SUSE CaaS Platform 4.2.7 Release Notes

Run skuba addons upgrade apply to update Cilium images to rev6 which has the bug fixes to be installed.

bsc#1215713 [cilium] VUL-0: CVE-2023-35945: nghttp2: HTTP/2 memory leak in nghttp2 codec

bsc#1216123 [cilium] VUL-0: CVE-2023-44487: nghttp2: HTTP/2 Rapid Reset Attack

bsc#1200285 [cri-o] VUL-0: CVE-2022-1708: cri-o: memory exhaustion on the node when access to the kube API

bsc#1196424 [cri-o] crio-1.19 seems to increase CPU throttling i

bsc#1177952 [cri-o] reboot of worker hangs for a very long time before crio is up and running (>20 Minutes)

bsc#1189416 [kubernetes] CVE-2021-25741: Symlink Exchange Can Allow Host Filesystem Access

To apply the fix for the CRI-O bug mentioned below, you must perform skuba-update. See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates for more details.

bsc#1179989 [skuba] Issue with skuba addon upgrade plan and kucero.

bsc#1174182 [cri-o] crio-shutdown.service ExecStop fails

bsc#1181702 Last public cloud update of terraform packages causes inconsistencies on admin node

SUSE CaaS Platform did not detect existing metrics-server installed by the administrator via helm, so please remove the installed metrics-server manually before running skuba upgrade addons.

helm delete metrics-server --purge

bsc#1177661 VUL-0: CVE-2020-8565: kubernetes: Incomplete fix for CVE-2019-11250 allows for token leak in logs when logLevel >= 9

bsc#1177662 VUL-0: CVE-2020-8566: kubernetes: Ceph RBD adminSecrets exposed in logs when loglevel >= 4

bsc#1174951 VUL-0: CVE-2020-15106,CVE-2020-15112: etcd: a large slice causes panic in decodeRecord method and improper checks in entry index

bsc#1176755 VUL-1: CVE-2020-15184: helm,helm2,helm3: alias field on a Chart.yaml is not properly sanitized

bsc#1176754 VUL-1: CVE-2020-15185: helm,helm2,helm3: Helm repository can contain duplicates of the same chart

bsc#1176753 VUL-1: CVE-2020-15186: helm,helm2,helm3: plugin names are not sanitized properly

bsc#1176752 VUL-0: CVE-2020-15187: helm,helm2,helm3: plugin can contain duplicates of the same entry

bsc#1177362 VUL-0: CVE-2020-8029: skuba: Insecure handling of private key

bsc#1177361 VUL-0: CVE-2020-8030: skuba: Insecure /tmp usage when joining node to cluster

bsc#1159274 VUL-0: CVE-2019-19794: coredns: The miekg Go DNS package improperly generates random numbers because math/rand is used

bsc#1176903 skuba does not renew the client-cert of the admin.conf in the skuba cluster directory

bsc#1165854 Sync terraform* with SUSE:SLE-15-SP1

bsc#1174219 Mixed /etc/sysconfig/kubelet changes between older/newer CaaSP4 nodes

Added instructions for automatic certificate renewal using the kucero addon.

Various minor fixes and improvements, refer to: https://github.com/SUSE/doc-caasp/releases

Added migration instructions for new optional Helm 3 installation.

Modifying the file /etc/sysconfig/kubelet directly is not supported: documentation at https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_miscellaneous.html#_configuring_kubelet

bsc#1179989 skuba addon upgrade plan shows an error on stdout when upgrading from v4.2.3 to v4.2.4. Cosmetic issue only, the upgrade procedure is still functional.

SUSE CaaS Platform did not detect existing metrics-server installed by the administrator via helm, so please remove the installed metrics-server manually before running skuba upgrade addons.

helm delete metrics-server --purge

bsc#1174400 [cri-o] $HOME is not used in /etc/passwd when runAsUser is used with crio 1.16.1

Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.

Run skuba addons upgrade apply to update Cilium images to rev5 which has the bug fixes to be installed.

In order to use the latest skuba fixes, you need to update the admin workstation. For detailed instructions, see the Administration Guide

The kubernetes security fix (CVE-2020-8557) will be applied to the kubelet daemon running on the nodes by skuba-update. See https://documentation.suse.com/suse-caasp/4.2/html/caasp-admin/_cluster_updates.html#_base_os_updates for more details.

bsc#1173039 [cilium] - cilium fails to start when IPv6 is disabled

bsc#1173055 [skuba] - dex to AD - error 401 after successful login

bsc#1146991 [skuba] - BPF filesystem is not mounted when cilium pods are restarted

bsc#1173165 [gangway] - Insecure SSL/TLS versions in Gangway (v4)

bsc#1173984 [kubernetes] - Node disk DOS by writing to container /etc/hosts CVE-2020-8557

Various minor fixes and improvements, refer to: https://github.com/SUSE/doc-caasp/releases

Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.

SUSE CaaS Platform 4.2.1 comes with an update of Cilium from version 1.5.3 to version 1.6.6. For a detailed list of all the changes in this most current version, see the Cilium Changelog.

The update also provides Envoy (open source edge and service proxy) support for Cilium.

Envoy and its dependencies are packaged in version 1.12.2.

In version 1.6.6 Cilium uses Custom Resource Definition (CRD) and ConfigMap points on etcd have been removed.

Cilium 1.6.6 deployment with CRD

Allow Kubernetes pods to use VMware vSphere Virtual Machine Disk (VMDK) volumes as persistent storage.

To migrate from etcd to CRD in case of upgrade, follow the steps described in the official Cilium documentation.

Run skuba addons upgrade apply to upgrade Cilium to version 1.6.6. See information about a possible warning, which might appear during the upgrade in the Administration Guide.

SUSE CaaS Platform did not detect existing metrics-server installed by the administrator, so please remove the installed metrics-server manually before upgrade addons.

helm delete metrics-server --purge

In order to update skuba to apply the latest fixes, you also need to update the admin workstation. For detailed instructions, see this section in the Admin Guide.

bsc#1162651 [skuba] - 10 revisionHistoryLimit value seems too high for our workloads

bsc#1169506 [skuba] - fix issue for aws iam profile

bsc#1121353 [skuba] - Restrict kube-system control plane pods

Added instructions how to enable and configure Kubernetes Audit Log.

Updated Network Policy administration with Cilium at Network Policies.

Added instructions for deployment of Cilium Network policies with Envoy at Cilium Network Policy Config Examples.

Added Networking Whitelist to deployment guide requirements.

Restructured the Disaster Recovery chapter.

Added instruction for vSphere Cloud Provider Integration.

Fixed the location for the flexvolume driver in the documentation.

Various other fixes and improvements, refer to: https://github.com/SUSE/doc-caasp/releases/tag/release-4.2.1

Kubeproxy is not fully deprecated since envoyproxy requires support of Linux Kernel 5.3 and upwards.

helm install is failing on "unavailable metrics.k8s.io/v1beta1 API": Before operating with the cluster and using helm, make sure all pods and apiservices are available. bsc#1172398

The hyperkube image, combining multiple Kubernetes binaries, is planned for removal in 4.3.0, due to upstream deprecations. If running SUSE CaaS Platform in an airgapped environment, please ensure that all our images are mirrored.

Remove ability to re-enable serving deprecated APIs types:

bsc#1161056 [cri-o] - Fix upgrade from 4.0.3 to 4.1.0 - skuba node upgrade - fails due to crio-wipe.service not starting

bsc#1159108 [admin-guide] grafana helm chart version newer than upstream but older image version / grafana version!

bsc#1157337 [skuba] After cluster creation all DEX and all GANGWAY pods run on the first master

bsc#1152334 [skuba] skuba update management - HAS-UPDATES HAS-DISRUPTIVE-UPDATES → no vs none

bsc#1160460 [podman] Update podman to 1.8.0

bsc#1164390 [conmon] Add conmon to SLE15 Containers Module

bsc#1162093 [kubernetes] kubelet referenced wrong volume-plugin dir after upgrade

bsc#1121353 [kubernetes] Kubernetes – Master node pod configured with Privileged PSP

The QuickStart Guide has been removed pending review and rewrite. Please use the Deployment Guide.

Disaster Recovery with Velero is now documented in the Admin Guide.

A subchapter on Managing Replicas has been added to Deployment Requirements.

The list of required addon images was updated.

SUSE Cloud Application Platform integration was removed from the SUSE CaaS Platform Admin Guide. Please now refer to: Deploying SUSE Cloud Application Platform on SUSE CaaS Platform.

A note about using the --non-interactive-include-reboot-patches was added to the Admin Guide.

Instructions on how to update Dex have been enhanced. For details, see the Admin Guide.

We updated the air gapped deployment with a new diagram. See the Admin Guide.

We added an example on how to set up Prometheus Recording Rules.

Instructions on how to troubleshoot the "cannot attach profile" error from AWS have been added.

The Glossary was reintroduced to all our guides.

Various other fixes and improvements (Refer to: https://github.com/SUSE/doc-caasp/releases).

Provide etcd backup process on-demand or on a schedule to prevent etcd data corruption.

Provide etcd restore process to recover failed master node(s) to restore etcd quorum for cluster serving.

Provide Velero as a solution for data protection and data migration by backing up and migrating Kubernetes resources and persistent volumes to and from externally supported storage backend on demand or on a schedule.

bsc#1161056 [cri-o] - Fix upgrade from 4.0.3 to 4.1.0 - skuba node upgrade - fails due to crio-wipe.service not starting

bsc#1161179 [cri-o] - Fix invalid apparmor profile

bsc#1158440 [terraform] - Update in SLE-15 (bsc#1158440, CVE-2019-19316)

bsc#1148092 [terraform] - Include in SLE-15 (bsc#1148092, jsc#ECO-134)

bsc#1145003 [terraform-provider-openstack] - Update to version 1.19.0

bsc#1159082 [grafana] - Fix some missing container images of grafana helm chart

bsc#1161225 [grafana] - Fix grafana helm chart has app version 6.4.2 but version is 6.2.5

bsc#1161110 [grafana] - Fix Grafana dashboard should not name "CaaSP" but "SUSE (r) CaaS Platform"

bsc#1162093 [kubelet] - Release fix for volume-plugin-dir in kubernetes packages

bsc#1160463 [skuba] - Fix skuba-update --version always 0.0.0

bsc#1157323 [skuba] - Fix need a way to report on current available CaaSP version vs. installed version

Added AWS deployment instructions (Tech Preview)

Added KVM deployment instructions

Improved instructions for Monitoring to deploy Grafana in a sub path and enhanced ingress settings

Fix unspecific expression in AlertManager example

Added notes on certificate rotation for the control plane

Various other fixes and improvements (Refer to: https://github.com/SUSE/doc-caasp/releases)

bsc#1161179 [cri-o] - cilium crashes with "apparmor failed to apply profile: write /proc/self/attr/exec: no such file or directory

bsc#1161056 [cri-o] - upgrade from 4.0.3 to 4.1.0 - skuba node upgrade - fails due to crio-wipe.service not starting

bsc#1155323 [cri-o] - Include system proxy settings in service if present

bsc#1159452 [skuba] - Fixed do not panic when version is unknown

bsc#1157802 [skuba] - Enhanced skuba auth login help/error message

bsc#1155810 [skuba] - Refactored to fix CaaSP SSL / PKI / CA Infrastructure unclear and probably inconsistent and wrong?

bsc#1157802 [skuba] - skuba auth login help should mention the port that needs to be use (:32000)

bsc#1137337 [skuba] - Skuba log level description is missing

bsc#1155593 [kubernetes] - second master join always fails

bsc#1160443 [supportutils-plugin-suse-caasp] - Extend supportconfig to check certificates expiration time

bsc#1152335 [supportutils-plugin-suse-caasp] - Add etcd logs for v4

bsc#1160600 [caasp-release-notes] - caasp-release package points to caasp-release-notes 4.0

bsc#1159074 [prometheus] - Prometheus pushgateway image v0.8.0 missing on registry.suse.com/caasp/v4

bsc#1161975 [prometheus] - kube-state-metrics - endless "Failed to list *v1beta1.ReplicaSet: the server could not find the requested resource" on 1.16.2

Added instructions for Stratos Web Console (Tech Preview)

Added instructions for etcd storage performance testing

Added instructions for etcd troubleshooting

Updated CRI-O proxy configuration instructions

Updated upgrade instructions with more information about manual upgrades and reboots

Various minor fixes and improvements (Refer to: https://github.com/SUSE/doc-caasp/releases)

bsc#1144065 [cri-o] - (CVE-2019-10214) VUL-0: CVE-2019-10214: libcontainers-common: library does not enforce TLS connections

bsc#1118898 [cri-o] - (CVE-2018-16874) VUL-0: CVE-2018-16874: go: cmd/go: directory traversal

bsc#1100838 [cri-o] - cri-o does not block /proc/acpi pathnames (i.e., also affected by (CVE-2018-10892))

bsc#1118897 [etcd] - (CVE-2018-16873) VUL-0: CVE-2018-16873: go: cmd/go: remote command execution

bsc#1118899 [etcd] - (CVE-2018-16875) VUL-0: CVE-2018-16875: go: crypto/x509: CPU denial of service

bsc#1156646 [helm] - (CVE-2019-18658) VUL-0: CVE-2019-18658: helm: commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd

bsc#1152861 [kubernetes] - (CVE-2019-11253) VUL-0: CVE-2019-11253: kubernetes: YAML parsing vulnerable to "Billion Laughs" attack, allowing for remote denial of service

bsc#1146991 [kubernetes] - BPF filesystem is not mounted, possible downtime when cilium pods are restarted

bsc#1147142 [kubernetes] - Update golang/x/net dependency to bring in fixes for (CVE-2019-9512), (CVE-2019-9514)

bsc#1143813 [kubernetes] - kubelet sometimes starting too fast

bsc#1143813 [skuba] - CaaSP SSL / PKI / CA Infrastructure unclear and probably inconsistent and wrong?

bsc#1152335 [supportutils-plugin-suse-caasp] - supportconfig adjustments for CaaSP v4 missing

Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images

Added instructions on how to replace Kubernetes certificates with custom CA certificate

Added instructions to configure custom certificates for gangway and dex

Added instructions for secured Tiller deployment

Added notes about unique machine-id requirement

Added timezone configuration example for AutoYaST

Various minor bugfixes and improvements

Updated monitoring documentation in the admin guide to reflect official charts/containers for monitoring stack

Added/Updated information about 389-ds deployment and configuration

Added information about subnet sizing to deployment guide system requirements

Added information on using a cluster wide root CA to admin guide

Add note about NTP client requirement for management workstation

Added less aggressive nginx timeout values to examples

Unified use of placeholders in code examples to <PLACEHOLDER> format

Various minor formatting and wording fixes

bsc#1156667 [Prometheus and Grafana] - User "system:serviceaccount:monitoring:prometheus-kube-state-metrics" cannot list resource

bsc#1140533 [Prometheus and Grafana] - Prometheus and grafana images and helm charts on registry.suse.com

bsc#1155173 [skuba] - skuba node upgrade does not really upgrade node successfully

bsc#1151689 [skuba] - Default verbosity hides most errors

bsc#1151340 [389-ds] - ERR - add_new_slapd_process - Unable to start slapd because it is already running as process 8

bsc#1151343 [389-ds] - The config /etc/dirsrv/slapd-*/dse.ldif can not be accessed. Attempting restore

bsc#1151414 [389-ds] - NOTICE - dblayer_start - Detected Disorderly Shutdown last time Directory Server was running, recovering database.

bsc#1157332 [patterns-caasp] - caasp-release rpm not installed - probably should be included in the patterns?

When using skuba addon upgrade apply, all settings of all addons will be reverted to the defaults. Make sure to reapply your changes after running skuba addon upgrade apply, had you modified the default settings of core addons.

bsc#1145568 [remove-node] failed disarming kubelet due to 63 character limitation

bsc#1145907 LB dies when removing a master node in VMWare

bsc#1146774 AWS: pod to service connectivity broken in certain cases

bsc#1148090 Multinode cluster upgrade fails on 2nd master due to TLS handshake timeout

bsc#1148412 Gangway uses CSS stylesheet from cloudflare.com

bsc#1148524 Allow easy recovery from bootstrap failed during add-ons deployment phase

bsc#1148700 worker node upgrade needs to use kubeletVersion in nodeVersionInfoUpdate type

bsc#1149637 Misspelling of bootstrapping in a common error message

bsc#1153913 Can not bootstrap an new cluster if a valid kubectl config is present

bsc#1153928 Reboot can be triggered before skuba-update finishes

bsc#1154085 skuba node upgrade shows component downgrade

bsc#1154754 oauth2: cannot fetch token after 24 hours

SUSE OpenStack Cloud 8

VMWare ESXi 6.7

KVM

Bare metal

(SUSE CaaS Platform 4.2.7 supports hardware that is certified for SLES through the YES certification program. You will find a database of certified hardware at https://www.suse.com/yessearch/.)