From af2e4707af7f77f3141a9a27cba303e424757a65 Mon Sep 17 00:00:00 2001 From: Abhinav Pandey Date: Wed, 23 Oct 2024 12:23:28 -0700 Subject: [PATCH] changelog for v0.20.8 --- docs/content/en/docs/whatsnew/changelog.md | 105 +++++++++++++++++++++ 1 file changed, 105 insertions(+) diff --git a/docs/content/en/docs/whatsnew/changelog.md b/docs/content/en/docs/whatsnew/changelog.md index bfb0278b77dfa..15ef54718e8f4 100644 --- a/docs/content/en/docs/whatsnew/changelog.md +++ b/docs/content/en/docs/whatsnew/changelog.md @@ -24,12 +24,40 @@ description: > * [Building Ubuntu and Red Hat node images]({{< relref "../osmgmt/artifacts/#building-node-images" >}}) * [Downloading Bottlerocket node images]({{< relref "../osmgmt/artifacts/#download-bottlerocket-node-images" >}}) * [Upgrading an EKS Anywhere cluster]({{< relref "../clustermgmt/cluster-upgrades" >}}) + * On October 11, 2024, a security issue CVE-2024-9594 was discovered in the Kubernetes Image Builder where default credentials are enabled during the image build process when using the Nutanix, OVA, QEMU or raw providers. The credentials can be used to gain root access. The credentials are disabled at the conclusion of the image build process. Kubernetes clusters are only affected if their nodes use VM images created via the Image Builder project. Clusters using virtual machine images built with [Kubernetes Image Builder](https://github.com/kubernetes-sigs/image-builder) version `v0.1.37` or earlier are affected if built with the Nutanix, OVA, QEMU or raw providers. These images built using previous versions of image-builder will be vulnerable only during the image build process, if an attacker was able to reach the VM where the image build was happening, login using these default credentials and modify the image at the time the image build was occurring. This CVE has been fixed in image-builder versions >= `v0.1.38`, which has been included in EKS Anywhere releases `v0.19.11` and `v0.20.8`. + * [CVE-2024-9594: VM images built with Image Builder with some providers use default credentials during builds](https://github.com/kubernetes/kubernetes/issues/128007) {{% /alert %}} {{% alert title="General Information" color="info" %}} * When upgrading to a new minor version, a new OS image must be created using the new image-builder CLI pertaining to that release. {{% /alert %}} + +## [v0.20.8](https://github.com/aws/eks-anywhere/releases/tag/v0.20.8) + +### Supported OS version details +| | vSphere | Bare Metal | Nutanix | CloudStack | Snow | +|:-------------------:|:-------:|:----------:|:-------:|:----------:|:----:| +| Ubuntu 20.04 | ✔ | ✔ | ✔ | — | ✔ | +| Ubuntu 22.04 | ✔ | ✔ | ✔ | — | — | +| Bottlerocket 1.20.5 | ✔ | — | — | — | — | +| RHEL 8.x | ✔ | ✔ | ✔ | ✔ | — | +| RHEL 9.x | — | ✔ | ✔ | ✔ | — | + +### Changed +- EKS Distro: + - `v1-28-eks-33` to [`v1-28-eks-34`](https://distro.eks.amazonaws.com/releases/1-28/34/) + - `v1-29-eks-22` to [`v1-29-eks-23`](https://distro.eks.amazonaws.com/releases/1-29/23/) + - `v1-30-eks-15` to [`v1-30-eks-16`](https://distro.eks.amazonaws.com/releases/1-30/16/) +- image-builder: `v0.1.36` to `v0.1.39` +- cluster-api-provider-vsphere(CAPV): `v1.10.3` to `v1.10.4` +- etcdadm-controller: `v1.0.23` to `v1.0.24` +- etcdadm-bootstrap-provider: `v1.0.13` to `v1.0.14` +- kube-vip: `v0.8.3` to `v0.8.4` +- containerd: `v1.7.22` to `v1.7.23` +- runc: `v1.1.14` to `v1.1.15` +- local-path-provisioner: `v0.0.29` to `v0.0.30` + ## [v0.20.7](https://github.com/aws/eks-anywhere/releases/tag/v0.20.7) ### Supported OS version details @@ -269,6 +297,83 @@ description: > ### Fixed - CLI commands for packages to honor the registry mirror setup in cluster spec ([#8026](https://github.com/aws/eks-anywhere/pull/8026)) + +## [v0.19.11](https://github.com/aws/eks-anywhere/releases/tag/v0.19.11) +### Supported OS version details +| | vSphere | Bare Metal | Nutanix | CloudStack | Snow | +|:-------------------:|:-------:|:----------:|:-------:|:----------:|:----:| +| Ubuntu 20.04 | ✔ | ✔ | ✔ | — | ✔ | +| Ubuntu 22.04 | ✔ | ✔ | ✔ | — | — | +| Bottlerocket 1.20.5 | ✔ | \* | — | — | — | +| RHEL 8.x | ✔ | ✔ | ✔ | ✔ | — | +| RHEL 9.x | — | — | ✔ | ✔ | — | + +\* [EKS Anywhere issue regarding deprecation of Bottlerocket bare metal variants](https://github.com/aws/eks-anywhere/issues/7754) + +### Upgraded +- EKS Distro: + - `v1-27-eks-38` to [`v1-27-eks-40`](https://distro.eks.amazonaws.com/releases/1-27/40/) + - `v1-28-eks-31` to [`v1-28-eks-34`](https://distro.eks.amazonaws.com/releases/1-28/34/) + - `v1-29-eks-20` to [`v1-29-eks-23`](https://distro.eks.amazonaws.com/releases/1-29/23/) +- Image-builder: `v0.1.36` to `v0.1.39` ([CVE-2024-9594](https://github.com/kubernetes/kubernetes/issues/128007)) +- containerd: `v1.7.22` to `v1.7.23` +- Cilium: `v1.13.19` to `v1.13.20` +- etcdadm-controller: `v1.0.23` to `v1.0.24` +- etcdadm-bootstrap-provider: `v1.0.13` to `v1.0.14` +- local-path-provisioner: `v0.0.29` to `v0.0.30` +- runc: `v1.1.14` to `v1.1.15` + +### Fixed +- Skip hardware validation logic for InPlace upgrades. [#8779](https://github.com/aws/eks-anywhere/pull/8779) +- Status reconciliation of etcdadm cluster in etcdadm-controller when etcd-machines are unhealthy. [#63](https://github.com/aws/etcdadm-controller/pull/63) +- Skip generating AWS IAM Kubeconfig on cluster upgrade. [#8851](https://github.com/aws/eks-anywhere/pull/8851) + + +## [v0.19.10](https://github.com/aws/eks-anywhere/releases/tag/v0.19.10) +### Supported OS version details +| | vSphere | Bare Metal | Nutanix | CloudStack | Snow | +|:-------------------:|:-------:|:----------:|:-------:|:----------:|:----:| +| Ubuntu 20.04 | ✔ | ✔ | ✔ | — | ✔ | +| Ubuntu 22.04 | ✔ | ✔ | ✔ | — | — | +| Bottlerocket 1.22.0 | ✔ | \* | — | — | — | +| RHEL 8.x | ✔ | ✔ | ✔ | ✔ | — | +| RHEL 9.x | — | — | ✔ | ✔ | — | + +\* [EKS Anywhere issue regarding deprecation of Bottlerocket bare metal variants](https://github.com/aws/eks-anywhere/issues/7754) + +### Upgraded +- EKS Distro: + - `v1-27-eks-36` to [`v1-27-eks-38`](https://distro.eks.amazonaws.com/releases/1-27/38/) + - `v1-28-eks-29` to [`v1-28-eks-31`](https://distro.eks.amazonaws.com/releases/1-28/31/) + - `v1-29-eks-18` to [`v1-29-eks-20`](https://distro.eks.amazonaws.com/releases/1-29/20/) +- EKS Anywhere Packages: `v0.4.3` to `v0.4.4` +- Cilium: `v1.13.18` to `v1.13.19` +- containerd: `v1.7.20` to `v1.7.22` +- runc: `v1.1.13` to `v1.1.14` +- local-path-provisioner: `v0.0.28` to `v0.0.29` +- etcdadm-controller: `v1.0.22` to `v1.0.23` +- New base images with CVE fixes for Amazon Linux 2 + +## [v0.19.9](https://github.com/aws/eks-anywhere/releases/tag/v0.19.9) +### Supported OS version details +| | vSphere | Bare Metal | Nutanix | CloudStack | Snow | +|:-------------------:|:-------:|:----------:|:-------:|:----------:|:----:| +| Ubuntu 20.04 | ✔ | ✔ | ✔ | — | ✔ | +| Ubuntu 22.04 | ✔ | ✔ | ✔ | — | — | +| Bottlerocket 1.19.2 | ✔ | \* | — | — | — | +| RHEL 8.x | ✔ | ✔ | ✔ | ✔ | — | +| RHEL 9.x | — | — | ✔ | ✔ | — | + +\* [EKS Anywhere issue regarding deprecation of Bottlerocket bare metal variants](https://github.com/aws/eks-anywhere/issues/7754) + +### Upgraded +- EKS Distro: + - `v1-25-eks-39` to [`v1-25-eks-40`](https://distro.eks.amazonaws.com/releases/1-25/40/) + - `v1-26-eks-35` to [`v1-26-eks-38`](https://distro.eks.amazonaws.com/releases/1-26/39/) + - `v1-27-eks-35` to [`v1-27-eks-36`](https://distro.eks.amazonaws.com/releases/1-27/36/) + - `v1-28-eks-28` to [`v1-28-eks-29`](https://distro.eks.amazonaws.com/releases/1-28/29/) + - `v1-29-eks-17` to [`v1-29-eks-18`](https://distro.eks.amazonaws.com/releases/1-29/18/) + ## [v0.19.8](https://github.com/aws/eks-anywhere/releases/tag/v0.19.8) ### Supported OS version details | | vSphere | Bare Metal | Nutanix | CloudStack | Snow |