Update to kubernetes 1.16, supportconfig update, and helm security fix (CVE-2019-18658)

Announcement ID: SUSE-FU-2020:0089-1
Rating: moderate
Affected Products:
  • SUSE CaaS Platform 4.0
  • SUSE Linux Enterprise Server 15 SP1

An update that has 11 fixes can now be installed.


= Required Actions

== Skuba and helm update Instructions

Update skuba and helm on your management workstation as you would do with any othe package.

Refer to: link:https://documentation.suse.com/sles/15-SP1/single-html/SLES-admin/#sec-zypper-softup


When running helm-init you may hit a link:https://bugzilla.suse.com/show_bug.cgi?id=1159047[known bug on the certificate validation]:

https://kubernetes-charts.storage.googleapis.com is not a valid chart repository or cannot be reached: Get https://kubernetes-charts.storage.googleapis.com/index.yaml: x509: certificate signed by unknown authority

In order to fix this, run:

sudo update-ca-certificates


After updating helm to latest version on the management host, you have to also upgrade the helm-tiller image in the cluster, by running:

helm init \
--tiller-image registry.suse.com/caasp/v4/helm-tiller:2.16.1 \
--service-account tiller --upgrade

== Update Your Kubernetes Manifests for Kubernetes 1.16.2:

Some API resources are moved to stable, while others have been moved to different groups or deprecated.

The following will impact your deployment manifests:

  • DaemonSet, Deployment, StatefulSet, and ReplicaSet in extensions/ (both v1beta1 and v1beta2) is deprecated. Migrate to apps/v1 group instead for all those objects. Please note that kubectl convert can help you migrate all the necessary fields.
  • PodSecurityPolicy in extensions/v1beta1 is deprecated. Migrate to policy/v1beta1 group for PodSecurityPolicy. Please note that kubectl convert can help you migrate all the necessary fields.
  • NetworkPolicy in extensions/v1beta1 is deprecated. Migrate to networking.k8s.io/v1 group for NetworkPolicy. Please note that kubectl convert can help you migrate all the necessary fields.
  • Ingress in extensions/v1beta1 is being phased out. Migrate to networking.k8s.io/v1beta1 as soon as possible. This new API does not need to update other API fields and therefore only a path change is necessary.
  • Custom resource definitions have moved from apiextensions.k8s.io/v1beta1 to apiextensions.k8s.io/v1.

Please also see https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/ for more details.

= Documentation Updates

  • Switched examples to use SUSE supported helm, Prometheus, nginx-ingress and Grafana charts and images
  • link:{docurl}caasp-admin/single-html/_security.html#_deployment_with_a_custom_ca_certificate[Added instructions on how to replace {kube} certificates with custom CA certificate]
  • link:{docurl}caasp-admin/single-html/_security.html#_replace_server_certificate_signed_by_a_trusted_ca_certificate[Added instructions to configure custom certificates for gangway and dex]
  • link:{docurl}caasp-admin/single-html/_software_management.html#_installing_tiller[Added instructions for secured Tiller deployment]
  • link:{docurl}caasp-deployment/single-html/#machine-id[Added notes about unique machine-id requirement]
  • link:{docurl}caasp-deployment/single-html/#_autoyast_preparation[Added timezone configuration example for {ay}]
  • link:https://github.com/SUSE/doc-caasp/pulls?q=is%3Apr+is%3Aclosed+sort%3Aupdated-desc[Various minor bugfixes and improvements]

= Known issue: skuba upgrade could not parse "Unknown" as version ====

Running "skuba node upgrade plan" might fail with the error "could not parse "Unknown" as version" when a worker, after running "skuba node upgrade apply", had not fully started yet.

If you are running into this issue, please add some delay after running "skuba node upgrade apply" and prior to running "skuba node upgrade plan".

This is tracked in link:https://bugzilla.suse.com/show_bug.cgi?id=1159452[bsc#1159452]

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE CaaS Platform 4.0
    To install this update, use the SUSE CaaS Platform 'skuba' tool. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE CaaS Platform 4.0 (x86_64)
    • conmon-2.0.0-1.7.1
    • caasp-release-4.1.0-24.9.1
    • helm-2.16.1-3.7.1
    • kubernetes-client-1.16.2-4.7.1
    • cri-o-1.16.0-3.22.2
    • kubernetes-kubelet-1.16.2-4.7.1
    • cri-o-kubeadm-criconfig-1.16.0-3.22.2
    • patterns-caasp-Node-1.16-1.2-3.11.2
    • skuba-1.2.1-3.21.1
    • patterns-caasp-Node-1.15-1.16-1.2-3.11.1
    • kubernetes-kubeadm-1.16.2-4.7.1
    • kubernetes-common-1.16.2-4.7.1
    • cri-tools-1.16.1-3.7.1
  • SUSE CaaS Platform 4.0 (noarch)
    • release-notes-caasp-4.1.20191218-4.16.2
    • skuba-update-1.2.1-3.21.1