Kubernetes v1.23.14 is live!

Marko Mudrinić

Nov 10, 2022, 1:27:47 PM
to kubernetes-announce, dev
Kubernetes Community,

Kubernetes v1.23.14 has been built and pushed using Golang version 1.17.13.

The release notes have been updated in CHANGELOG-1.23.md, with a pointer to them on GitHub:


v1.23.14

Downloads for v1.23.14


Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name architectures
k8s.gcr.io/conformance:v1.23.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-apiserver:v1.23.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-controller-manager:v1.23.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-proxy:v1.23.14 amd64, arm, arm64, ppc64le, s390x
k8s.gcr.io/kube-scheduler:v1.23.14 amd64, arm, arm64, ppc64le, s390x

Changelog since v1.23.13

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2022-3162: Unauthorized read of Custom Resources

A security issue was discovered in Kubernetes where users authorized to list or watch one type of namespaced custom resource cluster-wide can read custom resources of a different type in the same API group they are not authorized to read.

Affected Versions:

  • kube-apiserver v1.25.0 - v1.25.3
  • kube-apiserver v1.24.0 - v1.24.7
  • kube-apiserver v1.23.0 - v1.23.13
  • kube-apiserver v1.22.0 - v1.22.15
  • kube-apiserver <= v1.21.?

Fixed Versions:

  • kube-apiserver v1.25.4
  • kube-apiserver v1.24.8
  • kube-apiserver v1.23.13
  • kube-apiserver v1.22.16

This vulnerability was reported by Richard Turnbull of NCC Group as part of the Kubernetes Audit.

CVSS Rating: Medium (6.5) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE-2022-3294: Node address isn't always verified when proxying

A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can modify Node objects and send requests proxying through them.

Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network.

The merged fix enforces validation against the proxying address for a Node. In some cases, the fix can break clients that depend on the `nodes/proxy` subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane. Configuring an egress proxy for egress to the cluster network can also mitigate this vulnerability.

Affected Versions:

  • kube-apiserver v1.25.0 - v1.25.3
  • kube-apiserver v1.24.0 - v1.24.7
  • kube-apiserver v1.23.0 - v1.23.13
  • kube-apiserver v1.22.0 - v1.22.15
  • kube-apiserver <= v1.21.?

Fixed Versions:

  • kube-apiserver v1.25.4
  • kube-apiserver v1.24.8
  • kube-apiserver v1.23.13
  • kube-apiserver v1.22.16

This vulnerability was reported by Yuval Avrahami of Palo Alto Networks.

CVSS Rating: Medium (6.6) CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Changes by Kind

API Change

  • Make STS available replicas optional again. (#109241, @ravisantoshgudimetla) [SIG API Machinery and Apps]
  • Make STS available replicas optional again. (#113122, @ashrayjain) [SIG Apps]
  • Protobuf serialization of metav1.MicroTime timestamps (used in Lease and Event API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. (#111936, @haoruan) [SIG API Machinery]

Bug or Regression

  • Consider only plugin directory and not entire kubelet root when cleaning up mounts (#112921, @mattcary) [SIG Storage]
  • Etcd: Update to v3.5.5 (#113100, @mk46) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing]
  • Fixed a bug where a change in the appProtocol for a Service did not trigger a load balancer update. (#113033, @MartinForReal) [SIG Cloud Provider and Network]
  • Kube-proxy will restart if it detects that the Node assigned pod.Spec.PodCIDRs have changed (#113258, @code-elinka) [SIG Network]
  • Kubelet no longer reports terminated container metrics from cAdvisor (#112964, @bobbypage) [SIG Node]
  • Kubelet: fix GetAllocatableCPUs method in cpumanager (#113422, @Garrybest) [SIG Node]
  • Pod logs using --timestamps are not broken up with timestamps anymore. (#113517, @rphillips) [SIG Node]

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.



Contributors, the CHANGELOG-1.23.md has been bootstrapped with v1.23.14 release notes and you may edit now as needed.



Published by your Kubernetes Release Managers.
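
The CVE-2022-3294 note above says the fix can break `nodes/proxy` clients when a kubelet advertises a localhost or link-local address. The following is an added example, not part of the announcement and not kube-apiserver's own validation code: a pre-upgrade check that reads the output of `kubectl get nodes -o json` and lists Nodes advertising such addresses. The names `node`, `risky`, `auditNodes` and `sampleNodes` are hypothetical, and the sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// node holds only the fields of `kubectl get nodes -o json` that this check reads.
type node struct {
	Metadata struct{ Name string }
	Status   struct{ Addresses []struct{ Type, Address string } }
}

// risky reports a localhost or link-local address; hostnames parse to a nil IP, which matches neither.
func risky(addr string) bool {
	ip := net.ParseIP(addr)
	return strings.EqualFold(addr, "localhost") || ip.IsLoopback() || ip.IsLinkLocalUnicast()
}

// auditNodes returns "node type=address" for every flagged address in a NodeList.
func auditNodes(doc []byte) ([]string, error) {
	var list struct{ Items []node }
	if err := json.Unmarshal(doc, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, n := range list.Items {
		for _, a := range n.Status.Addresses {
			if risky(a.Address) {
				findings = append(findings, fmt.Sprintf("%s %s=%s", n.Metadata.Name, a.Type, a.Address))
			}
		}
	}
	return findings, nil
}

// sampleNodes is constructed data, not output from a real cluster.
const sampleNodes = `{"items":[{"metadata":{"name":"node-a"},"status":{"addresses":[{"type":"InternalIP","address":"10.0.1.12"},{"type":"Hostname","address":"node-a"}]}},
{"metadata":{"name":"node-b"},"status":{"addresses":[{"type":"InternalIP","address":"127.0.0.1"},{"type":"Hostname","address":"localhost"}]}},
{"metadata":{"name":"node-c"},"status":{"addresses":[{"type":"InternalIP","address":"169.254.10.4"},{"type":"InternalIP","address":"fe80::1"}]}}]}`

func main() {
	findings, err := auditNodes([]byte(sampleNodes))
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(findings, "\n"))
}
```

Hostnames other than `localhost` are not resolved, so a name that resolves to a loopback or link-local address is not flagged by this check.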
