Kubernetes v1.27.5 is live!


Marko Mudrinić

Aug 24, 2023, 7:29:08 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.27.5 has been built and pushed using Golang version 1.20.7.

The release notes have been updated in CHANGELOG-1.27.md, with a pointer to them on GitHub:


v1.27.5

Downloads for v1.27.5

Source Code

filename sha512 hash
kubernetes.tar.gz c38254c54938b816edbbbfb104846e5802500b09029719cda914cde334d4372f56a9ad70d01cdcb2983c06b3386cb6af01c04b26dec5e9b51bee772989826fd9
kubernetes-src.tar.gz 1e06ed46e530a8fa4cfd928e22008cfdc804473867fcf55c5304277fd36c1265069473a4a4d36ca1f53d1db4c742a7e3823f0910dab82ab82518c4e4d1bc7932

Client Binaries


Server Binaries


Node Binaries


Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
registry.k8s.io/conformance:v1.27.5 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.27.5 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.27.5 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.27.5 amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.27.5 amd64, arm64, ppc64le, s390x

Changelog since v1.27.4

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2023-3955: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Affected Versions:

  • kubelet <= v1.28.0
  • kubelet <= v1.27.4
  • kubelet <= v1.26.7
  • kubelet <= v1.25.12
  • kubelet <= v1.24.16

Fixed Versions:

  • kubelet v1.28.1
  • kubelet v1.27.5
  • kubelet v1.26.8
  • kubelet v1.25.13
  • kubelet v1.24.17

This vulnerability was discovered by James Sturtevant @jsturtevant and Mark Rossetti @marosset during the process of fixing CVE-2023-3676 (that original CVE was reported by Tomer Peled @tomerpeled92).

CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE-2023-3676: Insufficient input sanitization on Windows nodes leads to privilege escalation

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

Affected Versions:

  • kubelet <= v1.28.0
  • kubelet <= v1.27.4
  • kubelet <= v1.26.7
  • kubelet <= v1.25.12
  • kubelet <= v1.24.16

Fixed Versions:

  • kubelet v1.28.1
  • kubelet v1.27.5
  • kubelet v1.26.8
  • kubelet v1.25.13
  • kubelet v1.24.17

This vulnerability was reported by Tomer Peled @tomerpeled92.

CVSS Rating: High (8.8) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Changes by Kind

API Change

  • Aggregated discovery now returns responseKind: {} for resources which are missing group/version/kind information, to ensure compatibility with v0.26.0-v0.26.3 clients. (#119835, @liggitt) [SIG API Machinery and Testing]

Feature

  • Kubeadm: generate CA certificates with a start time that is offset 5 minutes in the past relative to the current system time, to work around cases of clock desync. client-go: allow setting NotBefore in NewSelfSignedCACert() (#119113, @champtar) [SIG API Machinery, Auth and Cluster Lifecycle]
  • Kubernetes is now built with Go 1.20.7 (#119828, @jeremyrickard) [SIG Release and Testing]

Bug or Regression

  • Fix Topology Aware Hints not working when the topology.kubernetes.io/zone label is added after Node creation

    • Fix a data race in TopologyCache when AddHints and SetNodes are called concurrently (#117269, @tnqn) [SIG Apps and Network]
  • Fix computing backoff delay when using Job pod failure policy, by including in the backoff delay calculation pod failures ignored from the backoffLimit counter.

    Also, compute the backoff delay more accurately for deleted pods. (#119466, @mimowo) [SIG Apps]

  • Fix: after a Node goes down and takes some time to come back up, the mount points of the evicted Pods cannot be cleaned up successfully. (#111933) Meanwhile, the kubelet prints the log message 'Orphaned pod "xxx" found, but error not a directory occurred when trying to remove the volumes dir' every 2 seconds. (#105536) (#116134, @cvvz) [SIG Node and Storage]

  • Fixed kubelet startup getting stuck with NewVolumeManagerReconstruction feature enabled and a CSI volume present in /var/lib/kubelet/pods. (#117804, @jsafrane) [SIG Node and Storage]

  • Revert kubelet prober metrics pod tag to include actual pod name (#118549, @a7i) [SIG Node]

  • Update kube-apiserver's priority & fairness work estimator such that 'max seats' is MIN(0.15 x nominalCL, nominalCL / handSize)

    This fixes a bug where clients with requests using hand size x max seats greater than the nominal concurrency limit can starve other requests in the same priority level. (#118601, @andrewsykim) [SIG API Machinery]

Dependencies

Added

Nothing has changed.

Changed

Nothing has changed.

Removed

Nothing has changed.



Contributors, the CHANGELOG-1.27.md has been bootstrapped with v1.27.5 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
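
A check for the affected kubelet versions listed under CVE-2023-3955 and CVE-2023-3676 above, as an added example that is not part of the release notes or the Kubernetes project's code: it takes data in the shape of `kubectl get nodes -o json` output and reports Windows nodes whose kubelet is older than the fixed release for its minor line. The node data and the helper names are constructed for illustration, and treating lines older than 1.24 as affected is an assumption based on the "<= v1.24.16" range.

```python
import re

# Fixed kubelet patch release per 1.x minor line, from the lists above.
FIXED_PATCH = {28: 1, 27: 5, 26: 8, 25: 13, 24: 17}
VERSION_RE = re.compile(r"^v?1\.(\d+)\.(\d+)")


def kubelet_is_affected(version):
    """True if a 1.x kubelet version falls in one of the affected ranges."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable kubelet version: {version!r}")
    # Build suffixes such as vendor tags are ignored; a vendor build may
    # carry a backported fix, so confirm those with the distributor.
    minor, patch = int(m.group(1)), int(m.group(2))
    if minor in FIXED_PATCH:
        return patch < FIXED_PATCH[minor]
    # Assumption: lines older than 1.24 fall under "<= v1.24.16";
    # lines newer than 1.28 were released after the fix.
    return minor < min(FIXED_PATCH)


def affected_windows_nodes(node_list):
    """Return (name, kubeletVersion) for Windows nodes still affected."""
    hits = []
    for node in node_list.get("items", []):
        info = node.get("status", {}).get("nodeInfo", {})
        labels = node.get("metadata", {}).get("labels", {})
        os_name = info.get("operatingSystem") or labels.get("kubernetes.io/os")
        if os_name != "windows":  # only Windows nodes are affected
            continue
        version = info.get("kubeletVersion", "")
        if kubelet_is_affected(version):
            hits.append((node["metadata"]["name"], version))
    return hits


def _node(name, os_name, version):
    # Constructed sample node with only the fields this check reads.
    return {"metadata": {"name": name, "labels": {"kubernetes.io/os": os_name}},
            "status": {"nodeInfo": {"operatingSystem": os_name,
                                    "kubeletVersion": version}}}


SAMPLE_NODES = {"items": [
    _node("win-a", "windows", "v1.27.4"),   # affected
    _node("win-b", "windows", "v1.27.5"),   # fixed
    _node("win-c", "windows", "v1.23.17"),  # older than any fixed line
    _node("lin-a", "linux", "v1.26.7"),     # Linux node, out of scope
]}

if __name__ == "__main__":
    for name, version in affected_windows_nodes(SAMPLE_NODES):
        print(f"{name}: kubelet {version} needs upgrade")
```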
