This release addresses two security vulnerabilities found in Rancher. The first vulnerability allows users in the Default project of a cluster to escalate privileges to that of a cluster admin through a service account. The second vulnerability allows members to have continued access to create, update, read, and delete namespaces in a project after they have been removed from it. You can view the official CVEs here CVE-2018-20321 and here CVE-2019-6287.
For a more detailed explanation of the CVEs and how we’ve addressed them, you can read our blog article.
With this release, the following versions are now latest and stable:
|Type||Rancher Version||Docker Tag||Helm Repo||Helm Chart Version|
Known Major Issues
The known issues for this release remain unchanged from v2.1.5:
- Clusters created through Rancher can sometimes get stuck in provisioning [#15970] [#15969] [#15695]
- The upgrade for Rancher node-agent daemonset can sometimes get stuck due to pod removal failure on a Kubernetes side [#16722]
Major Bug Fixes since v2.1.5
- Addressed CVE-2018-20321 that allowed users in the Default project of a cluster to escalate privileges to that of a cluster admin through a service account. [#17725]
- Addressed CVE-2019-6287 that allowed members to have continued access to create, update, read, and delete namespaces in a project after they had been removed from it. [#17724, #17244]
NOTE - Image Name Changes: Please note that as of v2.0.0, our images will be rancher/rancher and rancher/rancher-agent. If you are using v1.6, please continue to use rancher/server and rancher/agent.
Upgrades and Rollbacks
IMPORTANT: v2.1.6 specific rollback caveats and instructions
Because the fix for CVE-2018-20321 involves a data migration (deleting a service account and creating it elsewhere), rolling Rancher back from v2.1.6 to a version prior to the patch is more complicated than usual. We have documented the extra steps here. Review these steps prior to upgrading so that you understand their implications.
Standard upgrade and rollback notes:
The following information regarding upgrades and rollbacks remains unchanged from v2.1.5:
Due to the HA improvements introduced in the v2.1.0 release, the Rancher helm chart is the only supported method for installing or upgrading Rancher. Please use the Rancher helm chart to install HA Rancher. For details, see the HA Install - Installation Outline.
If you are currently using the RKE add-on install method, see Migrating from a RKE add-on install for details on how to move to using a helm chart.
Any upgrade from a version prior to v2.0.3, when scaling up workloads, new pods will be created [#14136] - In order to update scheduling rules for workloads [#13527], a new field was added to all workloads on
update, which will cause any pods in workloads from previous versions to re-create.
Note: When rolling back, we are expecting you to rollback to the state at the time of your upgrade. Any changes post upgrade would not be reflected. In the case of rolling back using a Rancher single-node install, you must specify the exact version you want to change the Rancher version to, rather than using the default
Note: If you had the helm stable catalog enabled in v2.0.0, we’ve updated the catalog to start pointing directly to the Kubernetes helm repo instead of an internal repo. Please delete the custom catalog that is now showing up and re-enable the helm stable. [#13582]