Security update for cri-o and kubernetes packages

SUSE Security Update: Security update for cri-o and kubernetes packages
Announcement ID: SUSE-SU-2018:4020-1
Rating: important
References: #1084765 #1095131 #1108195 #1111341 #1112967 #1112980 #1114645 #1116933 #1118198
Cross-References: CVE-2016-8859 CVE-2018-1002105
Affected Products:
  • SUSE CaaS Platform 3.0

An update that solves two vulnerabilities and has 7 fixes is now available.

Description:

This update provide fixes for kubernetes, kubernetes-salt, cri-o, and caasp-container-manifests:

  • VUL-0: kubernetes: proxy request handling in kube-apiserver can leave vulnerable TCP connections (bsc#1118198)
  • Error in Velum when applying the k8s 1.10.8 on CRI-O cluster (bsc#1116933)
  • Update regexp for SUSE images (bsc#1111341)
  • Require kubernetes-kubelet for kubeadm (bsc#1084765)
  • Move deprecated flags to kubelet config.yaml (bsc#1114645)
  • Update to k8s 1.10.x (bsc#1114645)
  • Fix kubelet failing to get device for dir "/var/lib/kubelet (bsc#1095131)
  • Set NOFILE and NPROC limit to 1048576 to align with Docker/containerd and the upstream unit file. (bsc#1112980)
  • Update cluster-proportional-autoscaler-amd64 in typha addon to w/ fix for (CVE-2016-8859)
  • Add a whitelist for returned events so we only save events that we care about (bsc#1112967)
  • Aggregation layer needs configuration (bsc#1108195)

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • SUSE CaaS Platform 3.0:
    To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.

Package List:

  • SUSE CaaS Platform 3.0 (noarch):
    • caasp-container-manifests-3.0.0+git_r291_33f7b2d-3.6.3
    • kubernetes-salt-3.0.0+git_r888_7af7095-3.33.2
  • SUSE CaaS Platform 3.0 (x86_64):
    • cri-o-1.10.6-4.8.5
    • cri-tools-1.0.0beta2-3.3.3
    • kubernetes-client-1.10.11-4.8.2
    • kubernetes-common-1.10.11-4.8.2
    • kubernetes-kubelet-1.10.11-4.8.2
    • kubernetes-master-1.10.11-4.8.2
    • kubernetes-node-1.10.11-4.8.2

References: