Enhancements
This section outlines the new features implemented in the Cluster release 17.4.0, which is introduced in the Container Cloud release 2.29.0. For MOSK enhancements, see MOSK 25.1: New features.
Support for MKE 3.7.19 and MCR 25.0.8
Introduced support for Mirantis Container Runtime (MCR) 25.0.8 and Mirantis Kubernetes Engine (MKE) 3.7.19 that includes Kubernetes 1.27.16.
On existing clusters, MKE and MCR are updated to the latest supported version when you update your managed cluster to the Cluster release 17.4.0.
Improvements in the CIS Benchmark compliance for Ubuntu, MKE, and Docker
Added the following improvements in the CIS Benchmark compliance for Ubuntu, MKE, and Docker:
Introduced new password policies for local (Linux) user accounts. These policies match the rules described in CIS Benchmark compliance checks (executed by the Nessus scanner) for Ubuntu Linux 22.04 LTS v2.0.0 L1 Server, revision 1.1.
The rules are applied automatically to all cluster nodes during cluster update. Therefore, if you use custom Linux accounts protected by passwords, pay attention to the following rules, as you may be forced to change a noncompliant password at login:
Password expiration interval: 365 days
Minimum password length: 14 symbols
Required symbols are capital letters, lower case letters, and digits
At least 2 characters of the new password must not be present in the old password
Maximum identical consecutive characters: 3 (allowed: aaa123, not allowed: aaaa123)
Maximum sequential characters: 3 (allowed: abc1xyz, not allowed: abcd123)
Dictionary check is enabled
You must not reuse an old password
After 3 failed password input attempts, the account is disabled for 15 minutes
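As an added example that is not part of the release notes or of the Mirantis configuration, the following script checks a candidate password against the rules listed above so that custom accounts can be verified before a cluster update forces a change. It assumes an interpretation of "sequential" as adjacent code points rising or falling by one, counts distinct characters for the two-new-characters rule, and uses a constructed stand-in for the system dictionary; the expiry and lockout rules depend on PAM state and are not modelled.

```python
# Added example (not Mirantis code): evaluates a candidate password against the
# local-account rules from the release notes. Rule interpretation is an assumption.
MIN_LENGTH = 14
MAX_REPEAT = 3       # longest allowed run of one identical character (aaa ok, aaaa not)
MAX_SEQUENCE = 3     # longest allowed run of sequential characters (abc ok, abcd not)
MIN_NEW_CHARS = 2    # distinct characters of the new password absent from the old one
# Constructed stand-in for the system word list used by the dictionary check.
DICTIONARY = {"password", "mirantis", "kubernetes", "welcome"}


def longest_identical_run(pw: str) -> int:
    """Length of the longest run of the same character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(pw):
        run = run + 1 if i > 0 and ch == pw[i - 1] else 1
        best = max(best, run)
    return best


def longest_sequence(pw: str) -> int:
    """Longest run whose code points rise or fall by exactly one (abc, 321, CBA)."""
    best = 1 if pw else 0
    for step in (1, -1):
        run = 1
        for prev, cur in zip(pw, pw[1:]):
            run = run + 1 if ord(cur) - ord(prev) == step else 1
            best = max(best, run)
    return best


def check_password(new: str, old: str = "", history: tuple = ()) -> list:
    """Return the names of the rules the candidate violates; an empty list means compliant."""
    failed = []
    if len(new) < MIN_LENGTH:
        failed.append("length")
    if not (any(c.isupper() for c in new) and any(c.islower() for c in new)
            and any(c.isdigit() for c in new)):
        failed.append("classes")
    if len(set(new) - set(old)) < MIN_NEW_CHARS:
        failed.append("difference")
    if longest_identical_run(new) > MAX_REPEAT:
        failed.append("repeat")
    if longest_sequence(new) > MAX_SEQUENCE:
        failed.append("sequence")
    if any(word in new.lower() for word in DICTIONARY):
        failed.append("dictionary")
    if new == old or new in history:
        failed.append("reuse")
    return failed


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3Ninety", "aaaa123Password", "abcd123Xyzw!!!Qq"):
        print(candidate, "->", check_password(candidate) or "compliant")
```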
Analyzed and reached an 87% pass rate in the CIS Benchmark compliance checks (executed by the Nessus scanner) for Ubuntu Linux 22.04 LTS v2.0.0 L1 Server, revision 1.1.
Note
Compliance results can vary between clusters due to configuration-dependent tests, such as server disk partitioning.
If you require a detailed report of analyzed and fixed compliance checks, contact Mirantis support.
Analyzed and fixed the following checks (where possible, to reduce the number of failed components) in the Docker and MKE CIS Benchmark compliance checks:
MKE
Control ID | Description
5.1.3 | Minimize wildcard use in Roles and ClusterRoles: Over permissive access to resource types in Group
5.2.8 | Minimize the admission of containers with added capabilities: Container with ANY capability
5.7.3 | Apply Security Context to Your Pods and Containers: Policies - Defined Pods Security Context
Docker
Control ID | Description
5.26 | Ensure that container health is checked at runtime: No containers without health checks
Note
The control IDs may differ depending on the scanning tool.
Note
Some security scanners may produce false-negative results for some resources because native Docker containers and Kubernetes pods have different configuration mechanisms.