Kubernetes v1.24.8 is live!

Marko Mudrinić

Nov 10, 2022, 1:27:06 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.24.8 has been built and pushed using Golang version 1.18.8.

The release notes have been updated in CHANGELOG-1.24.md, with a pointer to them on GitHub:


v1.24.8

Downloads for v1.24.8

Source Code


Client Binaries


Server Binaries


Node Binaries


Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
k8s.gcr.io/conformance:v1.24.8 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-apiserver:v1.24.8 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-controller-manager:v1.24.8 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-proxy:v1.24.8 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-scheduler:v1.24.8 amd64, arm, arm64, ppc64le, s390x

Changelog since v1.24.7

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

Affected Versions:

  • kube-apiserver v1.25.0 - v1.25.3
  • kube-apiserver v1.24.0 - v1.24.7
  • kube-apiserver v1.23.0 - v1.23.13
  • kube-apiserver v1.22.0 - v1.22.15
  • kube-apiserver <= v1.21.?

Fixed Versions:

  • kube-apiserver v1.25.4
  • kube-apiserver v1.24.8
  • kube-apiserver v1.23.13
  • kube-apiserver v1.22.16

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit.

CVSS Rating: Medium (6.5) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-3294: Node address isn't always verified when proxying

A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send requests proxying through them.

Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network.

The merged fix enforces validation against the proxying address for a Node. In some cases, the fix can break clients that depend on the `nodes/proxy` subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane. Configuring an egress proxy for egress to the cluster network can also mitigate this vulnerability.

Affected Versions:

  • kube-apiserver v1.25.0 - v1.25.3
  • kube-apiserver v1.24.0 - v1.24.7
  • kube-apiserver v1.23.0 - v1.23.13
  • kube-apiserver v1.22.0 - v1.22.15
  • kube-apiserver <= v1.21.?

Fixed Versions:

  • kube-apiserver v1.25.4
  • kube-apiserver v1.24.8
  • kube-apiserver v1.23.13
  • kube-apiserver v1.22.16

This vulnerability was reported by Yuval Avrahami of Palo Alto Networks.

CVSS Rating: Medium (6.6) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Changes by Kind

API Change

  • Protobuf serialization of metav1.MicroTime timestamps (used in Lease and Event API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (#111936, @haoruan) [SIG API Machinery]

Feature

  • Kubernetes is now built with Go 1.18.8 (#113593, @xmudrii) [SIG Release and Testing]

Bug or Regression

  • Consider only plugin directory and not entire kubelet root when cleaning up mounts (#112920, @mattcary) [SIG Storage]
  • Etcd: Update to v3.5.5 (#113099, @mk46) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]
  • Fixed a bug where a change in the appProtocol for a Service did not trigger a load balancer update. (#113032, @MartinForReal) [SIG Cloud Provider and Network]
  • Kube-proxy will restart in case it detects that the Node-assigned pod.Spec.PodCIDRs have changed (#113252, @code-elinka) [SIG Cloud Provider, Network, Node and Storage]
  • Kubelet no longer reports terminated container metrics from cAdvisor (#112963, @bobbypage) [SIG Node]
  • Kubelet: fix GetAllocatableCPUs method in cpumanager (#113421, @Garrybest) [SIG Node]
  • Pod logs using --timestamps are not broken up with timestamps anymore. (#113516, @rphillips) [SIG Node]

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.



Contributors, the CHANGELOG-1.24.md has been bootstrapped with v1.24.8 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
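
An added example, not part of the announcement or of the Kubernetes code base: a pre-upgrade audit for the CVE-2022-3294 compatibility note above, listing Nodes that advertise a loopback or link-local address and whose `nodes/proxy` clients may therefore break once the fix is applied. The JSON is a constructed sample shaped like `kubectl get nodes -o json` output, and `FlagNodes` is a hypothetical helper that does not reproduce kube-apiserver's own validation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// Constructed sample shaped like `kubectl get nodes -o json`; not real cluster data.
const sampleNodes = `{"items":[
 {"metadata":{"name":"node-a"},"status":{"addresses":[{"type":"InternalIP","address":"10.0.12.7"},{"type":"Hostname","address":"node-a"}]}},
 {"metadata":{"name":"node-b"},"status":{"addresses":[{"type":"InternalIP","address":"127.0.0.1"}]}},
 {"metadata":{"name":"node-c"},"status":{"addresses":[{"type":"InternalIP","address":"169.254.10.20"},{"type":"InternalIP","address":"fe80::1"}]}}]}`

// nodeList keeps only the NodeList fields this audit reads.
type nodeList struct {
	Items []struct {
		Metadata struct{ Name string }
		Status   struct{ Addresses []struct{ Address string } }
	}
}

// FlagNodes (hypothetical helper) returns "node: address" for every advertised
// IP address that is loopback or link-local, the two cases the advisory names.
func FlagNodes(raw []byte) ([]string, error) {
	var nl nodeList
	if err := json.Unmarshal(raw, &nl); err != nil {
		return nil, err
	}
	var out []string
	for _, n := range nl.Items {
		for _, a := range n.Status.Addresses {
			ip, err := netip.ParseAddr(a.Address)
			if err != nil {
				continue // hostname entries would need DNS resolution; not done here
			}
			// Unmap so IPv4-mapped IPv6 forms such as ::ffff:127.0.0.1 are caught too.
			if ip = ip.Unmap(); ip.IsLoopback() || ip.IsLinkLocalUnicast() {
				out = append(out, n.Metadata.Name+": "+a.Address)
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(FlagNodes([]byte(sampleNodes)))
}
```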
