github k3s-io/k3s v1.25.13+k3s1

latest releases: v1.31.2+k3s1, v1.30.6+k3s1, v1.29.10+k3s1...
14 months ago

This release updates Kubernetes to v1.25.13, and fixes a number of issues.

⚠️ IMPORTANT: This release includes support for remediating CVE-2023-32187, a potential Denial of Service attack vector on K3s servers. See GHSA-m4hf-6vgr-75r2 for more information, including mandatory steps necessary to harden clusters against this vulnerability.

For more details on what's new, see the Kubernetes release notes.

Changes since v1.25.12+k3s1:

  • Update flannel and plugins (#8076)
  • Fix tailscale bug with ip modes (#8098)
  • Etcd snapshots retention when node name changes (#8123)
  • August Test Backports (#8127)
  • Backports for 2023-08 release (#8132)
    • K3s's external apiserver listener now declines to add to its certificate any subject names not associated with the kubernetes apiserver service, server nodes, or values of the --tls-san option. This prevents the certificate's SAN list from being filled with unwanted entries.
    • K3s no longer enables the apiserver's enable-aggregator-routing flag when the egress proxy is not being used to route connections to in-cluster endpoints.
    • Updated the embedded containerd to v1.7.3+k3s1
    • Updated the embedded runc to v1.1.8
    • User-provided containerd config templates may now use {{ template "base" . }} to include the default K3s template content. This makes it easier to maintain user configuration if the only need is to add additional sections to the file.
    • Bump docker/docker module version to fix issues with cri-dockerd caused by recent releases of golang rejecting invalid host headers sent by the docker client.
    • Updated kine to v0.10.2
  • K3s etcd-snapshot delete fail to delete local file when called with s3 flag (#8145)
  • Fix for cluster-reset backup from s3 when etcd snapshots are disabled (#8169)
  • Fixed the etcd retention to delete orphaned snapshots based on the date (#8190)
  • Additional backports for 2023-08 release (#8213)
    • The version of helm used by the bundled helm controller's job image has been updated to v3.12.3
    • Bumped dynamiclistener to address an issue that could cause the apiserver/supervisor listener on 6443 to stop serving requests on etcd-only nodes.
    • The K3s external apiserver/supervisor listener on 6443 now sends a complete certificate chain in the TLS handshake.
  • Move flannel to 0.22.2 (#8223)
  • Update to v1.25.13 (#8241)
  • Fix runc version bump (#8246)
  • Add new CLI flag to enable TLS SAN CN filtering (#8259)
    • Added a new --tls-san-security option. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
  • Add RWMutex to address controller (#8275)

Embedded Component Versions

Component Version
Kubernetes v1.25.13
Kine v0.10.2
SQLite 3.42.0
Etcd v3.5.3-k3s1
Containerd v1.7.3-k3s1
Runc v1.1.8
Flannel v0.22.2
Metrics-server v0.6.3
Traefik v2.9.10
CoreDNS v1.10.1
Helm-controller v0.15.4
Local-path-provisioner v0.0.24

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

Don't miss a new k3s release

NewReleases is sending notifications on new releases.