This release updates Kubernetes to v1.19.3.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.19.2+k3s1:
This release also addresses the following upstream CVEs:
- CVE-2020-8563 - Secret leaks in kube-controller-manager when using vSphere provider (CVE-2020-8563 only affects 1.19.0-1.19.2)
- CVE-2020-8564 - Docker config secrets leaked when file is malformed and loglevel >= 4
- CVE-2020-8566 - Vulnerable if Ceph RBD volumes are supported and kube-controller-manager is using logLevel >= 4
You can read more about the CVEs here.
Known Issues
We've been working through issues in our experimental SELinux support in order to promote it to stable. We expect to promote it (as well as support for CentOS and RHEL 8.x) in a future v1.19 release. Currently, we've identified a few known issues in this area:
- Unable to run Envoy proxy with SELinux enforcing #2240
- Upgrades of systems that have SELinux support turned on will not function correctly unless additional steps are taken:
- Enablement of SELinux in embedded containerd is no longer automatic. Prior to the v1.19 release line, K3s would auto-detect whether SELinux MCS label support should be enabled. You must now explicitly turn it on by supplying the --selinux flag. Because of this change, the --disable-selinux flag has been deprecated (and it is an error to specify both). See the docs for details.
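A pre-upgrade check for the flag change described above, added here as an example (it is not part of the K3s project or these release notes). The function name, verdict words and sample command lines are constructed for illustration, and treating a Permissive host the same as an Enforcing one is an assumption of this example.

```shell
#!/bin/sh
# Classify a k3s command line against the v1.19 SELinux flag change.
#   $1  the k3s arguments as one string (only command-line flags are inspected;
#       settings supplied any other way are out of scope for this example)
#   $2  host SELinux mode as printed by getenforce: Enforcing, Permissive or Disabled
# Prints one verdict word: conflict, deprecated, ok, not-applicable or missing.
k3s_selinux_verdict() {
    args=" $1 "          # pad with spaces so each flag matches as a whole word
    mode=$2
    enable=no
    disable=no
    case $args in *" --selinux "*) enable=yes ;; esac
    case $args in *" --disable-selinux "*) disable=yes ;; esac

    if [ "$enable" = yes ] && [ "$disable" = yes ]; then
        echo conflict        # specifying both flags is an error
    elif [ "$disable" = yes ]; then
        echo deprecated      # --disable-selinux is deprecated in v1.19
    elif [ "$enable" = yes ]; then
        echo ok              # SELinux support is explicitly requested
    elif [ "$mode" = Disabled ]; then
        echo not-applicable  # host has SELinux off, nothing to enable
    else
        # Host has SELinux on, but v1.19 no longer auto-detects it:
        # without --selinux the embedded containerd runs without MCS labels.
        echo missing
    fi
}

# Constructed sample command lines (not taken from a real host).
for sample in \
    "k3s server" \
    "k3s server --selinux" \
    "k3s server --disable-selinux" \
    "k3s agent --selinux --disable-selinux"
do
    printf '%-42s -> %s\n' "$sample" "$(k3s_selinux_verdict "$sample" Enforcing)"
done
```

On a real host, pass the arguments k3s is started with and the output of getenforce; a verdict of missing, deprecated or conflict means the start-up flags need changing before the upgrade.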
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started or to dive deep into K3s.