's credentials to third parties.

There is no mitigation for this issue. Cluster admins should take care to secure aggregated API servers and should not grant access to mutate APIServices to untrusted parties.

Affected Versions:

  • kube-apiserver v1.25.0
  • kube-apiserver v1.24.0 - v1.24.4
  • kube-apiserver v1.23.0 - v1.23.10
  • kube-apiserver v1.22.0 - v1.22.14
  • kube-apiserver <= v1.21.?

Fixed Versions:

  • kube-apiserver v1.25.1
  • kube-apiserver v1.24.5
  • kube-apiserver v1.23.11
  • kube-apiserver v1.22.14

This vulnerability was reported by Nicolas Joly & Weinong Wang from Microsoft.

CVSS Rating: Medium (5.1) CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L

CVE-2021-25749: runAsNonRoot logic bypass for Windows containers

A security issue was discovered in Kubernetes that could allow Windows workloads to run as ContainerAdministrator even when those workloads set the runAsNonRoot option to true.

This issue has been rated low and assigned CVE-2021-25749.

Am I vulnerable?

All Kubernetes clusters with the following versions that run Windows workloads with runAsNonRoot are impacted.

Affected Versions

  • kubelet v1.20 - v1.21
  • kubelet v1.22.0 - v1.22.13
  • kubelet v1.23.0 - v1.23.10
  • kubelet v1.24.0 - v1.24.4

How do I mitigate this vulnerability?

There are no known mitigations to this vulnerability.

Fixed Versions

  • kubelet v1.22.14
  • kubelet v1.23.11
  • kubelet v1.24.5
  • kubelet v1.25.0

To upgrade, refer to this documentation. For core Kubernetes: https://kubernetes.io/docs/tasks/administer-cluster/cluster-management/#upgrading-a-cluster

Detection

Kubernetes audit logs may indicate whether the user name was misspelled to bypass the restriction placed on which user a pod is allowed to run as.

If you find evidence that this vulnerability has been exploited, please contact secu...@kubernetes.io

Additional Details

See the GitHub issue for more details: https://github.com/kubernetes/kubernetes/issues/112192

Acknowledgements

This vulnerability was reported and fixed by Mark Rosetti (@marosset).

CVSS Rating: Low (3.4) CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C

Changes by Kind

Bug or Regression

  • Fix an ephemeral port exhaustion bug caused by improper connection management that occurred when a large number of objects were handled by kubectl while exec auth was in use. (#112339, @enj) [SIG API Machinery and Auth]
  • Fix problem in updating VolumeAttached in node status (#112302, @xing-yang) [SIG Apps]
  • Kube-apiserver: redirect responses are no longer returned from backends by default. Set --aggregator-reject-forwarding-redirect=false to continue forwarding redirect responses. (#112359, @enj) [SIG API Machinery]
  • UserName check for 'ContainerAdministrator' is now case-insensitive if runAsNonRoot is set to true on Windows. (#112213, @PushkarJ) [SIG Node, Testing and Windows]

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.



Contributors, the CHANGELOG-1.22.md has been bootstrapped with v1.22.14 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
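
The Detection note for CVE-2021-25749 and the changelog entry that makes the 'ContainerAdministrator' check case-insensitive point to what an audit-log search should look for. The following is an added example, not part of the announcement or of Kubernetes itself: it scans audit events for pod creations that combine runAsNonRoot: true with a case variant of that user name. It assumes audit events are recorded at Request level or higher (so requestObject is present); the sample events and the function names are constructed for illustration.

```python
import json

BLOCKED = "ContainerAdministrator"  # account name the runAsNonRoot check looks for

# Constructed sample audit events (audit.k8s.io/v1), one JSON object per line.
SAMPLE_AUDIT_LOG = r"""
{"verb":"create","user":{"username":"dev-a"},"objectRef":{"resource":"pods","namespace":"win","name":"p1"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true},"containers":[{"name":"app","securityContext":{"windowsOptions":{"runAsUserName":"containeradministrator"}}}]}}}
{"verb":"create","user":{"username":"dev-b"},"objectRef":{"resource":"pods","namespace":"win","name":"p2"},"requestObject":{"spec":{"securityContext":{"runAsNonRoot":true,"windowsOptions":{"runAsUserName":"ContainerUser"}},"containers":[{"name":"app"}]}}}
{"verb":"create","user":{"username":"dev-c"},"objectRef":{"resource":"pods","namespace":"win","name":"p3"},"requestObject":{"spec":{"containers":[{"name":"app","securityContext":{"windowsOptions":{"runAsUserName":"CONTAINERADMINISTRATOR"}}}]}}}
{"verb":"get","user":{"username":"dev-a"},"objectRef":{"resource":"configmaps","namespace":"win","name":"cfg"}}
{"verb":"create","user":{"username":"dev-e"},"objectRef":{"resource":"pods","namespace":"win","name":"p5"},"requestObject":{"spec":{"securityContext":{"windowsOptions":{"runAsUserName":"ContainerADMINISTRATOR"}},"containers":[{"name":"app","securityContext":{"runAsNonRoot":true}}]}}}
"""


def effective_settings(pod):
    """Yield (container, runAsNonRoot, runAsUserName); container-level values override pod-level."""
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    pod_user = (pod_sc.get("windowsOptions") or {}).get("runAsUserName")
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        user = (sc.get("windowsOptions") or {}).get("runAsUserName") or pod_user
        non_root = sc.get("runAsNonRoot")
        if non_root is None:
            non_root = pod_sc.get("runAsNonRoot")
        yield c.get("name"), non_root, user


def find_case_variants(log_text):
    """Return pod-create events that set runAsNonRoot=true with a case variant of BLOCKED."""
    findings = []
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except ValueError:
            continue  # skip blank or truncated lines
        ref = ev.get("objectRef") or {} if isinstance(ev, dict) else {}
        if ev.get("verb") != "create" or ref.get("resource") != "pods" or ref.get("subresource"):
            continue
        for name, non_root, user in effective_settings(ev.get("requestObject") or {}):
            # The exact spelling was already rejected by affected kubelets; only variants matter.
            if non_root is True and isinstance(user, str) \
                    and user != BLOCKED and user.lower() == BLOCKED.lower():
                findings.append((ref.get("namespace"), ref.get("name"), name,
                                 user, (ev.get("user") or {}).get("username")))
    return findings


if __name__ == "__main__":
    for finding in find_case_variants(SAMPLE_AUDIT_LOG):
        print("possible runAsNonRoot bypass:", finding)
```

Pods created through a Deployment or other controller appear in the audit log under the controller's identity, so the reported user may be a controller service account rather than the person who authored the workload.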
