Kubernetes v1.29.4 is live!

59 views

Skip to first unread message

Mark Rossetti

unread,

Apr 17, 2024, 12:17:02 PMApr 17

to kubernetes-announce, d...@kubernetes.io

Kubernetes Community,

Kubernetes v1.29.4 has been built and pushed using Golang version 1.21.9.

The release notes have been updated in CHANGELOG-1.29.md, with a pointer to them on GitHub:

v1.29.4

Downloads for v1.29.4

Source Code

filename	sha512 hash
kubernetes.tar.gz	837cc6ab833228e387e787bdb1508d74bbf79c380ac71fed7acaf9e239f3f2fcbe3fcfb9a9e41711620ec21e6cc3a5984148dc80515f37a6fabb02e50a82a29c
kubernetes-src.tar.gz	716c6fc59d8dfed72ed45dfa5535dff3bae3bd3bd9f8641c2068d76c06c21c7ebc8ba0626374312b4a20285277cb8ea4df446199caae9cc0d992346c9dc09479

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	01506990cf76344fb12207e3e88a7c38a926ad8ccffc00b0ddcfeff9a5312b01438ef8c813e877e4b856cf1cc3f52dada7cd687a487797168a3436b66c64fc9b
kubernetes-client-darwin-arm64.tar.gz	f77fd94e97f1ecda0715f930d34ed85789f0eb0db6e3aacb35e7ebfbf101efe365169deff98c6b6d3d92b8a18d311032504adfe43e8c7f9fd4a42de2352de389
kubernetes-client-linux-386.tar.gz	c665a345c445878120a05d2c9755a80109423e333bace0423b7208a3fea91c019e3b33c4bcb0761d52a0b5d17258249881b4dd1a5a9a584ae04e4887d3e34b96
kubernetes-client-linux-amd64.tar.gz	c13235bd929eaaf4d0eaaa9ba883e95ce27a402ca7256c634e20a027fbf72db8834de8ea2ca7238e1fe92859e0edc7384a1cec7fbe2b7a5adf07b2e5cf99b04f
kubernetes-client-linux-arm.tar.gz	9c348edc150340219f4b9b8bfd17e1747df9884f9407126c1585c3a817fec5561d5d02ddaed0317ac515bf6142cc7530fcac9e735f60f92390d05e5517c7d166
kubernetes-client-linux-arm64.tar.gz	614cd5b5881c583505d089c09c221e4a06da0dc8b5ac70b3d93d7e2a58c8b439446a646d0bb53396c2a48535808503daa6aa1a37f43affe22176c2211fdc2cc4
kubernetes-client-linux-ppc64le.tar.gz	3c17be398175d0f882a0c1894c05d04fb564a4bd01ac95cbc5dab4902f7827425ff00d3fcee1fda22a31f81888effefff5a9705e266e44aa1a6c8be9ca42f0ca
kubernetes-client-linux-s390x.tar.gz	0a202fee4e78fffc1a25538529a9751dd7d421f75244cf6739332f606bfbf5ae455519f1f5b4378e7f22b4d8e1104f3eeb1acd37739e213b437db78f429dbc49
kubernetes-client-windows-386.tar.gz	afa38bee4b8d09347a5d4c1b4fde74d337d42efc411d62b336c841b2bc7bf39d6355557a169132ff69ce5d239a01cd59298a061437580c168400399b0a6c71d9
kubernetes-client-windows-amd64.tar.gz	653c737e582a43dcb7f8475c61bbffbd892b363dbb015d30c7be9413839ffa2564a97ceeea3e273fd0c46025e06e8828a4eedd0ff7983ad848e5647bb03f2249
kubernetes-client-windows-arm64.tar.gz	b779f64dac14f3d01b2565f093c27e71c793e0b0b2ff491419730d96ec5782152d7266c68f9b892264752022bb6ef600079649df9ab30e7a329bae2835a43803

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	8554f4e2c828df8e2a3aafceea941712ca079f0710ac1390a1bde32e09fe9a588c217462a2666e0d542c42f1e42881fc975751ce7d5b81c9f88aed0c8302f6dc
kubernetes-server-linux-arm64.tar.gz	850c1233ac2b267964ed840b6f4c4d51a961d8e86b1bf78ae4bc50e31e8255f04fdbd50c91d0937b9ce197dcac30fcc3df5be1b537a6a962b9e984a4754e74bf
kubernetes-server-linux-ppc64le.tar.gz	45e1abd9ee2efd0acac599ff3fe360835f1d02cf1075ba6499d41a5f41bd98e96868fc9d3555c41a535a88a3450f64fb7552d6b9f6a281837451b059c8c3695c
kubernetes-server-linux-s390x.tar.gz	2c924db2f1a6ba83d8364d373d79714d6f7f2697fcefb3f9ca3b89ff46f194ae87b81d3567f2e77bbe9f490e68468c64cf86f0e952a7c49efc87600b92bc9a36

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	bf5eb2f4ef8e215941d98ca62bc4901fcad7f68dda153e1f077f9688b1e3f273d3b25bc48167cefd0a1f1ce1e0a3525d71bf7aa37b7fa8b8f639af35df0233bd
kubernetes-node-linux-arm64.tar.gz	d983706b1975d3b8c3cb1dae833efc178337df2c2abdd835588a0be6dbaef55c27e1df993e8623b87f56f7f7a8f6de34390e8a085911644fa8af2d49f47512e0
kubernetes-node-linux-ppc64le.tar.gz	2d0358f1c7b6bc8146a7ec386b44e037dc4dd46b17584a276dc473ee57f74d0f5895b001217cef086785fa12482236fcfa96e005bc46c43fd42edd6e332f6b7f
kubernetes-node-linux-s390x.tar.gz	be7a9cf871c0255df63e16f21005ecf19ad8702a3b4be6483ed158aa8a85ad5ed8719ddabaf85110a2e05ec777fb7426967926be8a7d3a3ee51b557c181b78b9
kubernetes-node-windows-amd64.tar.gz	b4a632a37f76b2486e4ded68928edaa159b41d9f428c396710ca67582040439df0f11dfeeb39d4ba3eef02186ffe937eae08cd9d5fdad84bcf43a682d1226d13

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
registry.k8s.io/conformance:v1.29.4	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.29.4	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.29.4	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.29.4	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.29.4	amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.29.4	amd64, arm64, ppc64le, s390x

Changelog since v1.29.3

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Affected Versions:

kube-apiserver v1.29.0 - v1.29.3
kube-apiserver v1.28.0 - v1.28.8
kube-apiserver <= v1.27.12

Fixed Versions:

kube-apiserver v1.29.4
kube-apiserver v1.28.9
kube-apiserver v1.27.13

This vulnerability was reported by tha3e1vl.

CVSS Rating: Low (2.7) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Changes by Kind

Feature

Kubernetes is now built with go 1.21.9

update debian-base to bookworm-v1.0.2 (#124197, @cpanato) [SIG API Machinery, Architecture, Cloud Provider, Release, Storage and Testing]

Bug or Regression

Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled (#124140, @bertinatto) [SIG Node]
Golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288 (#124180, @MadhavJivrajani) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (https://github.com/etcd-io/etcd/pull/17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a WatchFromStorageWithoutResourceVersion feature gate. (#123973, @serathius) [SIG API Machinery]
Kubeadm: fix panic in the command "kubeadm certs check-expiration" when "/etc/kubernetes/pki" exists but cannot be read. (#124124, @carlory) [SIG Cluster Lifecycle]
NONE (#124327, @ritazh) [SIG Auth]
OpenAPI V2 will no longer publish aggregated apiserver OpenAPI for group-versions not matching the APIService specified group version (#123624, @Jefftree) [SIG API Machinery and Testing]

Dependencies

Added

Nothing has changed.

Changed

golang.org/x/crypto: v0.16.0 → v0.21.0
golang.org/x/net: v0.19.0 → v0.23.0
golang.org/x/sys: v0.15.0 → v0.18.0
golang.org/x/term: v0.15.0 → v0.18.0

Removed

Nothing has changed.

Contributors, the CHANGELOG-1.29.md has been bootstrapped with v1.29.4 release notes and you may edit now as needed.