Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)

SUSE Feature Update: Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)

---

Announcement ID:	SUSE-FU-2020:0089-1
Rating:	moderate
References:	#1100838 #1118897 #1118898 #1118899 #1143813 #1144065 #1146991 #1147142 #1152861 #1155810 #1156646
Affected Products:	SUSE CaaS Platform 4.0

---

An update that has 11 feature fixes can now be installed.

Description:

= Required Actions
== Skuba and helm update Instructions
Update skuba and helm on your management workstation as you would do with any othe package.
Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec -zypper-softup
[WARNING] ==== When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:
---- https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority ----
In order to fix this, run:
---- sudo update-ca-certificates ----
====

After updating helm to latest version on the management host, you have to also upgrade the helm-tiller image in the cluster, by running:
---- helm init \ --tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \ --service-account tiller --upgrade ----

== Update Your Kubernetes Manifests for Kubernetes 1.16.2:
Some API resources are moved to stable, while others have been moved to different groups or deprecated.
The following will impact your deployment manifests:

• `DaemonSet`, `Deployment`, `StatefulSet`, and `ReplicaSet` in `extensions/` (both `v1beta1` and `v1beta2`) is deprecated. Migrate to `apps/v1` group instead for all those objects. Please note that `kubectl convert` can help you migrate all the necessary fields.
• `PodSecurityPolicy` in `extensions/v1beta1` is deprecated. Migrate to `policy/v1beta1` group for `PodSecurityPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
• `NetworkPolicy` in `extensions/v1beta1` is deprecated. Migrate to `networking.k8s.io/v1` group for `NetworkPolicy`. Please note that `kubectl convert` can help you migrate all the necessary fields.
• `Ingress` in `extensions/v1beta1` is being phased out. Migrate to `networking.k8s.io/v1beta1` as soon as possible. This new API does not need to update other API fields and therefore only a path change is necessary.
• Custom resource definitions have moved from `apiextensions.k8s.io/v1beta1` to `apiextensions.k8s.io/v1`.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

= Documentation Updates

• Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images *

link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_cust om_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate] * link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certifi cate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex] * link:{docurl}caasp-admin/single-html/_software_management.html#_installing_ tiller[Added instructions for secured Tiller deployment]

link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique `machine-id` requirement]

link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}] *

link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Au pdated-desc[Various minor bugfixes and improvements]
= Known issue: skuba upgrade could not parse "Unknown" as version ====
Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet.
If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".
This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

Patch Instructions:

To install this SUSE Feature Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE CaaS Platform 4.0:
  To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

• SUSE CaaS Platform 4.0 (noarch):
  • release-notes-caasp-4.1.20191218-4.16.2
  • skuba-update-1.2.1-3.21.1
• SUSE CaaS Platform 4.0 (x86_64):
  • caasp-release-4.1.0-24.9.1
  • conmon-2.0.0-1.7.1
  • cri-o-1.16.0-3.22.2
  • cri-o-kubeadm-criconfig-1.16.0-3.22.2
  • cri-tools-1.16.1-3.7.1
  • helm-2.16.1-3.7.1
  • kubernetes-client-1.16.2-4.7.1
  • kubernetes-common-1.16.2-4.7.1
  • kubernetes-kubeadm-1.16.2-4.7.1
  • kubernetes-kubelet-1.16.2-4.7.1
  • patterns-caasp-Node-1.15-1.16-1.2-3.11.1
  • patterns-caasp-Node-1.16-1.2-3.11.2
  • skuba-1.2.1-3.21.1

References:

• https://bugzilla.suse.com/1100838
• https://bugzilla.suse.com/1118897
• https://bugzilla.suse.com/1118898
• https://bugzilla.suse.com/1118899
• https://bugzilla.suse.com/1143813
• https://bugzilla.suse.com/1144065
• https://bugzilla.suse.com/1146991
• https://bugzilla.suse.com/1147142
• https://bugzilla.suse.com/1152861
• https://bugzilla.suse.com/1155810
• https://bugzilla.suse.com/1156646