Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
| Announcement ID: | SUSE-FU-2020:0089-1 |
|---|---|
| Rating: | moderate |
| References: | |
| Affected Products: | |
An update that has 11 fixes can now be installed.
Description:
= Required Actions
== Skuba and helm update Instructions
Update skuba and helm on your management workstation as you would do with any other package.
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup
[WARNING]
====
When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

----
https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority
----

In order to fix this, run:

----
sudo update-ca-certificates
----
====
After updating helm to the latest version on the management host, you also have to upgrade the helm-tiller image in the cluster by running:

----
helm init \
    --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
    --service-account tiller --upgrade
----
== Update Your Kubernetes Manifests for Kubernetes 1.16.2:
Some API resources are moved to stable, while others have been moved to different groups or deprecated.
The following will impact your deployment manifests:
- `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) are deprecated. Migrate to the `apps/v1` group instead for all those objects. Please note that `kubectl convert` can help you migrate all the necessary fields.
- `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
- `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to the `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
- `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not need to update other API fields and therefore only a path change is necessary.
- Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.
Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.
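
To find the manifests affected by the list above before upgrading, the following added example (not part of the SUSE advisory or tooling) scans a directory of YAML files and reports each object whose `apiVersion` needs to change, along with the target group. `PodSecurityPolicy` and `NetworkPolicy` hits deserve attention first, since those objects enforce security controls. The function names and sample manifests are constructed for illustration; matching `apps/v1beta1` and `apps/v1beta2` for workloads is taken from the upstream post linked above, not from this advisory.

```sh
#!/bin/sh
# Added example: list manifests that still use the API groups named above.
# Only top-level apiVersion/kind keys are read, one pair per YAML document.

scan_manifests() {   # usage: scan_manifests DIR
    find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) | sort |
    while IFS= read -r f; do
        awk -v file="$f" '
        function target(kind, api) {
            # apps/v1beta1 and apps/v1beta2 come from the linked upstream post
            if (kind ~ /^(DaemonSet|Deployment|StatefulSet|ReplicaSet)$/ &&
                api ~ /^(extensions|apps)\/v1beta[12]$/) return "apps/v1"
            if (api == "extensions/v1beta1") {
                if (kind == "PodSecurityPolicy") return "policy/v1beta1"
                if (kind == "NetworkPolicy") return "networking.k8s.io/v1"
                if (kind == "Ingress") return "networking.k8s.io/v1beta1"
            }
            if (kind == "CustomResourceDefinition" &&
                api == "apiextensions.k8s.io/v1beta1")
                return "apiextensions.k8s.io/v1"
            return ""
        }
        function report(   t) {
            t = target(kind, api)
            if (t != "") printf "%s: %s %s -> %s\n", file, kind, api, t
            kind = ""; api = ""
        }
        { gsub(/"/, "") }                 # tolerate quoted values
        /^---/          { report(); next }
        /^apiVersion:/  { api = $2 }
        /^kind:/        { kind = $2 }
        END             { report() }
        ' "$f"
    done
}

make_sample() {      # constructed sample manifests, not from the advisory
    printf '%s\n' 'apiVersion: extensions/v1beta1' 'kind: Deployment' \
        '---' 'apiVersion: apps/v1' 'kind: StatefulSet' \
        '---' 'kind: NetworkPolicy' 'apiVersion: "extensions/v1beta1"' \
        > "$1/app.yaml"
    printf '%s\n' 'apiVersion: extensions/v1beta1' 'kind: Ingress' \
        > "$1/ingress.yml"
}

sample_dir=$(mktemp -d)
make_sample "$sample_dir"
scan_manifests "$sample_dir"
rm -rf "$sample_dir"
```

Objects wrapped in a `List` or rendered from Helm templates are not seen by this scan, so render charts to plain YAML before running it.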
= Documentation Updates
- Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
- link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
- link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
- link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
- link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]
- link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
- link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]
= Known issue: skuba upgrade could not parse "Unknown" as version
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet.
If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE CaaS Platform 4.0: To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.
Package List:
- SUSE CaaS Platform 4.0 (x86_64)
  - conmon-2.0.0-1.7.1
  - caasp-release-4.1.0-24.9.1
  - helm-2.16.1-3.7.1
  - kubernetes-client-1.16.2-4.7.1
  - cri-o-1.16.0-3.22.2
  - kubernetes-kubelet-1.16.2-4.7.1
  - cri-o-kubeadm-criconfig-1.16.0-3.22.2
  - patterns-caasp-Node-1.16-1.2-3.11.2
  - skuba-1.2.1-3.21.1
  - patterns-caasp-Node-1.15-1.16-1.2-3.11.1
  - kubernetes-kubeadm-1.16.2-4.7.1
  - kubernetes-common-1.16.2-4.7.1
  - cri-tools-1.16.1-3.7.1
- SUSE CaaS Platform 4.0 (noarch)
  - release-notes-caasp-4.1.20191218-4.16.2
  - skuba-update-1.2.1-3.21.1
References:
- https://bugzilla.suse.com/show_bug.cgi?id=1100838
- https://bugzilla.suse.com/show_bug.cgi?id=1118897
- https://bugzilla.suse.com/show_bug.cgi?id=1118898
- https://bugzilla.suse.com/show_bug.cgi?id=1118899
- https://bugzilla.suse.com/show_bug.cgi?id=1143813
- https://bugzilla.suse.com/show_bug.cgi?id=1144065
- https://bugzilla.suse.com/show_bug.cgi?id=1146991
- https://bugzilla.suse.com/show_bug.cgi?id=1147142
- https://bugzilla.suse.com/show_bug.cgi?id=1152861
- https://bugzilla.suse.com/show_bug.cgi?id=1155810
- https://bugzilla.suse.com/show_bug.cgi?id=1156646