IBM Cloud Docs
Kubernetes version 1.19 change log

Kubernetes version 1.19 change log

This version is no longer supported. Update your cluster to a supported version as soon as possible.

Overview

Unless otherwise noted in the change logs, the IBM Cloud Kubernetes Service provider version enables Kubernetes APIs and features that are at beta. Kubernetes alpha features, which are subject to change, are disabled.

For more information about major, minor, and patch versions and preparation actions between minor versions, see Kubernetes versions.

Check the Security Bulletins on IBM Cloud Status for security vulnerabilities that affect IBM Cloud Kubernetes Service. You can filter the results to view only Kubernetes Cluster security bulletins that are relevant to IBM Cloud Kubernetes Service. Change log entries that address other security vulnerabilities but don't also refer to an IBM security bulletin are for vulnerabilities that are not known to affect IBM Cloud Kubernetes Service in normal usage. If you run privileged containers, run commands on the workers, or execute untrusted code, then you might be at risk.

Some change logs are for worker node fix packs, and apply only to worker nodes. You must apply these patches to ensure security compliance for your worker nodes. These worker node fix packs can be at a higher version than the master because some build fix packs are specific to worker nodes. Other change logs are for master fix packs, and apply only to the cluster master. Master fix packs might not be automatically applied. You can choose to apply them manually. For more information about patch types, see Update types.

Version 1.19 change log

Review the version 1.19 change log.

Change log for worker node fix pack 1.19.16_1579, released 14 March 2022

Changes since version 1.19.16_1579
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-169-generic 4.15.0-171-generic Kernel and package updates for CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2020-6096, CVE-2021-3326, CVE-2021-35942, CVE-2021-3999, CVE-2022-0001, CVE-2022-23218, CVE-2022-23219, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315.

Change log for master fix pack 1.19.16_1578, released 3 March 2022

Changes since version 1.19.16_1575
Component Previous Current Description
Cluster health image v1.2.21 v1.2.23 Updated golang.org/x/crypto to v0.0.0-20220214200702-86341886e292. Adds fix for CVE-2021-43565. Adds Golang dependency updates.
Gateway-enabled cluster controller 1586 1653 Updated to use Go version 1.17.7 and updated Go modules to fix CVEs.
IBM Calico extension 923 929 Updated universal base image (UBI) to version 8.5-230 to resolve CVEs. Updated to use Go version 1.16.13.
IBM Cloud Controller Manager v1.19.16-6 v1.19.16-9 Adds changes to the renovate rules.
IBM Cloud File Storage for Classic plug-in and monitor 404 405 Fix for CVE-2021-3538. Adds dependency updates.
Key Management Service provider v2.3.13 v2.4.3 Updated golang.org/x/crypto to v0.0.0-20220214200702-86341886e292. Adds fix for CVE-2021-43565. Adds Golang dependency updates.

Change log for worker node fix pack 1.19.16_1579, released 28 February 2022

Changes since version 1.19.16_1577
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-167-generic 4.15.0-169-generic Kernel and package updates for CVE-2021-4083, CVE-2021-4155, CVE-2021-45960, CVE-2021-46143, CVE-2022-0330, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-22942, CVE-2022-23852, CVE-2022-23990, CVE-2022-24407, CVE-2022-25235, CVE-2022-25236.
HA proxy f6a2b3 15198fb Contains fixes for CVE-2022-24407.

Change log for worker node fix pack 1.19.16_1577, released 14 February 2022

Changes since version 1.19.16_1576
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A N/A
Kubernetes N/A N/A N/A
HA proxy d38fa1 f6a2b3 CVE-2021-3521 CVE-2021-4122.

Change log for worker node fix pack 1.19.16_1576, released 31 January 2022

Changes since version 1.19.16_1575
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2018-7169, CVE-2021-3984, CVE-2021-4019, CVE-2021-4034, CVE-2021-4069.

Change log for master fix pack 1.19.16_1575, released 26 January 2022

Changes since version 1.19.16_1573
Component Previous Current Description
Calico N/A N/A Changed to improve Calico availability during updates.
Cluster health image v1.2.20 v1.2.21 Updated to use Go version 1.17.5, updated Go dependencies and golangci-lint
GPU device plug-in and installer cc634b2 9be025c Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Calico extension 900 923 Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Cloud Controller Manager v1.19.16-5 v1.19.16-6 Exclude CVE-2020-14312 from scanning
IBM Cloud File Storage for Classic plug-in and monitor 402 404 Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Cloud RBAC Operator 3430e03 0fc9949 Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
Key Management Service provider v2.3.12 v2.3.13 Updated Go module dependencies and golangci-lint
Kubernetes N/A N/A Changed the duration of the Kubernetes API server certificate from 825 days to 730 days. Changed the duration of the cluster CA certificate from 30 years to 10 years. See the Kubernetes release notes.
Kubernetes Metrics Server v0.4.4 v0.4.5 Metrics server now dynamically reloads NannyConfiguration updates. See the Kubernetes Metrics Server release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1660 1748 Updated the Alpine base image to the 3.15 version to resolve CVEs. Updated to use Go version 1.17.6.
OpenVPN client 2.4.6-r3-IKS-463 2.5.4-r0-IKS-556 Update base image to alpine 3.15 to address CVEs, no longer set the --compress config option, updated scripts
OpenVPN server 2.4.6-r3-IKS-462 2.5.4-r0-IKS-555 Update base image to alpine 3.15 to address CVEs, no longer set the --compress config option, updated scripts

Change log for worker node fix pack 1.19.16_1574, released 18 January 2022

Changes since version 1.19.16_1573
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-163-generic 4.15.0-166-generic Kernel and package updates for CVE-2018-25020 and CVE-2021-4002.

Change log for worker node fix pack 1.19.16_1573, released 4 January 2022

The following table shows the changes that are in the worker node fix pack patch update 1.19.16_1573. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.16_1571
Component Previous Current Description
HA proxy 3b8663 d38fa1 Contains fixes for CVE-2021-3712.
Ubuntu 18.04 packages N/A N/A Updated worker node image packages for CVE-2019-19449, CVE-2020-16592, CVE-2020-21913, CVE-2020-27781, CVE-2020-36322, CVE-2020-36385, CVE-2021-25219, CVE-2021-28831, CVE-2021-28950, CVE-2021-3487, CVE-2021-3524, CVE-2021-3531, CVE-2021-3733, CVE-2021-3737, CVE-2021-3759, CVE-2021-3778, CVE-2021-3796, CVE-2021-3800, CVE-2021-38199, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-40490, CVE-2021-42374, CVE-2021-42378, CVE-2021-42384, and CVE-2021-43527.

Change log for master fix pack 1.19.16_1570, released 7 December 2021

The following table shows the changes that are in the master fix pack patch update 1.19.16_1570. Master patch updates are applied automatically.

Changes since version 1.19.16_1568
Component Previous Current Description
Cluster health image v1.2.18 v1.2.20 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs. Updated to use Go version 1.16.10.
Gateway-enabled cluster controller 1567 1586 Updated Alpine base image to the latest 3.14 version to resolve CVEs. Updated to use Go version 1.16.10.
GPU device plug-in and installer b87bfa2 cc634b2 Updated universal base image (UBI) to the 8.5-204 version to resolve CVEs. Updated to use Go version 1.16.10.
IBM Calico extension 864 900 Updated universal base image (UBI) to the 8.5-204 version to resolve CVEs. Updated to use Go version 1.16.10.
IBM Cloud File Storage for Classic plug-in and monitor 401 402 Updated universal base image (UBI) to the 8.5-204 version to resolve CVEs. Updated to use Go version 1.16.10.
IBM Cloud RBAC Operator 4ca5637 3430e03 Updated universal base image (UBI) to the latest 8.5 version to resolve CVEs. Updated to use Go version 1.16.10.
Key Management Service provider v2.3.10 v2.3.12 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs. Updated to use Go version 1.16.10.
Load balancer and load balancer monitor for IBM Cloud Provider 1589 1660 Updated Alpine base image to the latest 3.14 version to resolve CVEs. Updated to use Go version 1.16.10.
Operator Lifecycle Manager 0.16.1-IKS-14 0.16.1-IKS-15 Updated image for CVE-2021-42374, CVE-2021-42375, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, and CVE-2021-42386.

Change log for worker node fix pack 1.19.16_1571, released 6 December 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.16_1571. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.16_1569
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-162 4.15.0-163 Updated worker node images and kernel with package updates. Contains fixes for CVE-2021-43527
Containerd v1.4.11 v1.4.12 See the change log and the security bulletin.

Change log for worker node fix pack 1.19.16_1569, released 22 November 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.16_1569. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.15_1567
Component Previous Current Description
Kubernetes 1.19.15 1.19.16 For more information, see the change log.
HA proxy 07f1e9e 3b8663 Contains fixes for CVE-2021-20231, CVE-2021-20232, CVE-2021-3580, CVE-2021-22946, CVE-2021-22947, CVE-2021-22876, CVE-2021-22898, CVE-2021-22925, CVE-2019-20838, CVE-2020-14155, CVE-2018-20673, CVE-2021-42574, CVE-2019-17594, CVE-2019-17595, CVE-2020-12762, CVE-2020-16135, CVE-2021-3445, CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087, CVE-2021-20266, CVE-2019-18218, CVE-2021-23840, CVE-2021-23841, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942, CVE-2021-33560, CVE-2019-13750, CVE-2019-13751, CVE-2019-19603, CVE-2019-5827, CVE-2020-13435, CVE-2020-24370, CVE-2021-28153, CVE-2021-3800, CVE-2021-33928, CVE-2021-33929, CVE-2021-33930, CVE-2021-33938, andCVE-2021-3200
Ubuntu 18.04 packages 4.15.0-161 4.15.0-162 Updated worker node images and kernel with package fixes forCVE-2019-19449, CVE-2020-36322, CVE-2020-36385, CVE-2021-28950, CVE-2021-3759, CVE-2021-38199, CVE-2021-3903, CVE-2021-3927, andCVE-2021-3928.

Change log for master fix pack 1.19.16_1568, released 17 November 2021

The following table shows the changes that are in the master fix pack patch update 1.19.16_1568. Master patch updates are applied automatically.

Changes since version 1.19.15_1565
Component Previous Current Description
Cluster health image v1.2.16 v1.2.18 Updated Go module dependencies and to use Go version 1.16.9. Updated image for CVE-2021-22946, CVE-2021-22947, CVE-2021-33928, CVE-2021-33929 and CVE-2021-33930.
etcd v3.4.17 v3.4.18 See the etcd release notes.
Gateway-enabled cluster controller 1510 1567 Updated to use Go version 1.16.9.
GPU device plug-in and installer eb817b2 b87bfa2 Updated image for CVE-2021-36222, CVE-2021-37750, CVE-2021-22922, CVE-2021-22923 and CVE-2021-22924.
IBM Cloud Controller Manager v1.19.15-3 v1.19.16-3 Updated to support the Kubernetes 1.19.16 release. Updated image for DLA-2797-1.
IBM Cloud RBAC Operator e3cb629 4ca5637 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs.
Key Management Service provider v2.3.8 v2.3.10 Updated Go module dependencies and to use Go version 1.16.9. Updated image for CVE-2021-22946.
Kubernetes v1.19.15 v1.19.16 See the Kubernetes release notes.
Kubernetes add-on resizer 1.8.12 1.8.13 See the Kubernetes add-on resizer release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1550 1589 Updated to use Go version 1.16.9.
OpenVPN client 2.4.6-r3-IKS-386 2.4.6-r3-IKS-463 Updated image to implement additional IBM security controls.
OpenVPN server 2.4.6-r3-IKS-385 2.4.6-r3-IKS-462 Updated image to implement additional IBM security controls.

Change log for worker node fix pack 1.19.15_1567, released 10 November 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.15_1567. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.15_1566
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node image packages for CVE-2020-16592, CVE-2020-27781, CVE-2021-25219, CVE-2021-3487, CVE-2021-3524, CVE-2021-3531, and CVE-2021-40490.

Change log for master fix pack 1.19.15_1565, released 29 October 2021

The following table shows the changes that are in the master fix pack patch update 1.19.15_1565. Master patch updates are applied automatically.

Changes since version 1.19.15_1560
Component Previous Current Description
Cluster health image v1.2.15 v1.2.16 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs: CVE-2021-36222, CVE-2021-37750, CVE-2021-22922, CVE-2021-22923, and CVE-2021-22924.
etcd v3.4.16 v3.4.17 See the etcd release notes.
IBM Calico extension 763 864 Updated to use Go version 1.16.9. Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs.
IBM Cloud Controller Manager v1.19.15-1 v1.19.15-3 Updated to ignore VPC load balancer (LB) state when a LB delete is requested.
IBM Cloud File Storage for Classic plug-in and monitor 400 401 Updated universal base image (UBI) to the latest 8.4-210 version to resolve CVEs.
Key Management Service provider v2.3.7 v2.3.8 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs: CVE-2021-36222, CVE-2021-37750, CVE-2021-22922, CVE-2021-22923, and CVE-2021-22924.

Change log for worker node fix pack 1.19.15_1566, released 25 October 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.15_1566. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.15_1562
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates. Contains fix for cloud-init performance problem.
Worker-pool taint automation N/A N/A Fixes known issue related to worker-pool taint automation that prevents workers from getting providerID.

Change log for worker node fix pack 1.19.15_1562, released 11 October 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.15_1562. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.15_1561
Component Previous Current Description
Containerd v1.4.9 v1.4.11 See the security bulletin and the change logs.
Ubuntu 18.04 packages 4.15.0-158 4.15.0-159 Updated worker node images and kernel with package updates CVE-2021-3778 and CVE-2021-3796.

Change log for worker node fix pack 1.19.15_1561, released 27 September 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.15_1561. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.14_1559
Component Previous Current Description
Disk identification N/A N/A Enhanced the disk identification logic to handle the case of 2+ partitions.
HA proxy 9c98dc5 07f1e9 Updated image with fixes for CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-36222, and CVE-2021-37750.
Kubernetes 1.19.14 1.19.15 See the change logs. This update resolves CVE-2021-25741. For more information, see the IBM security bulletin).
Ubuntu 18.04 packages 4.15.0-156 4.15.0-158 Updated worker node images and kernel with package updates CVE-2021-22946, CVE-2021-22947 CVE-2021-33560, CVE-2021-3709, CVE-2021-3710, CVE-2021-40330, CVE-2021-40528, and CVE-2021-41072.

Change log for master fix pack 1.19.15_1560, released 28 September 2021

The following table shows the changes that are in the master fix pack patch update 1.19.15_1560. Master patch updates are applied automatically.

Changes since version 1.19.14_1557
Component Previous Current Description
Calico N/A N/A Increased liveness and readiness probe timeouts to 10 seconds.
Gateway-enabled cluster controller 1444 1510 Updated image for CVE-2021-3711 and CVE-2021-3712.
GPU device plug-in and installer a9461a8 eb817b2 Updated to use Go version 1.16.7.
IBM Cloud Controller Manager v1.19.14-1 v1.19.15-1 Updated to support the Kubernetes 1.19.15 release. Fixed a bug that might cause node initialization to fail when a new node reuses the name of a deleted node.
IBM Cloud RBAC Operator 945df65 e3cb629 Updated to use Go version 1.16.7.
IBM Cloud File Storage for Classic plug-in and monitor 398 400 Updated to use Go version 1.16.7. Updated universal base image (UBI) to the latest 8.4-208 version to resolve CVEs.
Kubernetes v1.19.14 v1.19.15 See the Kubernetes release notes.
Kubernetes API server auditing configuration N/A N/A Updated to support verbose Kubernetes API server auditing.
Kubernetes NodeLocal DNS cache N/A N/A Increased memory resource requests from 5Mi to 8Mi to better align with normal resource utilization.
Load balancer and load balancer monitor for IBM Cloud Provider 1510 1550 Updated image for CVE-2021-3711 and CVE-2021-3712.
Operator Lifecycle Manager 0.16.1-IKS-12 0.16.1-IKS-14 Updated image for CVE-2021-3711 and CVE-2021-3712.

Change log for worker node fix pack 1.19.14_1559, released 13 September 2021

The following table shows the changes that are in the worker node fix pack patch update 1.1914_1559. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.14_1558
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-154 4.15.0-156 Updated worker node images and kernel with package updates for CVE-2021-3653, CVE-2021-3656, CVE-2021-38185, CVE-2021-40153.

Change log for worker node fix pack 1.19.14_1558, released 30 August 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.14_1558. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.13_1556
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-153 4.15.0-154 Updated worker node images and kernel with package updates for CVE-2021-3711 and CVE-2021-3712.

Change log for master fix pack 1.19.14_1557, released 25 August 2021

The following table shows the changes that are in the master fix pack patch update 1.19.14_1557. Master patch updates are applied automatically.

Changes since version 1.19.13_1554
Component Previous Current Description
Calico N/A N/A Updated the rolling update configuration for the calico-node daemonset in the kube-system namespace. The configuration is now the same regardless of the number of cluster worker nodes.
Cluster health image v1.2.14 v1.2.15 Updated to use Go version 1.15.15. Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs.
Gateway-enabled cluster controller 1348 1444 Updated image for CVE-2021-36159.
GPU device plug-in and installer 82ee77b a9461a8 Updated to use Go version 1.16.6.
IBM Calico extension 747 763 Updated to use Go version 1.16.6. Updated UBI to the latest 8.4-205 version to resolve CVEs.
IBM Cloud Controller Manager v1.19.13-1 v1.19.14-1 Updated to support the Kubernetes 1.19.14 release and to use Go version 1.15.15.
IBM Cloud File Storage for Classic plug-in and monitor 395 398 Updated to use Go version 1.16.6. Updated image for CVE-2021-33910.
Key Management Service provider v2.3.6 v2.3.7 Updated to use Go version 1.15.15. Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs.
Kubernetes v1.19.13 v1.19.14 See the Kubernetes release notes.
Kubernetes Dashboard metrics scraper v1.0.6 v1.0.7 See the Kubernetes Dashboard metrics scraper release notes.
Kubernetes DNS autoscaler 1.8.3 1.8.4 See the Kubernetes DNS autoscaler release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1328 1510 Updated image for CVE-2020-27780.
Operator Lifecycle Manager 0.16.1-IKS-10 0.16.1-IKS-12 Updated image for CVE-2021-36159.

Change log for worker node fix pack 1.19.13_1556, released 16 August 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.13_1556. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.13_1555
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-151 4.15.0-153 N/A
HA proxy 68e6b3 9c98dc Updated image with fixes for CVE-2021-27218.

Change log for worker node fix pack 1.19.13_1555, released 02 August 2021

The following table shows the changes that are in the worker node fix pack patch update 1.19.13_1555. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.12_1553
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-147 4.15.0-151 Updated worker node images & Kernel with package updates: CVE-2020-13529, CVE-2021-22898, CVE-2021-22924 CVE-2021-22925, CVE-2021-33200, CVE-2021-33909, and CVE-2021-33910.
Containerd v1.4.6 v1.4.8 For more information, see the change logs. The update resolves CVE-2021-32760 (see the IBM security bulletin).
HA proxy aae810 68e6b3 Updated image with fixes for CVE-2021-33910.
Registry endpoints Added zonal public registry endpoints for clusters with both private and public service endpoints enabled.
Read only disk self healing For VPC Gen2 workers. Added automation to recover from disks going read only.
Kubernetes v1.19.12 v1.19.13 See the Kubernetes release notes.

Change log for master fix pack 1.19.13_1554, released 27 July 2021

The following table shows the changes that are in the master fix pack patch update 1.19.13_1554. Master patch updates are applied automatically.

Changes since version 1.19.12_1551
Component Previous Current Description
Cluster health image v1.2.13 v1.2.14 Updated universal base image (UBI) to the latest version to resolve CVEs.
etcd v3.4.14 v3.4.16 See the etcd release notes.
GPU device plug-in and installer 22e2e0d 82ee77b Updated image for CVE-2021-20271, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541 and CVE-2021-3520.
IBM Calico extension 730 747 Updated universal base image (UBI) to version 8.4-205 to resolve CVEs.
IBM Cloud Controller Manager v1.19.12-2 v1.19.13-1 Updated to support the Kubernetes 1.19.13 release and to use Go version 1.15.14.
IBM Cloud File Storage for Classic plug-in and monitor 394 395 Updated universal base image (UBI) to version 8.4-205 to resolve CVEs.
IBM Cloud RBAC Operator b68ea92 945df65 Updated image for CVE-2021-33194.
Key Management Service provider v2.3.5 v2.3.6 Updated universal base image (UBI) to the latest version to resolve CVEs.
Kubernetes v1.19.12 v1.19.13 See the Kubernetes release notes.

Change log for worker node fix pack 1.19.12_1553, released 19 July 2021

The following table shows the changes that are in the worker node fix pack 1.19.12_1553. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.12_1552
Component Previous Current Description
Ubuntu 16.04 packages N/A N/A Updated worker node images with kernel package updates.
Ubuntu 18.04 packages N/A N/A Updated worker node images with kernel package updates.

Change log for worker node fix pack 1.19.12_1552, released 6 July 2021

The following table shows the changes that are in the worker node fix pack 1.19.12_1552. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.11_1550
Component Previous Current Description
HA proxy 700dc6 aae810 Updated image with fixes for CVE-2021-3520, CVE-2021-20271, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, and CVE-2021-3541.
Kubernetes v1.19.11 v1.19.12 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0.144 4.15.0.147 Updated worker node images with kernel package updates for CVE-2021-23133, CVE-2021-3444, and CVE-2021-3600.

Change log for master fix pack 1.19.12_1551, released 28 June 2021

The following table shows the changes that are in the master fix pack patch update 1.19.12_1551. Master patch updates are applied automatically.

Changes since version 1.19.11_1547
Component Previous Current Description
Calico v3.16.8 v3.16.10 See the Calico release notes.
Cluster health image v1.2.12 v1.2.13 Updated to use Go version 1.15.12. Updated image for CVE-2021-33194.
Gateway-enabled cluster controller 1352 1348 Updated to run as a non-root user by default, with privileged escalation as needed.
GPU device plug-in and installer 19bf25c 22e2e0d Updated to use Go version 1.15.12. Updated universal base image (UBI) to version 8.4 to resolve CVEs. Updated the GPU drivers to version 460.73.01.
IBM Calico extension 689 730 Updated to use Go version 1.16.15. Updated minimal UBI to version 8.4 to resolve CVEs.
IBM Cloud Controller Manager v1.19.11-3 v1.19.12-2 Updated to support the Kubernetes 1.19.12 release and to use Go version 1.15.13. Updated Go dependencies to resolve CVEs. Updated image to implement additional IBM security controls.
IBM Cloud File Storage for Classic plug-in and monitor 392 394 Updated to use Go version 1.15.12. Updated UBI to version 8.4 to resolve CVEs.
IBM Cloud RBAC Operator 63cd064 b68ea92 Updated to use Go version 1.16.4. Updated UBI to version 8.4 to resolve CVEs.
Key Management Service provider v2.3.4 v2.3.5 Updated to use Go version 1.15.12. Updated image for CVE-2021-33194.
Kubernetes v1.19.11 v1.19.12 See the Kubernetes release notes.
Portieris admission controller v0.10.2 v0.10.3 See the Portieris admission controller release notes.

Change log for worker node fix pack 1.19.11_1550, released 22 June 2021

The following table shows the changes that are in the worker node fix pack 1.19.11_1550. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.11_1549
Component Previous Current Description
HA proxy 26c5cc d3dc33 Updated image with fixes for CVE-2020-24977, CVE-2020-13434, CVE-2020-15358, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2019-2708, CVE-2019-13012, CVE-2020-13543, CVE-2020-13584, CVE-2020-9948, CVE-2020-9951, CVE-2020-9983, CVE-2021-27219, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2016-10228, CVE-2019-25013, CVE-2019-9169, CVE-2020-27618, CVE-2021-3326, CVE-2020-26116, CVE-2020-27619, CVE-2021-23336, CVE-2021-3177, CVE-2019-3842, CVE-2020-13776, CVE-2020-24330, CVE-2020-24331, CVE-2020-24332, CVE-2017-14502, CVE-2020-8927 and CVE-2020-28196.
IBM Cloud Container Registry N/A N/A Added private-only registry support for ca.icr.io, br.icr.io and jp2.icr.io.
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2017-8779, CVE-2017-8872, CVE-2018-16869, CVE-2019-20388, CVE-2020-24977, CVE-2021-3516, CVE-2021-3517 CVE-2021-3518, CVE-2021-3537, CVE-2021-3580.

Change log for worker node fix pack 1.19.11_1549, released 7 June 2021

The following table shows the changes that are in the worker node fix pack 1.19.11_1549. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.11_1548
Component Previous Current Description
HA proxy 26c5cc 700dc6 Updated the image for CVE-2021-27219.
TCP keepalive optimization for VPC N/A N/A Set the net.ipv4.tcp_keepalive_time setting to 180 seconds for compatibility with VPC gateways.
Ubuntu 18.04 packages 4.15.0-143 4.15.0-144 Updated worker node images with kernel package updates for CVE-2021-25217, CVE-2021-31535, CVE-2021-32547, CVE-2021-32552, CVE-2021-32556, CVE-2021-32557, CVE-2021-3448, and CVE-2021-3520.

Change log for worker node fix pack 1.19.11_1548, released 24 May 2021

The following table shows the changes that are in the worker node fix pack 1.19.11_1548. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.10_1546
Component Previous Current Description
Containerd v1.4.5 v1.4.6 See the containerd release notes. The update resolves CVE-2021-30465 (see the IBM security bulletin).
HA proxy e0fa2f 26c5cc Updated image with fixes for CVE-2020-26116, CVE-2020-27619, CVE-2021-23336, CVE-2021-3177, CVE-2019-3842, CVE-2020-13776, CVE-2019-18276, CVE-2020-24977, CVE-2020-13434, CVE-2020-15358, CVE-2019-13012, CVE-2020-13543, CVE-2020-13584, CVE-2020-9948, CVE-2020-9951, CVE-2020-9983, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2020-24330, CVE-2020-24331, CVE-2020-24332, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2020-28196, CVE-2019-2708, CVE-2016-10228, CVE-2019-25013, CVE-2019-9169, CVE-2020-27618, CVE-2021-3326, and CVE-2020-8927.
Kubernetes v1.19.10 v1.19.11 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0-142 4.15.0-143 Updated worker node images with kernel package updates for CVE-2021-28688, CVE-2021-20292, CVE-2021-29264, CVE-2021-29265, and CVE-2021-29650.
Ubuntu 16.04 packages N/A N/A Updated worker node images with package updates for CVE-2009-5155 and CVE-2020-6096.

Change log for master fix pack 1.19.11_1547, released 24 May 2021

The following table shows the changes that are in the master fix pack patch update 1.19.11_1547. Master patch updates are applied automatically.

Changes since version 1.19.10_1545
Component Previous Current Description
Cluster health image v1.2.11 v1.2.12 Improved the add-on status information that is displayed when errors occur. Updated image to implement additional IBM security controls and for CVE-2020-26160, CVE-2020-28483 and CVE-2021-20305.
CoreDNS 1.8.3 1.8.0 See the CoreDNS release notes.
IBM Calico extension 661 689 Updated to use Go version 1.15.12.
IBM Cloud Controller Manager v1.19.10-2 v1.19.11-3 Updated to support the Kubernetes 1.19.11 release and to use Go version 1.15.12.
IBM Cloud File Storage for Classic plug-in and monitor 390 392 Improved the prerequisite validation logic for provisioning persistent volume claims (PVCs). Updated image to implement additional IBM security controls and for CVE-2021-20305.
IBM Cloud RBAC Operator b6a694b 63cd064 Updated image to implement additional IBM security controls and for CVE-2020-28483.
Key Management Service provider v2.3.3 v2.3.4 Updated image to implement additional IBM security controls and for CVE-2020-28483 and CVE-2020-26160.
Kubernetes v1.19.10 v1.19.11 See the Kubernetes release notes. The update resolves CVE-2020-8562 (see the IBM security bulletin) and CVE-2021-25737 (see the IBM security bulletin).
Kubernetes add-on resizer 1.8.11 1.8.12 See the Kubernetes add-on resizer release notes.
Kubernetes Metrics Server v0.3.7 v0.4.4 See the Kubernetes Metrics Server release notes.
Operator Lifecycle Manager 0.16.1-IKS-9 0.16.1-IKS-10 Fixed a bug that was caused by a missing /bin/cpb binary file.
Portieris admission controller v0.10.1 v0.10.2 See the Portieris admission controller release notes.

Change log for worker node fix pack 1.19.10_1546, released 10 May 2021

The following table shows the changes that are in the worker node fix pack 1.19.10_1546. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.10_1544
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216.
Ubuntu 16.04 packages N/A N/A Updated worker node images with package updates for CVE-2020-27350, CVE-2020-3810, CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216.

Change log for master fix pack 1.19.10_1545, released 4 May 2021

The following table shows the changes that are in the master fix pack patch update 1.19.10_1545. Master patch updates are applied automatically.

Changes since version 1.19.10_1543
Component Previous Current Description
IBM Calico extension 618 661 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2020-14391, CVE-2020-25661 and CVE-2020-25662.
Gateway-enabled cluster controller 1322 1352 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-28831, CVE-2021-30139, CVE-2021-3449 and CVE-2021-3450.
IBM Cloud Controller Manager v1.19.10-1 v1.19.10-2 Updated to support VPC private network load balancers.
Load balancer and load balancer monitor for IBM Cloud Provider 1274 1328 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-28831, CVE-2021-30139, CVE-2021-3449 and CVE-2021-3450.

Change log for master fix pack 1.19.10_1543, released 27 April 2021

The following table shows the changes that are in the master fix pack patch update 1.19.10_1543. Master patch updates are applied automatically.

Changes since version 1.19.9_1540
Component Previous Current Description
Cluster health image v1.2.9 v1.2.11 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305.
CoreDNS 1.8.0 1.8.3 See the CoreDNS release notes.
GPU device plug-in and installer c1c6dd3 19bf25c Updated image for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305.
IBM Cloud Controller Manager v1.19.9-1 v1.19.10-1 Updated to support the Kubernetes 1.19.10 release and to use Go version 1.15.10.
IBM Cloud File Storage for Classic plug-in and monitor 389 390 Updated to use Go version 1.15.9 and for CVE-2020-28851 and CVE-2021-3121.
IBM Cloud RBAC Operator 3dd6bbc b6a694b Updated image for CVE-2021-3449 and CVE-2021-3450.
Key Management Service provider v2.2.5 v2.3.3 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305.
Kubernetes v1.19.9 v1.19.10 See the Kubernetes release notes. The update resolves CVE-2021-25735 (see the IBM security bulletin).
Kubernetes NodeLocal DNS cache 1.15.14 1.17.3 See the Kubernetes NodeLocal DNS cache release notes.
Operator Lifecycle Manager 0.16.1-IKS-5 0.16.1-IKS-9 Updated image for CVE-2021-3449, CVE-2021-3450, and CVE-2021-30139.
OpenVPN client 2.4.6-r3-IKS-301 2.4.6-r3-IKS-386 Updated image to implement additional IBM security controls.
OpenVPN server 2.4.6-r3-IKS-301 2.4.6-r3-IKS-385 Updated image to implement additional IBM security controls.

Change log for worker node fix pack 1.19.10_1544, released 26 April 2021

The following table shows the changes that are in the worker node fix pack 1.19.10_1544. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.9_1542
Component Previous Current Description
HA proxy a3b1ff e0fa2f The update addresses CVE-2021-20305.
Ubuntu 18.04 packages N/A N/A Added resiliency to systemd units to prevent failures situations where the worker nodes are overused. Updated worker node images with kernel and package updates for CVE-2018-13095, CVE-2021-20305, CVE-2021-29154, and CVE-2021-3348.
Ubuntu 16.04 packages 4.4.0-206 4.4.0-210 Updated worker node images with kernel and package updates for [CVE-2015-1350, CVE-2017-15107, CVE-2017-5967, CVE-2018-13095, CVE-2018-5953, CVE-2019-14513, CVE-2019-16231, CVE-2019-16232, CVE-2019-19061, CVE-2021-20305, and CVE-2021-29154.

Change log for worker node fix pack 1.19.9_1542, released 12 April 2021

The following table shows the changes that are in the worker node fix pack 1.19.9_1542. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.9_1541
Component Previous Current Description
HA proxy 9b2dca a3b1ff The update addresses CVE-2021-3449 and CVE-2021-3450.
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2021-22876.
Ubuntu 16.04 packages N/A N/A Updated worker node images with package updates for CVE-2021-22876.

Change log for master fix pack 1.19.9_1540, released 30 March 2021

The following table shows the changes that are in the master fix pack patch update 1.19.9_1540. Master patch updates are applied automatically.

Changes since version 1.19.8_1538
Component Previous Current Description
Activity Tracker event N/A N/A Now, the containers-kubernetes.version.update event is sent to Activity Tracker when a master fix pack update is initiated for a cluster.
Cluster health image v1.2.8 v1.2.9 Updated image for CVE-2020-28851.
Gateway-enabled cluster controller 1232 1322 Updated to use Go version 1.15.10 and for CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841.
GPU device plug-in and installer af5a6cb c1c6dd3 Updated image for CVE-2021-27919, CVE-2020-28851, and CVE-2020-28852.
IBM Cloud Controller Manager v1.19.8-4 v1.19.9-1 Updated to support the Kubernetes 1.19.9 release. Fixed a bug that prevented VPC load balancers from supporting more than 50 subnets in an account.
IBM Cloud File Storage for Classic plug-in and monitor 388 389 Updated to use Go version 1.15.8.
IBM Cloud RBAC Operator 86de2b7 3dd6bbc Updated image for CVE-2020-28851.
Kubernetes v1.19.8 v1.19.9 See the Kubernetes release notes.

Change log for worker node fix pack 1.19.9_1541, released 29 March 2021

The following table shows the changes that are in the worker node fix pack 1.19.9_1541. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.8_1539
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-136-generic 4.15.0-140-generic Updated worker node images with kernel and package updates for CVE-2020-27170, CVE-2020-27171, CVE-2021-27363, CVE-2021-27365, CVE-2021-28153, and CVE-2021-3449.
Ubuntu 16.04 packages 4.4.0-203-generic 4.4.0-206-generic Updated worker node images with kernel and package updates for CVE-2021-27363, CVE-2021-27365, and CVE-2021-28153.

Change log for worker node fix pack 1.19.8_1539, released 12 March 2021

The following table shows the changes that are in the worker node fix pack 1.19.8_1539. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.8_1538
Component Previous Current Description
Containerd v1.4.3 v1.4.4 See the containerd release notes. The update resolves CVE-2021-21334 (see the IBM security bulletin.
Ubuntu 18.04 packages N/A N/A Updated worker node image with package updates for CVE-2021-21300, CVE-2021-24031, CVE-2021-24032, CVE-2021-27218, and CVE-2021-27219.
Ubuntu 16.04 packages N/A N/A Updated worker node image with package updates for{: external}, CVE-2021-21300, CVE-2021-27218, CVE-2021-27219, and CVE-2021-3177.

Change log for worker node fix pack 1.19.8_1538, released 1 March 2021

The following table shows the changes that are in the worker node fix pack 1.19.8_1538. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.7_1535
Component Previous Current Description
Kubernetes v1.19.7 v1.19.8 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0-135-generic 4.15.0-136-generic Updated worker node image with package updates for CVE-2020-27619, CVE-2020-29372, CVE-2020-29374, CVE-2020-8625, CVE-2021-23840, CVE-2021-23841, CVE-2021-26937, CVE-2021-27212, and CVE-2021-3177.
Ubuntu 16.04 packages 4.4.0-201-generic 4.4.0-203-generic Updated worker node image with package updates for CVE-2020-27619, CVE-2020-29372, CVE-2020-29374, CVE-2020-8625, CVE-2021-23840, CVE-2021-23841, CVE-2021-26937, CVE-2021-27212, and CVE-2021-3177.

Change log for master fix pack 1.19.8_1538, released 27 February 2021

The following table shows the changes that are in the master fix pack patch update 1.19.8_1538. Master patch updates are applied automatically.

Changes since version 1.19.8_1537
Component Previous Current Description
Calico v3.16.7 v3.16.8 See the Calico release notes.
IBM Cloud Controller Manager v1.19.8-2 v1.19.8-4 Updated to use calicoctl version 3.16.8.
Load balancer and load balancer monitor for IBM Cloud Provider 1165 1274 Fixed a bug that might cause version 2.0 network load balancers (NLBs) to crash and restart on load balancer updates.

Change log for master fix pack 1.19.8_1537, released 22 February 2021

The following table shows the changes that are in the master fix pack patch update 1.19.8_1537. Master patch updates are applied automatically.

Changes since version 1.19.7_1532
Component Previous Current Description
Calico v3.16.5 v3.16.7 See the Calico release notes.
Cluster health image v1.2.6 v1.2.8 Updated to use Go version 1.15.7. Updated image to implement additional IBM security controls.
Gateway-enabled cluster controller 1195 1232 Updated to use Go version 1.15.7.
IBM Calico extension 567 618 Updated to use Go version 1.15.7.
IBM Cloud Controller Manager v1.19.7-4 v1.19.8-2 Updated to support the Kubernetes 1.19.8 release, to use Go version 1.15.8, and to use calicoctl version 3.16.7. Updated image to implement additional IBM security controls and for DLA-2509-1. Updated version 1.0 and 2.0 network load balancers (NLBs) to run as a non-root user by default, with privileged escalation as needed.
IBM Cloud File Storage for Classic plug-in and monitor 385 388 Improved the retry logic for provisioning persistent volume claims (PVCs).
IBM Cloud RBAC Operator f859228 86de2b7 Updated to use Go version 1.15.7.
Key Management Service provider v2.2.3 v2.2.5 Updated to use Go version 1.15.7. Updated image to implement additional IBM security controls.
Kubernetes v1.19.7 v1.19.8 See the Kubernetes release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1078 1165 Updated to run as a non-root user by default, with privileged escalation as needed. Updated to use Go version 1.15.7.
Operator Lifecycle Manager 0.16.1-IKS-3 0.16.1-IKS-5 Updated image for CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841.

Change log for worker node fix pack 1.19.7_1535, released 15 February 2021

The following table shows the changes that are in the worker node fix pack 1.19.7_1535. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.7_1534
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node image with package updates for CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2021-25682, CVE-2021-25683, and CVE-2021-25684.
Ubuntu 16.04 packages N/A N/A Updated worker node image with package updates for CVE-2020-36221, CVE-2020-36222, CVE-2020-36223, CVE-2020-36224, CVE-2020-36225, CVE-2020-36226, CVE-2020-36227, CVE-2020-36228, CVE-2020-36229, CVE-2020-36230, CVE-2021-25682, CVE-2021-25683, and CVE-2021-25684.

Change log for worker node fix pack 1.19.7_1534, released 3 February 2021

The following table shows the changes that are in the worker node fix pack 1.19.7_1534. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.7_1533
Component Previous Current Description
Metadata updates N/A N/A Updated the worker node version fix pack metadata for internal documentation purposes.

Change log for worker node fix pack 1.19.7_1533, released 1 February 2021

The following table shows the changes that are in the worker node fix pack 1.19.7_1533. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.7_1532
Component Previous Current Description
Ubuntu 16.04 packages 4.4.0-200-generic 4.4.0-201-generic Updated worker node image with kernel and package updates for CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687, CVE-2020-27777, CVE-2021-23239, and CVE-2021-3156.
Ubuntu 18.04 packages 4.15.0-132-generic 4.15.0-135-generic Updated worker node image with kernel and package updates for CVE-2019-12761, CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687, CVE-2020-27777, CVE-2021-23239, and CVE-2021-3156.

Change log for master fix pack 1.19.7_1532, released 19 January 2021

The following table shows the changes that are in the master fix pack patch update 1.19.7_1532. Master patch updates are applied automatically.

Changes since version 1.19.6_1531
Component Previous Current Description
Cluster health image v1.2.4 v1.2.6 Updated image to implement additional IBM security controls.
Gateway-enabled cluster controller 1184 1195 Updated image for CVE-2020-1971.
GPU device plug-in and installer c26e2ae af5a6cb Updated image for CVE-2021-3114, CVE-2021-3115, CVE-2020-27350, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2020-1971, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286.
IBM Calico extension 556 567 Updated image for CVE-2020-1971 and CVE-2020-24659.
IBM Cloud Controller Manager v1.19.6-1 v1.19.7-4 Updated to support the Kubernetes 1.19.7 release and to implement additional IBM security controls.
IBM Cloud File Storage for Classic plug-in and monitor 384 385 Updated image for CVE-2020-1971 and CVE-2020-24659.
Key Management Service provider v2.2.2 v2.2.3 Fixed bug to ignore conflict errors during KMS secret re-encryption. Updated to use Go version 1.15.5. Updated image to implement additional IBM security controls and for CVE-2020-1971.
Kubernetes v1.19.6 v1.19.7 See the Kubernetes release notes. Updated to implement additional IBM security controls.
Kubernetes Dashboard v2.0.4 v2.0.5 See the Kubernetes Dashboard release notes.
Kubernetes Dashboard metrics scraper v1.0.4 v1.0.6 See the Kubernetes Dashboard metrics scraper release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1004 1078 Updated image for CVE-2020-1971.
Operator Lifecycle Manager Catalog v1.14.0 v1.15.3 See the Operator Lifecycle Manager Catalog release notes.
Operator Lifecycle Manager 0.16.1 0.16.1-IKS-3 Updated image for CVE-2020-1971.

Change log for worker node fix pack 1.19.7_1532, released 18 January 2021

The following table shows the changes that are in the worker node fix pack 1.19.7_1532. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.5_1530
Component Previous Current Description
Kubernetes v1.19.5 v1.19.7 See the Kubernetes release notes.
Ubuntu 16.04 packages 4.4.0-197-generic 4.4.0-200-generic Updated worker node image with kernel and package updates for CVE-2018-20482, CVE-2019-9923, CVE-2020-28374, CVE-2020-29361 external}, and CVE-2020-29362 external}.
Ubuntu 18.04 packages 4.15.0-128-generic 4.15.0-132-generic Updated worker node image with kernel and package updates for{: external}, CVE-2018-20482, CVE-2019-9923, CVE-2020-28374, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2021-1052, CVE-2021-1053, and CVE-2019-19770.

Change log for master fix pack 1.19.6_1531, released 6 January 2021

The following table shows the changes that are in the master fix pack patch update 1.19.6_1531. Master patch updates are applied automatically.

Changes since version 1.19.5_1529
Component Previous Current Description
IBM Calico extension 538 556 Updated image to include the ip command.
IBM Cloud Controller Manager v1.19.5-1 v1.19.6-1 Updated to support the Kubernetes 1.19.6 release and to use Go version 1.15.5.
IBM Cloud File Storage for Classic plug-in N/A N/A Updated to run with a privileged security context.
IBM Cloud RBAC Operator c148a8a f859228 Updated image for CVE-2020-1971 and CVE-2020-24659.
Kubernetes v1.19.5 v1.19.6 See the Kubernetes release notes.
Kubernetes NodeLocal DNS cache N/A N/A Updated to run with a least privileged security context.

Change log for worker node fix pack 1.19.5_1530, released 21 December 2020

The following table shows the changes that are in the worker node fix pack 1.19.5_1530. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.5_1529
Component Previous Current Description
Ubuntu 16.04 packages N/A N/A Updated worker node image with package updates for: CVE-2020-1971, CVE-2020-27350, CVE-2020-27351, CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286.
Ubuntu 18.04 packages 4.15.0-126-generic 4.15.0-128-generic Updated worker node image with kernel and package updates for: CVE-2020-1971, CVE-2020-27350, CVE-2020-27351, CVE-2020-8284, CVE-2020-8285, and CVE-2020-8286.
Kubernetes v1.19.4 v1.19.5 See the Kubernetes change logs.
Ephemeral storage reservations N/A N/A Reserve local ephemeral storage to prevent workload evictions.
HA proxy db4e6d 9b2dca Image update for CVE-2020-1971 and CVE-2020-24659.

Change log for master fix pack 1.19.5_1529, released 14 December 2020

The following table shows the changes that are in the master fix pack patch update 1.19.5_1529. Master patch updates are applied automatically.

Changes since version 1.19.4_1527
Component Previous Current Description
Cluster health image v1.2.3 v1.2.4 Updated image to implement additional IBM security controls.
etcd v3.4.13 v3.4.14 See the etcd release notes.
Gateway-enabled cluster controller 1105 1184 Updated to use Go version 1.15.5. Updated image to implement additional IBM security controls.
GPU device plug-in and installer b966c41 c26e2ae Updated the GPU drivers to version 450.80.02. Updated image for CVE-2020-28367, CVE-2020-28366, and CVE-2020-28362. Updated image to implement additional IBM security controls.
IBM Calico extension 378 538 Updated to use the universal base image (UBI) and to use Go version 1.15.5. Updated image to implement additional IBM security controls.
IBM Cloud Controller Manager v1.19.4-1 v1.19.5-1 Updated to support the Kubernetes 1.19.5 release. Updated image to implement additional IBM security controls. Fixed a bug in VPC load balancer creation when the cluster, VPC, or subnet are in a different resource group.
IBM Cloud File Storage for Classic monitor 379 384 Updated to use Go version 1.15.5 and to run as a non-root user. Updated image to implement additional IBM security controls.
IBM Cloud File Storage for Classic plug-in 379 384 Updated to use Go version 1.15.5 and to run with a least privileged security context. Updated image to implement additional IBM security controls.
IBM Cloud RBAC Operator 197bc70 c148a8a Updated to use Go version 1.15.6 and updated image to implement additional IBM security controls.
Key management service (KMS) provider v2.2.1 v2.2.2 Updated image to implement additional IBM security controls.
Kubernetes v1.19.4 v1.19.5 See the Kubernetes release notes.
Kubernetes NodeLocal DNS cache N/A N/A Updated the NodeLocal DNS cache configuration to support customizing the node-local-dns config map.
Load balancer and load balancer monitor for IBM Cloud Provider 208 1004 Updated Alpine base image to version 3.12 and to use Go version 1.15.5. Updated image for CVE-2020-8037 and CVE-2020-28928. Updated image to implement additional IBM security controls.
Operator Lifecycle Manager N/A N/A Updated to run as a non-root user.
OpenVPN client 2.4.6-r3-IKS-116 2.4.6-r3-IKS-301 Updated image to implement additional IBM security controls.
OpenVPN server 2.4.6-r3-IKS-222 2.4.6-r3-IKS-301 Updated image to implement additional IBM security controls.

Change log for worker node fix pack 1.19.4_1529, released 11 December 2020

The following table shows the changes that are in the worker node fix pack 1.19.4_1529. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.4_1528
Component Previous Current Description
Ubuntu 18.04 bare metal kernel 4.15.0-126-generic 4.15.0-123-generic Bare metal worker nodes: Reverted the kernel version for bare metal worker nodes while Canonical addresses issues with the previous version that prevented worker nodes from being reloaded or updated.

Change log for worker node fix pack 1.19.4_1528, released 7 December 2020

The following table shows the changes that are in the worker node fix pack 1.19.4_1528. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.4_1527
Component Previous Current Description
Containerd v1.4.1 v1.4.3 See the containerd release notes. The update resolves CVE-2020–15257 (see the IBM security bulletin).
HA proxy 1.8.26-384f42 db4e6d Added provenance labels for source tracking.
Ubuntu 18.04 packages 4.15.0-123-generic 4.15.0-126-generic Updated worker node image with kernel and package updates for CVE-2020-14351 and CVE-2020-4788.
Ubuntu 16.04 packages 4.4.0-194-generic 4.4.0-197-generic Updated worker node image with kernel and package updates for CVE-2020-0427, CVE-2020-12352, CVE-2020-14351, CVE-2020-25645, and CVE-2020-4788.

Change log for worker node fix pack 1.19.4_1527, released 23 November 2020

The following table shows the changes that are in the worker node fix pack 1.19.4_1527. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.3_1526
Component Previous Current Description
Kubernetes v1.19.3 v1.19.4 See the Kubernetes change log.
Ubuntu 18.04 packages 4.15.0-122-generic 4.15.0-123-generic Updated worker node image with kernel and package updates for CVE-2020-25692, CVE-2020-25709, CVE-2020-25710, CVE-2020-28196, and CVE-2020-8694.
Ubuntu 16.04 packages 4.4.0-193-generic 4.4.0-194-generic Updated worker node image with kernel and package updates for CVE-2020-25692, CVE-2020-25709, CVE-2020-25710, CVE-2020-28196, and CVE-2020-8694.

Change log for master fix pack 1.19.4_1527, released 16 November 2020

The following table shows the changes that are in the master fix pack patch update 1.19.4_1527. Master patch updates are applied automatically.

Changes since version 1.19.3_1525
Component Previous Current Description
Calico v3.16.4 v3.16.5 See the Calico release notes.
Cluster health image v1.2.2 v1.2.3 Status codes have been added to add-on health messages. Set add-on health state to critical and status to unknown when cluster health is critical. When a cluster has a Kubernetes key management service (KMS) provider enabled and a disabled Key Protect key, cluster health state is now set to critical. Updated image for DLA-2424-1.
CoreDNS 1.7.1 1.8.0 See the CoreDNS release notes.
GPU device plug-in and installer 0c07674 b966c41 Updated image for CVE-2019-20386, CVE-2019-13050, CVE-2020-8177, CVE-2019-14889, CVE-2020-1730, CVE-2020-10029, CVE-2020-1751, CVE-2020-1752, CVE-2019-16168, CVE-2019-20218, CVE-2019-5018, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-6405, CVE-2020-9327, CVE-2019-1551, CVE-2019-19221, CVE-2019-16935, CVE-2019-20907, CVE-2020-14422, CVE-2020-8492, CVE-2019-19906, CVE-2019-20454, CVE-2019-19956, CVE-2019-20388, CVE-2020-7595, CVE-2019-13627, CVE-2018-20843, CVE-2019-15903, and CVE-2019-20387.
IBM Cloud Controller Manager v1.19.3-3 v1.19.4-1 Updated to support the Kubernetes 1.19.4 release. Updated image for DLA-2424-1.
IBM Cloud RBAC Operator 31c794a 197bc70 Updated image for CVE-2019-20454, CVE-2020-10029, CVE-2020-1751, CVE-2020-1752, CVE-2019-20807, CVE-2019-16935, CVE-2019-20907, CVE-2020-14422, CVE-2020-8492, CVE-2019-15165, CVE-2019-16168, CVE-2019-20218, CVE-2019-5018, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-6405, CVE-2020-9327, CVE-2020-8177, CVE-2019-13050, CVE-2018-20843, CVE-2019-15903, CVE-2019-14889, CVE-2020-1730, CVE-2019-1551, CVE-2020-14382, CVE-2019-13627, CVE-2019-19956, CVE-2019-20388, CVE-2020-7595, CVE-2019-20386, CVE-2019-19906, CVE-2019-20387, and CVE-2019-19221.
Key Management Service provider v2.1.0 v2.2.1 Updated to support service to service authentication and to use Go version 1.15.2. Updated image for DLA-2424-1.
Kubernetes v1.19.3 v1.19.4 See the Kubernetes release notes.

Change log for worker node fix pack 1.19.3_1526, released 9 November 2020

The following table shows the changes that are in the worker node fix pack 1.19.3_1526. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.3_1525
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node image with kernel and package updates for CVE-2018-14036, CVE-2020-10543, CVE-2020-10878, CVE-2020-12723, CVE-2020-16126, CVE-2020-25659, and CVE-2017-18269.
Ubuntu 16.04 packages N/A N/A Updated worker node image with package updates for CVE-2018-14036, CVE-2020-10543, CVE-2020-10878, CVE-2020-12723, CVE-2020-16126, and CVE-2020-25659.

Change log for worker node fix pack 1.19.3_1525, released 26 October 2020

The following table shows the changes that are in the worker node fix pack 1.19.3_1525. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.19.2_1524
Component Previous Current Description
Kubernetes v1.19.2 v1.19.3 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0-118-generic 4.15.0-122-generic Updated worker node images with kernel and package updates for CVE-2018-10322, CVE-2019-20807, CVE-2019-20916, CVE-2020-12351, CVE-2020-12352, CVE-2020-15999, CVE-2020-16119, CVE-2020-16120, CVE-2020-24490, and CVE-2020-26116.
Ubuntu 16.04 packages 4.4.0-190-generic 4.4.0-193-generic Updated worker node images with kernel and package updates for CVE-2017-17087, CVE-2018-10322, CVE-2019-20807, CVE-2020-15999, CVE-2020-16119, and CVE-2020-26116.

Change log for master fix pack 1.19.3_1525, released 26 October 2020

The following table shows the changes that are in the master fix pack patch update 1.19.3_1525. Master patch updates are applied automatically.

Changes since version 1.19.2_1524
Component Previous Current Description
Calico v3.16.2 v3.16.4 See the Calico release notes.
Calico configuration N/A N/A Updated the calico-node daemon set in the kube-system namespace to set the spec.updateStrategy.rollingUpdate.maxUnavailable parameter to 10% for clusters with more than 50 worker nodes.
Cluster health image v1.2.1 v1.2.2 Fixed the cluster health status for when add-on customizations are used.
IBM Cloud Controller Manager v1.19.2-9 v1.19.3-3 Updated to support the Kubernetes 1.19.3 release and to use Go version 1.15.2.
IBM Cloud File Storage for Classic plug-in and monitor 378 379 Updated to use the universal base image (UBI) and to use Go version 1.15.2.
Kubernetes v1.19.2 v1.19.3 See the Kubernetes release notes.

Change log for 1.19.2_1524, released 13 October 2020

The following table shows the changes that are in the 1.19.2_1524 version update.

Changes since version 1.18.9_1528
Component Previous Current Description
Calico v3.13.4 v3.16.2 See the Calico release notes. In addition, the Calico configuration was updated to use the Kubernetes API data store driver.
Cluster health image v1.1.11 v1.2.1 When a cluster has a Kubernetes key management service (KMS) provider enabled and a disabled Key Protect key, a warning is now returned in the cluster health state. In addition, updated to use Go version 1.15.2.
containerd 1.3.4 1.4.1 See the containerd release notes.
CoreDNS 1.6.9 1.7.1 See the CoreDNS release notes. In addition, the CoreDNS configuration was updated to increase the weight of scheduling CoreDNS pods to different worker nodes and zones.
Gateway-enabled cluster controller 1082 1105 Updated to use Go version 1.15.2.
IBM Cloud Controller Manager v1.18.9-1 v1.19.2-9 Updated to support the Kubernetes 1.19.2 release and to use Go version 1.15 and calicoctl version 3.16.2. Classic network load balancers (NLBs) now set NET_RAW security context. In addition, support was added for VPC network load balancers.
IBM Cloud RBAC Operator 4b47693 31c794a Updated to use Go version 1.15.2.
Key Management Service provider v2.0.4 v2.1.0 Updated to use the key management service (KMS) provider secret to identify when a Key Protect key is enabled and disabled so that encryption and decryption requests are updated accordingly.
Kubernetes v1.18.9 v1.19.2 See the Kubernetes release notes.
Kubernetes configuration N/A N/A Disabled the Kubernetes SCTPSupport and ServiceAppProtocol feature gates.
Kubernetes DNS autoscaler 1.7.1 1.8.3 See the Kubernetes DNS autoscaler release notes. In addition, the Kubernetes DNS autoscaler configuration was updated to include worker nodes that can't be scheduled in scaling calculations.
Kubernetes NodeLocal DNS cache 1.15.13 1.15.14 See the Kubernetes NodeLocal DNS cache release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 223 234 Updated to use Go version 1.15.2.
Operator Lifecycle Manager Catalog v1.6.1 v1.14.0 See the Operator Lifecycle Manager Catalog release notes.
Operator Lifecycle Manager 0.14.1-IKS-1 0.16.1 See the Operator Lifecycle Manager release notes.