ELSA-2020-5654

Published: Apr 17, 2020
Source: oracle-oval
Platform: Oracle Linux 7

Description

ELSA-2020-5654: kubernetes kubeadm-ha-setup kubeadm-upgrade security update (IMPORTANT)

kubernetes [1.12.10-1.0.11]

  • [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads

[1.12.10-1.0.10]

  • [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS

[1.12.10-1.0.9]

  • Define rolling update for flannel

[1.12.10-1.0.8]

  • Modify flannel/dashboard image tags to use images that have the CVE fix

[1.12.10-1.0.7]

  • [CVE-2019-11253] Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack

[1.12.10-1.0.6]

  • [CVE-2019-16276] bump golang to 1.12.10

[1.12.10-1.0.5]

  • added THIRD_PARTY_LICENSES.txt file

[1.12.10-1.0.4]

  • fix for CVE-2019-11251

[1.12.10-1.0.3]

  • replacing references to kubernetes-dashboard-amd64 with kubernetes-dashboard

[1.12.10-1.0.2]

  • Added Oracle specific build files for Kubernetes

kubeadm-ha-setup [0.0.2-1.0.69]

  • [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads

[0.0.2-1.0.68]

  • Pull image prior to update and fix image repo for addons

[0.0.2-1.0.67]

  • Bump golang build version

[0.0.2-1.0.66]

  • [CVE-2019-16276] Support patching flannel/dashboard on upgrade

[0.0.2-1.0.65]

  • [CVE-2019-16276] Support deploying 1.12 and 1.13 with CVE patched

[0.0.2-1.0.64]

  • [CVE-2019-16276] Support patching etcd on upgrade

[0.0.2-1.0.63]

  • [CVE-2019-16276] while upgrading a cluster patch the coredns image

[0.0.2-1.0.62]

  • [CVE-2019-16276] Update flannel, etcd, coredns and dashboard images

[0.0.2-1.0.61]

  • Added Support for 1.13.11 and removed support for 1.13.10

[0.0.2-1.0.59]

  • Remove Support for 1.14.6

[0.0.2-1.0.58]

  • Replacing reference to kubernetes-dashboard-amd64 with kubernetes-dashboard

[0.0.2-1.0.57]

  • Support 1.12.10

[0.0.2-1.0.56]

  • Support 1.14.6

[0.0.2-1.0.55]

  • Support 1.13.10

[0.0.2-1.0.54]

  • Support 1.13.9

[0.0.2-1.0.53]

  • Mark 1.14 as a developer build

[0.0.2-1.0.52]

  • Restore fails when trying to restore after a failed update

[0.0.2-1.0.51]

  • Minor version update doesn't update kubeadm on all master nodes

[0.0.2-1.0.50]

  • Make k8s 1.14 specific changes

[0.0.2-1.0.49]

  • Remove 1.10 and 1.11 versions since they are incompatible

[0.0.2-1.0.48]

  • Support deploying 5 master nodes

[0.0.2-1.0.47]

  • Only update/upgrade the controlplane images if they changed in the Release object

[0.0.2-1.0.46]

  • Fix version comparison function during upgrade

[0.0.2-1.0.45]

  • Fix rpm version compare
  • Allow kubernetes updates for patch version

[0.0.2-1.0.44]

  • Allow assume yes to deploy a single master without the prompt

[0.0.2-1.0.43]

  • Post cluster creation should check only for master nodes

[0.0.2-1.0.42]

  • Update keepalived check api server to ensure we are grepping the correct IP

[0.0.2-1.0.41]

  • Make ha.yaml an optional argument in the cli for single master cluster

[0.0.2-1.0.40]

  • Add pod cidr default and refactor ha.yaml example

[0.0.2-1.0.39]

  • Remove features: feature1_13=true from config

[0.0.2-1.0.38]

  • Default kubernetes version to latest production version

[0.0.2-1.0.37]

  • Fix keepalived issue when firewalld is disabled

[0.0.2-1.0.36]

  • Default kubernetes version to latest production version

[0.0.2-1.0.35]

  • Add addons template and config files

[0.0.2-1.0.34]

  • Enhance tests

[0.0.2-1.0.33]

  • fix regression of previous firewall fix

[0.0.2-1.0.32]

  • Fix firewall issues during restore

[0.0.2-1.0.31]

  • Fix firewall issues

[0.0.2-1.0.30]

  • Enhance output while validating the system

[0.0.2-1.0.29]

  • Fix DR in 1.13

[0.0.2-1.0.28]

  • Fix apiserver_cert_extra_sans for 1.13 clusters

[0.0.2-1.0.27]

  • Fix update/upgrade output message

[0.0.2-1.0.26]

  • Fix major upgrade

[0.0.2-1.0.25]

  • Add registry migration

[0.0.2-1.0.24]

  • Return stdout and stderr from Run function to allow the caller to decide what to display

[0.0.2-1.0.23]

  • Proxy variable is inherited in remote master

[0.0.2-1.0.22]

  • The Trim function doesn't work for replacing strings
  • Upgrade should use the pause container instead of pause-amd64

[0.0.2-1.0.21]

  • Include 1.12.7 image and update 1.13 and metric servers info

[0.0.2-1.0.20]

  • Support new registries and allow for password to have a colon

[0.0.2-1.0.19]

  • --force flag for full restore

[0.0.2-1.0.18]

  • Change update help message

[0.0.2-1.0.17]

  • Change update message, add ha install command and ask for confirmation

[0.0.2-1.0.16]

  • Change upgrade command name to update

[0.0.2-1.0.15]

  • Fix upgrade for point release

[0.0.2-1.0.14]

  • Move file.go to config.go

[0.0.2-1.0.13]

  • Feature Flag 1.13 code

[0.0.2-1.0.12]

  • Add support of upgrading HA master nodes

[0.0.2-1.0.11]

  • Support deploying Kubernetes version 1.13.2

[0.0.2-1.0.10]

  • CVE-2018-16875

[0.0.2-1.0.9]

  • Add timeout to Run() (gitlab issues #3)
  • Rename path to linux-git.us.oracle.com/Kubernetes

[0.0.2-1.0.8]

  • Remove releases.json dependency

[0.0.2-1.0.7]

  • Pin dependent kubernetes packages

[0.0.2-1.0.6]

  • Update deps for kube 1.13

[0.0.2-1.0.5]

  • Add test runner in makefile and execute it in CI/CD

[0.0.2-1.0.4]

  • Fix backup path issue again found by Tom Cocozzello

[0.0.2-1.0.3]

  • [Orabug 29152516] Backup and restore /var/lib/kubelet/kubeadm-flags.env too
  • Cleanup kube-ipvs0 interface too
  • More code cleanup
  • Use map for checking kernel module
  • Fix client joining errors
  • Addressing Tom Cocozzello's review
  • Enabling IPVS in HA

[0.0.2-1.0.2]

  • Update dashboard image (CVE-2018-18264)

[0.0.2-1.0.1]

  • Allow Oracle certified addons to be installed via cli

[0.0.1-2.0.9]

  • Use 'dep ensure' to clean up symlinks in the vendor directory

[0.0.1-2.0.5]

  • Clean up un-used build scripts

[0.0.1-2.0.4]

  • Add Makefile for building and testing code

[0.0.1-2.0.3]

  • Fix file restore issue when it contains './'

[0.0.1-2.0.2]

  • Resolve the full filepath when '.' is passed in
  • Addressing review by Muminul Islam

[0.0.1-2.0.1]

  • Remove 'firewall-cmd --reload' as it can hang OCI
  • Fix some errors reported by Shubham
  • Error out if an option is not currently supported in HandleEtcdOps
  • Fix down issue
  • Dump log output to /var/log/kubeadm-ha-setup

[0.0.1-1.0.37]

  • Fix kubernetes version
  • Include log printing when error occurs
  • Fix client.go regression due to new down function

[0.0.1-1.0.36]

  • Remove Godeps, using dep for now
  • Check if image is not set before referencing
  • Rename getEtcdConfigV2 to getEtcdConfig
  • Adding down functionality
  • Update ha.yaml file

[0.0.1-1.0.35]

  • Removing etcd.go
  • Addressing Tom Cocozzello review
  • [Orabug 28977571]

[0.0.1-1.0.34]

  • Enabling full restore on HA master and single master
  • Cleanup
  • Enable single master backup
  • Double the context request timeout
  • Implement retryable AddMember

[0.0.1-1.0.33]

  • Modified DR for One node case to use new etcd API
  • Enhanced the helper scripts such that it will error out
  • HealthCheck re-implementation

[0.0.1-1.0.32]

  • Update dashboard image

[0.0.1-1.0.31]

  • Needs to be run as a privileged user
  • Enable CoreDNS as default

[0.0.1-1.0.30]

  • Enable single master setup

[0.0.1-1.0.29]

  • Redesigned for setting up v1.12 HA clusters

[0.0.1-1.0.28]

  • Fixes for v1.11
  • Addressing Laszlo Peter review
  • Addressing Daniel Krasinski review

[0.0.1-1.0.27]

  • Fix build failure
  • Add UPL LICENSE
  • Fix the usage of defer
  • Re-try when docker pull image gets a timeout
  • Refactor SetupCreds()
  • Remove --force flag for restore
  • When something fails, we should lengthen the timeout time

[0.0.1-1.0.26]

  • When context timed out catch it and print stdout, stderr

[0.0.1-1.0.25]

  • Check output from docker client and probe for error

[0.0.1-1.0.24]

  • Properly parse if repo has a special ':' character

[0.0.1-1.0.23]

  • Checking the total nodes would be better implementation
  • Fixup etcd add member errors

[0.0.1-1.0.22]

  • Pod count could be >= 20
  • Remove port 30000-32767/tcp check for client node
  • Querying k8s cluster health instead of etcd for backup
  • Cosmetic fix
  • Etcd one node restore problems

[0.0.1-1.0.21]

  • Check whether repo needs auth even in one node restore case
  • Fixup the restore script
  • docker pull image change in behavior in 18.03
  • Include client side image repo checking too
  • Provide a full repo path for comparison
  • Make kubernetes_developer as the sample repo
  • Use strings.Contains to compare strings
  • Fix README
  • Initial README
  • Include changes in kube.go

[0.0.1-1.0.20]

  • In OCI, LB can take time to set up properly
  • Fix random string
  • [Orabug 28445064]
  • Replace RunCmdExec() with just Run()
  • Sanity check for # of master
  • Make kubeadm token default to be random

[0.0.1-1.0.19]

  • Check if docker exec etcd returns Error
  • Check env first before trying to pull image
  • [Orabug 28461826]

[0.0.1-1.0.18]

  • Fixing LB, kubelet, kubectl-proxy
  • Add a DEBUG flag for more verbose output

[0.0.1-1.0.17]

  • Don't loop forever in client, make Run() more consistent in master
  • Fixup LB for OCI
  • Add apiserver-bind-port capability

[0.0.1-1.0.17]

  • Include apiserver_cert_extra_sans and service_cidr

[0.0.1-1.0.16]

  • Include restoring keepalived for one and full restore
  • For Full Restore we need to first clean up before anything else
  • Clean up DR, make backup check etcd health first
  • Properly clean-up flannel.1 and cni0

[0.0.1-1.0.15]

  • DR code cleanup
  • Changed permission on the created dir to 0755
  • Fix filename not found error

[0.0.1-1.0.14]

  • Don't panic()
  • In One node restore case verify the ca.crt MD5SUM
  • Full DR feature
  • Redesign of the DR
  • Include file and its line number for logging
  • Put the binary full path
  • Re-arrange variables for ssh.go
  • Separate etcd cli to another file (etcd.go)
  • Addition to kubectl cli
  • Check if MyIP for local node is missing/empty

[0.0.1-1.0.13]

  • Replace binary names
  • Include the ability to re-try master setup

[0.0.1-1.0.12]

  • Renamed the whole REPO to kubeadm-ha-setup
  • Don't print out more logs than necessary

[0.0.1-1.0.12]

  • Enhance ssh/sftp code

[0.0.1-1.0.11]

  • Change the storePath
  • Include keepalived backup and change backup.sh/restore.sh

[0.0.1-1.0.10]

  • Continuing on the restore part
  • Make the script query all KUBEDIR directories from a single file
  • Consolidate KUBEDIR
  • Make systemd related file 0644

[0.0.1-1.0.9]

  • Fixup the hardcoded directory as such we are reading from only limited source
  • Include the Docker API for restore
  • Initial implementation of DR

[0.0.1-1.0.8]

  • Fixup kubeadm-setup join
  • systemctl enable kubelet

[0.0.1-1.0.7]

  • Fix LoadBalancer to take care of extra steps

[0.0.1-1.0.6]

  • Cleanup some stdout
  • Add token field in ha.yaml for ease of automated setup

[0.0.1-1.0.5]

  • If Loadbalancer is preferred/used

[0.0.1-1.0.4]

  • Remove goroutine sleep - unnecessary
  • Provides structure to store required files and cert files
  • Fix merge errors

[0.0.1-1.0.3]

  • Create /run/kubeadm w-w/o --skip

[0.0.1-1.0.2]

  • NoHA and LoadBalancer

[0.0.1-1.0.1]

  • Initial build

kubeadm-upgrade [0.0.1-1.0.28]

  • [CVE-2019-11254] kube-apiserver Denial of Service vulnerability from malicious YAML payloads

[0.0.1-1.0.27]

  • [CVE-2019-16276] Kubernetes Vulnerabilities Allow Authentication Bypass, DoS

[0.0.1-1.0.26]

  • [Orabug 29806186] Create log folder before any log write or error exit

[0.0.1-1.0.25]

  • Enforce exit on errors

[0.0.1-1.0.24]

  • Dashboard yaml location was moved in Kubernetes 1.12.7

[0.0.1-1.0.23]

  • Detect latest kubernetes version from yum

[0.0.1-1.0.22]

  • Bump up 1.12.7 version for coredns fix

[0.0.1-1.0.21]

  • CVE-2019-9946

[0.0.1-1.0.20]

  • CVE-2019-1002101

[0.0.1-1.0.19]

  • Bump up 1.12.6 version

[0.0.1-1.0.18]

  • Upgrade from 1.9 to 1.12 fails

[0.0.1-1.0.17]

  • Update the Kubernetes version to include the conntrack fix

[0.0.1-1.0.16]

  • CVE-2019-1002100

[0.0.1-1.0.15]

  • CVE-2018-1002105

[0.0.1-1.0.14]

  • Fix kube version for 1.10.5

[0.0.1-1.0.13]

  • Updating 1.10 and 1.11 version for CVE fixes
  • Include flannel and dashboard upgrade

[0.0.1-1.0.12]

  • Upgrade to 1.12.5-2.1.1

[0.0.1-1.0.11]

  • Upgrade to 1.12.5

[0.0.1-1.0.10]

  • Add license info to the script

[0.0.1-1.0.9]

  • Add license file

[0.0.1-1.0.8]

  • Fix the bug on number of CPU checking

[0.0.1-1.0.7]

  • Use install instead of update for a specific 1.12 version

[0.0.1-1.0.6]

  • Upgrade cluster to 1.12.3-* version only

[0.0.1-1.0.5]

  • Add exit handler to gather logs on failure

[0.0.1-1.0.4]

  • Enhance logging and check return code after kubeadm apply
  • Checking CPU and Memory of the system

[0.0.1-1.0.3]

  • Change REPO_PREFIX to use a single repo, increased timeout during cluster health check

[0.0.1-1.0.2]

  • Added comments and fix rpm name

[0.0.1-1.0.1]

  • Upgrade to 1.12.3

Updated packages

Oracle Linux 7 (x86_64)

  • kubeadm 1.12.10-1.0.11.el7
  • kubeadm-ha-setup 0.0.2-1.0.69.el7
  • kubeadm-upgrade 0.0.1-1.0.28.el7
  • kubectl 1.12.10-1.0.11.el7
  • kubelet 1.12.10-1.0.11.el7
