github solo-io/gloo v1.3.31

3 years ago

CVEs

Updated envoy-gloo to a version based on Envoy 1.14.3, which includes Envoy security fixes. For more details on the CVEs, see the Envoy release notes.

Note that one of the CVEs requires setting global_downstream_max_connections, which may affect traffic if you perform a rolling upgrade from a version vulnerable to the CVE. The maximum number of connections is configurable and defaults to 250,000.

Dependency Bumps

  • envoy-gloo/solo-io has been upgraded to v1.14.3-patch1.

Fixes

  • Ingress: fixed updating status.loadBalancer field (#2473)
  • Properly suffix all cluster-scoped RBAC resources, including those only relevant to ingress- and knative-mode installations. This ensures that multi-tenant Gloo installations will not experience conflicts on those RBAC resources. (#3103)
  • The gateway proxy now defaults to running as non-root with NET_BIND_SERVICE disabled. (#3084)
  • Enable certgen to run in a fully restricted kubernetes environment. Certgen now runs without root privileges. (#3084)
