[release-1.25] Backports for 2023-08 release #8132

Merged


brandond
Member

@brandond brandond commented Aug 4, 2023

Proposed Changes

Backports:

Types of Changes

backports

Verification

See linked issues

Testing

Linked Issues

User-Facing Change

K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
K3s no longer enables the apiserver's `enable-aggregator-routing` flag when the egress proxy is not being used to route connections to in-cluster endpoints.
Updated the embedded containerd to v1.7.3+k3s1
Updated the embedded runc to v1.1.8
User-provided containerd config templates may now use `{{ template "base" . }}` to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
Updated kine to v0.10.2

Further Comments

skirsten and others added 4 commits August 4, 2023 01:27
…ml.tmpl (k3s-io#7991)

Signed-off-by: Simon Kirsten <[email protected]>
(cherry picked from commit 546dc24)
Signed-off-by: Brad Davidson <[email protected]>
Only configure enable-aggregator-routing and egress-selector-config-file
if required by egress-selector-mode.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit f21ae1d)
Signed-off-by: Brad Davidson <[email protected]>
Signed-off-by: Guilherme Macedo <[email protected]>
(cherry picked from commit cc9dce5)
Signed-off-by: Brad Davidson <[email protected]>
Wire up a node watch to collect addresses of server nodes, to prevent adding unauthorized SANs to the dynamiclistener cert.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit aa76942)
Signed-off-by: Brad Davidson <[email protected]>
@brandond brandond requested a review from a team as a code owner August 4, 2023 03:35
@brandond brandond force-pushed the 2023-08-backports_release-1.25 branch from 71388a7 to 1473366 Compare August 4, 2023 08:24
Fixes issue with invalid HTTP host headers over unix sockets caused by
recent releases of golang rejecting invalid header values.

Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit a0da8ed)
Signed-off-by: Brad Davidson <[email protected]>
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit 23d6842)
Signed-off-by: Brad Davidson <[email protected]>
Signed-off-by: Brad Davidson <[email protected]>
(cherry picked from commit fd53114)
Signed-off-by: Brad Davidson <[email protected]>
@brandond brandond force-pushed the 2023-08-backports_release-1.25 branch from 64cb847 to e85465f Compare August 4, 2023 19:12
@brandond
Member Author

brandond commented Aug 4, 2023

s390 issue; merging

@brandond brandond merged commit 5bcaa01 into k3s-io:release-1.25 Aug 4, 2023
5 checks passed
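
The first user-facing change in the description above restricts which subject names the listener will add to its certificate. The following Go program is an added example of such an allow-list check, not code from this pull request, K3s or dynamiclistener; the type `sanAllowList`, the functions `canon`, `newSANAllowList` and `filter`, and every sample name and address are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// sanAllowList is a hypothetical type for this example; keys are canonical names or IPs.
type sanAllowList map[string]bool

// canon reduces a DNS name or IP literal to one comparable form, so that
// "Kubernetes.Default.Svc." and "::ffff:192.0.2.10" match their plain spellings.
func canon(s string) string {
	if ip := net.ParseIP(s); ip != nil {
		return ip.String()
	}
	return strings.ToLower(strings.TrimSuffix(s, "."))
}

// newSANAllowList is built from the three sources the release note names:
// apiserver service names, server node addresses, and --tls-san values.
func newSANAllowList(service, nodes, tlsSAN []string) sanAllowList {
	a := sanAllowList{}
	for _, src := range [][]string{service, nodes, tlsSAN} {
		for _, e := range src {
			a[canon(e)] = true
		}
	}
	return a
}

// filter returns the requested subject names that may be added to the
// certificate; any other requested name is dropped, so the SAN list cannot grow.
func (a sanAllowList) filter(requested ...string) []string {
	out := []string{}
	for _, r := range requested {
		if a[canon(r)] {
			out = append(out, r)
		}
	}
	return out
}

func main() {
	// All values below are constructed sample data.
	allow := newSANAllowList([]string{"kubernetes", "kubernetes.default.svc"}, []string{"192.0.2.10"}, []string{"k3s.example.internal"})
	fmt.Println(allow.filter("kubernetes.default.svc", "unrelated.example.com", "192.0.2.10", "203.0.113.7"))
}
```

Matching is exact after canonicalization, so a name that merely starts with an allowed name is still rejected.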