Release notes for v1.18.1

Documentation

Changelog since v1.18.0

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2020-8555: Half-Blind SSRF in kube-controller-manager

There exists a Server Side Request Forgery (SSRF) vulnerability in kube-controller-manager that allows certain authorized users to leak up to 500 bytes of arbitrary information from unprotected endpoints within the master's host network (such as link-local or loopback services). An attacker with permissions to create a pod with certain built-in Volume types (GlusterFS, Quobyte, StorageOS, ScaleIO) or permissions to create a StorageClass can cause kube-controller-manager to make GET requests or POST requests without an attacker controlled request body from the master's host network.

Rating: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N — Score: 5.2 — Published: 2020-05-28

Pull Requests: #89794 #89796 #89837 #89838 #89839
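As an added detection example (not part of the Kubernetes release notes or the project's code), the Python scanner below flags API-server audit events that create a StorageClass or a Pod using one of the four affected built-in volume types, so the capability set described above can be monitored on clusters that have not yet upgraded. The audit lines, user names and manifests are constructed, and the scanner assumes the audit policy logs those requests at RequestResponse level so the submitted manifest is present.

```python
import json

# PodSpec volume field names for the built-in volume types named in the advisory.
AFFECTED_VOLUME_TYPES = {"glusterfs", "quobyte", "storageos", "scaleIO"}

def affected_volumes(pod):
    """Return the sorted affected volume type names used by a Pod manifest."""
    found = set()
    for vol in (pod.get("spec") or {}).get("volumes") or []:
        found.update(key for key in vol if key in AFFECTED_VOLUME_TYPES)
    return sorted(found)

def flag_event(event):
    """Return a finding for a create request that exercises the CVE-2020-8555
    capability set (affected Pod volume, or any StorageClass), else None.
    Assumes RequestResponse-level audit logging so requestObject is present."""
    if event.get("verb") != "create":
        return None
    ref = event.get("objectRef") or {}
    user = (event.get("user") or {}).get("username", "<unknown>")
    if ref.get("resource") == "storageclasses":
        return {"user": user, "kind": "StorageClass", "name": ref.get("name"), "volume_types": []}
    if ref.get("resource") == "pods":
        types = affected_volumes(event.get("requestObject") or {})
        if types:
            return {"user": user, "kind": "Pod", "namespace": ref.get("namespace"),
                    "name": ref.get("name"), "volume_types": types}
    return None

def scan(audit_lines):
    """Scan newline-delimited JSON audit events; malformed lines are skipped."""
    findings = []
    for line in audit_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or non-JSON lines in the log
        finding = flag_event(event)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample audit log (not captured from a real cluster).
SAMPLE_AUDIT_LOG = [
    '{"verb":"create","user":{"username":"dev-a"},"objectRef":{"resource":"pods","namespace":"team-a","name":"p1"},"requestObject":{"spec":{"volumes":[{"name":"v","glusterfs":{"endpoints":"ep","path":"vol"}}]}}}',
    '{"verb":"create","user":{"username":"dev-b"},"objectRef":{"resource":"pods","namespace":"team-b","name":"p2"},"requestObject":{"spec":{"volumes":[{"name":"v","emptyDir":{}}]}}}',
    '{"verb":"create","user":{"username":"dev-c"},"objectRef":{"resource":"storageclasses","name":"sc1"},"requestObject":{"provisioner":"example"}}',
    '{"verb":"get","user":{"username":"dev-a"},"objectRef":{"resource":"pods","namespace":"team-a","name":"p1"}}',
    'not json',
]
```

Running `scan(SAMPLE_AUDIT_LOG)` yields two findings: the GlusterFS-backed Pod and the StorageClass creation; the emptyDir Pod, the read request and the malformed line are ignored.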

Changes by Kind

Feature

  • Deps: Update to Golang 1.13.9

Bug or Regression

  • Azure: fix concurrency issue in lb creation (#89604, @aramase) [SIG Cloud Provider]
  • Ensure Azure availability zone is always in lower case. (#89722, @feiskyer) [SIG Cloud Provider]
  • Fix kubectl diff so it doesn't actually persist patches (#89795, @julianvmodesto) [SIG CLI and Testing]
  • Fix: get attach disk error due to missing item in max count table (#89768, @andyzhangx) [SIG Cloud Provider and Storage]
  • Fixed the EndpointSlice controller to run without error on a cluster with the OwnerReferencesPermissionEnforcement validating admission plugin enabled. (#89804, @marun) [SIG Auth and Network]
  • Fixes kubectl to apply all validly built objects, instead of stopping on error. (#89864, @seans3) [SIG CLI and Testing]
  • In the kubelet resource metrics endpoint at /metrics/resource, change the names of the following metrics:
    • node_cpu_usage_seconds --> node_cpu_usage_seconds_total
    • container_cpu_usage_seconds --> container_cpu_usage_seconds_total
    This is a partial revert of #86282, which was added in 1.18.0 and initially removed the _total suffix. (#89540, @dashpole) [SIG Instrumentation and Node]
  • Kubeadm: during join when a check is performed that a Node with the same name already exists in the cluster, make sure the NodeReady condition is properly validated (#89602, @kvaps) [SIG Cluster Lifecycle]
  • Kubeadm: fix a bug where post upgrade to 1.18.x, nodes cannot join the cluster due to missing RBAC (#89537, @neolit123) [SIG Cluster Lifecycle]
  • Kubectl azure authentication: fixed a regression in 1.18.0 where "spn:" prefix was unexpectedly added to the apiserver-id configuration in the kubeconfig file (#89706, @weinong) [SIG API Machinery and Auth]
  • Kubectl: Fixes bug by aggregating 'apply' errors instead of failing after first error (#89607, @seans3) [SIG CLI and Testing]

Other (Cleanup or Flake)