Kubernetes v1.27.13 is live!

15 views

Skip to first unread message

Mark Rossetti

unread,

Apr 17, 2024, 12:14:54 PMApr 17

to kubernetes-announce, d...@kubernetes.io

Kubernetes Community,

Kubernetes v1.27.13 has been built and pushed using Golang version 1.21.9.

The release notes have been updated in CHANGELOG-1.27.md, with a pointer to them on GitHub:

v1.27.13

Downloads for v1.27.13

Source Code

filename	sha512 hash
kubernetes.tar.gz	d3fe54bd77a722b0d46b89aba321a5ab16c93f4f1b32646643a9d780f466149fd35d205cd18838a5a46abfb0f6ff29185e0c93d627a9b4dfe3f2ca3710c67f75
kubernetes-src.tar.gz	65dfd50d6a1cdd5cbcbe1cf346949d1e0e99fbe747a7f95e66db52bf3a318afcfb514232e856f4fccaef4935d85fc71cd27dc77544711189c059e45587aa6067

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	7ddf02f44ee8d119b2876f1864da1cde5e1c3b2b10dc14a535b9b30799e08064bfb7285ae9df55a1a4dec73f83fe2b0631cc17eb3b607152cd6ab6879dd5f987
kubernetes-client-darwin-arm64.tar.gz	3a0fd8050e3cfe36bcbd905b199139589a7dcacb5be4f218b5e0f2bfef692c082ee007b8415e91cbb6566648f4dd5ff7566d24834764a75e879b7e6a64bcd658
kubernetes-client-linux-386.tar.gz	e95d44a3859d86fadf35a0727c628e0c12aea3cc4d98a0ca06d9aaa68800155dc355eb1fdc54711be7a630c98263e155f82f1557196895f307ee85b45db6f5fb
kubernetes-client-linux-amd64.tar.gz	6480d87386b766f379f6cd2356e87be089c8e1656e71ee8e4cb6878b71b724c0b8461ba40b2b416f6e43b9525ccffaa1df7d528b891fe57da97bfbde7c51352c
kubernetes-client-linux-arm.tar.gz	b13502a952b8bbc481ea08657ec86c2520e2e9b563017fc706e902f437e14532bd71f5805d611dc5c013754566d555230a561692e86c0f4b8171db0bcc80422c
kubernetes-client-linux-arm64.tar.gz	38b59a701b21d2ce4473579556354d1beeec71d69e31a0138a4c036af163281aed3677e641827226b9ee6aedf56c0f96bb7c7f0dcce23b7242be138282ca42eb
kubernetes-client-linux-ppc64le.tar.gz	37b34738df126e7812b4609fed507bc01914d40acba0db5e9b23082a000df37eb9d3e867a6dc79c48057ecfd0c5d3c25259fcd3acc7e1d9ea98be9dfecaf8ccb
kubernetes-client-linux-s390x.tar.gz	20e62246595d9605e8611cd6972da3be57fffa14da62c502f3cb3267266eb7c891cb4af66677a872bf638a27a7c822fa4628a428e39f08a9e3c9ae00277f4e73
kubernetes-client-windows-386.tar.gz	9ba18d9a959f17c2ff5caf99f31d3e0e0e84927d7c1be408518d99b7bc669e1393ff3b5f3c1368f27e4dae303ad70c2dc79bdcea42f7853170398f885d77bbe9
kubernetes-client-windows-amd64.tar.gz	f009f13428119ce9239ab1444bcd7c20796382c108c2e44adfc7cdb8874cf7acaf65bf3ce723dd2b395154196b1bcc1fec79625409226b31b563aae86741903d
kubernetes-client-windows-arm64.tar.gz	12a1716be5aa0bbd863ac330ae0beb59a0aea5f74be704bfd2e2849b9ecdb5ce10e2a86e71558ee3a40d839993ae21692f9cf6e8350c2969f528b6406e8f243c

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	6d5a3313e5e336c3877ca4202a94c4d8320f53d3c1fe29d81aff2ca8b2d3ae3cce035c84b5322821fa78f4e2cdc51321dc33b95f9baf00942d6d4d56cfd19e69
kubernetes-server-linux-arm64.tar.gz	a14658d0147077d2c0a63d84ebb321666537e6be55e9dccf86eb391e10a65d917b02ea5b3ccf7b8ee14af32e4f7a9b71dd631b691cc18f53ceda19e61e6b2e7b
kubernetes-server-linux-ppc64le.tar.gz	e51c928c658457b32ff1c7cbf716fdf9519342f0da54dd32f198c4c0edbf5c62b1379c06e872ec07780672b2e1b203d84e1cd103f40e3de2a30ae4dc25c060ae
kubernetes-server-linux-s390x.tar.gz	fa89cb300e4b9ac75c0439b32fc1a4f77904b3f2b47184530345d00d45b2cfe8555244f62be562c47aef50c6c9132e1c7f109de198ca07d6d4ca75801a87659e

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	b6fc891bda8f29f214723cf9ccd08ac282e4aed0ba76981008be40088a7d8132ed74d8ddd4aa23cd09e438a9801b51aebc582d52f06526114b19aa164c9725f1
kubernetes-node-linux-arm64.tar.gz	751ac5bf9d06b3ca521a3c17b5f4265c76dade6759af543ca57e5395c63baf6db4a91d67df09b604aaec128b312e92a7faff43d8a7ae3218df5481201445a7ae
kubernetes-node-linux-ppc64le.tar.gz	5ef40c6c887c8a8a91612bbd751d4e7c63582c74e3475c9444ad36415577653ee01f4a72a987f20e0faee5dc35bc2c91b4de737caf0e10336b3828cecaa18378
kubernetes-node-linux-s390x.tar.gz	d418dee6b26d781d13b6e3d6b7baaf6cda994474042651385e56891c4823421cb4a868f7f2d4824afcdbfaa9e314ef40791db6afa5354163180083475406dc2c
kubernetes-node-windows-amd64.tar.gz	a87a4f1e64026ba8dab92f64b6fdd02bba095be6098ab79e647082b2312d9a4442e9926f09e8a07f12d8003b712a15fbe109626ae2e796f961cf1c42b439925c

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
registry.k8s.io/conformance:v1.27.13	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.27.13	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.27.13	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.27.13	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.27.13	amd64, arm64, ppc64le, s390x

Changelog since v1.27.12

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Affected Versions:

kube-apiserver v1.29.0 - v1.29.3
kube-apiserver v1.28.0 - v1.28.8
kube-apiserver <= v1.27.12

Fixed Versions:

kube-apiserver v1.29.4
kube-apiserver v1.28.9
kube-apiserver v1.27.13

This vulnerability was reported by tha3e1vl.

CVSS Rating: Low (2.7) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Changes by Kind

Feature

Kubernetes is now built with go 1.21.9 (#124199, @cpanato) [SIG Release and Testing]

Bug or Regression

Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled (#124142, @bertinatto) [SIG Node]
Golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288 (#124178, @MadhavJivrajani) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Node and Storage]
Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (https://github.com/etcd-io/etcd/pull/17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a WatchFromStorageWithoutResourceVersion feature gate. (#124007, @serathius) [SIG API Machinery]
Kubeadm: fix panic in the command "kubeadm certs check-expiration" when "/etc/kubernetes/pki" exists but cannot be read. (#124124, @carlory) [SIG Cluster Lifecycle]
NONE (#124325, @ritazh) [SIG Auth]

Dependencies

Added

Nothing has changed.

Changed

golang.org/x/crypto: v0.16.0 → v0.21.0
golang.org/x/net: v0.19.0 → v0.23.0
golang.org/x/sys: v0.15.0 → v0.18.0
golang.org/x/term: v0.15.0 → v0.18.0

Removed

Nothing has changed.

Contributors, the CHANGELOG-1.27.md has been bootstrapped with v1.27.13 release notes and you may edit now as needed.