v2.15.13

@kubermatic-bot kubermatic-bot released this 16 Sep 10:06
ed71e80

This is the last planned release for the release/v2.15 branch. Users are encouraged to update at least to 2.16 to receive future updates.

Security

Two vulnerabilities were identified in Kubernetes (CVE-2021-25741 and CVE-2020-8561) of which one (CVE-2021-25741) was fixed in Kubernetes 1.19.15. CVE-2020-8561 is mitigated by Kubermatic not allowing users to reconfigure the kube-apiserver.

Because of these updates, this KKP release includes an automatic update rule for all 1.19 clusters older than 1.19.15. This release also removes all affected Kubernetes versions from the list of supported versions. While CVE-2020-8561 affects the controlplane, CVE-2021-25741 affects the kubelets, which means that updating the controlplane is not enough. Once the automated controlplane updates have completed, an administrator must manually patch all vulnerable MachineDeployments in all affected userclusters.
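To find the MachineDeployments that still need the manual patch described above, the following added example (not part of the KKP release or its tooling) audits the JSON output of `kubectl get machinedeployments -n kube-system -o json` from a usercluster. It assumes the kubelet version is read from `spec.template.spec.versions.kubelet`; the sample data and the names `audit` and `parse_version` are constructed for illustration.

```python
import json
import sys

# Per the release notes, CVE-2021-25741 is fixed in Kubernetes 1.19.15.
FIXED = (1, 19, 15)

# Constructed sample shaped like `kubectl get machinedeployments -n kube-system -o json`.
def _md(name, kubelet):
    return {"metadata": {"namespace": "kube-system", "name": name},
            "spec": {"template": {"spec": {"versions": {"kubelet": kubelet}}}}}

SAMPLE = json.dumps({"items": [
    _md("workers-a", "1.19.9"), _md("workers-b", "1.19.15"),
    _md("workers-c", "v1.19.14"), _md("workers-d", "1.18.20"),
    _md("workers-e", ""),
]})

def parse_version(raw):
    """Return (major, minor, patch) for '1.19.9' or 'v1.19.9', else None."""
    parts = raw.strip().lstrip("v").split(".")
    if len(parts) != 3:
        return None
    try:
        return tuple(int(p) for p in parts)
    except ValueError:
        return None

def audit(doc):
    """Return (namespace, name, kubelet, status) for each MachineDeployment needing action."""
    findings = []
    for item in json.loads(doc).get("items", []):
        meta = item.get("metadata", {})
        spec = item.get("spec", {}).get("template", {}).get("spec", {})
        raw = spec.get("versions", {}).get("kubelet") or ""
        ver = parse_version(raw)
        if ver is not None and ver[:2] == FIXED[:2]:
            if ver >= FIXED:
                continue  # patched 1.19 kubelet, nothing to do
            status = "vulnerable"
        else:
            # Unparseable, or a release line for which the notes give no fixed version.
            status = "review"
        findings.append((meta.get("namespace"), meta.get("name"), raw, status))
    return findings

if __name__ == "__main__":
    # Pipe real kubectl JSON on stdin, or run without input to use the sample.
    doc = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for ns, name, kubelet, status in audit(doc):
        print(f"{status:10} {ns}/{name} kubelet={kubelet or '<unset>'}")
```

Entries marked `review` are not claimed to be vulnerable or safe; the release notes only give a fixed version for the 1.19 line, so those need a manual decision.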

The automatic update rules can, if needed, be overridden using the spec.versions.kubernetes.updates field in the KubermaticConfiguration, or by updating the updates.yaml if using the legacy kubermatic Helm chart. See #7823 for how the versions and updates are configured. It is, however, not recommended to deviate from the default and leave userclusters vulnerable.

Misc

  • Upgrade machine-controller to v1.19.2 (#7164)
  • Fix dashboard source in the Prometheus Exporter dashboard (#7640)