Update Kubernetes updates (patch)
This MR contains the following updates:
| Package | Update | Change |
|---|---|---|
| kubernetes/kubernetes | patch |
1.25.14 -> 1.25.16
|
| kubernetes/kubernetes | patch |
1.26.9 -> 1.26.15
|
| kubernetes/kubernetes | patch |
1.27.10 -> 1.27.12
|
| rancher/rke2 | patch |
1.25.14 -> v1.25.16+rke2r1
|
| rancher/rke2 | patch |
1.26.9 -> v1.26.15+rke2r1
|
| rancher/rke2 | patch |
1.27.10 -> v1.27.12+rke2r1
|
⚠ WarningSome dependencies could not be looked up. Check the Dependency Dashboard for more information.
Release Notes
kubernetes/kubernetes (kubernetes/kubernetes)
v1.25.16: Kubernetes v1.25.16
See kubernetes-announce@. Additional binary downloads are linked in the CHANGELOG.
See the CHANGELOG for more details.
v1.25.15: Kubernetes v1.25.15
See kubernetes-announce@. Additional binary downloads are linked in the CHANGELOG.
See the CHANGELOG for more details.
rancher/rke2 (rancher/rke2)
v1.25.16+rke2r1: v1.25.16+rke2r1
This release updates Kubernetes to v1.25.16.
Important Notes
This release includes a version of ingress-nginx affected by CVE-2023-5043 and CVE-2023-5044. Ingress administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/tokenChanges since v1.25.15+rke2r2:
- Add chart validation tests (#5012)
- Update canal to v3.26.3 (#5019)
- Update calico to v3.26.3 (#5028)
- Bump cilium chart to 1.14.400 (#5058)
- Bump K3s version for v1.25 (#5032)
- Containerd may now be configured to use rdt or blockio configuration by defining
rdt_config.yamlorblockio_config.yamlfiles. - Disable helm CRD installation for disable-helm-controller
- Omit snapshot list configmap entries for snapshots without extra metadata
- Add jitter to client config retry to avoid hammering servers when they are starting up
- Containerd may now be configured to use rdt or blockio configuration by defining
- Bump K3s version for v1.25 (#5075)
- Don't apply S3 retention if S3 client failed to initialize
- Don't request metadata when listing S3 snapshots
- Print key instead of file path in snapshot metadata log message
- Kubernetes patch release (#5063)
- Remove s390x steps temporarily since runners are disabled (#5098)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.14.400 |
| rke2-canal | v3.26.3-build2023110900 |
| rke2-calico | v3.26.300 |
| rke2-calico-crd | v3.26.300 |
| rke2-coredns | 1.24.006 |
| rke2-ingress-nginx | 4.8.200 |
| rke2-metrics-server | 2.11.100-build2023051510 |
| rancher-vsphere-csi | 3.0.1-rancher101 |
| rancher-vsphere-cpi | 1.5.100 |
| harvester-cloud-provider | 0.2.200 |
| harvester-csi-driver | 0.1.1600 |
| rke2-snapshot-controller | 1.7.202 |
| rke2-snapshot-controller-crd | 1.7.202 |
| rke2-snapshot-validation-webhook | 1.7.302 |
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.25.16 |
| Etcd | v3.5.9-k3s1 |
| Containerd | v1.7.7-k3s1 |
| Runc | v1.1.8 |
| Metrics-server | v0.6.3 |
| CoreDNS | v1.10.1 |
| Ingress-Nginx | nginx-1.9.3-hardened1 |
| Helm-controller | v0.15.4 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) |
Flannel v0.23.0 Calico v3.26.3 |
Yes |
| Calico | v3.26.3 | No |
| Cilium | v1.14.4 | No |
| Multus | v4.0.2 | No |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.
v1.25.16+rke2r2: v1.25.16+rke2r2
This is a special security release addressing a runc CVE.
Important Notes
Addresses the runc CVE: CVE-2024-21626 by updating runc to v1.1.12.
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/tokenChanges since v1.25.16+rke2r1:
- Update runc (#5509)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.14.400 |
| rke2-canal | v3.26.3-build2023110900 |
| rke2-calico | v3.26.300 |
| rke2-calico-crd | v3.26.300 |
| rke2-coredns | 1.24.006 |
| rke2-ingress-nginx | 4.8.200 |
| rke2-metrics-server | 2.11.100-build2023051510 |
| rancher-vsphere-csi | 3.0.1-rancher101 |
| rancher-vsphere-cpi | 1.5.100 |
| harvester-cloud-provider | 0.2.200 |
| harvester-csi-driver | 0.1.1600 |
| rke2-snapshot-controller | 1.7.202 |
| rke2-snapshot-controller-crd | 1.7.202 |
| rke2-snapshot-validation-webhook | 1.7.302 |
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.25.16 |
| Etcd | v3.5.9-k3s1 |
| Containerd | v1.7.7-k3s1 |
| Runc | v1.1.12 |
| Metrics-server | v0.6.3 |
| CoreDNS | v1.10.1 |
| Ingress-Nginx | nginx-1.9.3-hardened1 |
| Helm-controller | v0.15.4 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) |
Flannel v0.23.0 Calico v3.26.3 |
Yes |
| Calico | v3.26.3 | No |
| Cilium | v1.14.4 | No |
| Multus | v4.0.2 | No |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.
v1.25.15+rke2r1: v1.25.15+rke2r1
This release updates Kubernetes to v1.25.15.
Important Notes
This release includes a version of ingress-nginx affected by CVE-2023-5043 and CVE-2023-5044. Ingress administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/tokenChanges since v1.25.14+rke2r1:
- Add a time.Sleep in calico-win to avoid polluting the logs (#4793)
- Support generic "cis" profile (#4799)
- Update calico chart to accept felix config values (#4816)
- Remove unnecessary docker pull (#4821)
- Mirrored pause backport (#4825)
- Write pod-manifests as 0600 in cis mode (#4840)
- K3s bump (#4861)
- Filter release branches (#4859)
- Update charts to have ipFamilyPolicy: PreferDualStack as default (#4847)
- Bump K3s, Cilium, Token Rotation support (#4871)
- Bump containerd to v1.7.7+k3s1 (#4882)
- Bump K3s version for v1.25 (#4886)
- RKE2 now tracks snapshots using custom resource definitions. This resolves an issue where the configmap previously used to track snapshot metadata could grow excessively large and fail to update when new snapshots were taken.
- Fixed an issue where static pod startup checks may return false positives in the case of pod restarts.
- Bump k3s (#4899)
- Bump K3s version for v1.25 (#4919)
- Re-enable etcd endpoint auto-sync
- Manually requeue configmap reconcile when no nodes have reconciled snapshots
- Update Kubernetes to v1.25.15 (#4920)
- Remove pod-manifests dir in killall script (#4928)
- Revert mirrored pause backport (#4937)
- Bump ingress-nginx to v1.9.3 (#4958)
- Bump K3s version for v1.25 (#4971)
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.25.15 |
| Etcd | v3.5.9-k3s1 |
| Containerd | v1.7.7-k3s1 |
| Runc | v1.1.8 |
| Metrics-server | v0.6.3 |
| CoreDNS | v1.10.1 |
| Ingress-Nginx | 4.8.2 |
| Helm-controller | v0.15.4 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) |
Flannel v0.22.1 Calico v3.26.1 |
Yes |
| Calico | v3.26.1 | No |
| Cilium | v1.14.2 | No |
| Multus | v4.0.2 | No |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.
v1.25.15+rke2r2: v1.25.15+rke2r2
This release fixes an issue with identifying additional container runtimes.
Important Notes
This release includes a version of ingress-nginx affected by CVE-2023-5043 and CVE-2023-5044. Ingress administrators should set the --enable-annotation-validation flag to enforce restrictions on the contents of ingress-nginx annotation fields.
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/tokenChanges since v1.25.15+rke2r1:
- Bump k3s, include container runtime fix (#4982)
- Fixed an issue with identifying additional container runtimes
- Update hardened kubernetes image (#4985)
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.25.15 |
| Etcd | v3.5.9-k3s1 |
| Containerd | v1.7.7-k3s1 |
| Runc | v1.1.8 |
| Metrics-server | v0.6.3 |
| CoreDNS | v1.10.1 |
| Ingress-Nginx | 4.8.2 |
| Helm-controller | v0.15.4 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) |
Flannel v0.22.1 Calico v3.26.1 |
Yes |
| Calico | v3.26.1 | No |
| Cilium | v1.14.2 | No |
| Multus | v4.0.2 | No |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.
Configuration
-
If you want to rebase/retry this MR, check this box
This MR has been generated by Renovate Bot.