v2.15.13
This is the last planned release for the release/v2.15 branch. Users are encouraged to update at least to 2.16 to receive future updates.
Security
Two vulnerabilities were identified in Kubernetes (CVE-2021-25741 and CVE-2020-8561) of which one (CVE-2021-25741) was fixed in Kubernetes 1.19.15. CVE-2020-8561 is mitigated by Kubermatic not allowing users to reconfigure the kube-apiserver.
Because of these updates, this KKP release includes an automatic update rule for all 1.19 clusters older than 1.19.15. This release also removes all affected Kubernetes versions from the list of supported versions. While CVE-2020-8561 affects the controlplane, CVE-2021-25741 affects the kubelets, which means that updating the controlplane is not enough. Once the automated controlplane updates have completed, an administrator must manually patch all vulnerable MachineDeployments in all affected userclusters.
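To find the MachineDeployments that still need the manual patch, the following added example (not part of KKP or these release notes) flags kubelet versions in the 1.19 range below 1.19.15. It assumes the input is the output of `kubectl get machinedeployments -A -o json` from a usercluster and that the kubelet version is stored at `spec.template.spec.versions.kubelet`; the sample data is constructed.

```python
import json

FIXED = (1, 19, 15)  # first 1.19 release with the CVE-2021-25741 fix, per the notes above

# Constructed sample of `kubectl get machinedeployments -A -o json` output (assumed schema).
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system", "name": "workers-a"},
     "spec": {"template": {"spec": {"versions": {"kubelet": "1.19.9"}}}}},
    {"metadata": {"namespace": "kube-system", "name": "workers-b"},
     "spec": {"template": {"spec": {"versions": {"kubelet": "v1.19.15"}}}}},
    {"metadata": {"namespace": "kube-system", "name": "workers-c"},
     "spec": {"template": {"spec": {"versions": {}}}}},
]})


def parse_version(raw):
    """Return (major, minor, patch), or None if raw is not a plain x.y.z version."""
    parts = raw.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def needs_patch(doc):
    """Split MachineDeployments into (vulnerable, unknown) lists of 'namespace/name: version'."""
    vulnerable, unknown = [], []
    for item in json.loads(doc).get("items", []):
        meta = item.get("metadata", {})
        ref = f"{meta.get('namespace', '?')}/{meta.get('name', '?')}"
        raw = (item.get("spec", {}).get("template", {}).get("spec", {})
               .get("versions", {}).get("kubelet", ""))
        ver = parse_version(raw)
        if ver is None:
            unknown.append(f"{ref}: {raw or '<unset>'}")  # review by hand, do not assume safe
        elif ver[:2] == FIXED[:2] and ver < FIXED:
            vulnerable.append(f"{ref}: {raw}")
    return vulnerable, unknown


if __name__ == "__main__":
    vulnerable, unknown = needs_patch(SAMPLE)
    print("patch these:", vulnerable)
    print("check by hand:", unknown)
```

Entries in the second list have a missing or non-standard version string and should be reviewed manually rather than treated as patched.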
The automatic update rules can, if needed, be overwritten using the spec.versions.kubernetes.updates field in the KubermaticConfiguration or updating the updates.yaml if using the legacy kubermatic Helm chart. See #7823 for how the versions and updates are configured. It is however not recommended to deviate from the default and leave userclusters vulnerable.