Kubernetes v1.28.9 is live!

31 views

Skip to first unread message

Mark Rossetti

unread,

Apr 17, 2024, 12:16:15 PMApr 17

to kubernetes-announce, d...@kubernetes.io

Kubernetes Community,

Kubernetes v1.28.9 has been built and pushed using Golang version 1.21.9.

The release notes have been updated in CHANGELOG-1.28.md, with a pointer to them on GitHub:

v1.28.9

Downloads for v1.28.9

Source Code

filename	sha512 hash
kubernetes.tar.gz	6445c7b17f50f2244f1fb39a64662db10252ec6c054379ac1119f7c0ee96b1a97aae1d1f663164e1eff89f9d6c3b3089d81702e85e8c4fed7f835bf53db1070e
kubernetes-src.tar.gz	ba7ae8b833ebc21f384dd36e5efe61b12c082342314097542da0326fc19a4d54a3cd84848be60c85bf3675718eb213216d503ca8f088084e2d77b92cc1848c6a

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	90d5663170f8bedca8c95bd71653fcb1a2e1c2a7d86b765f8c46de2531447c034560900fd9a31596b4fc2606485c0923b0496902ae9c2c1e43572243596be924
kubernetes-client-darwin-arm64.tar.gz	207efb9097bef48895f6e03a9c3054b376d31a9f649f31b2c5bab18a26571dc5713f1a23bfe8cd546eabdc21765c219fab313e6a26866f58fef3647052ce6ca5
kubernetes-client-linux-386.tar.gz	366bc0ca6b8b6e6887a57f3b75b21da78d8688dc7c3adefdf5370eda7a49ad0251c41d06ef68e71e7841c1307678425200f9b2ccd55def3749994b0f23ca542f
kubernetes-client-linux-amd64.tar.gz	5142ad0fa9d709d28e481d22442550eb5806c376382990c5e8637f7846275841bfa59ace19dc5f6276b563003ef5d7d49b06ec223ba352fc040d17a351085336
kubernetes-client-linux-arm.tar.gz	b77f309567bd3d828499dd7332ec485257df8a8cbc0d4d65f822c68466c2a2d07bab79317f5474826a73950955bc8af9491da215f05bbdd0d53b9367c9b53062
kubernetes-client-linux-arm64.tar.gz	d89b89fad313764ee3b7aa71e0b87651961e1d5485bab40cc3c0af00e9e422ffe8245501baee4c465e7cfdeb446721a28d075ce53f726ab38cdfa5aff554ef8e
kubernetes-client-linux-ppc64le.tar.gz	dfddba1e6db1702b8b80df9bdeead04cd72db47f84d615adc2090c851543d981b3cc9970e68e832ea73d13015ac8113ddef7247828b30da906e75129bb56a17c
kubernetes-client-linux-s390x.tar.gz	0957b71eba14a1728accd1e917e81b2cc95cdb4523a519b21fe82cb15885dedffbe49df2dca75059ba7590243c557d1948339a5fd10b67f141fd066606b35b57
kubernetes-client-windows-386.tar.gz	12179c49f2fa31970edc3b00232b69d431500200a2f3945a3fb4ce04d458c825b1e214f9ced1c7bb06777b79ca19f86444a1bee5f2f35b60f4b3407f4fa861d7
kubernetes-client-windows-amd64.tar.gz	6666378dbc9a43f62bfd69ef81993c4463ef1c8862dda1b40b5b18a90a81cfb2c26f19e15d8e3e019ab1ac8140cc15e11cd5d308c172f949264df69ee335047e
kubernetes-client-windows-arm64.tar.gz	c74973f02e46c6c21a50b9b08c7211e475a8b29ad375feb84d5c36a9b8716052f5daec77e7a6b138b045ff88701740f357c7654bc48a339debae88036bc8ae0f

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	9672e1921f858b3e77d85d8d915ba634b6693aa65ea223fc1eba0ca97e893dc391f691b8a35fb9c17b0f07ff0f6f37cae99164c2510e36a5fad6a3cdcf33a140
kubernetes-server-linux-arm64.tar.gz	668f237dbb96fa6b50f40c5452ea02c9db19c8fc07e73818d447f72b854f4864e6fcb119529439c51aab9e3233559eca7cfbe0d65d6f733f2281380c08c8a3cd
kubernetes-server-linux-ppc64le.tar.gz	222aefa46ce11f3345f72e1ff058da797d2fc3ccd08e5a9a8d4438f7b0262e4abb87cb6d7d719b30105a574fc5e61c9378f6fd1ccb16cfe7ccf5db5e8e0f8299
kubernetes-server-linux-s390x.tar.gz	74d30a38d00843d4b90906aff0aeee067effb64f6e3e244b6fd730a016de39c5754b20127b12239ada4f23099c6f1bcb2a619b084e8a3a5478b7e9fb8465e4c8

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	c215d09bd69bb71ecfc81d6a4605e16c68fae940ab62880b9e3a60e84805897c1bbd29fb98fbc3908629809b7396fe6c00765d6e59c44c85666bf70371aa6b4f
kubernetes-node-linux-arm64.tar.gz	d19a290d769491fe1d97cb416aa481bdfb7d4831a4ceec35abc90d5035f8cd529fb3e4653b1ec71cf8d0a38ce10d6e1e9d054bdee7d243cc01fcb44de94ddabe
kubernetes-node-linux-ppc64le.tar.gz	ab00c8323ec13870a270beb0d172b8c3371c69b234a422979ac5acb68349f46dc87a65fd734305ea940985e46d60a4c4a4a2886076a31ca4a67660506582076d
kubernetes-node-linux-s390x.tar.gz	60dcdb46e9a0b35505e06725eac88b590e62a97ad978573dfc98392a57538ff0d1c8ec15449cc8f47747c97bd29bda75302599443f7f969eb99eba9cbd78c27e
kubernetes-node-windows-amd64.tar.gz	7c2d2f8fdefae24583de5eecbb61165196508f91db57ec7d03eb9c61c02f61b440b1472e0d7619dbd81d94c2aefe04613db59e25e12cd4792cec86aace76d3d4

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
registry.k8s.io/conformance:v1.28.9	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.28.9	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.28.9	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.28.9	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.28.9	amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.28.9	amd64, arm64, ppc64le, s390x

Changelog since v1.28.8

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin

A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.

Affected Versions:

kube-apiserver v1.29.0 - v1.29.3
kube-apiserver v1.28.0 - v1.28.8
kube-apiserver <= v1.27.12

Fixed Versions:

kube-apiserver v1.29.4
kube-apiserver v1.28.9
kube-apiserver v1.27.13

This vulnerability was reported by tha3e1vl.

CVSS Rating: Low (2.7) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Changes by Kind

Feature

Kubernetes is now built with go 1.21.9

update debian-base/set-cap to bookworm-v1.0.2 (#124198, @cpanato) [SIG API Machinery, Architecture, Release and Testing]

Bug or Regression

Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled (#124141, @bertinatto) [SIG Node]
Golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288 (#124179, @MadhavJivrajani) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (https://github.com/etcd-io/etcd/pull/17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a WatchFromStorageWithoutResourceVersion feature gate. (#124006, @serathius) [SIG API Machinery]
Kubeadm: fix panic in the command "kubeadm certs check-expiration" when "/etc/kubernetes/pki" exists but cannot be read. (#124124, @carlory) [SIG Cluster Lifecycle]
NONE (#124326, @ritazh) [SIG Auth]
OpenAPI V2 will no longer publish aggregated apiserver OpenAPI for group-versions not matching the APIService specified group version (#123625, @Jefftree) [SIG API Machinery and Testing]

Dependencies

Added

Nothing has changed.

Changed

golang.org/x/crypto: v0.16.0 → v0.21.0
golang.org/x/net: v0.19.0 → v0.23.0
golang.org/x/sys: v0.15.0 → v0.18.0
golang.org/x/term: v0.15.0 → v0.18.0

Removed

Nothing has changed.

Contributors, the CHANGELOG-1.28.md has been bootstrapped with v1.28.9 release notes and you may edit now as needed.