Rancher Release v2.4.16 - Addresses CVE-2021-31999, CVE-2021-25318, and CVE-2021-25320

Release v2.4.16

Changes in this Release

Security Fixes for Rancher Vulnerabilities

This release addresses security issues found in Rancher:

  • Prevented privilege escalation via malicious “Connection” header #33588 Fixes CVE-2021-31999.
  • An unprivileged user can no longer use another user’s cloud credential for API requests to a cloud provider. Fixes CVE-2021-25320. #33589
  • Used apiGroups instead of “*” when creating Kubernetes RBAC resources for apps to avoid granting permissions to all app CRDs that exist in the cluster. Fixes CVE-2021-25318. #33590

For more details, see the security advisories page.

Additional Security Fixes

  • Updated minio-go, removed dependency on etcd, and updated rancherd RKE2 version to v1.20.7+rke2r2 #33003
  • Processes no longer panic upon receipt of malicious protobuf messages. Fixes CVE-2021-3121. #32944

Bug Fixes

  • vSphere vCenter server entries are removed properly. #33510

Important Notes

  • Kubernetes 1.18 is now the default version [#25117] - Kubernetes 1.18 is now the default version. Whenever upgrading to any Kubernetes version, please review the Kubernetes release notes for any breaking changes.
  • Users using a single Docker container install - Etcd in the Docker container has been upgraded from 3.3 to 3.4, therefore you must take a backup before upgrading in order to be able to roll back to a v2.3.x release. You will not be able to rollback without this backup.

  • Users using node pools with RHEL/CentOS nodes [#18065]: The default storage driver for RHEL/CentOS nodes has been updated to overlay2. If your node template does not specify a storage driver, any new node will be provisioned using the new updated default (overlay) instead of the old default (devicemapper). If you need to keep using devicemapper as your storage driver option, edit your node template to explicitly set the storage driver as devicemapper.

  • Users running Windows clusters [#25582] - Windows has launched a security patch as of Feb 11. Before upgrading, please update your nodes to include this security patch, otherwise your upgrade will fail until the patch is applied.

  • Rancher launched clusters require additional 500MB space - By default, Rancher launched clusters have enabled audit logging on the cluster.

  • Rancher launched Kubernetes clusters behavior of upgrades have changed [#23897] - Worker nodes are now upgraded in batches. Please refer to the RKE documentation about how to upgrade clusters without downtime for applications.

  • Restrict Kubernetes versions in Rancher helm chart to versions less than 1.20.0 [#30746] - This restriction was added to prevent Rancher from being installed on incompatible versions of Kubernetes.

Versions

Please refer to the README for latest and stable versions.

Please review our version documentation for more details on versioning and tagging conventions.

Air Gap Installations and Upgrades

In v2.4.0, an air gap installation no longer requires mirroring the systems chart git repo. Please follow the directions on how to install Rancher to use the packaged systems chart.

Known Major Issues

  • When using monitoring with persistent storage for Grafana enabled, upgrading monitoring causes the pod to fail to start. Workaround steps are provided in the issue. [#27450]
  • When using monitoring, upgrading Kubernetes versions removes the “API Server Request Rate” metric [#27267]
  • When a new chart version is added to a helm 3 catalog, the upgrade process can default to helm 2, causing an api error. Workaround in issue. [27252]

Versions

Images

  • rancher/rancher:v2.4.16
  • rancher/rancher-agent:v2.4.16

Tools

Kubernetes Versions

  • 1.18.20 (Default)
  • 1.17.17
  • 1.16.15
  • 1.15.12

Upgrades and Rollbacks

Rancher supports both upgrade and rollback. Please note the version you would like to upgrade or rollback to change the Rancher version.

Please be aware that upon an upgrade to v2.3.0+, any edits to a Rancher launched Kubernetes cluster will cause all system components to restart due to added tolerations to Kubernetes system components. Plan accordingly.

Recent changes to cert-manager require an upgrade if you have an HA install of Rancher using self-signed certificates. If you are using cert-manager older than v0.9.1, please see the documentation on how to upgrade cert-manager.

Important: When rolling back, we are expecting you to rollback to the state at the time of your upgrade. Any changes post upgrade would not be reflected.