SUSE-FU-2020:0089-1: moderate: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
sle-updates at lists.suse.com
sle-updates at lists.suse.com
Mon Jan 13 16:15:59 MST 2020
SUSE Feature Update: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)
______________________________________________________________________________
Announcement ID: SUSE-FU-2020:0089-1
Rating: moderate
References: #1100838 #1118897 #1118898 #1118899 #1143813
#1144065 #1146991 #1147142 #1152861 #1155810
#1156646
Affected Products:
SUSE CaaS Platform 4.0
______________________________________________________________________________
An update that has 11 feature fixes can now be installed.
Description:
= Required Actions
== Skuba and helm update Instructions
Update skuba and helm on your management workstation as you would do with
any othe package.
Refer to:
link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec
-zypper-softup
[WARNING] ==== When running helm-init you may hit a
link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the
certificate validation]:
---- https://kubernetes-charts.storage.googleapis.com is not a valid chart
repository or cannot be reached: Get
https://kubernetes-charts.storage.googleapis.com/index.yaml: x509:
certificate signed by unknown authority
----
In order to fix this, run:
---- sudo update-ca-certificates
----
====
After updating helm to latest version on the management host, you have to
also upgrade the helm-tiller image in the cluster, by running:
---- helm init \
--tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
--service-account tiller --upgrade
----
== Update Your Kubernetes Manifests for Kubernetes 1.16.2:
Some API resources are moved to stable, while others have been moved to
different groups or deprecated.
The following will impact your deployment manifests:
* `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in
`extensions/` (both `v1beta1` and `v1beta2`) is deprecated. Migrate to
`apps/v1` group instead for all those objects. Please note that
`kubectl convert` can help you migrate all the necessary fields.
* `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to
`policy/v1beta1` group for `PodSecurityPolicy`. Please note that
`kubectl convert` can help you migrate all the necessary fields.
* `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to
`networking.k8s.io/v1` group for `NetworkPolicy`. Please note that
`kubectl convert` can help you migrate all the necessary fields.
* `Ingress` in `extensions/v1beta1` is being phased out. Migrate to
`networking.k8s.io/v1beta1` as soon as possible. This new API does not
need to update other API fields and therefore only a path change is
necessary.
* Custom resource definitions have moved from
`apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.
Please also see
https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more
details.
= Documentation Updates
* Switched examples to use SUSE supported helm, Prometheus, nginx-ingress
and Grafana charts and images
*
link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_cust
om_ca_certificate[Added instructions on how to replace {kube}
certificates with custom CA certificate]
*
link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certifi
cate_signed_by_a_trusted_ca_certificate[Added instructions to configure
custom certificates for gangway and dex]
*
link:{docurl}caasp-admin/single-html/_software_management.html#_installing_
tiller[Added instructions for secured Tiller deployment]
* link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about
unique `machine-id` requirement]
* link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added
timezone configuration example for {ay}]
*
link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Au
pdated-desc[Various minor bugfixes and improvements]
= Known issue: skuba upgrade could not parse "Unknown" as version ====
Running "skuba node upgrade plan" might fail with the error "could not
parse "Unknown" as version" when a worker, after running "skuba node
upgrade apply", had not fully started yet.
If you are running into this issue, please add some delay after running
"skuba node upgrade apply" and prior to running "skuba node upgrade plan".
This is tracked in
link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]
Patch Instructions:
To install this SUSE Feature Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE CaaS Platform 4.0:
To install this update, use the SUSE CaaS Platform Velum dashboard.
It will inform you if it detects new updates and let you then trigger
updating of the complete cluster in a controlled way.
Package List:
- SUSE CaaS Platform 4.0 (noarch):
release-notes-caasp-4.1.20191218-4.16.2
skuba-update-1.2.1-3.21.1
- SUSE CaaS Platform 4.0 (x86_64):
caasp-release-4.1.0-24.9.1
conmon-2.0.0-1.7.1
cri-o-1.16.0-3.22.2
cri-o-kubeadm-criconfig-1.16.0-3.22.2
cri-tools-1.16.1-3.7.1
helm-2.16.1-3.7.1
kubernetes-client-1.16.2-4.7.1
kubernetes-common-1.16.2-4.7.1
kubernetes-kubeadm-1.16.2-4.7.1
kubernetes-kubelet-1.16.2-4.7.1
patterns-caasp-Node-1.15-1.16-1.2-3.11.1
patterns-caasp-Node-1.16-1.2-3.11.2
skuba-1.2.1-3.21.1
References:
https://bugzilla.suse.com/1100838
https://bugzilla.suse.com/1118897
https://bugzilla.suse.com/1118898
https://bugzilla.suse.com/1118899
https://bugzilla.suse.com/1143813
https://bugzilla.suse.com/1144065
https://bugzilla.suse.com/1146991
https://bugzilla.suse.com/1147142
https://bugzilla.suse.com/1152861
https://bugzilla.suse.com/1155810
https://bugzilla.suse.com/1156646
More information about the sle-updates
mailing list