This release updates Kubernetes to v1.25.13, and fixes a number of issues.
Important Notes
-
⚠️ This release includes support for remediating CVE-2023-32186, a potential Denial of Service attack vector on RKE2 servers. See GHSA-p45j-vfv5-wprq for more information, including mandatory steps necessary to harden clusters against this vulnerability.
-
If your server (control-plane) nodes were not started with the
--tokenCLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.25.12+rke2r1:
- Sync Felix and calico-node datastore (#4577)
- Update Calico and Flannel on Canal (#4565)
- Update cilium to v1.14.0 (#4588)
- Update to whereabouts v0.6.2 (#4592)
- Version bumps and backports for 2023-08 release (#4599)
- Updated the embedded containerd to v1.7.3+k3s1
- Updated the embedded runc to v1.1.8
- Updated the embedded etcd to v3.5.9+k3s1
- Updated the rke2-snapshot-validation-webhook chart to enable VolumeSnapshotClass validation
- Security bump to docker/distribution
- Fix static pod UID generation and cleanup
- Fix default server address for rotate-ca command
- Fix wrongly formatted files (#4613)
- Fix repeating "cannot find file" error (#4619)
- Bump k3s version to recent 1.25 (#4637)
- Bump K3s version for v1.25 (#4648)
- The version of
helmused by the bundled helm controller's job image has been updated to v3.12.3 - Bumped dynamiclistener to address an issue that could cause the supervisor listener on 9345 to stop serving requests on etcd-only nodes.
- The RKE2 supervisor listener on 9345 now sends a complete certificate chain in the TLS handshake.
- The version of
- Install BGP windows packages in Windows image for tests (#4653)
- Allow OS env variables to be consumed (#4658)
- Upgrade multus chart to v4.0.2-build2023081100 (#4665)
- Fix bug. Add VXLAN_VNI env var to Calico-node exec (#4672)
- Update to v1.25.13 (#4685)
- Bump K3s version for v1.25 (#4703)
- Added a new
--tls-san-securityoption. This flag defaults to false, but can be set to true to disable automatically adding SANs to the server's TLS certificate to satisfy any hostname requested by a client.
- Added a new
- Add additional static pod cleanup during cluster reset (#4726)
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.25.13 |
| Etcd | v3.5.9-k3s1 |
| Containerd | v1.7.3-k3s1 |
| Runc | v1.1.8 |
| Metrics-server | v0.6.3 |
| CoreDNS | v1.10.1 |
| Ingress-Nginx | 4.6.1 |
| Helm-controller | v0.15.4 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) | Flannel v0.22.1 Calico v3.26.1 | Yes |
| Calico | v3.26.1 | No |
| Cilium | v1.14.0 | No |
| Multus | v4.0.2 | No |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.