
How to support K8S CVE repair version in Rancher

2025-01-18 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

Today I will talk to you about how Rancher supports the Kubernetes (K8S) versions that fix the recent CVEs. Many people may not know much about this, so to help you understand it better, the editor has summarized the following for you. I hope you get something out of this article.

Kubernetes released new patch versions on October 17, 2019, fixing two newly discovered security vulnerabilities: CVE-2019-11253 and CVE-2019-16276. Rancher responded as quickly as possible, releasing Rancher v2.3.1 and Rancher v2.2.9 the same day. The updated versions not only support the new Kubernetes patch releases but also fix a number of existing bugs and improve some features.

Currently, the Latest and Stable versions of Rancher are as follows:

Kubernetes CVE vulnerability details

CVE-2019-11253:

CVE-2019-11253 is a denial-of-service vulnerability in kube-apiserver: an authorized user can send a malicious YAML or JSON payload that causes kube-apiserver to consume excessive CPU or memory, which may crash it and make it unavailable.

CVE-2019-16276:

CVE-2019-16276 is a flaw in Go's net/http library that causes invalid request headers to be normalized and then interpreted as valid by the HTTP server. If a reverse proxy in front of the Go HTTP server accepts and forwards some invalid request headers without normalizing them, the Go server may interpret those headers differently from the reverse proxy.
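The risk described above is a proxy and a backend disagreeing about what a malformed header line means. The following Go program is an added example written for this page (it is not code from Kubernetes, Rancher or the Go project) showing the strict field-name check a reverse proxy should apply so that it never forwards a header the backend might reinterpret. The malformed shape the Go fix addressed was whitespace between the field name and the colon; the two sample request strings below are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// isTokenChar reports whether c is an RFC 7230 "tchar", the only kind of
// character permitted in an HTTP header field name.
func isTokenChar(c byte) bool {
	switch {
	case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9':
		return true
	}
	return strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0
}

// ValidHeaderName reports whether name is a syntactically valid field name.
// A name containing a space (for example "Content-Length ") is invalid.
func ValidHeaderName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		if !isTokenChar(name[i]) {
			return false
		}
	}
	return true
}

// ParseHeadersStrict parses a raw HTTP/1.x header block (the lines up to the
// first empty line). It rejects any line whose field name is not a valid
// token instead of "repairing" it, so a proxy using this check and the
// backend behind it cannot disagree about which header a line carries.
// Keys are lower-cased; repeated headers are kept in order.
func ParseHeadersStrict(raw string) (map[string][]string, error) {
	headers := map[string][]string{}
	sc := bufio.NewScanner(strings.NewReader(raw))
	for sc.Scan() {
		line := sc.Text() // ScanLines already strips a trailing "\r"
		if line == "" {
			break // end of the header block; the body follows
		}
		i := strings.IndexByte(line, ':')
		if i < 0 {
			return nil, fmt.Errorf("malformed header line %q", line)
		}
		name := line[:i]
		if !ValidHeaderName(name) {
			return nil, fmt.Errorf("invalid header field name %q", name)
		}
		key := strings.ToLower(name)
		headers[key] = append(headers[key], strings.Trim(line[i+1:], " \t"))
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return headers, nil
}

// Constructed sample requests (not captured traffic). The second one has a
// space before the colon, the malformed shape a lenient parser would normalize.
const goodHeaders = "Host: app.internal\r\nContent-Length: 5\r\n\r\nhello"
const badHeaders = "Host: app.internal\r\nContent-Length : 5\r\n\r\nhello"

func main() {
	for _, raw := range []string{goodHeaders, badHeaders} {
		h, err := ParseHeadersStrict(raw)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", h)
	}
}
```

Run as-is, the first request is accepted and the second is rejected at the proxy rather than being forwarded in a form the backend might normalize differently. The design point is that rejection, not normalization, is the safe response to an invalid header at every hop.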

Kubernetes has released the following new versions to address the above security vulnerabilities:

v1.13.12

v1.14.8

v1.15.5

v1.16.2

For the sake of your cluster security, it is strongly recommended that you upgrade all Kubernetes clusters to the latest released fix version.
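As an added example (not from the Rancher or Kubernetes projects), the following Go program checks whether a cluster's reported server version is at or above the patched releases listed above. The cut-off table is taken from the version list in this article; the `kubectl version -o json` sample is constructed, not output from a real cluster, and the function and type names are the example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// minPatched maps a Kubernetes minor line to the first patch release that
// includes the fixes for CVE-2019-11253 and CVE-2019-16276, as listed above.
var minPatched = map[string]int{
	"1.13": 12,
	"1.14": 8,
	"1.15": 5,
	"1.16": 2,
}

// parseVersion splits a gitVersion such as "v1.15.4" or "v1.15.5-rancher1"
// into its "major.minor" line and its patch number.
func parseVersion(gitVersion string) (line string, patch int, err error) {
	v := strings.TrimPrefix(gitVersion, "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 { // drop pre-release/build suffix
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return "", 0, fmt.Errorf("unrecognized version %q", gitVersion)
	}
	for _, p := range parts {
		if _, err := strconv.Atoi(p); err != nil {
			return "", 0, fmt.Errorf("unrecognized version %q", gitVersion)
		}
	}
	patch, _ = strconv.Atoi(parts[2])
	return parts[0] + "." + parts[1], patch, nil
}

// IsPatched reports whether gitVersion carries the fixes. Minor lines older
// than 1.13 received no fix (false); lines newer than 1.16 were first
// released after the fix (true).
func IsPatched(gitVersion string) (bool, error) {
	line, patch, err := parseVersion(gitVersion)
	if err != nil {
		return false, err
	}
	if need, ok := minPatched[line]; ok {
		return patch >= need, nil
	}
	mm := strings.Split(line, ".")
	major, _ := strconv.Atoi(mm[0])
	minor, _ := strconv.Atoi(mm[1])
	return major > 1 || (major == 1 && minor > 16), nil
}

// CheckKubectlVersionJSON reads the output of `kubectl version -o json` and
// returns the server's gitVersion together with the patched verdict.
func CheckKubectlVersionJSON(out []byte) (string, bool, error) {
	var v struct {
		ServerVersion struct {
			GitVersion string `json:"gitVersion"`
		} `json:"serverVersion"`
	}
	if err := json.Unmarshal(out, &v); err != nil {
		return "", false, err
	}
	ok, err := IsPatched(v.ServerVersion.GitVersion)
	return v.ServerVersion.GitVersion, ok, err
}

// sampleKubectlOutput is a constructed sample, not output from a real cluster.
const sampleKubectlOutput = `{"clientVersion":{"gitVersion":"v1.16.2"},` +
	`"serverVersion":{"gitVersion":"v1.15.4"}}`

func main() {
	ver, ok, err := CheckKubectlVersionJSON([]byte(sampleKubectlOutput))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	if ok {
		fmt.Printf("server %s is patched\n", ver)
	} else {
		fmt.Printf("server %s is NOT patched; upgrade to at least the listed fix release\n", ver)
	}
}
```

In practice you would pipe real `kubectl version -o json` output into CheckKubectlVersionJSON for each cluster Rancher manages; the sample above deliberately reports v1.15.4, one release short of the v1.15.5 fix, so the check prints a warning.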

Rancher responded effectively as soon as possible.

Rancher immediately responded to the vulnerabilities by releasing Rancher 2.3.1 and Rancher 2.2.9 to support the Kubernetes patch releases above. Rancher 2.2.9 supports Kubernetes v1.13.12, v1.14.8 and v1.15.5 (default), and Rancher v2.3.1 adds experimental support for Kubernetes v1.16.2.

Please note:

Rancher 1.6.x users are not affected by these two Kubernetes vulnerabilities, because Rancher 1.6.x does not support the Kubernetes versions they affect.

About users of Rancher 2.0.x:

As shown on the Rancher Terms of Service page, Rancher 2.0.x is currently in the EOM-to-EOL phase of its product lifecycle. Rancher therefore has no official plans to release a v2.0.x patch for these two vulnerabilities. Enterprise subscription customers who have special circumstances and need these two vulnerabilities fixed in v2.0.x should contact Rancher's technical support team. Alternatively, upgrade Rancher to the latest version before the v2.0.x EOL date (November 1, 2019).

About users of Rancher 2.1.x:

Rancher v2.1.x only supports Kubernetes v1.13.x.

As shown on the Rancher Terms of Service page, Rancher v2.1.x is currently in the EOM-to-EOL phase of its product lifecycle. Rancher therefore has no official plans to release a v2.1.x patch for these two vulnerabilities. Enterprise subscription customers who have special circumstances and need these two vulnerabilities fixed in v2.1.x should contact Rancher's technical support team.

Bugs fixed in Rancher 2.3.1

Fixed an issue where a single node installation could not use a LetsEncrypt certificate because of a reference to the v1 API [#23365]

Fixed an issue where the daemon script could not complete within the timeout, and made the timeout configurable [#22379, #23160]

Fixed an issue where the Kubernetes version of an RKE template was not handled correctly during template creation and template display [#23360, #23359, #23361]

Fixed an issue where RKE templates could not enable Windows support for some Kubernetes versions [#23395]

Fixed an issue where updating a cluster to a new RKE template revision did not work [#23383]

Fixed an issue where the bundled system charts could not be used with a single node container or hosted installation after upgrade [#23427]

The YAML library used by Rancher and RKE was upgraded to v2.2.4, which includes the CVE-2019-11253 hotfix

If you want to know more about any of the issues above, enter the issue number in the Rancher GitHub issue search to look it up.

After reading the above, do you have a better understanding of how Rancher supports the Kubernetes versions that fix these CVEs? If you want to learn more, please follow the industry information channel. Thank you for your support.


© 2024 shulou.com SLNews company. All rights reserved.
