SUSE CaaS Platform 4.5.0 Release Notes

Publication Date: 2020-08-20

SUSE CaaS Platform is an enterprise-ready Kubernetes-based container management solution.

1 About the Release Notes

The most recent version of the Release Notes is available online at https://susedoc.github.io/r/caasp-45-rn

Entries can be listed multiple times if they are important and belong to multiple sections.

Release notes usually only list changes that happened between two subsequent releases. Certain important entries from the release notes documents of previous product versions may be repeated. To make such entries easier to identify, they contain a note to that effect.

2 SUSE CaaS Platform

SUSE CaaS Platform is an enterprise-ready Kubernetes-based container management solution used by application development and DevOps teams to more easily and efficiently deploy and manage containerized applications and services. Enterprises use SUSE CaaS Platform to reduce application delivery cycle times and improve business agility.

3 Supported Platforms

This release supports deployment on:

  • SUSE OpenStack Cloud 8

  • VMware ESXi 6.7

  • KVM

  • Bare Metal x86_64

  • Amazon Web Services (technological preview)

  • Microsoft Azure (technological preview)

(SUSE CaaS Platform 4.5.0 supports hardware that is certified for SLES through the YES certification program. You will find a database of certified hardware at https://www.suse.com/yessearch/.)

4 What Is New in 4.5.0

4.1 Base Operating System Is Now SLES 15 SP2

SUSE CaaS Platform 4 uses standard SLES 15 SP2 as the base platform OS. SUSE CaaS Platform can be installed as an extension on top of that. Because SLES 15 is designed to address both cloud-native and legacy workloads, these changes make it easier for customers who want to modernize their infrastructure by moving existing workloads to a Kubernetes framework.

4.1.1 Changes in the Installation Media

Please pay attention to the change in the installation media of SLES 15 SP2. The Unified Installer and Packages DVDs known from SUSE SLES 15 SP1 are deprecated and have been replaced by Online Installation Media and Full Installation Media. For further details, see this section of the SLES 15 SP2 Release Notes.

For further information on notable changes when going from SLES 15 SP1 to SLES 15 SP2, also refer to the SLES 15 SP2 Release Notes.

4.2 Support disabling routable check in VMware

The VMware Terraform configuration now supports the option wait_for_guest_net_routable, which stops Terraform from waiting for a routable network on VM creation. This is useful to work around an upstream issue in which Terraform hangs waiting for a routable IP even when the VM has one. For more information, check the bug report.

4.3 Changes to the Kubernetes Stack

4.3.1 Updated Kubernetes

SUSE CaaS Platform 4.5.0 comes with Kubernetes 1.18. The new Kubernetes version includes, for example, notable upgrades to kubectl, storage enhancements, Horizontal Pod Autoscaler (HPA) and advanced scheduling. Some of these features have been available in SUSE CaaS Platform for a couple of versions now.

You can find a list of changes directly relevant to SUSE CaaS Platform here: Changes from Kubernetes 1.17 to 1.18

For a more generalized summary, you can view the SUSE blog or see the full version in the official Kubernetes documentation.

4.3.2 cri-o

This release upgrades cri-o to 1.18, which brings support for Kubernetes 1.18. The new version requires some manual steps for the upgrade, because the configuration files have been migrated from sysconfig to /etc/crio/crio.conf.d/. Before upgrading each node, run the following command:

skuba cluster upgrade localconfig

After this you will be able to perform all the skuba commands that you would call normally when upgrading SUSE CaaS Platform.

4.4 Kubernetes Audit Log with rsyslog agent

Starting with this version of SUSE CaaS Platform, the Kubernetes audit log will be forwarded to the centralized logging service using log-agent-rsyslog.

4.5 Required Actions

You must update the CRI-O configuration files on each node before upgrading. Please refer to Section 4.3.2, “cri-o”.

5 Documentation Changes

6 Known Issues

6.1 In the upgrade process, after the restart of CRI-O and kubelet, some pods might not run properly

This can happen when there are multiple instances of a PodSandbox in a "NotReady" state. As a workaround, please make sure to remove any pod in the "NotReady" state using crictl rmp <podid>. Further, it is advisable to drain the node that is being upgraded before actually starting the upgrade procedure.

The upstream fix is https://github.com/cri-o/cri-o/pull/4006 which will be included in the next release.

Reference: https://github.com/SUSE/avant-garde/issues/1808
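The workaround above can be scripted per node. The following is an added example, not part of the original release notes or of SUSE tooling: it assumes crictl is run as root on the node where CRI-O and kubelet were restarted, and the function names are hypothetical. It defaults to a dry run so the list of sandboxes can be reviewed before anything is removed.

```shell
#!/bin/sh
# Added example: remove leftover "NotReady" pod sandboxes after the
# CRI-O/kubelet restart. Function names are illustrative assumptions.

# Print the IDs of all pod sandboxes that CRI-O reports as NotReady,
# one ID per line.
list_notready_sandboxes() {
    crictl pods --state notready --quiet
}

# Remove every NotReady sandbox with "crictl rmp <podid>".
# Without arguments this is a dry run; pass --apply to remove.
# Prints one result line per sandbox. Returns 0 on success,
# 1 if any removal failed, 2 if the sandbox list could not be read.
remove_notready_sandboxes() {
    mode=${1:-}
    failed=0
    ids=$(list_notready_sandboxes) || {
        echo "could not list pod sandboxes" >&2
        return 2
    }
    for id in $ids; do
        if [ "$mode" != "--apply" ]; then
            echo "would-remove $id"
        elif crictl rmp "$id" >/dev/null; then
            echo "removed $id"
        else
            # Keep going so one stuck sandbox does not hide the others.
            echo "failed $id" >&2
            failed=1
        fi
    done
    return "$failed"
}
```

Source the file on the node, call remove_notready_sandboxes to review the list, then call it again with --apply.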

6.2 etcd: CVE-2020-15106 and CVE-2020-15112

Note that the version of etcd shipped with CaaSP 4.5.0 contains two security issues identified as CVE-2020-15106 and CVE-2020-15112.

The etcd endpoints should only be accessible inside the cluster if you have set up the firewall rules / network segmentation, following our suggestions in the admin guide; etcd should only be accessible by k8s nodes (or by trusted nodes). Exploiting this vulnerability requires an attacker to take control of the etcd leader in order to send crafted WAL entries, which means access to the SSL certs or local machine access.

Fixes for these will be provided as a maintenance update.

6.3 envoy: CVE-2020-12605, CVE-2020-8663, CVE-2020-12603 and CVE-2020-12604

Note that the version of envoy shipped with CaaSP 4.5.0 contains security issues identified as CVE-2020-12605, CVE-2020-8663, CVE-2020-12603 and CVE-2020-12604.

These are "Denial of Service" vulnerabilities, and do not expose systems to unauthorized access or data exfiltration. A fix for them will be provided as a maintenance update.

7 Legal Notices

SUSE makes no representations or warranties with regard to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to revise this publication and to make changes to its content, at any time, without the obligation to notify any person or entity of such revisions or changes.

Further, SUSE makes no representations or warranties with regard to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to make changes to any and all parts of SUSE software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classifications to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical/biological weaponry end uses. Refer to https://www.suse.com/company/legal/ for more information on exporting SUSE software. SUSE assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2010-2020 SUSE LLC.

This release notes document is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License (CC-BY-SA-4.0). You should have received a copy of the license along with this document. If not, see https://creativecommons.org/licenses/by-sa/4.0/.

SUSE has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at https://www.suse.com/company/legal/ and one or more additional patents or pending patent applications in the U.S. and other countries.

For SUSE trademarks, see SUSE Trademark and Service Mark list (https://www.suse.com/company/legal/). All third-party trademarks are the property of their respective owners.