Version 1.18 change log
This version is no longer supported. Update your cluster to a supported version as soon as possible.
Change log for worker node fix pack 1.18.20_1566, released 27 September 2021
The following table shows the changes that are in the worker node fix pack patch update 1.18.20_1566. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure)
the worker node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Disk identification | N/A | N/A | Enhanced the disk identification logic to handle the case of 2+ partitions. |
| HA proxy | 9c98dc5 | 07f1e9 | Updated image with fixes for CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-36222, and CVE-2021-37750. |
| Ubuntu 18.04 packages | 4.15.0-156 | 4.15.0-158 | Updated worker node images and kernel with package updates CVE-2021-22946, CVE-2021-22947, CVE-2021-33560, CVE-2021-3709, CVE-2021-3710, CVE-2021-40330, CVE-2021-40528, and CVE-2021-41072. |
Change log for master fix pack 1.18.20_1565, released 28 September 2021
The following table shows the changes that are in the master fix pack patch update 1.18.20_1565. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Gateway-enabled cluster controller | 1444 | 1510 | Updated image for CVE-2021-3711 and CVE-2021-3712. |
| GPU device plug-in and installer | a9461a8 | eb817b2 | Updated to use Go version 1.16.7. |
| IBM Cloud RBAC Operator | 945df65 | e3cb629 | Updated to use Go version 1.16.7. |
| IBM Cloud File Storage for Classic plug-in and monitor | 398 | 400 | Updated to use Go version 1.16.7. Updated universal base image (UBI) to the latest 8.4-208 version to resolve CVEs. |
| Kubernetes API server auditing configuration | N/A | N/A | Updated to support verbose Kubernetes API server auditing. |
| Kubernetes NodeLocal DNS cache | N/A | N/A | Increased memory resource requests from 5Mi to 8Mi to better align with normal resource utilization. |
| Load balancer and load balancer monitor for IBM Cloud Provider | 1510 | 1550 | Updated image for CVE-2021-3711 and CVE-2021-3712. |
| Operator Lifecycle Manager | 0.14.1-IKS-11 | 0.14.1-IKS-13 | Updated image for CVE-2021-3711 and CVE-2021-3712. |
Change log for worker node fix pack 1.18.20_1564, released 13 September 2021
The following table shows the changes that are in the worker node fix pack patch update 1.18.20_1564. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure)
the worker node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | 4.15.0-154 | 4.15.0-156 | Updated worker node images and kernel with package updates for CVE-2021-3653, CVE-2021-3656, CVE-2021-38185, CVE-2021-40153. |
Change log for worker node fix pack 1.18.20_1563, released 30 August 2021
The following table shows the changes that are in the worker node fix pack patch update 1.18.20_1563. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure)
the worker node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | 4.15.0-153 | 4.15.0-154 | Updated worker node images and kernel with package updates for CVE-2021-3711 and CVE-2021-3712. |
Change log for master fix pack 1.18.20_1562, released 25 August 2021
The following table shows the changes that are in the master fix pack patch update 1.18.20_1562. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.2.14 | v1.2.15 | Updated to use Go version 1.15.15. Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs. |
| Gateway-enabled cluster controller | 1348 | 1444 | Updated image for CVE-2021-36159. |
| GPU device plug-in and installer | 82ee77b | a9461a8 | Updated to use Go version 1.16.6. |
| IBM Calico extension | 747 | 763 | Updated to use Go version 1.16.6. Updated universal base image (UBI) to the latest 8.4-205 version to resolve CVEs. |
| IBM Cloud File Storage for Classic plug-in and monitor | 395 | 398 | Updated to use Go version 1.16.6. Updated image for CVE-2021-33910. |
| Key Management Service provider | v2.3.6 | v2.3.7 | Updated to use Go version 1.15.15. Updated UBI to the latest 8.4 version to resolve CVEs. |
| Kubernetes Dashboard metrics scraper | v1.0.6 | v1.0.7 | See the Kubernetes Dashboard metrics scraper release notes. |
| Load balancer and load balancer monitor for IBM Cloud Provider | 1328 | 1510 | Updated image for CVE-2020-27780. |
| Operator Lifecycle Manager | 0.14.1-IKS-8 | 0.14.1-IKS-11 | Updated image for CVE-2021-36159. |
Change log for worker node fix pack 1.18.20_1561, released 16 August 2021
The following table shows the changes that are in the worker node fix pack patch update 1.18.20_1561. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure)
the worker node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | 4.15.0-151 | 4.15.0-153 | N/A |
| HA proxy | 68e6b3 | 9c98dc | Updated image with fixes for CVE-2021-27218. |
Change log for worker node fix pack 1.18.20_1560, released 02 August 2021
The following table shows the changes that are in the worker node fix pack patch update 1.18.20_1560. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure)
the worker node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | 4.15.0-147 | 4.15.0-151 | Updated worker node images & Kernel with package updates: CVE-2020-13529, CVE-2021-22898, CVE-2021-22924 CVE-2021-22925, CVE-2021-33200, CVE-2021-33909, and CVE-2021-33910. |
| HA proxy | aae810 | 68e6b3 | Updated image with fixes for CVE-2021-33910. |
| Registry endpoints | Added zonal public registry endpoints for clusters with both private and public service endpoints enabled. | ||
| Read only disk self healing | For VPC Gen2 workers. Added automation to recover from disks going read only. |
Change log for master fix pack 1.18.20_1559, released 27 July 2021
The following table shows the changes that are in the master fix pack patch update 1.18.20_1559. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.23 | v1.1.24 | Updated universal base image (UBI) to the latest version to resolve CVEs. |
| etcd | v3.4.14 | v3.4.16 | See the etcd release notes. |
| GPU device plug-in and installer | 22e2e0d | 82ee77b | Updated image for CVE-2021-20271, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541 and CVE-2021-3520. |
| IBM Calico extension | 730 | 747 | Updated universal base image (UBI) to version 8.4-205 to resolve CVEs. |
| IBM Cloud File Storage for Classic plug-in and monitor | 394 | 395 | Updated universal base image (UBI) to version 8.4-205 to resolve CVEs. |
| IBM Cloud RBAC Operator | b68ea92 | 945df65 | Updated image for CVE-2021-33194. |
| Key Management Service provider | v2.3.5 | v2.3.6 | Updated universal base image (UBI) to the latest version to resolve CVEs. |
Change log for worker node fix pack 1.18.29_1558, released 19 July 2021
The following table shows the changes that are in the worker node fix pack 1.18.29_1558. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node images with kernel package updates. |
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node images with kernel package updates. |
Change log for worker node fix pack 1.18.20_1557, released 6 July 2021
The following table shows the changes that are in the worker node fix pack 1.18.20_1557. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | 700dc6 | aae810 | Updated image with fixes for CVE-2021-3520, CVE-2021-20271, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, and CVE-2021-3541. |
| Kubernetes | v1.18.19 | v1.18.20 | See the Kubernetes release notes. |
| Ubuntu 18.04 packages | 4.15.0.144 | 4.15.0.147 | Updated worker node images with kernel package updates for CVE-2021-23133, CVE-2021-3444, and CVE-2021-3600. |
Change log for master fix pack 1.18.20_1556, released 28 June 2021
The following table shows the changes that are in the master fix pack patch update 1.18.20_1556. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.22 | v1.1.23 | Updated to use Go version 1.15.12. Updated image for CVE-2021-33194. |
| Gateway-enabled cluster controller | 1352 | 1348 | Updated to run as a non-root user by default, with privileged escalation as needed. |
| GPU device plug-in and installer | 19bf25c | 22e2e0d | Updated to use Go version 1.15.12. Updated universal base image (UBI) to version 8.4 to resolve CVEs. Updated the GPU drivers to version 460.73.01. |
| IBM Calico extension | 689 | 730 | Updated to use Go version 1.16.15. Updated minimal UBI to version 8.4 to resolve CVEs. |
| IBM Cloud Controller Manager | v1.18.19-2 | v1.18.20-1 | Updated to support the Kubernetes 1.18.20 release. Updated image to implement additional IBM security controls. |
| IBM Cloud File Storage for Classic plug-in and monitor | 392 | 394 | Updated to use Go version 1.15.12. Updated UBI base image to version 8.4 to resolve CVEs. |
| IBM Cloud RBAC Operator | 63cd064 | b68ea92 | Updated to use Go version 1.16.4. Updated UBI base image to version 8.4 to resolve CVEs. |
| Key Management Service provider | v2.3.4 | v2.3.5 | Updated to use Go version 1.15.12. Updated image for CVE-2021-33194. |
| Kubernetes | v1.18.19 | v1.18.20 | See the Kubernetes release notes. |
| Portieris admission controller | v0.10.2 | v0.10.3 | See the Portieris admission controller release notes. |
Change log for worker node fix pack 1.18.19_1555, released 22 June 2021
The following table shows the changes that are in the worker node fix pack 1.18.19_1555. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
Change log for worker node fix pack 1.18.19_1554, released 7 June 2021
The following table shows the changes that are in the worker node fix pack 1.18.19_1554. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | 26c5cc | 700dc6 | Updated the image for CVE-2021-27219. |
TCP keepalive optimization for VPC |
N/A | N/A | Set the net.ipv4.tcp_keepalive_time setting to 180 seconds for compatibility with VPC gateways. |
| Ubuntu 18.04 packages | 4.15.0-143 | 4.15.0-144 | Updated worker node images with kernel package updates for CVE-2021-25217, CVE-2021-31535, CVE-2021-32547, CVE-2021-32552, CVE-2021-32556, CVE-2021-32557, CVE-2021-3448, and CVE-2021-3520. |
Change log for worker node fix pack 1.18.19_1553, released 24 May 2021
The following table shows the changes that are in the worker node fix pack 1.18.19_1553. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
Change log for master fix pack 1.18.19_1552, released 24 May 2021
The following table shows the changes that are in the master fix pack patch update 1.18.19_1552. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.21 | v1.1.22 | Updated image to implement additional IBM security controls and for CVE-2020-26160, CVE-2020-28483 and CVE-2021-20305. |
| CoreDNS | 1.8.3 | 1.8.0 | See the CoreDNS release notes. |
| Gateway-enabled cluster controller | 1322 | 1352 | Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-28831,
CVE-2021-30139, CVE-2021-3449 and CVE-2021-3450. |
| IBM Calico extension | 618 | 689 | Updated to use Go version 1.15.12. Updated image to implement additional IBM security controls and for CVE-2020-14391,
CVE-2020-25661 and CVE-2020-25662. |
| IBM Cloud Controller Manager | v1.18.18-1 | v1.18.19-2 | Updated to support the Kubernetes 1.18.19 release. |
| IBM Cloud File Storage for Classic plug-in and monitor | 390 | 392 | Improved the prerequisite validation logic for provisioning persistent volume claims (PVCs). Updated image to implement additional IBM security controls and for CVE-2021-20305. |
| IBM Cloud RBAC Operator | b6a694b | 63cd064 | Updated image to implement additional IBM security controls and for CVE-2020-28483. |
| Key Management Service provider | v2.3.3 | v2.3.4 | Updated image to implement additional IBM security controls and for CVE-2020-28483 and CVE-2020-26160. |
| Kubernetes | v1.18.18 | v1.18.19 | See the Kubernetes release notes. The update resolves CVE-2020-8562 (see the IBM security bulletin) and CVE-2021-25737 (see the IBM security bulletin). |
| Kubernetes add-on resizer | 1.8.11 | 1.8.12 | See the Kubernetes add-on resizer release notes. |
| Kubernetes Metrics Server | v0.3.7 | v0.4.4 | See the Kubernetes Metrics Server release notes. |
| Load balancer and load balancer monitor for IBM Cloud Provider | 1274 | 1328 | Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-28831,
CVE-2021-30139, CVE-2021-3449 and CVE-2021-3450. |
| Portieris admission controller | v0.10.1 | v0.10.2 | See the Portieris admission controller release notes. |
Change log for worker node fix pack 1.18.18_1551, released 10 May 2021
The following table shows the changes that are in the worker node fix pack 1.18.18_1551. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node images with package updates for CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node images with package updates for CVE-2020-27350, CVE-2020-3810, CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216. |
Change log for master fix pack 1.18.18_1549, released 27 April 2021
The following table shows the changes that are in the master fix pack patch update 1.18.18_1549. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.19 | v1.1.21 | Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-3449,
CVE-2021-3450, and CVE-2021-20305. |
| CoreDNS | 1.8.0 | 1.8.3 | See the CoreDNS release notes. |
| GPU device plug-in and installer | c1c6dd3 | 19bf25c | Updated image for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305. |
| IBM Cloud Controller Manager | v1.18.17-1 | v1.18.18-1 | Updated to support the Kubernetes 1.18.18 release. |
| IBM Cloud File Storage for Classic plug-in and monitor | 389 | 390 | Updated to use Go version 1.15.9 and for CVE-2020-28851 and CVE-2021-3121. |
| IBM Cloud RBAC Operator | 3dd6bbc | b6a694b | Updated image for CVE-2021-3449 and CVE-2021-3450. |
| Key Management Service provider | v2.2.5 | v2.3.3 | Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-3449,
CVE-2021-3450, and CVE-2021-20305. |
| Kubernetes | v1.18.17 | v1.18.18 | See the Kubernetes release notes. The update resolves CVE-2021-25735 (see the IBM security bulletin). |
| Kubernetes NodeLocal DNS cache | 1.15.14 | 1.17.3 | See the Kubernetes NodeLocal DNS cache release notes. |
| OpenVPN client | 2.4.6-r3-IKS-301 | 2.4.6-r3-IKS-386 | Updated image to implement additional IBM security controls. |
| OpenVPN server | 2.4.6-r3-IKS-301 | 2.4.6-r3-IKS-385 | Updated image to implement additional IBM security controls. |
| Operator Lifecycle Manager | 0.14.1-IKS-4 | 0.14.1-IKS-8 | Updated image for CVE-2021-3449, CVE-2021-3450, and CVE-2021-30139. |
Change log for worker node fix pack 1.18.18_1550, released 26 April 2021
The following table shows the changes that are in the worker node fix pack 1.18.18_1550. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | a3b1ff | e0fa2f | The update addresses CVE-2021-20305. |
| Ubuntu 18.04 packages | N/A | N/A | Added resiliency to systemd units to prevent failures situations where the worker nodes are overused.Updated worker node images with kernel and package updates for CVE-2018-13095, CVE-2021-20305, CVE-2021-29154, and CVE-2021-3348. |
| Ubuntu 16.04 packages | 4.4.0-206 | 4.4.0-210 | Updated worker node images with kernel and package updates for [CVE-2015-1350, CVE-2017-15107, CVE-2017-5967, CVE-2018-13095, CVE-2018-5953, CVE-2019-14513, CVE-2019-16231, CVE-2019-16232, CVE-2019-19061, CVE-2021-20305, and CVE-2021-29154. |
Change log for worker node fix pack 1.18.17_1548, released 12 April 2021
The following table shows the changes that are in the worker node fix pack 1.18.17_1548. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | 9b2dca | a3b1ff | The update addresses CVE-2021-3449 and CVE-2021-3450. |
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node images with package updates for CVE-2021-22876. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node images with package updates for CVE-2021-22876. |
Change log for master fix pack 1.18.17_1546, released 30 March 2021
The following table shows the changes that are in the master fix pack patch update 1.18.17_1546. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Activity Tracker event | N/A | N/A | Now, the containers-kubernetes.version.update event is sent to Activity Tracker when a master fix pack update is initiated for a cluster. |
| Cluster health image | v1.1.18 | v1.1.19 | Updated image for CVE-2020-28851. |
| Gateway-enabled cluster controller | 1232 | 1322 | Updated to use Go version 1.15.10 and for CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841. |
| GPU device plug-in and installer | af5a6cb | c1c6dd3 | Updated image for CVE-2021-27919, CVE-2020-28851, and CVE-2020-28852. |
| IBM Cloud Controller Manager | v1.18.16-2 | v1.18.17-1 | Updated to support the Kubernetes 1.18.17 release. Fixed a bug that prevented VPC load balancers from supporting more than 50 subnets in an account. |
| IBM Cloud File Storage for Classic plug-in and monitor | 388 | 389 | Updated to use Go version 1.15.8. |
| IBM Cloud RBAC Operator | 86de2b7 | 3dd6bbc | Updated image for CVE-2020-28851. |
| Kubernetes | v1.18.16 | v1.18.17 | See the Kubernetes release notes. |
Change log for worker node fix pack 1.18.17_1547, released 29 March 2021
The following table shows the changes that are in the worker node fix pack 1.18.17_1547. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | 4.15.0-136-generic | 4.15.0-140-generic | Updated worker node images with kernel and package updates for CVE-2020-27170, CVE-2020-27171, CVE-2021-27363, CVE-2021-27365, CVE-2021-28153, and CVE-2021-3449. |
| Ubuntu 16.04 packages | 4.4.0-203-generic | 4.4.0-206-generic | Updated worker node images with kernel and package updates for CVE-2021-27363, CVE-2021-27365, and CVE-2021-28153. |
Change log for worker node fix pack 1.18.16_1545, released 12 March 2021
The following table shows the changes that are in the worker node fix pack 1.18.16_1545. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Containerd | v1.3.9 | 1.3.10 | See the containerd release notes. The update resolves CVE-2021-21334 (see the IBM security bulletin). |
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2021-21300, CVE-2021-24031, CVE-2021-24032, CVE-2021-27218, and CVE-2021-27219. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node image with package updates for{: external}, CVE-2021-21300, CVE-2021-27218, CVE-2021-27219, and CVE-2021-3177. |
Change log for worker node fix pack 1.18.16_1544, released 1 March 2021
The following table shows the changes that are in the worker node fix pack 1.18.16_1544. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Kubernetes | v1.18.15 | v1.18.16 | See the Kubernetes release notes. |
| Ubuntu 18.04 packages | 4.15.0-135-generic | 4.15.0-136-generic | Updated worker node image with package updates for CVE-2020-27619, CVE-2020-29372, CVE-2020-29374, CVE-2020-8625, CVE-2021-23840, CVE-2021-23841, CVE-2021-26937, CVE-2021-27212, and CVE-2021-3177. |
| Ubuntu 16.04 packages | 4.4.0-201-generic | 4.4.0-203-generic | Updated worker node image with package updates for CVE-2020-27619, CVE-2020-29372, CVE-2020-29374, CVE-2020-8625, CVE-2021-23840, CVE-2021-23841, CVE-2021-26937, CVE-2021-27212, and CVE-2021-3177. |
Change log for master fix pack 1.18.16_1544, released 27 February 2021
The following table shows the changes that are in the master fix pack patch update 1.18.16_1543. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Load balancer and load balancer monitor for IBM Cloud Provider | 1165 | 1274 | Fixed a bug that might cause version 2.0 network load balancers (NLBs) to crash and restart on load balancer updates. |
Change log for master fix pack 1.18.16_1543, released 22 February 2021
The following table shows the changes that are in the master fix pack patch update 1.18.16_1543. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Calico | v3.13.4 | v3.13.5 | See the Calico release notes. |
| Cluster health image | v1.1.16 | v1.1.18 | Updated to use Go version 1.15.7. Updated image to implement additional IBM security controls. |
| Gateway-enabled cluster controller | 1195 | 1232 | Updated to use Go version 1.15.7. |
| IBM Calico extension | 567 | 618 | Updated to use Go version 1.15.7. |
| IBM Cloud Controller Manager | v1.18.15-3 | v1.18.16-2 | Updated to support the Kubernetes 1.18.16 release and to use calicoctl version 3.13.5. Updated image to implement additional IBM security controls and for DLA-2509-1. Updated version 1.0 and 2.0 network load balancers (NLBs) to run as a non-root user by default, with privileged escalation as needed. |
| IBM Cloud File Storage for Classic plug-in and monitor | 385 | 388 | Improved the retry logic for provisioning persistent volume claims (PVCs). |
| IBM Cloud RBAC Operator | f859228 | 86de2b7 | Updated to use Go version 1.15.7. |
| Key Management Service provider | v2.2.3 | v2.2.5 | Updated to use Go version 1.15.7. Updated image to implement additional IBM security controls. |
| Kubernetes | v1.18.15 | v1.18.16 | See the Kubernetes release notes. |
| Load balancer and load balancer monitor for IBM Cloud Provider | 1078 | 1165 | Updated to run as a non-root user by default, with privileged escalation as needed. Updated to use Go version 1.15.7. |
| Operator Lifecycle Manager | 0.14.1-IKS-2 | 0.14.1-IKS-4 | Updated image for CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841. |
Change log for worker node fix pack 1.18.15_1541, released 15 February 2021
The following table shows the changes that are in the worker node fix pack 1.18.15_1541. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2021-25682, CVE-2021-25683, and CVE-2021-25684. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2021-25682, CVE-2021-25683, and CVE-2021-25684. |
Change log for worker node fix pack 1.18.15_1540, released 3 February 2021
The following table shows the changes that are in the worker node fix pack 1.18.15_1540. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Metadata updates | N/A | N/A | Updated the worker node version fix pack metadata for internal documentation purposes. |
Change log for worker node fix pack 1.18.15_1539, released 1 February 2021
The following table shows the changes that are in the worker node fix pack 1.18.15_1539. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 16.04 packages | 4.4.0-200-generic | 4.4.0-201-generic | Updated worker node image with kernel and package updates for CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687, CVE-2020-27777, CVE-2021-23239, and CVE-2021-3156. |
| Ubuntu 18.04 packages | 4.15.0-132-generic | 4.15.0-135-generic | Updated worker node image with kernel and package updates for CVE-2019-12761, CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687, CVE-2020-27777, CVE-2021-23239, and CVE-2021-3156. |
Change log for master fix pack 1.18.15_1538, released 19 January 2021
The following table shows the changes that are in the master fix pack patch update 1.18.15_1538. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.14 | v1.1.16 | Updated image to implement additional IBM security controls. |
| Gateway-enabled cluster controller | 1184 | 1195 | Updated image for CVE-2020-1971. |
| GPU device plug-in and installer | c26e2ae | af5a6cb | Updated image for CVE-2021-3114, CVE-2021-3115, CVE-2020-27350, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2020-1971, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286. |
| IBM Calico extension | 556 | 567 | Updated image for CVE-2020-1971 and CVE-2020-24659. |
| IBM Cloud Controller Manager | v1.18.14-1 | v1.18.15-3 | Updated to support the Kubernetes 1.18.5 release and to implement additional IBM security controls. |
| IBM Cloud File Storage for Classic plug-in and monitor | 384 | 385 | Updated image for CVE-2020-1971 and CVE-2020-24659. |
| Key Management Service provider | v2.2.2 | v2.2.3 | Fixed bug to ignore conflict errors during KMS secret re-encryption. Updated to use Go version 1.15.5. Updated image to implement additional IBM security controls and for CVE-2020-1971. |
| Kubernetes | v1.18.14 | v1.18.15 | See the Kubernetes release notes. Updated to implement additional IBM security controls. |
| Kubernetes Dashboard | v2.0.4 | v2.0.5 | See the Kubernetes Dashboard release notes. |
| Kubernetes Dashboard metrics scraper | v1.0.4 | v1.0.6 | See the Kubernetes Dashboard metrics scraper release notes. |
| Load balancer and load balancer monitor for IBM Cloud Provider | 1004 | 1078 | Updated image for CVE-2020-1971. |
| Operator Lifecycle Manager Catalog | v1.6.1 | v1.15.3 | See the Operator Lifecycle Manager Catalog release notes. |
Change log for worker node fix pack 1.18.15_1538, released 18 January 2021
The following table shows the changes that are in the worker node fix pack 1.18.15_1538. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Kubernetes | v1.18.13 | v1.18.15 | See the Kubernetes release notes. |
| Ubuntu 16.04 packages | 4.4.0-197-generic | 4.4.0-200-generic | Updated worker node image with kernel and package updates for CVE-2018-20482, CVE-2019-9923, CVE-2020-28374, CVE-2020-29361 external}, and CVE-2020-29362 external}. |
| Ubuntu 18.04 packages | 4.15.0-128-generic | 4.15.0-132-generic | Updated worker node image with kernel and package updates for{: external}, CVE-2018-20482, CVE-2019-9923, CVE-2020-28374, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2021-1052, CVE-2021-1053, and CVE-2019-19770. |
Change log for master fix pack 1.18.14_1537, released 6 January 2021
The following table shows the changes that are in the master fix pack patch update 1.18.14_1537. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| IBM Calico extension | 544 | 556 | Updated image to include the ip command. |
| IBM Cloud Controller Manager | v1.18.13-1 | v1.18.14-1 | Updated to support the Kubernetes 1.18.14 release. |
| IBM Cloud File Storage for Classic plug-in | N/A | N/A | Updated to run with a privileged security context. |
| IBM Cloud RBAC Operator | c148a8a | f859228 | Updated image for CVE-2020-1971 and CVE-2020-24659. |
| Key Management Service provider | v2.0.7 | v2.2.2 |
Updated the key management service (KMS) provider support as follows.
|
| Kubernetes | v1.18.13 | v1.18.14 | See the Kubernetes release notes. |
Kubernetes NodeLocal DNS cache |
N/A | N/A | Updated to run with a least privileged security context. |
| Operator Lifecycle Manager | 0.14.1-IKS-1 | 0.14.1-IKS-2 | Updated image for CVE-2020-1971 and CVE-2020-28928. |
Change log for worker node fix pack 1.18.13_1536, released 21 December 2020
The following table shows the changes that are in the worker node fix pack 1.18.13_1536. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node image with package updates for: CVE-2020-1971, CVE-2020-27350, CVE-2020-27351, CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286. |
| Ubuntu 18.04 packages | 4.15.0-126-generic | 4.15.0-128-generic | Updated worker node image with kernel and package updates for: CVE-2020-1971, CVE-2020-27350, CVE-2020-27351, CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286. |
| Kubernetes | v1.18.12 | v1.18.13 | See the Kubernetes change logs. |
| Ephemeral storage reservations | N/A | N/A | Reserve local ephemeral storage to prevent workload evictions. |
| HA proxy | db4e6d | 9b2dca | Image update for CVE-2020-1971 and CVE-2020-24659. |
Change log for master fix pack 1.18.13_1535, released 14 December 2020
The following table shows the changes that are in the master fix pack patch update 1.18.13_1535. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.13 | v1.1.14 | Updated image to implement additional IBM security controls. |
| CoreDNS | 1.6.9 | 1.8.0 | See the CoreDNS release notes. Additionally, updated the CoreDNS configuration to increase the weight of scheduling CoreDNS pods to different worker nodes and zones. |
| etcd | v3.4.13 | v3.4.14 | See the etcd release notes. |
| Gateway-enabled cluster controller | 1105 | 1184 | Updated to use Go version 1.15.5. Updated image to implement additional IBM security controls. |
| GPU device plug-in and installer | b966c41 | c26e2ae | Updated the GPU drivers to version 450.80.02. Updated image for CVE-2020-28367, CVE-2020-28366, and CVE-2020-28362. Updated image to implement additional IBM security controls. |
| IBM Calico extension | 378 | 544 | Updated to use the universal base image (UBI) and to use Go version 1.15.5. Updated image to implement additional IBM security controls. |
| IBM Cloud Controller Manager | v1.18.12-1 | v1.18.13-1 | Updated to support the Kubernetes 1.18.13 release. Updated image to implement additional IBM security controls. Fixed a bug in VPC load balancer creation when the cluster, VPC, or subnet are in a different resource group. |
| IBM Cloud File Storage for Classic monitor | 379 | 384 | Updated to use Go version 1.15.5 and to run as a non-root user. Updated image to implement additional IBM security controls. |
| IBM Cloud File Storage for Classic plug-in | 379 | 384 | Updated to use Go version 1.15.5 and to run with a least privileged security context. Updated image to implement additional IBM security controls. |
| IBM Cloud RBAC Operator | 197bc70 | c148a8a | Updated to use Go version 1.15.6 and updated image to implement additional IBM security controls. |
| Key management service (KMS) provider | v2.0.5 | v2.0.7 | Updated image to implement additional IBM security controls. |
| Kubernetes | v1.18.12 | v1.18.13 | See the Kubernetes release notes. |
Kubernetes NodeLocal DNS cache |
N/A | N/A | Updated the NodeLocal DNS cache configuration to support customizing the node-local-dns config map. |
| Load balancer and load balancer monitor for IBM Cloud Provider | 208 | 1004 | Updated Alpine base image to version 3.12 and to use Go version 1.15.5. Updated image for CVE-2020-8037 and CVE-2020-28928. Updated image to implement additional IBM security controls. |
| Operator Lifecycle Manager | N/A | N/A | Updated to run as a non-root user. |
| OpenVPN client | 2.4.6-r3-IKS-116 | 2.4.6-r3-IKS-301 | Updated image to implement additional IBM security controls. |
| OpenVPN server | 2.4.6-r3-IKS-222 | 2.4.6-r3-IKS-301 | Updated image to implement additional IBM security controls. |
Change log for worker node fix pack 1.18.12_1535, released 11 December 2020
The following table shows the changes that are in the worker node fix pack 1.18.12_1535. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 bare metal kernel | 4.15.0-126-generic | 4.15.0-123-generic | Bare metal worker nodes: Reverted the kernel version for bare metal worker nodes while Canonical addresses issues with the previous version that prevented worker nodes from being reloaded or updated. |
Change log for worker node fix pack 1.18.12_1534, released 7 December 2020
The following table shows the changes that are in the worker node fix pack 1.18.12_1534. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Containerd | v1.3.4 | 1.3.9 | See the containerd release notes. The update resolves CVE-2020–15257 (see the IBM security bulletin). |
| HA proxy | 1.8.26-384f42 | db4e6d | Added provenance labels for source tracking. |
| Ubuntu 18.04 packages | 4.15.0-123-generic | 4.15.0-126-generic | Updated worker node image with kernel and package updates for CVE-2020-14351 and CVE-2020-4788. |
| Ubuntu 16.04 packages | 4.4.0-194-generic | 4.4.0-197-generic | Updated worker node image with kernel and package updates for CVE-2020-0427, CVE-2020-12352, CVE-2020-14351, CVE-2020-25645, and CVE-2020-4788. |
Change log for worker node fix pack 1.18.12_1533, released 23 November 2020
The following table shows the changes that are in the worker node fix pack 1.18.12_1533. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Kubernetes | v1.18.10 | v1.18.12 | See the Kubernetes change log. |
| Ubuntu 18.04 packages | 4.15.0-122-generic | 4.15.0-123-generic | Updated worker node image with kernel and package updates for CVE-2020-25692, CVE-2020-25709, CVE-2020-25710, CVE-2020-28196, and CVE-2020-8694. |
| Ubuntu 16.04 packages | 4.4.0-193-generic | 4.4.0-194-generic | Updated worker node image with kernel and package updates for CVE-2020-25692, CVE-2020-25709, CVE-2020-25710, CVE-2020-28196, and CVE-2020-8694. |
Change log for master fix pack 1.18.12_1533, released 16 November 2020
The following table shows the changes that are in the master fix pack patch update 1.18.12_1533. Master patch updates are applied automatically.
Change log for worker node fix pack 1.18.10_1532, released 9 November 2020
The following table shows the changes that are in the worker node fix pack 1.18.10_1532. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node image with kernel and package updates for CVE-2018-14036, CVE-2020-10543, CVE-2020-10878, CVE-2020-12723, CVE-2020-16126, CVE-2020-25659, and CVE-2017-18269. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2018-14036, CVE-2020-10543, CVE-2020-10878, CVE-2020-12723, CVE-2020-16126, and CVE-2020-25659. |
Change log for worker node fix pack 1.18.10_1531, released 26 October 2020
The following table shows the changes that are in the worker node fix pack 1.18.10_15313. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Kubernetes | v1.18.9 | v1.18.10 | See the Kubernetes release notes. |
| Ubuntu 18.04 packages | 4.15.0-118-generic | 4.15.0-122-generic | Updated worker node images with kernel and package updates for CVE-2018-10322, CVE-2019-20807, CVE-2019-20916, CVE-2020-12351, CVE-2020-12352, CVE-2020-15999, CVE-2020-16119, CVE-2020-16120, CVE-2020-24490, and CVE-2020-26116. |
| Ubuntu 16.04 packages | 4.4.0-190-generic | 4.4.0-193-generic | Updated worker node images with kernel and package updates for CVE-2017-17087, CVE-2018-10322, CVE-2019-20807, CVE-2020-15999, CVE-2020-16119, and CVE-2020-26116. |
Change log for master fix pack 1.18.10_1531, released 26 October 2020
The following table shows the changes that are in the master fix pack patch update 1.18.10_1531. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Calico configuration | N/A | N/A | Updated the calico-node daemon set in the kube-system namespace to set the spec.updateStrategy.rollingUpdate.maxUnavailable parameter to 10% for clusters with more than 50 worker nodes. |
| Cluster health image | v1.1.11 | v1.1.12 | Updated to use Go version 1.15.2. |
| Gateway-enabled cluster controller | 1082 | 1105 | Updated to use Go version 1.15.2. |
| IBM Cloud Controller Manager | v1.18.9-1 | v1.18.10-1 | Updated to support the Kubernetes 1.18.10 release. |
| IBM Cloud RBAC Operator | 4b47693 | 31c794a | Updated to use Go version 1.15.2. |
| Kubernetes | v1.18.9 | v1.18.10 | See the Kubernetes release notes. |
Kubernetes NodeLocal DNS cache |
1.15.13 | 1.15.14 | See the Kubernetes NodeLocal DNS cache release notes. |
Change log for worker node fix pack 1.18.9_1530, released 12 October 2020
The following table shows the changes that are in the worker node fix pack 1.18.9_1530. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2019-8936, CVE-2020-26137, and CVE-2020-14365. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2020-14365 and CVE-2020-26137. |
Change log for worker node fix pack 1.18.9_1529, released 28 September 2020
The following table shows the changes that are in the worker node fix pack 1.18.9_1529. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Kubernetes | v1.18.8 | v1.18.9 | See the Kubernetes release notes. |
| Ubuntu 18.04 packages | 4.15.0-117-generic | 4.15.0-118-generic | Updated worker node image with kernel and package updates for CVE-2018-1000500, CVE-2018-7738, CVE-2019-14855, CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, CVE-2020-10753, CVE-2020-12059, CVE-2020-12888, CVE-2020-1760, and CVE-2020-1968. |
| Ubuntu 16.04 packages | 4.4.0-189-generic | 4.4.0-190-generic | Updated worker node image with kernel and package updates for CVE-2019-20811, CVE-2019-9453, CVE-2020-0067, and CVE-2020-1968. |
Change log for master fix pack 1.18.9_1528, released 21 September 2020
The following table shows the changes that are in the master fix pack patch update 1.18.9_1528. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.9 | v1.1.11 | Updated Go version for CVE-2020-16845 and CVE-2020-24553. |
| etcd | v3.4.10 | v3.4.13 | See the etcd release notes. |
| GPU device plug-in and installer | bacb9e1 | edd26a4 | Updated Go version for CVE-2020-16845 and CVE-2020-24553. Updated the GPU drivers to version 450.51.06. |
| IBM Cloud Controller Manager | v1.18.6-1 | v1.18.9-1 | Updated to support the Kubernetes 1.18.9 release and to use Go version 1.13.15. |
| IBM Cloud File Storage for Classic plug-in and monitor | 377 | 378 | Updated Go version for CVE-2020-16845. |
| IBM Cloud RBAC Operator | d80b738 | 4b47693 | Updated Go version for CVE-2020-16845 and image for CVE-2020-14352. |
| Key Management Service provider | v2.0.2 | v2.0.4 | Updated Go version for CVE-2020-16845 and CVE-2020-24553. |
| Kubernetes | v1.18.8 | v1.18.9 | See the Kubernetes release notes. |
| Kubernetes Dashboard | v2.0.3 | v2.0.4 | See the Kubernetes Dashboard release notes. |
Change log for worker node fix pack 1.18.8_1527, released 14 September 2020
The following table shows the changes that are in the worker node fix pack 1.18.8_1527. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | 1.8.25-384f42 | 1.8.26-561f1a | See the HA proxy change log. |
| Ubuntu 18.04 packages | 4.15.0-112-generic | 4.15.0-117-generic | Updated worker node image with kernel and package updates for CVE-2020-14344, CVE-2020-14363, and CVE-2020-14386. |
| Ubuntu 16.04 packages | 4.4.0-187-generic | 4.4.0-189-generic | Updated worker node image with kernel and package updates for CVE-2020-14344 and CVE-2020-14363. |
Change log for worker node fix pack 1.18.8_1526, released 31 August 2020
The following table shows the changes that are in the worker node fix pack 1.18.8_1526. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2020-12403, CVE-2020-8231, CVE-2020-8622, CVE-2020-8623, and CVE-2020-8624. |
| Ubuntu 16.04 packages | 4.4.0-186-generic | 4.4.0-187-generic | Updated worker node image with kernel and package updates for CVE-2020-8231, CVE-2020-8622, and CVE-2020-8623. |
Change log for master fix pack 1.18.8_1525, released 18 August 2020
The following table shows the changes that are in the master fix pack patch update 1.18.8_1525. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster health image | v1.1.8 | v1.1.9 | Updated to use Go version 1.13.13. |
| etcd | v3.4.9 | v3.4.10 | See the etcd release notes. |
| GPU device plug-in and installer | 6847df8 | f22c75e | Updated image for CVE-2020-14039 and CVE-2020-15586. |
| IBM Cloud File Storage for Classic plug-in and monitor | 376 | 377 | Fixed a bug that prevents persistent volume claim (PVC) creation failures from being retried. |
| IBM Cloud RBAC Operator | 8882606 | d80b738 | Updated image for CVE-2020-12049 and to use Go version 1.13.14. |
| Key Management Service provider | v1.0.0 | v2.0.2 | Updated image for CVE-2020-15586. |
| Kubernetes | v1.18.6 | v1.18.8 | See the Kubernetes release notes. |
| Kubernetes add-on resizer | 1.8.7 | 1.8.11 | See the Kubernetes add-on resizer release notes. |
| Kubernetes configuration | N/A | N/A | The Kubernetes API server audit policy configuration is updated to include auditing of all API groups except apiregistration.k8s.io and coordination.k8s.io. |
| Kubernetes Metrics Server | v0.3.6 | v0.3.7 | See the Kubernetes Metrics Server release notes. |
Kubernetes NodeLocal DNS cache configuration |
N/A | N/A | Increased the pod termination grace period. |
Change log for worker node fix pack 1.18.8_1525, released 17 August 2020
The following table shows the changes that are in the worker node fix pack 1.18.8_1525. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Kubernetes | v1.18.6 | v1.18.8 | See the Kubernetes change logs. |
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2020-11936, CVE-2020-12400, CVE-2020-12401, CVE-2020-15701, CVE-2020-15702, CVE-2020-15709, and CVE-2020-6829. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node image with package updates for CVE-2020-11936, CVE-2020-15701, CVE-2020-15702, and CVE-2020-15709. |
Change log for worker node fix pack 1.18.6_1523, released 3 August 2020
The following table shows the changes that are in the worker node fix pack 1.18.6_1523. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | 4.15.0-111-generic | 4.15.0-112-generic | Updated worker node images with kernel and package updates for CVE-2019-17514, CVE-2019-20907, CVE-2019-9674, CVE-2020-10713, CVE-2020-10757, CVE-2020-11935, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-14422, CVE-2020-15705, CVE-2020-15706, and CVE-2020-15707. |
| Ubuntu 16.04 packages | 4.4.0-185-generic | 4.4.0-186-generic | Updated worker node images with package updates for CVE-2019-12380, CVE-2019-17514, CVE-2019-20907, CVE-2019-9674, CVE-2020-10713, CVE-2020-11935, CVE-2020-14308, CVE-2020-14309, CVE-2020-14310, CVE-2020-14311, CVE-2020-14422, CVE-2020-15705, CVE-2020-15706, and CVE-2020-15707. |
Change log for master fix pack 1.18.6_1522, released 24 July 2020
The following table shows the changes that are in the master fix pack patch update 1.18.6_1522. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| Cluster master operations | N/A | N/A | Fixed a problem that might cause pods to fail authentication to the Kubernetes API server after a cluster master operation. |
| IBM Cloud File Storage for Classic plug-in and monitor | 375 | 376 | Updated to use Go version 1.13.8. |
Change log for master fix pack 1.18.6_1521, released 20 July 2020
The following table shows the changes that are in the master fix pack patch update 1.18.6_1521. Master patch updates are applied automatically.
| Component | Previous | Current | Description |
|---|---|---|---|
| GPU device plug-in and installer | 31d4bb6 | 8c24345 | Updated image for CVE-2017-12133, CVE-2017-18269, CVE-2018-11236, CVE-2018-11237, CVE-2018-19591, CVE-2018-6485, CVE-2019-19126, CVE-2019-9169, CVE-2020-10029, CVE-2020-1751, and CVE-2020-1752. |
| IBM Calico extension | 353 | 378 | Updated to handle any ens network interface. |
| IBM Cloud Controller Manager | v1.18.4-1 | v1.18.6-1 | Updated to support the Kubernetes 1.18.6 release. |
| IBM Cloud File Storage for Classic plug-in and monitor configuration | N/A | N/A | Added a pod memory limit. |
| IBM Cloud RBAC operator | 08ce50e | 8882606 | Updated image for CVE-2020-13777 and to use Go version 1.13.12. |
| Kubernetes | v1.18.4 | v1.18.6 | See the Kubernetes release notes. The update resolves CVE-2020-8559 (see the IBM security bulletin). |
| Kubernetes configuration | N/A | N/A | The Kubernetes API server audit policy configuration is updated to include auditing the scheduling.k8s.io API group and the tokenreviews resource. |
| Kubernetes Dashboard | v2.0.1 | v2.0.3 | See the Kubernetes Dashboard release notes. |
| OpenVPN server | 2.4.6-r3-IKS-131 | 2.4.6-r3-IKS-222 | Removed the deprecated comp-lzo compression configuration option and updated the default cipher that is used for encryption. |
| Operator Lifecycle Manager | 0.14.1 | 0.14.1-IKS-1 | Updated image for CVE-2020-1967. |
Change log for worker node fix pack 1.18.6_1520, released 20 July 2020
The following table shows the changes that are in the worker node fix pack 1.18.6_1520. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | 2.0.15-afe432 | 1.8.25-384f42 | See the HA proxy change log. Fixes a connection leak that happens when HA proxy is under high load. |
| Kubernetes | v1.18.4 | v1.18.6 | See the Kubernetes change logs. The update resolves CVE-2020-8557 (see the IBM security bulletin). |
| Ubuntu 18.04 packages | 4.15.0-109-generic | 4.15.0-111-generic | Updated worker node images with kernel and package updates for CVE-2018-11236, CVE-2018-11237, CVE-2018-19591, CVE-2019-19126, CVE-2019-9169, CVE-2020-10029, CVE-2020-12402, CVE-2020-1751, and CVE-2020-1752. |
| Ubuntu 16.04 packages | 4.4.0-184-generic | 4.4.0-185-generic | Updated worker node images with package updates for CVE-2017-12133, CVE-2017-18269, CVE-2018-11236, CVE-2018-11237, CVE-2018-6485, CVE-2019-19126, CVE-2019-9169, CVE-2020-0543, CVE-2020-10029, CVE-2020-10711, CVE-2020-13143, CVE-2020-1751, and CVE-2020-1752. |
Change log for worker node fix pack 1.18.4_1518, released 6 July 2020
The following table shows the changes that are in the worker node fix pack 1.18.4_1518. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| HA proxy | 1.8.25-30b675 | 2.0.15-afe432 | See the HA proxy change log. |
| Ubuntu 18.04 packages | 4.15.0-106-generic | 4.15.0-109-generic | Updated worker node images with kernel and package updates for CVE-2019-12380, CVE-2019-16089, CVE-2019-19036, CVE-2019-19039, CVE-2019-19318, CVE-2019-19642, CVE-2019-19813, CVE-2019-3689, CVE-2020-0543, CVE-2020-10711, CVE-2020-13143, CVE-2020-8177, CVE-2019-19377, and CVE-2019-19816. |
| Ubuntu 16.04 packages | N/A | N/A | Updated worker node images with package updates for CVE-2019-3689 and CVE-2020-8177. |
Worker node drain automation |
N/A | N/A | Fixes a race condition that can cause worker node drain automation to fail. |
Change log for 1.18.4_1517, released 22 June 2020
The following table shows the changes that are in the master and worker node update 1.18.4_1517. Master patch updates are applied automatically. Worker node patch updates can be applied by updating, reloading (in classic infrastructure),
or replacing (in VPC infrastructure) the worker node. For more information, see Update types.
| Component | Location | Previous | Current | Description |
|---|---|---|---|---|
| Calico | Master | v3.13.3 | v3.13.4 | See the Calico release notes. The master update resolves CVE-2020-13597 (see the IBM security bulletin). |
| Cluster health image | Master | v1.1.5 | v1.1.8 | Additional status information is included when an add-on health state is critical. Improved performance when handling cluster status updates. |
| Cluster master operations | Master | N/A | N/A | Cluster master operations such as refresh or update are now canceled if a broken Kubernetes admission webhook is detected. |
| etcd | Master | v3.4.7 | v3.4.9 | See the etcd release notes. |
| GPU device plug-in and installer | Master | b9a418c | 2bcf8e4 | Updated image for CVE-2020-3810. |
| IBM Cloud Controller Manager | Master | v1.18.3-1 | v1.18.4-1 | Updated to support the Kubernetes 1.18.4 release. Updated the version 2.0 private network load balancers (NLBs) to manage Calico global network policies. Updated calicoctl version to 3.13.4. |
| IBM Cloud File Storage for Classic plug-in | Master | 373 | 375 | Fixed a bug that might cause error handling to create additional persistent volumes. |
| IBM Cloud RBAC operator | Master | N/A | 08ce50e | New!: Added a control plane operator to synchronize IBM Cloud Identity and Access Management (IAM) service access roles with Kubernetes role-based access control (RBAC) roles. |
| Kubernetes | Both | v1.18.3 | v1.18.4 | See the Kubernetes release notes. The master update resolves CVE-2020-8558 (see the IBM security bulletin). |
| Kubernetes configuration | Master | N/A | N/A | The Kubernetes API server audit policy configuration is updated to include auditing the apiextensions.k8s.io API group and the persistentvolumeclaims and persistentvolumes resources. Additionally,
the http2-max-streams-per-connection option is set to 1000 to mitigate network disruption impacts on the kubelet connection to the API server. |
| Kubernetes Dashboard | Master | v2.0.0 | v2.0.1 | See the Kubernetes Dashboard release notes. |
| Load balancer and load balancer monitor for IBM Cloud Provider | Master | 211 | 223 | Improved startup performance of version 2.0 private network load balancers (NLBs). |
| Ubuntu 18.04 packages | Worker | 4.15.0-101-generic | 4.15.0-106-generic | Updated worker node images with kernel and package updates for CVE-2018-8740, CVE-2019-17023, CVE-2020-0543, CVE-2020-12049, CVE-2020-12399, CVE-2020-13434, CVE-2020-13630, and CVE-2020-13632. |
| Ubuntu 16.04 packages | Worker | 4.4.0-179-generic | 4.4.0-184-generic | Updated worker node images with package and kernel updates for CVE-2020-12049, CVE-2020-0543, CVE-2020-12769, CVE-2020-1749, CVE-2020-13434, CVE-2020-13630, andCVE-2020-13632. |
Change log for worker node fix pack 1.18.3_1515, released 8 June 2020
The following table shows the changes that are in the worker node fix pack 1.18.3_1515. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker
node.
| Component | Previous | Current | Description |
|---|---|---|---|
| Ubuntu 18.04 packages | N/A | N/A | Updated worker node images with package updates for CVE-2019-1547, CVE-2019-1549, CVE-2019-1551, CVE-2019-1563, and CVE-2020-12762. |
| Ubuntu 16.04 packages | 4.4.0-178-generic | 4.4.0-179-generic | Updated worker node images with package and kernel updates for CVE-2019-1547, CVE-2019-1551, CVE-2019-1563, and CVE-2020-12762. |
Change log for 1.18.3_1514, released 26 May 2020
The following table shows the changes that are in the master and worker node update 1.18.3_1514. Master patch updates are applied automatically. Worker node patch updates can be applied by updating, reloading (in classic infrastructure),
or replacing (in VPC infrastructure) the worker node. For more information, see Update types.
| Component | Location | Previous | Current | Description |
|---|---|---|---|---|
| IBM Calico extension | Master | 349 | 353 | Skips creating a Calico host endpoint when no endpoint is needed. |
| IBM Cloud Controller Manager | Master | v1.18.2-3 | v1.18.3-1 | Updated to support the Kubernetes 1.18.3 release. |
| IBM Cloud File Storage for Classic plug-in and monitor | Master | 371 | 373 | Image updated for CVE-2020-11655. |
| Kubernetes | Both | v1.18.2 | v1.18.3 | See the Kubernetes release notes. |
| Kubernetes Metrics Server | Master | N/A | N/A | Increased the CPU per node for the metrics-server container to improve availability of the metrics server API service for large clusters. |
Kubernetes NodeLocal DNS cache |
Master | 1.15.12 | 1.15.13 | See the Kubernetes NodeLocal DNS cache release notes. Updated the node-local-dns daemon set to include the
prometheus.io/port and prometheus.io/scrape annotations on the pods. |
| Load balancer and load balancer monitor for IBM Cloud Provider | Master | 207 | 211 | Updated the version 2.0 network load balancers (NLB) to clean up unnecessary IPVS rules. |
| Ubuntu 18.04 packages | Worker | 4.15.0-99-generic | 4.15.0-101-generic | Updated worker node images with kernel and package updates for CVE-2019-20795, CVE-2020-11494, CVE-2020-12762, CVE-2020-3810, CVE-2020-8616, and CVE-2020-8617. |
| Ubuntu 16.04 packages | Worker | 4.4.0-178-generic | 4.4.0-179-generic | Updated worker node images with package and kernel updates for CVE-2019-19060, CVE-2020-11494, CVE-2020-11608, CVE-2020-12762, CVE-2020-3810, CVE-2020-8616, and CVE-2020-8617. |
Change log for 1.18.2_1512, released 11 May 2020
The following table shows the changes that are in patch update 1.18.2_1512. If you update your cluster from Kubernetes 1.17, review the preparation actions.
| Component | Previous | Current | Description |
|---|---|---|---|
| Calico | v3.12.1 | v3.13.3 | See the Calico release notes. |
| Cluster health image | v1.1.1 | v1.1.4 | When cluster add-ons don't support the current cluster version, a warning is now returned in the cluster health state. |
| CoreDNS configuration | N/A | N/A | To improve cluster DNS availability, CoreDNS pods now prefer evenly distributed scheduling across worker nodes and zones. |
| etcd | v3.4.3 | v3.4.7 | See the etcd release notes). |
| Gateway-enabled cluster controller | 1045 | 1082 | Updated image for CVE-2020-1967. |
| GPU device plug-in and installer | 8c6538f | b9a418c | Updated image for CVE-2020-1967. |
| IBM Calico extension | 320 | 349 | Updated image for CVE-2020-1967. |
| IBM Cloud Controller Manager | v1.17.5-1 | v1.18.2-3 | Updated to support the Kubernetes 1.18.2 release and to use calicoctl version 3.13.3. Updated network load balancer (NLB) events to use the latest IBM Cloud troubleshooting documentation. |
| IBM Cloud File Storage for Classic plug-in and monitor | 358 | 371 | Updated image for CVE-2020-1967. |
| Kubernetes | v1.17.5 | v1.18.2 | See the Kubernetes release notes. The master update resolves CVE-2020-8555 (see the IBM security bulletin). |
| Kubernetes admission controllers configuration | N/A | N/A | Added CertificateApproval, CertificateSigning, CertificateSubjectRestriction and DefaultIngressClass to the --enable-admission-plugins option for the cluster's Kubernetes API server. |
| Kubernetes configuration | N/A | N/A | Removed batch/v2alpha1=true from the --runtime-config option for the cluster's Kubernetes API server. |
| Kubernetes Dashboard | v2.0.0-rc7 | v2.0.0 | See the Kubernetes Dashboard release notes. |
| Kubernetes NodeLocal DNS cache | 1.15.8 | 1.15.12 |
|
| Load balancer and load balancer monitor for IBM Cloud Provider | 177 | 207 | Improved application logging. Updated image for CVE-2020-1967. |
| Pause container image | 3.1 | 3.2 | See the pause container image release notes. |