Release v2.5.17
This release concludes support for Rancher 2.5. Please upgrade to a newer version of Rancher for continued support.
It is important to review the Install/Upgrade Notes below before upgrading to any Rancher version.
Rancher v2.5.17 is a security release to address the following issues:
Security Fixes for Rancher Vulnerabilities
This release addresses 04 security issues found in Rancher:
-
Improved authorization logic checks around project role template binding (PRTB) and
-promoted
roles to protect against possible privilege escalation. For more information, see CVE-2022-43759. -
Fixed an issue in Rancher’s Git package that could potentially lead to command injection. For more information, see CVE-2022-43758.
-
Fixed an issue where sensitive fields and credentials like secret tokens, encryption keys, and SSH keys were stored as plaintext on Kubernetes objects. This is a follow-up security fix to address the fields missed in CVE-2021-36782. For more information, see CVE-2022-43757.
-
Fixed an authorization logic flaw that allowed an authenticated user on any downstream cluster to (1) open a shell pod in the Rancher local cluster and (2) have limited kubectl access to the local cluster. For more information, see CVE-2022-21953.
Additionally, the following security related updates were performed in this release to address security issues:
-
Fixed a validation check issue where Rancher generated tokens are not revoked after modifications are made to a configured authentication provider. This issue is only applicable if external authentication providers were configured in Rancher. For more information, see security advisory GHSA-c45c-39f6-6gw9.
-
Updated the version of Rancher’s Fleet chart to
0.3.1000+up0.3.10-security1
to address two security issues inrancher/wrangler
dependency:-
The high severity CVE-2022-31249 that could lead to a command injection vulnerability in Rancher’s Continuous Delivery feature through Fleet’s GitJob pod.
-
The medium severity CVE-2022-43756 that could cause a denial of service (DoS) attack in Fleet’s GitJob pod.
-
-
Updated the version of
crewjam/saml
SAML library to address the critical severity CVE-2022-41912.
For more details, see the Security Advisories and CVEs page in Rancher’s documentation page or in Rancher’s GitHub repo.
Install/Upgrade Notes
If you are installing Rancher for the first time, your environment must fulfill the installation requirements.
Upgrade Requirements
- Creating backups:
- We strongly recommend creating a backup before upgrading Rancher. To roll back Rancher after an upgrade, you must back up and restore Rancher to the previous Rancher version. Because Rancher will be restored to its state when a backup was created, any changes post upgrade will not be included after the restore. For more information, see the documentation on backing up Rancher.
- Helm version:
- Rancher install or upgrade must occur with Helm 3.2.x+ due to the changes with the latest cert-manager release. See #29213.
- Kubernetes version:
- The local Kubernetes cluster for the Rancher server should be upgraded to Kubernetes 1.17+ before installing Rancher 2.5+.
- CNI requirements:
- For Kubernetes v1.19 and newer, we recommend disabling firewalld as it has been found to be incompatible with various CNI plugins. See #28840.
- If upgrading or installing to a Linux distribution that uses nf_tables as the backend packet filter, such as SLES 15, RHEL 8, Ubuntu 20.10, Debian 10, or newer, users should upgrade to RKE1 v1.19.2 or later to get Flannel version v0.13.0 that supports nf_tables. See Flannel #1317.
- For users upgrading from
>=v2.4.4
tov2.5.x
with clusters where ACI CNI is enabled, note that upgrading Rancher will result in automatic cluster reconciliation. This is applicable for Kubernetes versionsv1.17.16-rancher1-1
,v1.17.17-rancher1-1
,v1.17.17-rancher2-1
,v1.18.14-rancher1-1
,v1.18.15-rancher1-1
,v1.18.16-rancher1-1
, andv1.18.17-rancher1-1
. Please refer to the workaround BEFORE upgrading tov2.5.x
. See #32002.
- Requirements for air-gapped environments:
- For installing or upgrading Rancher in an air-gapped environment, please add the flag
--no-hooks
to thehelm template
command to skip rendering files for Helm’s hooks. See #3226. - If using a proxy in front of an air-gapped Rancher, you must pass additional parameters to
NO_PROXY
. See the documentation and #2725.
- For installing or upgrading Rancher in an air-gapped environment, please add the flag
- Cert-manager version requirements:
- Recent changes to cert-manager require an upgrade if you have a high-availability install of Rancher using self-signed certificates. If you are using cert-manager older than v0.9.1, please see the documentation for information on how to upgrade cert-manager.
- Requirements for Docker installs:
- When starting the Rancher Docker container, the privileged flag must be used. See the documentation.
- When installing in an air-gapped environment, you must supply a custom
registries.yaml
file to thedocker run
command as shown in the K3s documentation. If the registry has certs, then you will need to also supply those. See #28969. - When upgrading a Docker installation, a panic may occur in the container, which causes it to restart. After restarting, the container comes up and works as expected. See #33685.
- RKE requirements:
- For users upgrading from
<=v2.4.8 (<= RKE v1.1.6)
tov2.4.12+ (RKE v1.1.13+)
/v2.5.0+ (RKE v1.2.0+)
, please note that Edit and Save cluster (even with no changes or a trivial change like cluster name) will result in cluster reconciliation and upgradingkube-proxy
on all nodes because of a change inkube-proxy
binds. This only happens on the first edit, and later edits shouldn’t affect the cluster. See #32216.
- For users upgrading from
- EKS requirements:
- There was a setting for Rancher versions prior to 2.5.8 that allowed users to configure the length of refresh time in cron format: eks-refresh-cron. That setting is now deprecated and has been migrated to a standard seconds format in a new setting: eks-refresh. If previously set, the migration will happen automatically. See #31789.
- Fleet-agent:
- When upgrading
<=v2.5.7
to>=v2.5.8
, you may notice that in Apps & Marketplace, there is a fleet-agent release stuck at uninstalling. This is caused by migrating fleet-agent release name. It is safe to delete fleet-agent release as it is no longer used, and doing so should not delete the real fleet-agent deployment since it has been migrated. See #362.
- When upgrading
Rancher Behavior Changes
- Upgrades and Rollbacks:
- Rancher supports both upgrade and rollback. Please note the version you would like to upgrade or roll back to change the Rancher version.
- Please be aware when upgrading to v2.3.0+, any edits to a Rancher-launched Kubernetes cluster will cause all system components to restart due to added tolerations to Kubernetes system components. Plan accordingly.
- Recent changes to cert-manager require an upgrade if you have an HA install of Rancher using self-signed certificates. If you are using cert-manager older than v0.9.1, please see the documentation on how to upgrade cert-manager.
- Existing GKE clusters and imported clusters will continue to operate as is. Only new creations and registered clusters will use the new full lifecycle management.
- The process to roll back Rancher has been updated for versions v2.5.0 and above. Refer to the documentation for the new instructions.
- Important:
- When rolling back, we are expecting you to roll back to the state at the time of your upgrade. Any changes post-upgrade would not be reflected.
- The local cluster can no longer be turned off:
- In older Rancher versions, the local cluster could be hidden to restrict admin access to the Rancher server’s local Kubernetes cluster, but that feature has been deprecated. The local Kubernetes cluster can no longer be hidden and all admins will have access to the local cluster. If you would like to restrict permissions to the local cluster, there is a new restricted-admin role that must be used. Access to the local cluster can now be disabled by setting
hide_local_cluster
to true from the v3/settings API. See the documentation and #29325. For more information on upgrading from Rancher with a hidden local cluster, see the documentation.
- In older Rancher versions, the local cluster could be hidden to restrict admin access to the Rancher server’s local Kubernetes cluster, but that feature has been deprecated. The local Kubernetes cluster can no longer be hidden and all admins will have access to the local cluster. If you would like to restrict permissions to the local cluster, there is a new restricted-admin role that must be used. Access to the local cluster can now be disabled by setting
Versions
Please refer to the README for latest and stable versions.
Please review our version documentation for more details on versioning and tagging conventions.
Images
- rancher/rancher:v2.5.17
- rancher/rancher-agent:v2.5.17
Tools
Kubernetes Versions
- 1.20.15 (Default)
- 1.19.16
- 1.18.20
- 1.17.17
Other Notes
Deprecated Features
Feature | Justification |
---|---|
Cluster Manager - Rancher Monitoring | Monitoring in Cluster Manager UI has been replaced with a new monitoring chart available in the Apps & Marketplace in Cluster Explorer. |
Cluster Manager - Rancher Alerts and Notifiers | Alerting and notifiers functionality is now directly integrated with a new monitoring chart available in the Apps & Marketplace in Cluster Explorer. |
Cluster Manager - Rancher Logging | Functionality replaced with a new logging solution using a new logging chart available in the Apps & Marketplace in Cluster Explorer. |
Cluster Manager - MultiCluster Apps | Deploying to multiple clusters is now recommended to be handled with Rancher Continuous Delivery powered by Fleet available in Cluster Explorer. |
Cluster Manager - Kubernetes CIS 1.4 Scanning | Kubernetes CIS 1.5+ benchmark scanning is now replaced with a new scan tool deployed with a cis benchmarks chart available in the Apps & Marketplace in Cluster Explorer. |
Cluster Manager - Rancher Pipelines | Git-based deployment pipelines is now recommend to be handled with Rancher Continuous Delivery powered by Fleet available in Cluster Explorer. |
Cluster Manager - Istio v1.5 | The Istio project has ended support for Istio 1.5 and has recommended all users upgrade. Newer Istio versions are now available as a chart in the Apps & Marketplace in Cluster Explorer. |
Cluster Manager - Provision Kubernetes v1.16 Clusters | We have ended support for Kubernetes v1.16. Cluster Manager no longer provisions new v1.16 clusters. If you already have a v1.16 cluster, it is unaffected. |
Experimental Features
RancherD was introduced as part of Rancher v2.5.4 through v2.5.10 as an experimental feature but is now deprecated. See #33423.
Duplicated Features in Cluster Manager and Cluster Explorer
- Only one version of the feature may be installed at any given time due to potentially conflicting CRDs.
- Each feature should only be managed by the UI that it was deployed from.
- If you have installed a feature in Cluster Manager, you must uninstall it in Cluster Manager before attempting to install the new version in Cluster Explorer dashboard.
Cluster Explorer Feature Caveats and Upgrades
- General:
- Not all new features are currently installable on a hardened cluster.
- New features are expected to be deployed using the Helm 3 CLI and not with the Rancher CLI.
- UI Shell:
- After closing the shell in the Rancher UI, be aware that the corresponding processes remain running indefinitely for each shell in the pod. See #16192.
- Continuous Delivery:
- Restricted admins are not able to create git repos from the Continuous Delivery option under Cluster Explorer; the screen will become stuck in a loading status. See #4909.
- Rancher Backup:
- When migrating to a cluster with the Rancher Backup feature, the server-url cannot be changed to a different location; it must continue to use the same URL.
- Monitoring:
- Monitoring sometimes errors on installation because it can’t identify CRDs. See #29171.
- Istio:
- Be aware that when upgrading from Istio v1.7.4 or earlier to any later version, there may be connectivity issues. See upgrade notes and #31811.
- Starting in v1.8.x, DNS is supported natively. This means that the additional addon component
istioCoreDNS
is deprecated in v1.8.x and is not supported in v1.9x. If you are upgrading from v1.8.x to v1.9.x and you are using theistioCoreDNS
addon, it is recommended that you disable it and switch to the natively supported DNS prior to upgrade. If you upgrade without disabling it, you will need to manually clean up your installation as it will not get removed automatically. See #31761 and #31265. - Istio v1.10 and earlier versions are now End-of-life but are required for the upgrade path in order to not skip a minor version. See #33824.
Cluster Manager Feature Caveats and Upgrades
- GKE:
- EKS & GKE:
- When creating EKS and GKE clusters in Terraform, string fields cannot be set to empty. See #32440.
Known Major Issues
- Kubernetes Cluster Distributions
- RKE:
- Rotating encryption keys with a custom encryption provider is not supported. See #30539.
- After migrating from the in-tree vSphere cloud provider to the out-of-tree cloud provider, attempts to upgrade the cluster will not complete. This is due to nodes containing workloads with bound volumes before the migration failing to drain. Users will observe these nodes stuck in a
draining
state. Follow this workaround to continue with the upgrade. See #35102.
- AKS:
- AKS Kubernetes versions 1.20 and earlier have reached end of life. As Rancher v2.5 does not support Kubernetes greater than 1.20, it is not possible to provision new downstream AKS clusters. See #38406.
- Azure Container Registry-based Helm charts cannot be added in Cluster Explorer but do work in the Apps feature of Cluster Manager. Note that when using a Helm chart repository, the
disableSameOriginCheck
setting controls when credentials are attached to requests. See documentation and #35940 for more information.
- RKE:
- Cluster Tools
- Hardened clusters:
- Not all cluster tools can currently be installed on a hardened cluster.
- Monitoring:
- Deploying Monitoring V2 on a Windows cluster with win_prefix_path set requires users to deploy Rancher Wins Upgrader to restart wins on the hosts to start collecting metrics in Prometheus. See #32535.
- Monitoring V2 fails to scrape ingress-nginx pods on any nodes except for the one Prometheus is deployed on, if the security group used by worker nodes blocks incoming requests to port 10254. The workaround for this issue is to open up port 10254 on all hosts. See #32563.
- Logging:
- Logging (Cluster Explorer): Windows nodeAgents are not deleted when performing Helm upgrade after disabling Windows logging on a Windows cluster. See #32325.
- Istio versions:
- Istio v1.5 is not supported in air-gapped environments. Please note that the Istio project has ended support for Istio v1.5.
- Istio v1.10 support ended on January 7th, 2022.
- Legacy Monitoring:
- In air-gapped setups, the generated
rancher-images.txt
that is used to mirror images on private registries does not contain the images required to run Legacy Monitoring, also called Monitoring V1, which is compatible with Kubernetes 1.15 clusters. If you are running Kubernetes 1.15 clusters in an air-gapped environment, and you want to either install Monitoring V1 or upgrade Monitoring V1 to the latest that is offered by Rancher for Kubernetes 1.15 clusters, you will need to take one of the following actions:- Upgrade the Kubernetes version so that you can use v0.2.x of the Monitoring application Helm chart.
- Manually import the necessary images into your private registry for the Monitoring application to use.
- In air-gapped setups, the generated
- Installation requirements:
- Importing a Kubernetes v1.21 cluster might not work properly and is unsupported.
- Backup and Restore:
- Reinstalling Rancher 2.5.x on the same cluster may fail due to a lingering
rancher.cattle.io.
MutatingWebhookConfiguration object from a previous installation. Manually deleting it will resolve the issue.
- Reinstalling Rancher 2.5.x on the same cluster may fail due to a lingering
- Docker installs:
- Hardened clusters: