Release v2.2.13 - Addresses Kubernetes Security Announcement

Important notes

Addressing CVEs

  • Added new Kubernetes versions with updated system images to address the following k8s CVEs [#7369]:
    • CVE-2020-8555: kube-controller-manager SSRF
    • CVE-2020-10749: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
  • Updated Nginx to the latest version [#27153]
  • Docker 19.03.11 is available as part of the Docker install script and addresses Docker CVE-2020-13401 [#27371]

Certificate expiry on Rancher provisioned clusters

In Rancher 2.0 and 2.1, the auto-generated certificates for Rancher provisioned clusters expire after 1 year. If you created a Rancher provisioned cluster about 1 year ago, you need to rotate the certificates; otherwise the cluster will go into a bad state when the certificates expire. In Rancher 2.2.x, the rotation can be performed from the Rancher UI; more details are here.
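To find out which certificates are approaching the 1-year expiry before the cluster degrades, a check like the following can be run on a cluster node. This is an added example, not part of the Rancher release notes or tooling; it assumes the `openssl` CLI is installed, and the certificate directory is an operator-supplied argument because the notes do not name a path.

```shell
#!/bin/sh
# Added example: report PEM certificates in a directory that expire within
# a given number of days, so rotation can be scheduled ahead of expiry.
# Usage: certs_expiring_within DIR DAYS
#   DIR  - directory holding the cluster's PEM certificates (operator-supplied)
#   DAYS - warning window in days
# Returns 0 if every certificate outlives the window, 1 otherwise.

certs_expiring_within() {
    dir=$1
    days=$2
    secs=$((days * 86400))
    found=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        # Private keys often share the .pem suffix; skip non-certificates.
        grep -q 'BEGIN CERTIFICATE' "$pem" || continue
        # Only the first certificate in each file is inspected.
        end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
        if [ -z "$end" ]; then
            echo "UNREADABLE $pem"
            found=1
            continue
        fi
        # -checkend exits 0 only if the certificate is still valid
        # $secs seconds from now.
        if openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
            echo "OK     $pem (notAfter=$end)"
        else
            echo "ROTATE $pem (notAfter=$end)"
            found=1
        fi
    done
    return "$found"
}

# Run directly when called with two arguments: DIR DAYS
if [ "$#" -eq 2 ]; then
    certs_expiring_within "$1" "$2"
fi
```

A non-zero exit status makes the function usable from a cron job or monitoring check that alerts when any certificate falls inside the window.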

Additional Steps Required for Air Gap Installations and Upgrades

In v2.2.0, we introduced a “system catalog” for managing micro-services that Rancher deploys for certain features such as Global DNS, Alerts, and Monitoring. These additional steps are documented as part of the air gap installation instructions.

Known Major Issues

  • Cluster alerting and logging can get stuck in the Updating state after upgrading Rancher. Workaround steps are provided in the issue [21480]
  • Certificate rotation for Rancher provisioned clusters will not work for clusters whose certificates expired on Rancher v2.0.13 or earlier on the 2.0.x release line, and 2.1.8 or earlier on the 2.1.x release line. The issue does not occur if the certificates expired on later versions of Rancher. Workaround steps can be found in the comments on [20381]
  • Catalog app revisions are not visible to a regular user; as a result, a regular user is not able to roll back the app [20204]
  • Global DNS entries are not properly updated when a node that was hosting an associated ingress becomes unavailable. A records for the unavailable hosts will remain on the ingress and in the DNS entry [#18932]
  • If you have a Rancher cluster that uses the OpenStack cloud provider with LoadBalancer set, and the cluster was provisioned on version 2.2.3 or earlier, the upgrade to Rancher v2.2.4 or later will fail. Steps to mitigate can be found in the comment on [20699]

Versions

Images

  • rancher/rancher:v2.2.13
  • rancher/rancher-agent:v2.2.13

Tools

System Charts Branch - For air gap installs

  • system charts branch - release-v2.2 - This is the branch used to populate the catalog items required for tools such as monitoring, logging, alerting and global DNS. To be able to use these features in an air gap install, you will need to mirror the system-charts repository to a location in your network that Rancher can reach and configure Rancher to use that repository.

Kubernetes

Upgrades and Rollbacks

Rancher supports both upgrade and rollback starting with v2.0.2. Please note the version you would like to upgrade or roll back to when changing the Rancher version.

Note: When rolling back, we expect you to roll back to the state at the time of your upgrade. Any changes made after the upgrade will not be reflected.