Workload cluster release v20.1.0 for AWS
Date: 2024-04-24T14:26:26
Release notes for AWS workload cluster release v20.1.0, published on 24 April 2024, 14:26.
This release provides security updates for Container Linux and a fix for IMDSv2-only clusters.
aws-operator 16.1.1
- Bump k8scc to fix issues with IMDS v2.
cert-operator 3.4.0
- Avoid exiting with a failure at startup time if the PKI cleanup fails.
cluster-operator 5.11.1
- Configure `gsoci.azurecr.io` as the default container image registry.
- Add team label in resources.
- Add `global.podSecurityStandards.enforced` value for PSS migration.
- Fix release version check for PSS enforcement.
containerlinux 3815.2.2
Changes since Stable 3815.2.1
- Linux (CVE-2023-28746, CVE-2023-47233, CVE-2023-52639, CVE-2023-6270, CVE-2023-7042, CVE-2024-22099, CVE-2024-23307, CVE-2024-24861, CVE-2024-26584, CVE-2024-26585, CVE-2024-26642, CVE-2024-26651, CVE-2024-26654, CVE-2024-26659, CVE-2024-26686, CVE-2024-26700, CVE-2024-26809)
- Downgraded xz-utils to 5.4.2 as a precaution, even though Flatcar is not affected by the SSH backdoor (CVE-2024-3094)
- openssh (CVE-2023-48795, CVE-2023-51384, CVE-2023-51385)
- Disabled user-configdrive.service on OpenStack when config drive is used, which caused the hostname to be overwritten. The coreos-cloudinit.service unit already runs on OpenStack if the system is not configured via ignition. (Flatcar#1385)
- Fixed `toolbox` to prevent mounted `ctr` snapshots from being garbage-collected (toolbox#9)
- Disabled real-time priority for multipathd as it prevents the cgroups2 cpu controller from working. (scripts#1771)
- SDK: Unified qemu image formats, so that the `qemu_uefi` build target provides the regular `qemu` and the `qemu_uefi_secure` artifacts (scripts#1847)
etcd 3.5.13
- Fix leases wrongly revoked by the leader by ignoring old leader's leases revoking request.
- Fix no progress notification being sent for watch that doesn't get any events.
- Fix watch event loss after compaction.
- Add client backoff and retry config options.
- Ignore SetKeepAlivePeriod errors on OpenBSD.
- Support unix/unixs socket in client or peer URLs
- Add three flags (see below) for grpc-proxy:
  - `--dial-keepalive-time`
  - `--dial-keepalive-timeout`
  - `--permit-without-stream`
- Upgrade bbolt to v1.3.9.
- Compile binaries using go 1.21.8.
- Upgrade google.golang.org/protobuf to v1.33.0 to address CVE-2024-24786.
- Upgrade github.com/sirupsen/logrus to v1.9.3 to address PRISMA-2023-0056.
app-operator 6.11.0
- Add support for App resources having a dependency on HelmReleases.
vertical-pod-autoscaler 5.2.1
- Chart: Update `appVersion` and `README.md`. (#281)
etcd-kubernetes-resources-count-exporter 1.10.0
- Set min VPA settings and adjust CPU and memory resources.
- Use PodMonitor instead of legacy labels for monitoring.
vertical-pod-autoscaler-crd 3.1.0
- Chart: Sync CRDs to VPA v1.1.0. (#93)
observability-bundle 1.3.4
- Upgrade `kube-prometheus-stack` to 9.1.2.
k8s-audit-metrics 0.9.0
- Add team label in resources.
- Use ServiceMonitor for monitoring.
- Configure `gsoci.azurecr.io` as the default container image registry.
cert-manager 3.7.4
- Added support for `AzureDNS` integration with a `Service Principal` on `clusterIssuer` helm chart.
- Changed `appVersion` to `v1.14.2`
chart-operator 3.2.1
- Use separate rest configs for different Kubernetes clients.
cilium 0.22.0
- Add helm values schema.
- Add safe-to-evict annotations to Hubble Relay and UI pods.
- Enable deletion of extra network policies.
- Update team label to `cabbage`
cluster-autoscaler 1.25.3-gs2
- Add possibility to use egress proxy.
- Chart: Improve proxy settings. (#249)
external-dns 3.1.0
- Remove default namespaceFilter configuration. (#324).