Kubernetes Community,
Kubernetes v1.28.9 has been built and pushed using Golang version 1.21.9.
v1.28.9
Downloads for v1.28.9
Source Code
| filename | sha512 hash |
| --- | --- |
| kubernetes.tar.gz | 6445c7b17f50f2244f1fb39a64662db10252ec6c054379ac1119f7c0ee96b1a97aae1d1f663164e1eff89f9d6c3b3089d81702e85e8c4fed7f835bf53db1070e |
| kubernetes-src.tar.gz | ba7ae8b833ebc21f384dd36e5efe61b12c082342314097542da0326fc19a4d54a3cd84848be60c85bf3675718eb213216d503ca8f088084e2d77b92cc1848c6a |
Client Binaries
Server Binaries
Node Binaries
Container Images
All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.
| name | architectures |
| --- | --- |
| registry.k8s.io/conformance:v1.28.9 | amd64, arm64, ppc64le, s390x |
| registry.k8s.io/kube-apiserver:v1.28.9 | amd64, arm64, ppc64le, s390x |
| registry.k8s.io/kube-controller-manager:v1.28.9 | amd64, arm64, ppc64le, s390x |
| registry.k8s.io/kube-proxy:v1.28.9 | amd64, arm64, ppc64le, s390x |
| registry.k8s.io/kube-scheduler:v1.28.9 | amd64, arm64, ppc64le, s390x |
| registry.k8s.io/kubectl:v1.28.9 | amd64, arm64, ppc64le, s390x |
Changelog since v1.28.8
Important Security Information
This release contains changes that address the following vulnerabilities:
CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin
A security issue was discovered in Kubernetes where users may be able to launch containers that bypass the mountable secrets policy enforced by the ServiceAccount admission plugin when using containers, init containers, and ephemeral containers with the envFrom field populated.
Affected Versions:
- kube-apiserver v1.29.0 - v1.29.3
- kube-apiserver v1.28.0 - v1.28.8
- kube-apiserver <= v1.27.12
Fixed Versions:
- kube-apiserver v1.29.4
- kube-apiserver v1.28.9
- kube-apiserver v1.27.13
This vulnerability was reported by tha3e1vl.
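An audit check for the issue described under CVE-2024-3177, added here as an example and not part of the Kubernetes release notes or code base: it flags envFrom secret references that are missing from the pod's ServiceAccount secrets list. It assumes enforcement is requested with the kubernetes.io/enforce-mountable-secrets: "true" annotation and that objects are shaped like kubectl get -o json items; the function name, the (namespace, name) lookup map and the sample objects are constructed for illustration.

```python
# Added example: audit Pod manifests for envFrom secret references that fall
# outside the ServiceAccount's mountable-secrets list (the CVE-2024-3177 gap).
ENFORCE = "kubernetes.io/enforce-mountable-secrets"
CONTAINER_FIELDS = ("containers", "initContainers", "ephemeralContainers")


def envfrom_violations(pod, service_accounts):
    """Return (field, container, secret) per envFrom secretRef outside the SA list."""
    ns = pod["metadata"].get("namespace", "default")
    spec = pod.get("spec", {})
    # service_accounts (hypothetical shape): (namespace, name) -> ServiceAccount dict
    sa = service_accounts.get((ns, spec.get("serviceAccountName", "default")))
    if sa is None:
        return []
    annotations = sa.get("metadata", {}).get("annotations") or {}
    if annotations.get(ENFORCE) != "true":
        return []  # policy not enforced for this ServiceAccount
    allowed = {ref["name"] for ref in sa.get("secrets") or []}
    found = []
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            for source in container.get("envFrom") or []:
                name = (source.get("secretRef") or {}).get("name")
                if name and name not in allowed:
                    found.append((field, container["name"], name))
    return found


# Constructed sample objects, shaped like `kubectl get -o json` items.
SAMPLE_SA = {
    "metadata": {"name": "app", "namespace": "prod",
                 "annotations": {ENFORCE: "true"}},
    "secrets": [{"name": "app-config"}],
}
SAMPLE_POD = {
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {
        "serviceAccountName": "app",
        "containers": [{"name": "web", "envFrom": [
            {"secretRef": {"name": "app-config"}},
            {"configMapRef": {"name": "settings"}}]}],
        "initContainers": [{"name": "init", "envFrom": [
            {"secretRef": {"name": "db-admin"}}]}],
    },
}

if __name__ == "__main__":
    accounts = {("prod", "app"): SAMPLE_SA}
    for hit in envfrom_violations(SAMPLE_POD, accounts):
        print("envFrom secret outside mountable list: %s/%s -> %s" % hit)
```

Pods flagged by such a check on a cluster that ran an affected kube-apiserver version were admitted despite the policy and are worth reviewing after upgrading.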
Changes by Kind
Feature
- Kubernetes is now built with Go 1.21.9
- Update debian-base/set-cap to bookworm-v1.0.2 (#124198, @cpanato) [SIG API Machinery, Architecture, Release and Testing]
Bug or Regression
- Fix pod restart after node reboot when NewVolumeManagerReconstruction feature gate is enabled and SELinuxMountReadWriteOncePod disabled (#124141, @bertinatto) [SIG Node]
- golang.org/x/net is bumped to v0.23.0 to address CVE-2023-45288 (#124179, @MadhavJivrajani) [SIG API Machinery, Architecture, Auth, CLI, Cloud Provider, Cluster Lifecycle, Instrumentation, Network, Node and Storage]
- Kube-apiserver: fixes a 1.27+ regression in watch stability by serving watch requests without a resourceVersion from the watch cache by default, as in <1.27 (disabling the change in #115096 by default). This mitigates the impact of an etcd watch bug (https://github.com/etcd-io/etcd/pull/17555). If the 1.27 change in #115096 to serve these requests from underlying storage is still desired despite the impact on watch stability, it can be re-enabled with a WatchFromStorageWithoutResourceVersion feature gate. (#124006, @serathius) [SIG API Machinery]
- Kubeadm: fix panic in the command "kubeadm certs check-expiration" when "/etc/kubernetes/pki" exists but cannot be read. (#124124, @carlory) [SIG Cluster Lifecycle]
- NONE (#124326, @ritazh) [SIG Auth]
- OpenAPI V2 will no longer publish aggregated apiserver OpenAPI for group-versions not matching the APIService specified group version (#123625, @Jefftree) [SIG API Machinery and Testing]
Dependencies
Added
Nothing has changed.
Changed
Removed
Nothing has changed.
Contributors, the CHANGELOG-1.28.md has been bootstrapped with v1.28.9 release notes and you may edit now as needed.