Release v2.4.4 - Addresses Kubernetes Security Announcement

Release v2.4.4

Addressing CVEs

  • Added new Kubernetes versions with updated system images to address the following k8s CVEs [#27369]:
    • CVE-2020-8555: kube-controller-manager SSRF
    • CVE-2020-10749: IPv4 only clusters susceptible to MitM attacks via IPv6 rogue router advertisements
  • Updated Nginx to the latest version [#26957]
  • Docker 19.03.11 is available as part of the Docker install script and addresses Docker CVE-2020-13401 [#27371]


  • Please review the v2.4.0 release notes for important updates/ breaking changes.

  • Users using a single Docker container install - Etcd in the Docker container has been upgraded from 3.3 to 3.4, therefore you must take a backup before upgrading in order to be able to roll back to a v2.3.x release. You will not be able to rollback without this backup.

  • Users using node pools with RHEL/CentOS nodes [#18065]: The default storage driver for RHEL/CentOS nodes has been updated to overlay2. If your node template does not specify a storage driver, any new node will be provisioned using the new updated default (overlay) instead of the old default (devicemapper). If you need to keep using devicemapper as your storage driver option, edit your node template to explicitly set the storage driver as `devicemapper.

  • Users running Windows clusters [#25582] - Windows has launched a security patch as of Feb 11. Before upgrading, please update your nodes to include this security patch, otherwise your upgrade will fail until the patch is applied.

  • Rancher launched clusters require additional 500MB space - By default, Rancher launched clusters have enabled audit logging on the cluster.

  • Rancher launched Kubernetes clusters behavior of upgrades have changed [#23897] - Please refer to the zero downtime upgrades feature to read more about it.


The following versions are now latest and stable:

Type Rancher Version Docker Tag Helm Repo Helm Chart Version
Latest v2.4.4 rancher/rancher:latest server-charts/latest v2.4.4
Stable v2.4.4 rancher/rancher:stable server-charts/stable v2.4.4

Please review our version documentation for more details on versioning and tagging conventions.

Features and Enhancements

Experimental Features

Feature Flags for Experimental Features

We have the ability to turn on and off specific experimental components inside Rancher. You can manage feature flags through our UI. Certain feature flags require a Rancher restart. Alternatively, you can refer to our docs on how to turn on the features when starting Rancher.

Feature Flag Feature Flag Name Default Value Available as of Rancher Restart Required?
Next Gen UI dashboard true v2.4.0 x
New Proxy proxy false v2.4.0
UI for unsupported storage drivers unsupported-storage-drivers false v2.3.0

Major Bugs Fixed Since v2.4.3

  • Fixed an issue where updated Kubernetes versions would not loaded correctly due to a bug in kontainer-driver-metadata [#26752]

Note: This means that the new Kubernetes templates introduced in v2.2.13+ and v2.3.8+ will not work in Rancher v2.4.0-v2.4.3.

Other notes

Air Gap Installations and Upgrades

In v2.4.0, an air gap installation no longer requires mirroring the systems chart git repo. Please follow the directions on how to install Rancher to use the packaged systems chart.

Known Major Issues

  • During a downstream user cluster upgrade, if you have any PodDisruptionBudgets in your cluster, the drain process could get stalled [#26400]
  • When nodes are powered off in the cluster, the metrics server pod and coreDNS pod may not get evicted from the node and needs to be manually deleted until it’s re-scheduled to an active node [#26190, #26191]
  • Logging doesn’t work on imported k3s clusters [#24157]
  • When persistent storage is enabled for monitoring, the latest monitoring 0.1.0 won’t work.[#26969]



  • rancher/rancher:v2.4.4
  • rancher/rancher-agent:v2.4.4



Upgrades and Rollbacks

Rancher supports both upgrade and rollback. Please note the version you would like to upgrade or rollback to change the Rancher version.

Please be aware that upon an upgrade to v2.3.0+, any edits to a Rancher launched Kubernetes cluster will cause all system components to restart due to added tolerations to Kubernetes system components. Plan accordingly.

Recent changes to cert-manager require an upgrade if you have an HA install of Rancher using self-signed certificates. If you are using cert-manager older than v0.9.1, please see the documentation on how to upgrade cert-manager.

Important: When rolling back, we are expecting you to rollback to the state at the time of your upgrade. Any changes post upgrade would not be reflected.