SUSE-FU-2020:0089-1: moderate: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)

sle-updates at lists.suse.com
Mon Jan 13 16:15:59 MST 2020


   SUSE Feature Update: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
______________________________________________________________________________

Announcement ID:    SUSE-FU-2020:0089-1
Rating:             moderate
References:         #1100838 #1118897 #1118898 #1118899 #1143813 
                    #1144065 #1146991 #1147142 #1152861 #1155810 
                    #1156646 
Affected Products:
                    SUSE CaaS Platform 4.0
______________________________________________________________________________

   An update that has 11 feature fixes can now be installed.

Description:

   = Required Actions

   == Skuba and helm update Instructions

   Update skuba and helm on your management workstation as you would do with
   any other package.

   Refer to:
   link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup

   [WARNING]
   ====
   When running `helm init` you may hit a
   link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the
   certificate validation]:

   ----
   https://kubernetes-charts.storage.googleapis.com is not a valid chart
   repository or cannot be reached: Get
   https://kubernetes-charts.storage.googleapis.com/index.yaml: x509:
   certificate signed by unknown authority
   ----

   In order to fix this, run:

   ----
   sudo update-ca-certificates
   ----

   ====


   After updating helm to the latest version on the management host, you also
   have to upgrade the helm-tiller image in the cluster by running:

   ----
   helm init \
       --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
       --service-account tiller --upgrade
   ----


   == Update Your Kubernetes Manifests for Kubernetes 1.16.2:

   Some API resources have been moved to stable, while others have been moved
   to different groups or deprecated.

   The following will impact your deployment manifests:

   *  `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in
      `extensions/` (both `v1beta1` and `v1beta2`) are deprecated.  Migrate to
      the `apps/v1` group instead for all those objects.  Please note that
      `kubectl convert` can help you migrate all the necessary fields.
   *  `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to
      `policy/v1beta1` group for `PodSecurityPolicy`.  Please note that
      `kubectl convert` can help you migrate all the necessary fields.
   *  `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to
      `networking.k8s.io/v1` group for `NetworkPolicy`.  Please note that
      `kubectl convert` can help you migrate all the necessary fields.
   *  `Ingress` in `extensions/v1beta1` is being phased out. Migrate to
      `networking.k8s.io/v1beta1` as soon as possible.  This new API does not
      need to update other API fields and therefore only a path change is
      necessary.
   *  Custom resource definitions have moved from
      `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

   Please also see
   https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more
   details.
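
   A pre-upgrade check for the migrations listed above, as an added example
   (not part of the SUSE advisory or its tooling): it scans a multi-document
   manifest for the deprecated `apiVersion`/`kind` pairs and reports the target
   group. The function names and the sample manifest are constructed for
   illustration, and the parsing is a line-based heuristic, not a full YAML parser.

```python
import re

# (deprecated apiVersion, kind) -> target apiVersion, as listed in the advisory above.
MIGRATIONS = {
    ("extensions/v1beta1", "PodSecurityPolicy"): "policy/v1beta1",
    ("extensions/v1beta1", "NetworkPolicy"): "networking.k8s.io/v1",
    ("extensions/v1beta1", "Ingress"): "networking.k8s.io/v1beta1",
    ("apiextensions.k8s.io/v1beta1", "CustomResourceDefinition"): "apiextensions.k8s.io/v1",
}
MIGRATIONS.update({(f"extensions/{v}", k): "apps/v1" for v in ("v1beta1", "v1beta2")
                   for k in ("DaemonSet", "Deployment", "StatefulSet", "ReplicaSet")})

def _top(key, doc):
    m = re.search(rf"(?m)^{key}:[ \t]*['\"]?([^'\"#\s]+)", doc)  # column-0 keys only
    return m.group(1) if m else None

def _metadata_name(doc):
    # Accept "name:" only at the indent of metadata's first child, so labels.name is skipped.
    block = re.search(r"(?m)^metadata:[ \t]*\n(([ \t]+)\S.*(?:\n[ \t]+.*)*)", doc)
    m = block and re.search(
        rf"(?m)^{re.escape(block.group(2))}name:[ \t]*['\"]?([^'\"#\s]+)", block.group(1))
    return m.group(1) if m else None

def find_deprecated(manifest_text):
    """Return (doc_no, kind, name, old_api, new_api) per object that must migrate."""
    findings = []
    docs = [d for d in re.split(r"(?m)^---[ \t]*$", manifest_text) if d.strip()]
    for doc_no, doc in enumerate(docs, start=1):
        key = (_top("apiVersion", doc), _top("kind", doc))
        if key in MIGRATIONS:
            findings.append((doc_no, key[1], _metadata_name(doc), key[0], MIGRATIONS[key]))
    return findings

# Constructed sample manifest, not taken from the advisory.
SAMPLE = """\
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: web
---
apiVersion: apps/v1
kind: StatefulSet
---
apiVersion: "extensions/v1beta1"
kind: Ingress
metadata:
  labels:
    name: not-this
  name: web-ingress
"""
```

   Calling `find_deprecated(SAMPLE)` flags documents 1 and 3 and leaves the
   `apps/v1` StatefulSet alone.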


   = Documentation Updates

   * Switched examples to use SUSE supported helm, Prometheus, nginx-ingress
     and Grafana charts and images
   * link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added
     instructions on how to replace {kube} certificates with custom CA
     certificate]
   * link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added
     instructions to configure custom certificates for gangway and dex]
   * link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added
     instructions for secured Tiller deployment]
   * link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about
     unique `machine-id` requirement]
   * link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added
     timezone configuration example for {ay}]
   * link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various
     minor bugfixes and improvements]

   = Known issue: skuba upgrade could not parse "Unknown" as version

   Running "skuba node upgrade plan" might fail with the error "could not
   parse "Unknown" as version" when a worker, after running "skuba node
   upgrade apply", has not fully started yet.

   If you are running into this issue, please add some delay after running
   "skuba node upgrade apply" and prior to running "skuba node upgrade plan".

   This is tracked in
   link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]


Patch Instructions:

   To install this SUSE Feature Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - SUSE CaaS Platform 4.0:

      To install this update, use the SUSE CaaS Platform Velum dashboard.
      It will inform you if it detects new updates and let you then trigger
      updating of the complete cluster in a controlled way.



Package List:

   - SUSE CaaS Platform 4.0 (noarch):

      release-notes-caasp-4.1.20191218-4.16.2
      skuba-update-1.2.1-3.21.1

   - SUSE CaaS Platform 4.0 (x86_64):

      caasp-release-4.1.0-24.9.1
      conmon-2.0.0-1.7.1
      cri-o-1.16.0-3.22.2
      cri-o-kubeadm-criconfig-1.16.0-3.22.2
      cri-tools-1.16.1-3.7.1
      helm-2.16.1-3.7.1
      kubernetes-client-1.16.2-4.7.1
      kubernetes-common-1.16.2-4.7.1
      kubernetes-kubeadm-1.16.2-4.7.1
      kubernetes-kubelet-1.16.2-4.7.1
      patterns-caasp-Node-1.15-1.16-1.2-3.11.1
      patterns-caasp-Node-1.16-1.2-3.11.2
      skuba-1.2.1-3.21.1


References:

   https://bugzilla.suse.com/1100838
   https://bugzilla.suse.com/1118897
   https://bugzilla.suse.com/1118898
   https://bugzilla.suse.com/1118899
   https://bugzilla.suse.com/1143813
   https://bugzilla.suse.com/1144065
   https://bugzilla.suse.com/1146991
   https://bugzilla.suse.com/1147142
   https://bugzilla.suse.com/1152861
   https://bugzilla.suse.com/1155810
   https://bugzilla.suse.com/1156646


