IBM Cloud Docs
Kubernetes version 1.20 change log

Kubernetes version 1.20 change log

This version is no longer supported. Update your cluster to a supported version as soon as possible.

Overview

Unless otherwise noted in the change logs, the IBM Cloud Kubernetes Service provider version enables Kubernetes APIs and features that are at beta. Kubernetes alpha features, which are subject to change, are disabled.

For more information about major, minor, and patch versions and preparation actions between minor versions, see Kubernetes versions.

Check the Security Bulletins on IBM Cloud Status for security vulnerabilities that affect IBM Cloud Kubernetes Service. You can filter the results to view only Kubernetes Cluster security bulletins that are relevant to IBM Cloud Kubernetes Service. Change log entries that address other security vulnerabilities but don't also refer to an IBM security bulletin are for vulnerabilities that are not known to affect IBM Cloud Kubernetes Service in normal usage. If you run privileged containers, run commands on the workers, or execute untrusted code, then you might be at risk.

Some change logs are for worker node fix packs, and apply only to worker nodes. You must apply these patches to ensure security compliance for your worker nodes. These worker node fix packs can be at a higher version than the master because some build fix packs are specific to worker nodes. Other change logs are for master fix packs, and apply only to the cluster master. Master fix packs might not be automatically applied. You can choose to apply them manually. For more information about patch types, see Update types.

Version 1.20 change log

Change log for worker node fix pack 1.20.15_1583, released 7 June 2022

The following table shows the changes that are in the worker node fix pack 1.20.15_1583. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.15_1581
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-177 4.15.0-180 Worker node kernel & package updates for CVE-2019-13050, CVE-2022-1664, CVE-2022-29581.

Change log for master fix pack 1.20.15_1582, released 3 June 2022

The following table shows the changes that are in the master fix pack 1.20.15_1582. Master patch updates are applied automatically.

Changes since version 1.20.15_1578
Component Previous Current Description
Cluster health image v1.3.6 v1.3.7 Updated Go to version 1.17.10 and also updated the dependencies. Update registry base image version to 104
GPU device plug-in and installer 9485e14 382ada9 Updated Go to version 1.17.9
IBM Calico extension 954 980 Updated to use Go version 1.17.10. Updated minimal UBI to version 8.5.
IBM Cloud Controller Manager v1.20.15-9 v1.20.15-11 Build changes for new key.
IBM Cloud File Storage for Classic plug-in and monitor 408 410 Updated universal base image (UBI) to version 8.6-751 to resolve CVEs.
IBM Cloud RBAC Operator 8c8c82b 8c96932 Updated Go to version 1.18.1
Key Management Service provider v2.5.4 v2.5.5 Updated Go to version 1.17.10 and updated the golang dependencies.
Kubernetes add-on resizer 1.8.13 1.8.14 See the Kubernetes add-on resizer release notes.
Kubernetes Dashboard v2.3.1 v2.3.1 The default Kubernetes Dashboard settings found in the kubernetes-dashboard-settings config map in the kube-system namespace have been updated to set resourceAutoRefreshTimeInterval to 60. This default change is only applied to new clusters. The previous default value was 5. If your cluster has Kubernetes Dashboard performance problems, see the steps for changing the auto refresh time interval.
Load balancer and load balancer monitor for IBM Cloud Provider 1916 1998 Updated Go to version 1.17.10 and updated dependencies.

Change log for worker node fix pack 1.20.15_1581, released 23 May 2022

The following table shows the changes that are in the worker node fix pack 1.20.15_1581. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.15_1580
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-176 4.15.0-177 Worker node kernel & package updates for CVE-2019-20838, CVE-2020-14155, CVE-2020-25648, CVE-2020-35512, CVE-2021-26401, CVE-2022-0001, CVE-2022-0934, CVE-2022-26490, CVE-2022-27223, CVE-2022-27781, CVE-2022-27782, CVE-2022-28657, CVE-2022-29155, CVE-2022-29824, CVE-2017-9525, CVE-2022-28654, CVE-2022-28656, CVE-2022-28655, CVE-2022-28652, CVE-2022-1242, CVE-2022-28658, CVE-2021-3899.
HA proxy 36b0307 468c09 CVE-2021-3634.

Change log for worker node fix pack 1.20.15_1580, released 09 May 2022

The following table shows the changes that are in the worker node fix pack 1.20.15_1580. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.15_1579
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Worker node package updates for CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087, CVE-2022-1292, CVE-2022-22576, CVE-2022-27774, CVE-2022-27775, CVE-2022-27776, CVE-2022-29799, CVE-2022-29800.
Kubernetes N/A N/A N/A
Haproxy f53b22 36b030 CVE-2022-1271, CVE-2022-1154, CVE-2018-25032.

Change log for master fix pack 1.20.15_1578, released 26 April 2022

The following table shows the changes that are in the master fix pack 1.20.15_1578. Master patch updates are applied automatically.

Changes since version 1.20.15_1576
Component Previous Current Description
Cluster health image v1.3.5 v1.3.6 Updated Go to version 1.17.9 and also updated the dependencies. Update registry base image version to 103.
Gateway-enabled cluster controller 1669 1680 Updated metadata for a rotated key.
GPU device plug-in and installer 13677d2 9485e14 Updated Drivers to 470.103.01. Updated metadata for a rotated key.
IBM Calico extension 950 954 Updated to latest UBI-minimal image to resolve CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, CVE-2022-23308, CVE-2021-23177, and CVE-2021-31566.
IBM Cloud Controller Manager v1.20.15-6 v1.20.15-9 Updated vpcctl to the 3003 binary image.
IBM Cloud File Storage for Classic plug-in and monitor 407 408 Fixed CVE-2022-0778.
IBM Cloud RBAC Operator 6c43ef1 8c8c82b Updated Go to version 1.17.8
Key Management Service provider v2.5.3 v2.5.4 Moved to a different base image, version 102, to reduce CVE footprint. Resolved CVE-2022-0778.
Kubernetes NodeLocal DNS cache 1.21.3 1.21.4 See the Kubernetes NodeLocal DNS cache release notes.
Load balancer and Load balancer monitor for IBM Cloud Provider 1899 1916 Updated the image to resolve CVEs.
OpenVPN client 2.5.4-r0-IKS-579 2.5.6-r0-IKS-592 Upgrade openvpn to version 2.5.6-r0.
OpenVPN server 2.5.4-r0-IKS-578 2.5.6-r0-IKS-591 Upgrade openvpn to version 2.5.6-r0.

Change log for worker node fix pack 1.20.15_1579, released 25 April 2022

Changes since version 1.20.15_1577
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-175-generic 4.15.0-176-generic Kernel and package updates for CVE-2018-16301, CVE-2019-18276, CVE-2020-8037, CVE-2021-31870, CVE-2021-31871, CVE-2021-31872, CVE-2021-31873, CVE-2021-43975, CVE-2022-1271, CVE-2022-24765.

Change log for worker node fix pack 1.20.15_1577, released 11 April 2022

The following table shows the changes that are in the worker node fix pack 1.20.15_1577. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.15_1575
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-173-generic 4.15.0-175-generic Kernel and package updates for CVE-2018-25032 CVE-2021-3426 CVE-2021-4189 CVE-2022-0391 CVE-2022-21712 CVE-2022-21716 CVE-2022-25308 CVE-2022-25309 CVE-2022-25310 CVE-2022-27666.

Change log for master fix pack 1.20.15_1576, released 6 April 2022

Changes since version 1.20.15_1574
Component Previous Current Description
Load balancer and load balancer monitor for IBM Cloud Provider 1865 1899 Revert setting gratuitous ARP on LBv1.

Change log for master fix pack 1.20.15_1574, released 30 March 2022

Changes since version 1.20.15_1571
Component Previous Current Description
Cluster health image v1.3.3 v1.3.5 Updated image to fix CVEs CVE-2021-3999, CVE-2022-23218, CVE-2022-23219. Updated golang dependencies.
Gateway-enabled cluster controller 1653 1669 Updated to use Go version 1.17.8.
GPU device plug-in and installer d7daae6 13677d2 Updated GPU images to resolve CVEs.
IBM Calico extension 929 950 Updated to use Go version 1.17.8. Updated universal base image (UBI) to resolve CVEs.
IBM Cloud File Storage for Classic plug-in and monitor 405 407 Updated Go to version 1.16.14. Updated UBI image to version 8.5-240.
IBM Cloud RBAC Operator 0fc9949 6c43ef1 Upgraded Go packages to resolve vulnerabilities
Key Management Service provider v2.4.3 v2.5.3 Updated to use Go version 1.17.8. Updated golang dependencies. Fixed CVE CVE-2022-24407
Load balancer and Load balancer monitor for IBM Cloud Provider 1747 1865 Updated the image to resolve CVEs. Updated to use Go version 1.17.8. Set gratuitous ARP at the correct time on LBv1.
OpenVPN client 2.5.4-r0-IKS-556 2.5.4-r0-IKS-579 Updated Go to version 1.16.15.
OpenVPN server 2.5.4-r0-IKS-555 2.5.4-r0-IKS-578 Updated Go to version 1.16.15.
Operator Lifecycle Manager 0.16.1-IKS-15 0.16.1-IKS-16 Resolve CVE-2022-0778.

Change log for worker node fix pack 1.20.15_1575, released 28 March 2022

Changes since version 1.20.15_1573
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-171-generic 4.15.0-173-generic Kernel and package updates for CVE-2021-20193, CVE-2021-25220, CVE-2021-3506, CVE-2022-0435, CVE-2022-0492, CVE-2022-0778, CVE-2022-0847, CVE-2022-23308.
HA proxy 15198f b40c07 CVE-2021-45960, CVE-2021-46143, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-23852, CVE-2022-25235, CVE-2022-25236, CVE-2022-25315, CVE-2021-3999, CVE-2022-23218, CVE-2022-23219, CVE-2022-23308, CVE-2021-23177, CVE-2021-31566.
Kubernetes N/A N/A N/A

Change log for worker node fix pack 1.20.15_1573, released 14 March 2022

Changes since version 1.20.15_1572
Component Previous Current Description
Containerd v1.4.12 v1.4.13 See the change log and the security bulletin.
Ubuntu 18.04 packages 4.15.0-169-generic 4.15.0-171-generic Kernel and package updates for CVE-2016-10228, CVE-2019-25013, CVE-2020-27618, CVE-2020-29562, CVE-2020-6096, CVE-2021-3326, CVE-2021-35942, CVE-2021-3999, CVE-2022-0001, CVE-2022-23218, CVE-2022-23219, CVE-2022-25313, CVE-2022-25314, CVE-2022-25315.

Change log for master fix pack 1.20.15_1571, released 3 March 2022

Changes since version 1.20.15_1568
Component Previous Current Description
Cluster health image v1.2.21 v1.3.3 Updated golang.org/x/crypto to v0.0.0-20220214200702-86341886e292. Adds fix for CVE-2021-43565. Adds Golang dependency updates.
Gateway-enabled cluster controller 1586 1653 Updated to use Go version 1.17.7 and updated Go modules to fix CVEs.
GPU device plug-in and installer eefc4ae d7daae6 Updated GPU images to resolve CVEs.
IBM Calico extension 923 929 Updated universal base image (UBI) to the 8.5-230 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Cloud Controller Manager v1.20.15-1 v1.20.15-4 Adds changes to the renovate rules.
IBM Cloud File Storage for Classic plug-in and monitor 404 405 Fix for CVE-2021-3538 and adds dependency updates.
Key Management Service provider v2.3.13 v2.4.3 Updated golang.org/x/crypto to v0.0.0-20220214200702-86341886e292. Adds fix for CVE-2021-43565. Adds Golang dependency updates.

Change log for worker node fix pack 1.20.15_1572, released 28 February 2022

Changes since version 1.20.15_1570
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-167-generic 4.15.0-169-generic Kernel and package updates for CVE-2021-4083, CVE-2021-4155, CVE-2021-45960, CVE-2021-46143, CVE-2022-0330, CVE-2022-22822, CVE-2022-22823, CVE-2022-22824, CVE-2022-22825, CVE-2022-22826, CVE-2022-22827, CVE-2022-22942, CVE-2022-23852, CVE-2022-23990, CVE-2022-24407, CVE-2022-25235, CVE-2022-25236.
HA proxy f6a2b3 15198fb Contains fixes for CVE-2022-24407.

Change log for worker node fix pack 1.20.15_1570, released 14 February 2022

Changes since version 1.20.15_1569
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A N/A
Kubernetes N/A N/A N/A
HA proxy d38fa1 f6a2b3 CVE-2021-3521 CVE-2021-4122.

Change log for worker node fix pack 1.20.15_1569, released 31 January 2022

Changes since version 1.20.13_1567
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2018-7169, CVE-2021-3984, CVE-2021-4019, CVE-2021-4034, CVE-2021-4069.
Kubernetes 1.20.13 1.20.15 For more information, see the change log.

Change log for master fix pack 1.20.15_1568, released 26 January 2022

Changes since version 1.20.13_1563
Component Previous Current Description
Calico N/A N/A Changed to improve Calico availability during updates.
Cluster health image v1.2.20 v1.2.21 Updated to use Go version 1.17.5, updated Go dependencies and golangci-lint
GPU device plug-in and installer cc634b2 9be025c Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Calico extension 900 923 Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Cloud Controller Manager v1.20.13-4 v1.20.15-1 Updated to support the Kubernetes 1.20.15 release.
IBM Cloud File Storage for Classic plug-in and monitor 402 404 Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
IBM Cloud RBAC Operator 3430e03 0fc9949 Updated universal base image (UBI) to the 8.5-218 version to resolve CVEs. Updated to use Go version 1.16.13.
Key Management Service provider v2.3.12 v2.3.13 Updated Go dependencies and golangci-lint
Kubernetes 1.20.13 1.20.15 Changed the duration of the Kubernetes API server certificate from 825 days to 730 days. Changed the duration of the cluster CA certificate from 30 years to 10 years. See the Kubernetes release notes.
Kubernetes Metrics Server v0.4.4 v0.4.5 Metrics server now dynamically reloads NannyConfiguration updates. See the Kubernetes Metrics Server release notes.
Kubernetes NodeLocal DNS cache 1.21.1 1.21.3 See the Kubernetes NodeLocal DNS cache release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1659 1747 Updated the Alpine base image to the 3.15 version to resolve CVEs. Updated to use Go version 1.17.6.
OpenVPN client 2.4.6-r3-IKS-463 2.5.4-r0-IKS-556 Update base image to alpine 3.15 to address CVEs, no longer set the --compress config option, updated scripts
OpenVPN server 2.4.6-r3-IKS-462 2.5.4-r0-IKS-555 Update base image to alpine 3.15 to address CVEs, no longer set the --compress config option, updated scripts

Change log for worker node fix pack 1.20.13_1567, released 18 January 2022

Changes since version 1.20.13_1566
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-163-generic 4.15.0-166-generic Kernel and package updates for CVE-2018-25020 and CVE-2021-4002.
Containerd v1.5.8 v1.5.9 See the change log.

Change log for worker node fix pack 1.20.13_1566, released 4 January 2022

The following table shows the changes that are in the worker node fix pack patch update 1.20.13_1566. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.13_1564
Component Previous Current Description
HA proxy 3b8663 d38fa1 Contains fixes for CVE-2021-3712.
Ubuntu 18.04 packages N/A N/A Updated worker node image packages for CVE-2019-19449, CVE-2020-16592, CVE-2020-21913, CVE-2020-27781, CVE-2020-36322, CVE-2020-36385, CVE-2021-25219, CVE-2021-28831, CVE-2021-28950, CVE-2021-3487, CVE-2021-3524, CVE-2021-3531, CVE-2021-3733, CVE-2021-3737, CVE-2021-3759, CVE-2021-3778, CVE-2021-3796, CVE-2021-3800, CVE-2021-38199, CVE-2021-3903, CVE-2021-3927, CVE-2021-3928, CVE-2021-40490, CVE-2021-42374, CVE-2021-42378, CVE-2021-42384, and CVE-2021-43527.

Change log for master fix pack 1.20.13_1563, released 7 December 2021

The following table shows the changes that are in the master fix pack update 1.20.13_1563. Master patch updates are applied automatically.

Changes since version 1.20.12_1561
Component Previous Current Description
Calico v3.17.5 v3.17.6 See the Calico release notes.
Cluster health image v1.2.18 v1.2.20 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs. Updated to use Go version 1.16.10.
CoreDNS 1.8.4 1.8.6 See the CoreDNS release notes.
Gateway-enabled cluster controller 1567 1586 Updated Alpine base image to the latest 3.14 version to resolve CVEs. Updated to use Go version 1.16.10.
GPU device plug-in and installer 7fd867d c9bfc8c Updated universal base image (UBI) to the 8.5-204 version to resolve CVEs. Updated to use Go version 1.16.10.
IBM Calico extension 864 900 Updated universal base image (UBI) to the 8.5-204 version to resolve CVEs. Updated to use Go version 1.16.10.
IBM Cloud Controller Manager v1.20.12-3 v1.20.13-4 Updated to support the Kubernetes 1.20.13 release and to use calicoctl version 3.17.6.
IBM Cloud File Storage for Classic plug-in and monitor 401 402 Updated universal base image (UBI) to the 8.5-204 version to resolve CVEs. Updated to use Go version 1.16.10.
IBM Cloud RBAC Operator 4ca5637 3430e03 Updated universal base image (UBI) to the latest 8.5 version to resolve CVEs. Updated to use Go version 1.16.10.
Key Management Service provider v2.3.10 v2.3.12 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs. Updated to use Go version 1.16.10.
Kubernetes v1.20.12 v1.20.13 See the Kubernetes release notes.
Kubernetes NodeLocal DNS cache 1.17.3 1.21.1 See the Kubernetes NodeLocal DNS cache release notes. Increased memory resource requests from 8Mi to 10Mi to better align with normal resource utilization.
Load balancer and load balancer monitor for IBM Cloud Provider 1590 1659 Updated Alpine base image to the latest 3.14 version to resolve CVEs. Updated to use Go version 1.16.10.
Operator Lifecycle Manager 0.16.1-IKS-14 0.16.1-IKS-15 Updated image for CVE-2021-42374, CVE-2021-42375, CVE-2021-42378, CVE-2021-42379, CVE-2021-42380, CVE-2021-42381, CVE-2021-42382, CVE-2021-42383, CVE-2021-42384, CVE-2021-42385, and CVE-2021-42386.

Change log for worker node fix pack 1.20.13_1564, released 6 December 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.13_1564. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.12_1562
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-162 4.15.0-163 Updated worker node images and kernel with package updates. Contains fixes for CVE-2021-43527
Kubernetes 1.20.12 1.20.13 See the change log
Containerd v1.4.11 v1.4.12 See the change log and the security bulletin.

Change log for worker node fix pack 1.20.12_1562, released 22 November 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.12_1562. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.11_1560
Component Previous Current Description
Kubernetes 1.20.11 1.20.12 For more information, see the change log.
HA proxy 07f1e9e 3b8663 Contains fixes for CVE-2021-20231, CVE-2021-20232, CVE-2021-3580, CVE-2021-22946, CVE-2021-22947, CVE-2021-22876, CVE-2021-22898, CVE-2021-22925, CVE-2019-20838, CVE-2020-14155, CVE-2018-20673, CVE-2021-42574, CVE-2019-17594, CVE-2019-17595, CVE-2020-12762, CVE-2020-16135, CVE-2021-3445, CVE-2021-36084, CVE-2021-36085, CVE-2021-36086, CVE-2021-36087, CVE-2021-20266, CVE-2019-18218, CVE-2021-23840, CVE-2021-23841, CVE-2021-27645, CVE-2021-33574, CVE-2021-35942, CVE-2021-33560, CVE-2019-13750, CVE-2019-13751, CVE-2019-19603, CVE-2019-5827, CVE-2020-13435, CVE-2020-24370, CVE-2021-28153, CVE-2021-3800, CVE-2021-33928, CVE-2021-33929, CVE-2021-33930, CVE-2021-33938, andCVE-2021-3200
Ubuntu 18.04 packages 4.15.0-161 4.15.0-162 Updated worker node images and kernel with package fixes forCVE-2019-19449, CVE-2020-36322, CVE-2020-36385, CVE-2021-28950, CVE-2021-3759, CVE-2021-38199, CVE-2021-3903, CVE-2021-3927, and CVE-2021-3928.

Change log for master fix pack 1.20.12_1561, released 17 November 2021

The following table shows the changes that are in the master fix pack patch update 1.20.11_1561. Master patch updates are applied automatically.

Changes since version 1.20.11_1558
Component Previous Current Description
Cluster health image v1.2.16 v1.2.18 Updated Go module dependencies and to use Go version 1.16.9. Updated image for CVE-2021-22946, CVE-2021-22947, CVE-2021-33928, CVE-2021-33929 and CVE-2021-33930.
etcd v3.4.17 v3.4.18 See the etcd release notes.
Gateway-enabled cluster controller 1510 1567 Updated to use Go version 1.16.9.
GPU device plug-in and installer 58d7589 7fd867d Updated image for CVE-2021-36222, CVE-2021-37750, CVE-2021-22922, CVE-2021-22923 and CVE-2021-22924.
Kubernetes add-on resizer 1.8.12 1.8.13 See the Kubernetes add-on resizer release notes.
IBM Cloud Controller Manager v1.20.11-2 v1.20.12-3 Updated to support the Kubernetes 1.20.12 release. Updated image for DLA-2797-1.
IBM Cloud RBAC Operator e3cb629 4ca5637 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs.
Key Management Service provider v2.3.8 v2.3.10 Updated Go module dependencies and to use Go version 1.16.9. Updated image for CVE-2021-22946.
Kubernetes v1.20.11 v1.20.12 See the Kubernetes release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1547 1590 Updated to use Go version 1.16.9.
OpenVPN client 2.4.6-r3-IKS-386 2.4.6-r3-IKS-463 Updated image to implement additional IBM security controls.
OpenVPN server 2.4.6-r3-IKS-385 2.4.6-r3-IKS-462 Updated image to implement additional IBM security controls.

Change log for worker node fix pack 1.20.11_1560, released 10 November 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.11_1560. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.11_1559
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node image packages for CVE-2020-16592, CVE-2020-27781, CVE-2021-25219, CVE-2021-3487, CVE-2021-3524, CVE-2021-3531, and CVE-2021-40490.

Change log for master fix pack 1.20.11_1558, released 29 October 2021

The following table shows the changes that are in the master fix pack patch update 1.20.11_1558. Master patch updates are applied automatically.

Changes since version 1.20.11_1553
Component Previous Current Description
Cluster health image v1.2.15 v1.2.16 Move from dependency form3tech-oss/jwt-go to golang-jwt/jwt since the former is no longer maintained. Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs: CVE-2021-36222, CVE-2021-37750, CVE-2021-22922, CVE-2021-22923, CVE-2021-22924
etcd v3.4.16 v3.4.17 See the etcd release notes.
IBM Calico extension 763 864 Updated to use Go version 1.16.9. Updated universal base image (UBI) to resolve CVEs.
IBM Cloud Controller Manager v1.20.11-1 v1.20.11-2 Updated to ignore VPC load balancer (LB) state when a LB delete is requested.
IBM Cloud File Storage for Classic plug-in and monitor 400 401 Updated universal base image (UBI) to the latest 8.4-210 version
Key Management Service provider v2.3.7 v2.3.8 Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs: CVE-2021-36222, CVE-2021-37750, CVE-2021-22922, CVE-2021-22923, CVE-2021-22924

Change log for worker node fix pack 1.20.11_1559, released 25 October 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.11_1559. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.11_1555
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates. Contains fix for cloud-init performance problem.
Worker-pool taint automation N/A N/A Fixes known issue related to worker-pool taint automation that prevents workers from getting providerID.

Change log for worker node fix pack 1.20.11_1555, released 11 October 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.11_1555. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.11_1554
Component Previous Current Description
Containerd v1.4.9 v1.4.11 See the security bulletin and the change logs.
Ubuntu 18.04 packages 4.15.0-158 4.15.0-159 Updated worker node images and kernel with package updates CVE-2021-3778 and CVE-2021-3796.

Change log for master fix pack 1.20.11_1553, released 28 September 2021

The following table shows the changes that are in the master fix pack patch update 1.21.1_1553. Master patch updates are applied automatically.

Changes since version 1.20.10_1550
Component Previous Current Description
Calico v3.17.4 v3.17.5 See the Calico release notes. Increased liveness and readiness probe timeouts to 10 seconds.
CoreDNS 1.8.0 1.8.4 See the CoreDNS release notes.
Gateway-enabled cluster controller 1444 1510 Updated image for CVE-2021-3711 and CVE-2021-3712.
GPU device plug-in and installer 8c8bcdf 58d7589 Updated to use Go version 1.16.7.
IBM Cloud Controller Manager v1.20.10-1 v1.20.11-1 Updated to support the Kubernetes 1.20.11 release. Fixed a bug that might cause node initialization to fail when a new node reuses the name of a deleted node.
IBM Cloud RBAC Operator 945df65 e3cb629 Updated to use Go version 1.16.7.
IBM Cloud File Storage for Classic plug-in and monitor 398 400 Updated to use Go version 1.16.7. Updated universal base image (UBI) to the latest 8.4-208 version to resolve CVEs.
Kubernetes v1.20.10 v1.20.11 See the Kubernetes release notes.
Kubernetes API server auditing configuration N/A N/A Updated to support verbose Kubernetes API server auditing.
Kubernetes NodeLocal DNS cache N/A N/A Increased memory resource requests from 5Mi to 8Mi to better align with normal resource utilization.
Load balancer and load balancer monitor for IBM Cloud Provider 1510 1547 Updated image for CVE-2021-3711 and CVE-2021-3712.
Operator Lifecycle Manager 0.16.1-IKS-12 0.16.1-IKS-14 Updated image for CVE-2021-3711 and CVE-2021-3712.

Change log for worker node fix pack 1.20.11_1554, released 27 September 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.11_1554. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.10_1552
Component Previous Current Description
Disk identification N/A N/A Enhanced the disk identification logic to handle the case of 2+ partitions.
HA proxy 9c98dc5 07f1e9 Updated image with fixes for CVE-2021-22922, CVE-2021-22923, CVE-2021-22924, CVE-2021-36222, and CVE-2021-37750.
Kubernetes 1.20.10 1.20.11 For more information, see the change logs. This update resolves CVE-2021-25741. For more information, see the IBM security bulletin).
Ubuntu 18.04 packages 4.15.0-156 4.15.0-158 Updated worker node images and kernel with package updates CVE-2021-22946, CVE-2021-22947, CVE-2021-33560, CVE-2021-3709, CVE-2021-3710, CVE-2021-40330, CVE-2021-40528, and CVE-2021-41072.

Change log for worker node fix pack 1.20.10_1552, released 13 September 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.10_1552. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.10_1551
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-154 4.15.0-156 Updated worker node images and kernel with package updates for CVE-2021-3653, CVE-2021-3656, CVE-2021-38185, CVE-2021-40153.

Change log for worker node fix pack 1.20.10_1551, released 30 August 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.10_1551. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.9_1549
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-153 4.15.0-154 Updated worker node images and kernel with package updates for CVE-2021-3711 and CVE-2021-3712.

Change log for master fix pack 1.20.10_1550 released 25 August 2021

The following table shows the changes that are in the master fix pack patch update 1.20.10_1550. Master patch updates are applied automatically.

Changes since version 1.20.9_1547
Component Previous Current Description
Calico N/A N/A Updated the rolling update configuration for the calico-node daemonset in the kube-system namespace. The configuration is now the same regardless of the number of cluster worker nodes.
Cluster health image v1.2.14 v1.2.15 Updated to use Go version 1.15.15. Updated universal base image (UBI) to the latest 8.4 version to resolve CVEs.
Gateway-enabled cluster controller 1348 1444 Updated image for CVE-2021-36159.
GPU device plug-in and installer 483ccc2 8c8bcdf Updated to use Go version 1.16.6.
IBM Calico extension 747 763 Updated to use Go version 1.16.6. Updated universal base image (UBI) to the latest 8.4-205 version to resolve CVEs.
IBM Cloud Controller Manager v1.20.9-1 v1.20.10-1 Updated to support the Kubernetes 1.20.10 release and to use Go version 1.15.15.
IBM Cloud File Storage for Classic plug-in and monitor 395 398 Updated to use Go version 1.16.6. Updated image for CVE-2021-33910.
Key Management Service provider v2.3.6 v2.3.7 Updated to use Go version 1.15.15. Updated UBI to the latest 8.4 version to resolve CVEs.
Kubernetes v1.20.9 v1.20.10 See the Kubernetes release notes.
Kubernetes Dashboard v2.1.0 v2.3.1 See the Kubernetes Dashboard release notes.
Kubernetes Dashboard metrics scraper v1.0.6 v1.0.7 See the Kubernetes Dashboard metrics scraper release notes.
Kubernetes DNS autoscaler 1.8.3 1.8.4 See the Kubernetes DNS autoscaler release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1328 1510 Updated image for CVE-2020-27780.
Operator Lifecycle Manager 0.16.1-IKS-10 0.16.1-IKS-12 Updated image for CVE-2021-36159.

Change log for worker node fix pack 1.20.9_1549, released 16 August 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.9_1549. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.9_1548
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-151 4.15.0-153 N/A
HA proxy 68e6b3 9c98dc Updated image with fixes for CVE-2021-27218.

Change log for worker node fix pack 1.20.9_1548, released 02 August 2021

The following table shows the changes that are in the worker node fix pack patch update 1.20.9_1548. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.8_1546
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-147 4.15.0-151 Updated worker node images & Kernel with package updates: CVE-2020-13529, CVE-2021-22898, CVE-2021-22924 CVE-2021-22925, CVE-2021-33200, CVE-2021-33909, and CVE-2021-33910.
HA proxy aae810 68e6b3 Updated image with fixes for CVE-2021-33910.
Registry endpoints Added zonal public registry endpoints for clusters with both private and public service endpoints enabled.
Read only disk self healing For VPC Gen2 workers. Added automation to recover from disks going read only.
Containerd v1.4.6 v1.4.8 For more information, see the change logs. The update resolves CVE-2021-32760 (see the IBM security bulletin).
Kubernetes v1.20.8 v1.20.9 See the Kubernetes release notes.

Change log for master fix pack 1.20.9_1547, released 27 July 2021

The following table shows the changes that are in the master fix pack patch update 1.20.9_1547. Master patch updates are applied automatically.

Changes since version 1.20.8_1544
Component Previous Current Description
Cluster health image v1.2.13 v1.2.14 Updated universal base image (UBI) to the latest version to resolve CVEs.
etcd v3.4.14 v3.4.16 See the etcd release notes.
GPU device plug-in and installer 772e15f 483ccc2 Updated image for CVE-2021-20271, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, CVE-2021-3541 and CVE-2021-3520.
IBM Calico extension 730 747 Updated universal base image (UBI) to version 8.4-205 to resolve CVEs.
IBM Cloud Controller Manager v1.20.8-2 v1.20.9-1 Updated to support the Kubernetes 1.20.9 release and to use Go version 1.15.14.
IBM Cloud File Storage for Classic plug-in and monitor 394 395 Updated universal base image (UBI) to version 8.4-205 to resolve CVEs.
IBM Cloud RBAC Operator b68ea92 945df65 Updated image for CVE-2021-33194.
Key Management Service provider v2.3.5 v2.3.6 Updated universal base image (UBI) to the latest version to resolve CVEs.
Kubernetes v1.20.8 v1.20.9 See the Kubernetes release notes.

Change log for worker node fix pack 1.20.8_1546, released 19 July 2021

The following table shows the changes that are in the worker node fix pack 1.20.8_1546. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.8_1545
Component Previous Current Description
Ubuntu 16.04 packages N/A N/A Updated worker node images with kernel package updates.
Ubuntu 18.04 packages N/A N/A Updated worker node images with kernel package updates.

Change log for worker node fix pack 1.20.8_1545, released 6 July 2021

The following table shows the changes that are in the worker node fix pack 1.20.8_1545. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.7_1543
Component Previous Current Description
HA proxy 700dc6 aae810 Updated image with fixes for CVE-2021-3520, CVE-2021-20271, CVE-2021-3516, CVE-2021-3517, CVE-2021-3518, CVE-2021-3537, and CVE-2021-3541.
Kubernetes v1.20.7 v1.20.8 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0.144 4.15.0.147 Updated worker node images with kernel package updates for CVE-2021-23133, CVE-2021-3444, and CVE-2021-3600.

Change log for master fix pack 1.20.8_1544, released 28 June 2021

The following table shows the changes that are in the master fix pack patch update 1.20.8_1544. Master patch updates are applied automatically.

Changes since version 1.20.7_1540
Component Previous Current Description
Calico v3.17.3 v3.17.4 See the Calico release notes.
Cluster health image v1.2.12 v1.2.13 Updated to use Go version 1.15.12. Updated image for CVE-2021-33194.
Gateway-enabled cluster controller 1352 1348 Updated to run as a non-root user by default, with privileged escalation as needed.
GPU device plug-in and installer 9a5e70b 772e15f Updated to use Go version 1.15.12. Updated universal base image (UBI) to version 8.4 to resolve CVEs. Updated the GPU drivers to version 460.73.01.
IBM Calico extension 689 730 Updated to use Go version 1.16.15. Updated minimal UBI to version 8.4 to resolve CVEs.
IBM Cloud Controller Manager v1.20.7-3 v1.20.8-2 Updated to support the Kubernetes 1.20.8 release and to use Go version 1.15.13. Updated Go dependencies to resolve CVEs. Updated image to implement additional IBM security controls.
IBM Cloud File Storage for Classic plug-in and monitor 392 394 Updated to use Go version 1.15.12. Updated UBI to version 8.4 to resolve CVEs.
IBM Cloud RBAC Operator 63cd064 b68ea92 Updated to use Go version 1.16.4. Updated UBI to version 8.4 to resolve CVEs.
Key Management Service provider v2.3.4 v2.3.5 Updated to use Go version 1.15.12. Updated image for CVE-2021-33194.
Kubernetes v1.20.7 v1.20.8 See the Kubernetes release notes.
Portieris admission controller v0.10.2 v0.10.3 See the Portieris admission controller release notes.

Change log for worker node fix pack 1.20.7_1543, released 22 June 2021

The following table shows the changes that are in the worker node fix pack 1.20.7_1543. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.7_1542
Component Previous Current Description
HA proxy 26c5cc d3dc33 Updated image with fixes for CVE-2020-24977, CVE-2020-13434, CVE-2020-15358, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2019-2708, CVE-2019-13012, CVE-2020-13543, CVE-2020-13584, CVE-2020-9948, CVE-2020-9951, CVE-2020-9983, CVE-2021-27219, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2016-10228, CVE-2019-25013, CVE-2019-9169, CVE-2020-27618, CVE-2021-3326, CVE-2020-26116, CVE-2020-27619, CVE-2021-23336, CVE-2021-3177, CVE-2019-3842, CVE-2020-13776, CVE-2020-24330, CVE-2020-24331, CVE-2020-24332, CVE-2017-14502, CVE-2020-8927 and CVE-2020-28196.
IBM Cloud Container Registry N/A N/A Added private-only registry support for ca.icr.io, br.icr.io and jp2.icr.io.
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2017-8779, CVE-2017-8872, CVE-2018-16869, CVE-2019-20388, CVE-2020-24977, CVE-2021-3516, CVE-2021-3517 CVE-2021-3518, CVE-2021-3537, CVE-2021-3580.

Change log for worker node fix pack 1.20.7_1542, released 7 June 2021

The following table shows the changes that are in the worker node fix pack 1.20.7_1542. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.7_1541
Component Previous Current Description
HA proxy 26c5cc 700dc6 Updated the image for CVE-2021-27219.
TCP keepalive optimization for VPC N/A N/A Set the net.ipv4.tcp_keepalive_time setting to 180 seconds for compatibility with VPC gateways.
Ubuntu 18.04 packages 4.15.0-143 4.15.0-144 Updated worker node images with kernel package updates for CVE-2021-25217, CVE-2021-31535, CVE-2021-32547, CVE-2021-32552, CVE-2021-32556, CVE-2021-32557, CVE-2021-3448, and CVE-2021-3520.

Change log for worker node fix pack 1.20.7_1541, released 24 May 2021

The following table shows the changes that are in the worker node fix pack 1.20.7_1541. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.6_1539
Component Previous Current Description
Containerd v1.4.5 v1.4.6 See the containerd release notes. The update resolves CVE-2021-30465 (see the IBM security bulletin).
HA proxy e0fa2f 26c5cc Updated image with fixes for CVE-2020-26116, CVE-2020-27619, CVE-2021-23336, CVE-2021-3177, CVE-2019-3842, CVE-2020-13776, CVE-2019-18276, CVE-2020-24977, CVE-2020-13434, CVE-2020-15358, CVE-2019-13012, CVE-2020-13543, CVE-2020-13584, CVE-2020-9948, CVE-2020-9951, CVE-2020-9983, CVE-2020-8231, CVE-2020-8284, CVE-2020-8285, CVE-2020-8286, CVE-2020-24330, CVE-2020-24331, CVE-2020-24332, CVE-2020-29361, CVE-2020-29362, CVE-2020-29363, CVE-2020-28196, CVE-2019-2708, CVE-2016-10228, CVE-2019-25013, CVE-2019-9169, CVE-2020-27618, CVE-2021-3326, and CVE-2020-8927.
Kubernetes v1.20.6 v1.20.7 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0-142 4.15.0-143 Updated worker node images with kernel package updates for CVE-2021-28688, CVE-2021-20292, CVE-2021-29264, CVE-2021-29265, and CVE-2021-29650.
Ubuntu 16.04 packages N/A N/A Updated worker node images with package updates for CVE-2009-5155 and CVE-2020-6096.

Change log for master fix pack 1.20.7_1540, released 24 May 2021

The following table shows the changes that are in the master fix pack patch update 1.20.7_1540. Master patch updates are applied automatically.

Changes since version 1.20.6_1538
Component Previous Current Description
Cluster health image v1.2.11 v1.2.12 Improved the add-on status information that is displayed when errors occur. Updated image to implement additional IBM security controls and for CVE-2020-26160, CVE-2020-28483 and CVE-2021-20305.
CoreDNS 1.8.3 1.8.0 See the CoreDNS release notes.
IBM Calico extension 661 689 Updated to use Go version 1.15.12.
IBM Cloud Controller Manager v1.20.6-2 v1.20.7-3 Updated to support the Kubernetes 1.20.7 release and to use Go version 1.15.12.
IBM Cloud File Storage for Classic plug-in and monitor 390 392 Improved the prerequisite validation logic for provisioning persistent volume claims (PVCs). Updated image to implement additional IBM security controls and for CVE-2021-20305.
IBM Cloud RBAC Operator b6a694b 63cd064 Updated image to implement additional IBM security controls and for CVE-2020-28483.
Key Management Service provider v2.3.3 v2.3.4 Updated image to implement additional IBM security controls and for CVE-2020-28483 and CVE-2020-26160.
Kubernetes v1.20.6 v1.20.7 See the Kubernetes release notes. The update resolves CVE-2020-8562 (see the IBM security bulletin) and CVE-2021-25737 (see the IBM security bulletin).
Kubernetes add-on resizer 1.8.11 1.8.12 See the Kubernetes add-on resizer release notes.
Kubernetes Metrics Server v0.4.2 v0.4.4 See the Kubernetes Metrics Server release notes.
Operator Lifecycle Manager 0.16.1-IKS-9 0.16.1-IKS-10 Fixed a bug that was caused by a missing /bin/cpb binary file.
Portieris admission controller v0.10.1 v0.10.2 See the Portieris admission controller release notes.

Change log for worker node fix pack 1.20.6_1539, released 10 May 2021

The following table shows the changes that are in the worker node fix pack 1.20.6_1539. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.6_1537
Component Previous Current Description
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216.
Ubuntu 16.04 packages N/A N/A Updated worker node images with package updates for CVE-2020-27350, CVE-2020-3810, CVE-2021-25214, CVE-2021-25215, and CVE-2021-25216.

Change log for master fix pack 1.20.6_1538, released 4 May 2021

The following table shows the changes that are in the master fix pack patch update 1.20.6_1538. Master patch updates are applied automatically.

Changes since version 1.20.6_1536
Component Previous Current Description
IBM Calico extension 618 661 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2020-14391, CVE-2020-25661 and CVE-2020-25662.
Gateway-enabled cluster controller 1322 1352 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-28831, CVE-2021-30139, CVE-2021-3449 and CVE-2021-3450.
IBM Cloud Controller Manager v1.20.6-1 v1.20.6-2 Updated to support VPC private network load balancers.
Load balancer and load balancer monitor for IBM Cloud Provider 1274 1328 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-28831, CVE-2021-30139, CVE-2021-3449 and CVE-2021-3450.

Change log for master fix pack 1.20.6_1536, released 27 April 2021

The following table shows the changes that are in the master fix pack patch update 1.20.6_1536. Master patch updates are applied automatically.

Changes since version 1.20.5_1533
Component Previous Current Description
Cluster health image v1.2.9 v1.2.11 Updated to use Go version 1.15.11. Updated image to implement additional IBM security controls and for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305.
GPU device plug-in and installer b9ec8af 9a5e70b Updated image for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305.
IBM Cloud Controller Manager v1.20.5-1 v1.20.6-1 Updated to support the Kubernetes 1.20.6 release and to use Go version 1.15.10.
IBM Cloud File Storage for Classic plug-in and monitor 389 390 Updated to use Go version 1.15.9 and for CVE-2020-28851 and CVE-2021-3121.
IBM Cloud RBAC Operator 3dd6bbc b6a694b Updated image for CVE-2021-3449 and CVE-2021-3450.
Key Management Service provider v2.3.0 v2.3.3 Updated to use Go version 1.15.11 and for CVE-2021-3449, CVE-2021-3450, and CVE-2021-20305.
Kubernetes v1.20.5 v1.20.6 See the Kubernetes release notes. The update resolves CVE-2021-25735 (see the IBM security bulletin).
Kubernetes NodeLocal DNS cache 1.17.1 1.17.3 See the Kubernetes NodeLocal DNS cache release notes.
OpenVPN client 2.4.6-r3-IKS-301 2.4.6-r3-IKS-386 Updated image to implement additional IBM security controls.
OpenVPN server 2.4.6-r3-IKS-301 2.4.6-r3-IKS-385 Updated image to implement additional IBM security controls.
Operator Lifecycle Manager 0.16.1-IKS-5 0.16.1-IKS-9 Updated image for CVE-2021-3449, CVE-2021-3450, and CVE-2021-30139.

Change log for worker node fix pack 1.20.6_1537, released 26 April 2021

The following table shows the changes that are in the worker node fix pack 1.20.6_1537. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.5_1535
Component Previous Current Description
HA proxy a3b1ff e0fa2f The update addresses CVE-2021-20305.
Ubuntu 18.04 packages N/A N/A Added resiliency to systemd units to prevent failures situations where the worker nodes are overused. Updated worker node images with kernel and package updates for CVE-2018-13095, CVE-2021-20305, CVE-2021-29154, and CVE-2021-3348.
Ubuntu 16.04 packages 4.4.0-206 4.4.0-210 Updated worker node images with kernel and package updates for [CVE-2015-1350, CVE-2017-15107, CVE-2017-5967, CVE-2018-13095, CVE-2018-5953, CVE-2019-14513, CVE-2019-16231, CVE-2019-16232, CVE-2019-19061, CVE-2021-20305, and CVE-2021-29154.

Change log for worker node fix pack 1.20.5_1535, released 12 April 2021

The following table shows the changes that are in the worker node fix pack 1.20.5_1535. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.5_1534
Component Previous Current Description
HA proxy 9b2dca a3b1ff The update addresses CVE-2021-3449 and CVE-2021-3450.
Ubuntu 18.04 packages N/A N/A Updated worker node images with package updates for CVE-2021-22876.
Ubuntu 16.04 packages N/A N/A Updated worker node images with package updates for CVE-2021-22876.

Change log for master fix pack 1.20.5_1533, released 30 March 2021

The following table shows the changes that are in the master fix pack patch update 1.20.5_1533. Master patch updates are applied automatically.

Changes since version 1.20.4_1531
Component Previous Current Description
Activity Tracker event N/A N/A Now, the containers-kubernetes.version.update event is sent to Activity Tracker when a master fix pack update is initiated for a cluster.
Cluster health image v1.2.8 v1.2.9 Updated image for CVE-2020-28851.
CoreDNS 1.8.0 1.8.3 See the CoreDNS release notes.
Gateway-enabled cluster controller 1232 1322 Updated to use Go version 1.15.10 and for CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841.
GPU device plug-in and installer 1c41e4b b9ec8af Updated image for CVE-2021-27919, CVE-2020-28851, and CVE-2020-28852.
IBM Cloud Controller Manager v1.20.4-4 v1.20.5-1 Updated to support the Kubernetes 1.20.5 release. Fixed a bug that prevented VPC load balancers from supporting more than 50 subnets in an account.
IBM Cloud File Storage for Classic plug-in and monitor 388 389 Updated to use Go version 1.15.8.
IBM Cloud RBAC Operator 86de2b7 3dd6bbc Updated image for CVE-2020-28851.
Kubernetes v1.20.4 v1.20.5 See the Kubernetes release notes.
Kubernetes NodeLocal DNS cache 1.16.0 1.17.1 See the Kubernetes NodeLocal DNS cache release notes.

Change log for worker node fix pack 1.20.5_1534, released 29 March 2021

The following table shows the changes that are in the worker node fix pack 1.20.5_1534. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.4_1532
Component Previous Current Description
Ubuntu 18.04 packages 4.15.0-136-generic 4.15.0-140-generic Updated worker node images with kernel and package updates for CVE-2020-27170, CVE-2020-27171, CVE-2021-27363, CVE-2021-27365, CVE-2021-28153, and CVE-2021-3449.
Ubuntu 16.04 packages 4.4.0-203-generic 4.4.0-206-generic Updated worker node images with kernel and package updates for CVE-2021-27363, CVE-2021-27365, and CVE-2021-28153.

Change log for worker node fix pack 1.20.4_1532, released 12 March 2021

The following table shows the changes that are in the worker node fix pack 1.20.4_1532. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.4_1531
Component Previous Current Description
Containerd v1.4.3 v1.4.4 See the containerd release notes. The update resolves CVE-2021-21334 (see the IBM security bulletin).
Ubuntu 18.04 packages N/A N/A Updated worker node image with package updates for CVE-2021-21300, CVE-2021-24031, CVE-2021-24032, CVE-2021-27218, and CVE-2021-27219.
Ubuntu 16.04 packages N/A N/A Updated worker node image with package updates for{: external}, CVE-2021-21300, CVE-2021-27218, CVE-2021-27219, and CVE-2021-3177.

Change log for worker node fix pack 1.20.4_1531, released 1 March 2021

The following table shows the changes that are in the worker node fix pack 1.20.4_1531. Worker node patch updates can be applied by updating, reloading (in classic infrastructure), or replacing (in VPC infrastructure) the worker node.

Changes since version 1.20.2_1527
Component Previous Current Description
Kubernetes v1.20.2 v1.20.4 See the Kubernetes release notes.
Ubuntu 18.04 packages 4.15.0-135-generic 4.15.0-136-generic Updated worker node image with package updates for CVE-2020-27619, CVE-2020-29372, CVE-2020-29374, CVE-2020-8625, CVE-2021-23840, CVE-2021-23841, CVE-2021-26937, CVE-2021-27212, and CVE-2021-3177.
Ubuntu 16.04 packages 4.4.0-201-generic 4.4.0-203-generic Updated worker node image with package updates for CVE-2020-27619, CVE-2020-29372, CVE-2020-29374, CVE-2020-8625, CVE-2021-23840, CVE-2021-23841, CVE-2021-26937, CVE-2021-27212, and CVE-2021-3177.

Change log for master fix pack 1.20.4_1531, released 27 February 2021

The following table shows the changes that are in the master fix pack patch update 1.20.4_1531. Master patch updates are applied automatically.

Changes since version 1.20.4_1530.
Component Previous Current Description
Calico v3.17.2 v3.17.3 See the Calico release notes.
IBM Cloud Controller Manager v1.20.4-2 v1.20.4-4 Updated to use calicoctl version 3.17.3.
Load balancer and load balancer monitor for IBM Cloud Provider 1165 1274 Fixed a bug that might cause version 2.0 network load balancers (NLBs) to crash and restart on load balancer updates.

Change log for master fix pack 1.20.4_1530, released 22 February 2021

The following table shows the changes that are in the master fix pack patch update 1.20.4_1530. Master patch updates are applied automatically.

Changes since version 1.20.2_1528.
Component Previous Current Description
IBM Cloud Controller Manager v1.20.2-15 v1.20.4-2 Updated to support the Kubernetes 1.20.4 release and to use Go version 1.15.8. Updated image to implement additional IBM security controls.
Key Management Service provider v2.2.4 v2.3.0 Updated to use Go version 1.15.7. Updated image to implement additional IBM security controls.
Kubernetes v1.20.2 v1.20.4 See the Kubernetes release notes.
Operator Lifecycle Manager 0.16.1-IKS-3 0.16.1-IKS-5 Updated image for CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841.

Change log for 1.20.2_1528 (master) and 1.20.2_1527 (worker node), released 17 February 2021

The following table shows the changes that are in the version updates for 1.20.2_1528 master fix pack and 1.20.2_1527 worker node fix pack.

Changes since version 1.19.7_1532 (master) and 1.19.7_1535 (worker node).
Component Previous Current Description
Calico v3.16.5 v3.17.2 See the Calico release notes.
Cluster health image v1.2.6 v1.2.8 Updated to use Go version 1.15.7. Updated image to implement additional IBM security controls.
Gateway-enabled cluster controller 1195 1232 Updated to use Go version 1.15.7.
GPU device plug-in and installer af5a6cb 1c41e4b Updated to support the Kubernetes 1.20 release.
IBM Calico extension 567 618 Updated to use Go version 1.15.7.
IBM Cloud Controller Manager v1.19.7-4 v1.20.2-15

Updated to:

  • Support the Kubernetes 1.20.2 release.
  • Use calicoctl version 3.17.2.
  • Implement additional IBM security controls.
  • Address DLA-2509-1.
  • Make version 1.0 and 2.0 network load balancers (NLBs) to run as a non-root user by default, with privileged escalation as needed.
IBM Cloud File Storage for Classic plug-in and monitor 385 388 Improved the retry logic for provisioning persistent volume claims (PVCs).
IBM Cloud RBAC Operator f859228 86de2b7 Updated to use Go version 1.15.7.
Key Management Service provider v2.2.3 v2.2.4 Updated image to implement additional IBM security controls.
Kubernetes v1.19.7 v1.20.2 See the Kubernetes release notes.
Kubernetes configuration N/A N/A Updated the feature gate configuration.
Kubernetes CSI snapshotter CRDs N/A v3.0.2 See the Kubernetes container storage interface (CSI) snapshotter release notes.
Kubernetes Dashboard v2.0.5 v2.1.0 See the Kubernetes Dashboard release notes.
Kubernetes Dashboard metrics scraper configuration N/A N/A Default Kubernetes network policy added to block most pods from accessing the Kubernetes Dashboard metrics.
Kubernetes Metrics Server v0.3.7 v0.4.2 See the Kubernetes Metrics Server release notes.
Kubernetes NodeLocal DNS cache 1.15.14 1.16.0 See the Kubernetes NodeLocal DNS cache release notes.
Load balancer and load balancer monitor for IBM Cloud Provider 1078 1165 Updated to run as a non-root user by default, with privileged escalation as needed. Updated to use Go version 1.15.7.