Emergency Out-of-Bound Kubernetes 1.25.2, 1.24.6, 1.23.12, 1.22.15 patch releases


Marko Mudrinić

Sep 20, 2022, 3:30:29 PM
to d...@kubernetes.io, kubernetes-sig-release

Hello kubefolx,


The latest Kubernetes patch releases (1.25.1, 1.24.5, 1.23.11, 1.22.14) fixed CVE-2022-3172, which was announced and explained here[1]. The CVE fix[2] changed the default behavior of kube-apiserver to reject 3xx requests unless explicitly enabled. However, this introduced a regression[3], as not all 3xx requests are redirects. Depending on the aggregated API server implementation, this regression might manifest as:

  • Breaking some features of the aggregated API server
  • Causing a huge amount of warning logs in the kube-apiserver


This regression has been fixed in PR #112526[4], as well as on all active release branches in the appropriate cherry-pick PRs.


Considering that this is related to a security issue, we decided to release emergency out-of-bound Kubernetes patch releases:

  • 1.25.2
  • 1.24.6
  • 1.23.12
  • 1.22.15

The releases are planned for tomorrow, 21st September 2022.


If you already upgraded to the latest/affected patch releases (1.25.1, 1.24.5, 1.23.11, 1.22.14), we recommend upgrading to the new patch releases as soon as they are available. If you haven’t upgraded yet, we recommend waiting for the new patch releases to become available.


If you have questions about those releases, you can contact us on the #sig-release Slack channel[5].


Thanks for understanding.


SIG Release


[1]: https://groups.google.com/g/kubernetes-announce/c/aaOLnyQPXFg

[2]: https://github.com/kubernetes/kubernetes/pull/112193

[3]: https://github.com/kubernetes/kubernetes/issues/112524

[4]: https://github.com/kubernetes/kubernetes/pull/112526

[5]: https://kubernetes.slack.com/archives/C2C40FMNF
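The distinction the announcement hinges on (a 3xx status is not necessarily a redirect; 304 Not Modified, for example, carries no Location and nothing to follow) is easy to get wrong in a proxy that refuses to follow redirects. The Go program below is an added illustration written for this page, not the kube-apiserver code from PR #112193 or #112526: it contrasts the over-broad "reject every 3xx" check with one that only rejects genuine redirects, and runs both against a constructed stand-in for an aggregated API server (`NewFakeAggregatedServer`, `ProxyOnce` and the `RedirectPolicy` names are mine, not Kubernetes identifiers).

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
)

// RedirectPolicy names the two behaviours the announcement contrasts.
type RedirectPolicy int

const (
	// RejectAll3xx is the over-broad check: any 3xx is treated as a redirect.
	RejectAll3xx RedirectPolicy = iota
	// RejectRedirectsOnly rejects only statuses that actually redirect the client.
	RejectRedirectsOnly
)

// isRedirect reports whether an upstream response is a genuine HTTP redirect:
// one of the redirect status codes (the ones net/http's client would follow)
// carrying a Location header. 304 Not Modified is 3xx but redirects nowhere.
func isRedirect(resp *http.Response) bool {
	switch resp.StatusCode {
	case http.StatusMovedPermanently, http.StatusFound, http.StatusSeeOther,
		http.StatusTemporaryRedirect, http.StatusPermanentRedirect:
		return resp.Header.Get("Location") != ""
	}
	return false
}

// shouldReject decides whether a proxy that must not follow redirects should
// refuse to pass the upstream response through, under the given policy.
func shouldReject(resp *http.Response, policy RedirectPolicy) bool {
	if policy == RejectAll3xx {
		return resp.StatusCode >= 300 && resp.StatusCode < 400
	}
	return isRedirect(resp)
}

// ProxyOnce forwards one request to upstream without following redirects and
// reports the upstream status and whether the policy would reject it.
func ProxyOnce(upstream, path string, policy RedirectPolicy) (status int, rejected bool, err error) {
	client := &http.Client{
		// Surface the 3xx to the caller instead of silently following it.
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get(upstream + path)
	if err != nil {
		return 0, false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, shouldReject(resp, policy), nil
}

// NewFakeAggregatedServer is a constructed, hypothetical stand-in for an
// aggregated API server: /cached answers 304 Not Modified (a non-redirect 3xx),
// /moved answers a real 302 redirect, and /api answers 200.
func NewFakeAggregatedServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/cached", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNotModified)
	})
	mux.HandleFunc("/moved", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/api", http.StatusFound)
	})
	mux.HandleFunc("/api", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeAggregatedServer()
	defer srv.Close()
	for _, policy := range []RedirectPolicy{RejectAll3xx, RejectRedirectsOnly} {
		for _, path := range []string{"/cached", "/moved", "/api"} {
			status, rejected, err := ProxyOnce(srv.URL, path, policy)
			if err != nil {
				log.Fatal(err)
			}
			// Under RejectAll3xx the harmless /cached 304 is rejected too,
			// which is the kind of false positive the regression produced.
			fmt.Printf("policy=%d path=%-7s status=%d rejected=%v\n", policy, path, status, rejected)
		}
	}
}
```

Running it shows `/cached` rejected under `RejectAll3xx` but accepted under `RejectRedirectsOnly`, while the real `/moved` redirect is rejected under both; the only behavioural difference between the two policies is on 3xx responses that carry no redirect, which is exactly where an aggregated API server's features would break or spam warnings.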
