Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(github-release): update k3s-io/k3s to v1.28.1+k3s1 #931

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 9, 2023

Mend Renovate

This PR contains the following updates:

Package Update Change
k3s-io/k3s minor v1.27.4+k3s1 -> v1.28.1+k3s1

Release Notes

k3s-io/k3s (k3s-io/k3s)

v1.28.1+k3s1: v1.28.1+k3s1

Compare Source

This release is K3S's first in the v1.28 line. This release updates Kubernetes to v1.28.1.

⚠️ IMPORTANT: This release includes remediation for CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See GHSA-m4hf-6vgr-75r2 for more information, including documentation on changes in behavior that harden clusters against this vulnerability.

Kubernetes v1.28 contains a critical regression (kubernetes/kubernetes#120247) that causes init containers to run at the same time as app containers following a restart of the node. This issue will be fixed in v1.28.2. We do not recommend using K3s v1.28 at this time if your application depends on init containers.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.5+k3s1:
Embedded Component Versions
Component Version
Kubernetes v1.28.1
Kine v0.10.3
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.3-k3s2
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24
Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.27.5+k3s1: v1.27.5+k3s1

Compare Source

This release updates Kubernetes to v1.27.5, and fixes a number of issues.

⚠️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.27.4+k3s1:
  • Update cni plugins version to v1.3.0 (#​8056)
    • Upgraded cni-plugins to v1.3.0
  • Update flannel to v0.22.1 (#​8057)
    • Update flannel to v0.22.1
  • ADR on secrets encryption v3 (#​7938)
  • Unit test for MustFindString (#​8013)
  • Add support for using base template in etc/containerd/config.toml.tmpl (#​7991)
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
  • Make apiserver egress args conditional on egress-selector-mode (#​7972)
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
  • Security bump to docker/distribution (#​8047)
  • Fix coreos multiple installs (#​8083)
  • Update stable channel to v1.27.4+k3s1 (#​8067)
  • Fix tailscale bug with ip modes (#​8077)
  • Consolidate CopyFile functions (#​8079)
  • E2E: Support GOCOVER for more tests + fixes (#​8080)
  • Fix typo in terraform/README.md (#​8090)
  • Add FilterCN function to prevent SAN Stuffing (#​8085)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
  • Bump docker/docker to master commit; cri-dockerd to 0.3.4 (#​8092)
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
  • Bump versions for etcd, containerd, runc (#​8109)
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • Updated the embedded etcd to v3.5.9+k3s1
  • Etcd snapshots retention when node name changes (#​8099)
  • Bump kine to v0.10.2 (#​8125)
    • Updated kine to v0.10.2
  • Remove terraform package (#​8136)
  • Fix etcd-snapshot delete when etcd-s3 is true (#​8110)
  • Add --disable-cloud-controller and --disable-kube-proxy test (#​8018)
  • Use go list -m instead of grep to look up versions (#​8138)
  • Use VERSION_K8S in tests instead of grep go.mod (#​8147)
  • Fix for Kubeflag Integration test (#​8154)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#​8155)
  • Run integration test CI in parallel (#​8156)
  • Bump Trivy version (#​8150)
  • Bump Trivy version (#​8178)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#​8177)
  • Bump dynamiclistener (#​8193)
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Bump helm-controller/klipper-helm versions (#​8204)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
  • E2E: Add test for k3s token (#​8184)
  • Move flannel to 0.22.2 (#​8219)
    • Move flannel to v0.22.2
  • Update to v1.27.5 (#​8236)
  • Add new CLI flag to enable TLS SAN CN filtering (#​8257)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#​8273)
Embedded Component Versions
Component Version
Kubernetes v1.27.5
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.9-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24
Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:


Configuration

📅 Schedule: Branch creation - "on saturday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@github-actions github-actions bot added area/ansible area/bootstrap Changes made in the bootstrap directory labels Sep 9, 2023
@onedr0p
Copy link
Owner

onedr0p commented Sep 12, 2023

Closing due to initContainer regression that will be fixed in 1.28.2

@onedr0p onedr0p closed this Sep 12, 2023
@renovate renovate bot deleted the renovate/k3s-io-k3s-1.x branch September 12, 2023 13:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/bootstrap Changes made in the bootstrap directory renovate/github-release type/minor
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant