Kubernetes v1.22.16 is live!
Marko Mudrinić
Kubernetes v1.22.16 has been built and pushed using Golang version 1.16.15.
The release notes have been updated in CHANGELOG-1.22.md, with a pointer to them on GitHub:
v1.22.16
Downloads for v1.22.16
Source Code
| filename | sha512 hash |
|---|---|
| kubernetes.tar.gz | 547fd0f9a4301a34e22088c845c03bee479fe562fa4078ead544cd76672fb9c25102c39ac2c8c1deb59bc41fd3f04b46b0c11e422e34fe9789e5fa2340a43062 |
| kubernetes-src.tar.gz | d78ef6f84b101dcbc5064673d5da1d23130f0d76c35d4a5c91977a15d290e3ae93d98e9c7d18d5136716638eb1e51e13a2ddcc832ad406d7d6f40d8f1e439ee7 |
Client Binaries
| filename | sha512 hash |
|---|---|
| kubernetes-client-darwin-amd64.tar.gz | a04b511ed93a47f62a0f2446d15a97bf606433b81aaf755013940f824e38261727af27b15e5e47be921a9808eab9a0bd322f44f99cacf0c7f920f33a1175db88 |
| kubernetes-client-darwin-arm64.tar.gz | 122cf1e66207e8f7a14bd7798fef0e0ba119a8f9bdeecef7f3b89dcefe90e576687353b48521e5da5509903efc3a0e34b0d3c6d1a358f38988ee407b39fe547f |
| kubernetes-client-linux-386.tar.gz | c46218da6bf11199156d1180ef6ef06884004df892a4dfc1c5600801f1bb3ea05e23167b48cbfa93ca75e3caf7c220e7efeb37c0e43d1c2503e0975afdf05421 |
| kubernetes-client-linux-amd64.tar.gz | 3db1b4bdfacbf7b3929deac4afe6bf2cb8ae1fbc82c8bf090e8b9e03624754b1e5094a0c62c53f9d26f129b0be105c586be22b1719a35773006a160663db259e |
| kubernetes-client-linux-arm.tar.gz | e506e6b48567ec31254f4f8e425cc2fb369898bfb538651aef6ba7103ec4ef4854705d94929315b7c01a1a00e5dc4a21959088d245da970dcd16da74fcc4f6da |
| kubernetes-client-linux-arm64.tar.gz | f07bfb799a91cda03749b85c1aa48e09c7ed43322602b32ae0f8bf8af35b37caab6dfd798c655d8cf33d078a97e68010a75f4905754ed0749eee7ed06e1eeeff |
| kubernetes-client-linux-ppc64le.tar.gz | 81210234de687d9b5bb3bced57b104dbc3d4e3dd5d044b66ee8c1beb039ad31e30d982adafee645e9cef77a6386514f339bd4d5f0edec3d7cac4d9a8ac824343 |
| kubernetes-client-linux-s390x.tar.gz | 5e74b8b53bab7d9bbdbb59fffbaa2b69b71e1a64da3ce52bd968a9be03b9e7b55300a9b7b7846e23f5797fab934d91932689d5e361f938cd4271ece6de42d9e2 |
| kubernetes-client-windows-386.tar.gz | 5cc204be26b95c61d7606bc53f42ed8d9035c6ea30a154fbd6f8a2ae2dec05bf3880fa4f235c020f80028e25d53b3610409814b9189d38455af72e6dcbc39049 |
| kubernetes-client-windows-amd64.tar.gz | 50a9262336dfe60904f2034d0de2a381435cd8b1010017fb95deb903431a64ed63ffb0c946e3ab7ed372bffd455874fcfd648cf6834b09617ce469a10684767b |
Server Binaries
| filename | sha512 hash |
|---|---|
| kubernetes-server-linux-amd64.tar.gz | 7c718fc6e0a7c39313279e13fb32a090bba88cb7556e3f584da49a44708d0b4da39b92d025f270268266e22ed8ed5547a3a68ca30b3cb4f7079b3e0b1931b4f0 |
| kubernetes-server-linux-arm.tar.gz | 40ae53a81f5cdfe173588803ae6f515dc32141602137abae849f55596f888bd5c93f444287dfafb32ae9608321531fd6aaaef7508cd5e2c95217488e7af3b391 |
| kubernetes-server-linux-arm64.tar.gz | 12ecf65d132342cc0816e9c9b7a4c3c0307246fcded98846d6271080f5feb8a38df2f5242e80e448fc5806f3b99670fe4c46abc57143003615ecd2f3d1501aa4 |
| kubernetes-server-linux-ppc64le.tar.gz | b430f7a770631da1213be3f4d374bc54327d607bce7671304037e51f8378293786e288796dc46ba4cdede2ba431f217efdc93f068ac734b1c96f6f37092456e7 |
| kubernetes-server-linux-s390x.tar.gz | 06e51e090faaa190cb50cb4e2490e31ab9dc6992964f46a2c3c0ee05da3e8198389152b0268099764b20127fe8031afaead9dbf9b82be2b1cfb0fd9243d53073 |
Node Binaries
| filename | sha512 hash |
|---|---|
| kubernetes-node-linux-amd64.tar.gz | 275c5b4e545de89162e918384ae984de494d8d902be85f42560d8456822b7ea23a02a9b1e5c291470426bf18a16087f8110a45a248539b995a5f09c25ba951be |
| kubernetes-node-linux-arm.tar.gz | 91d2b3804d81029fee44b393312793ad6796271f74cb74414930be046b8904cdbd532343fe5ee422528cbb01a5ec11dce6613977fd51a22405028898d2513aab |
| kubernetes-node-linux-arm64.tar.gz | 76d9b02a13cb5bd5c12517c441db7b5413568f74f745e93d8b32ae43fe9026f707fcee7826714b61d269e20985b6f7eafd1b5bc9f0accf18018ed95f675ecb9f |
| kubernetes-node-linux-ppc64le.tar.gz | fba787d3db2696c18747b8d959bfa9023e1ee81e972fffd8f9b21e8003af48fb2ac3ba94fe52e19126b06ee6e0af500ecf13b9cc15ffebe5f91a075843634b41 |
| kubernetes-node-linux-s390x.tar.gz | 730012efc6b115451478a35cfcf0ef0e717e849259be87b5277b96cc3513a338a51e37a91e485e217eb9839b2e3bfce4c5421eb63eed8260268300bcbf8d72cc |
| kubernetes-node-windows-amd64.tar.gz | 862ec1966eedb5f5cd4307ef16c8a84983be2b5141c753ab9e8ab96aac4c0fba1fe48def71104917ce6402c46c0a3622e7663a25a854d78312419855ed646563 |
Container Images
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
Changelog since v1.22.15
Important Security Information
This release contains changes that address the following vulnerabilities:
CVE-2022-3162: Unauthorized read of Custom Resources
A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.
Affected Versions:
- kube-apiserver v1.25.0 - v1.25.3
- kube-apiserver v1.24.0 - v1.24.7
- kube-apiserver v1.23.0 - v1.23.13
- kube-apiserver v1.22.0 - v1.22.15
- kube-apiserver <= v1.21.?
Fixed Versions:
- kube-apiserver v1.25.4
- kube-apiserver v1.24.8
- kube-apiserver v1.23.13
- kube-apiserver v1.22.16
This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit
CVSS Rating: Medium (6.5) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVE-2022-3294: Node address isn't always verified when proxying
A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them.
Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network.
The merged fix enforces validation against the proxying address for a Node. In some cases, the fix can break clients that depend on the `nodes/proxy` subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane. Configuring an egress proxy for egress to the cluster network can also mitigate this vulnerability.
Affected Versions:
- kube-apiserver v1.25.0 - v1.25.3
- kube-apiserver v1.24.0 - v1.24.7
- kube-apiserver v1.23.0 - v1.23.13
- kube-apiserver v1.22.0 - v1.22.15
- kube-apiserver <= v1.21.?
Fixed Versions:
- kube-apiserver v1.25.4
- kube-apiserver v1.24.8
- kube-apiserver v1.23.13
- kube-apiserver v1.22.16
This vulnerability was reported by Yuval Avrahami of Palo Alto Networks
CVSS Rating: Medium (6.6) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Dependencies
Added
Nothing has changed.
Changed
Nothing has changed.
Removed
Nothing has changed.
Contributors, the
CHANGELOG-1.22.md has been bootstrapped with
v1.22.16 release notes and you may edit now as needed.
Published by your
Kubernetes Release
Managers.