3.3.2 (2020-08-10)

Components

Component               Version
---------------------   -------
MKE                     3.3.2
Kubernetes              1.17.9
Calico                  3.12.2
Calico for Windows      3.12.1
Interlock               3.2.0
Interlock NGINX proxy   1.17.10
Istio Ingress           1.4.10

What’s new

  • On Docker Hub, MKE images are now released to ‘mirantis’ instead of ‘docker’.

  • We updated the location of our offline bundles for MKE from https://packages.docker.com/caas/ to https://packages.mirantis.com/caas/ for the following versions of MKE:

    • MKE 3.3.2

    • MKE 3.2.8

    • MKE 3.1.15

    Offline bundles for other previous versions of MKE will remain on the docker domain. You can see the installation links for all supported bundles in the Installation Guide.

  • We updated our version of Kubernetes to 1.17.9.

  • We updated our version of Istio to 1.4.10.

  • Added whitelisting of all MKE repositories (FIELD-2723).

  • Added tracing to Interlock (ENGORC-7565).

Bug fixes

  • We fixed an issue in which Docker Content Trust was randomly failing to verify valid signatures (FIELD-2302).

  • We fixed an issue in which the ucp:3.3.2-tp1 images --list command caused Cannot connect to the Docker daemon errors (ENGORC-7774).

  • The MKE upgrade GUI creates a command string that uses docker image pull mirantis/ucp:..... You should change it to docker image pull mirantis/ucp:…. (ENGORC-7806).

  • We fixed an issue that caused the following ucp-kubelet error when the docker root location (/var/lib/docker) was modified (ENGORC-7671).

    failed to load Kubelet config file
    /var/lib/docker/volumes/ucp-node-certs/_data/kubelet_daemon.conf,
    error failed to read kubelet config file
    "/var/lib/docker/volumes/ucp-node-certs/_data/kubelet_daemon.conf",
    error: open /var/lib/docker/volumes/ucp-node-certs/_data/kubelet_daemon.conf: no such file or directory

  • We fixed an issue that prevented setting istio-policy and istio-telemetry affinity rules on Linux nodes (ENGORC-7682).

  • We updated the container/ps APIs to require admin access (ENGORC-7618).

  • We fixed an issue that prevented users from logging into MKE using Security Assertion Markup Language (SAML) after the root certificate for Active Directory Federation Services (ADFS) had been renewed (ENGORC-7754).

  • We added support for installing MKE on cloud providers using cloud-provider=external (ENGORC-7686).

  • We added a banner to the Istio Ingress configuration page in MKE to encourage users to deploy the full Istio service mesh and related UI technologies from upstream (ENGORC-7755).

  • We fixed an issue that allowed users unlimited login attempts in MKE, MSR, and eNZi (ENGORC-7742).

  • We fixed an issue that prevented the HNS network from starting before starting the kube-proxy on Windows, which prevented kube bringup on the node (ENGORC-7961).

  • We fixed an issue with the MKE user interface for Kubernetes pods that made it look like no data was returned if no vulnerabilities were found, instead of indicating a clean report (ENGORC-7685).

  • We added a warning about affinity and taint rules to the Istio Ingress configuration (ENGORC-7684).

  • We fixed an issue that caused Kubernetes Windows nodes to take too long to come up (ENGORC-7660).

  • Added Interlock configuration validation (ENGORC-7643).

  • When HitlessServiceUpdate is enabled, the config service no longer waits for the proxy service to complete an update, thus reducing the delay between a configuration change being made and taking effect (FIELD-2152).

  • Improved the speed of Interlock API calls (ENGORC-7366).

  • We fixed an issue that caused API path traversal (ENGORC-7744).

  • Using MKE with the AWS Kubernetes cloud provider requires the instance metadata service for Linux nodes. Enabling the metadata service also makes it reachable from Linux workload containers, and it is a best practice to limit that access. You can add an iptables rule that blocks workload containers from reaching the metadata address, and make it persistent by adding it to the docker systemd unit (ENGORC-7620).

    • Create a file /etc/systemd/system/docker.service.d/block-aws-metadata.conf with the following contents:

      # /etc/systemd/system/docker.service.d/block-aws-metadata.conf
      [Service]
      ExecStartPost=/bin/sh -c "iptables -I DOCKER-USER -d 169.254.169.254/32 -j DROP"

    • Reload the systemd configuration (systemctl daemon-reload).

      The iptables rule will now be installed every time MCR starts.

    • Check for the presence of the rule with iptables -nvL DOCKER-USER.
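The procedure above as one script, added here as an example and not part of the release notes or the MKE product: it renders and installs the drop-in, and parses iptables -nvL DOCKER-USER output to confirm the DROP rule is present. The DROPIN variable, the function names and the sample iptables output are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the MKE release notes: render/install the drop-in
# from the procedure above and check `iptables -nvL DOCKER-USER` for the rule.
# DROPIN can be overridden (e.g. to a temp path) for a dry run.

METADATA_IP="169.254.169.254"
DROPIN="${DROPIN:-/etc/systemd/system/docker.service.d/block-aws-metadata.conf}"

# Print the drop-in contents; the rule is the one from the release notes.
render_dropin() {
  printf '%s\n' \
    "# ${DROPIN}" \
    "[Service]" \
    "ExecStartPost=/bin/sh -c \"iptables -I DOCKER-USER -d ${METADATA_IP}/32 -j DROP\""
}

# Write the drop-in and reload systemd (needs root; only run on a real node).
install_dropin() {
  mkdir -p "$(dirname "$DROPIN")"
  render_dropin > "$DROPIN"
  systemctl daemon-reload
}

# Read `iptables -nvL DOCKER-USER` output on stdin; exit 0 only if a DROP rule
# targets the metadata address. With -n, iptables prints a /32 destination as
# the bare address, so the last column is compared against METADATA_IP.
rule_present() {
  awk -v ip="$METADATA_IP" '
    $3 == "DROP" && $NF == ip { found = 1 }
    END { exit found ? 0 : 1 }'
}

# Constructed sample outputs (not captured from a real node) for a self-check.
SAMPLE_BLOCKED='Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            169.254.169.254
 1234 56789 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'
SAMPLE_UNBLOCKED='Chain DOCKER-USER (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1234 56789 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Usage: sh block-aws-metadata.sh install | check
case "${1:-}" in
  install) install_dropin ;;
  check)   iptables -nvL DOCKER-USER | rule_present && echo "rule present" ;;
esac
```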

  • We fixed an issue in which the MKE support dump script checked for the obsolete legacy MSR (1.x) dtr-br bridge network and, when unable to find it, reported an error in dsinfo.txt (FIELD-2670).

  • We fixed an issue in which the Windows node stays in “kubelet not ready” state (ENGORC-7566).

  • We fixed an issue in which all node/edit pages rendered blank when a user logged in as MKE Admin, as a result of attempts to set Kubernetes orchestration mode (ENGORC-2819).

Security

  • We updated our Go engine to address CVE-2020-14040 (ENGORC-7772).

  • We fixed an issue that allowed users unlimited login attempts in MKE, MSR, and eNZi.

  • We fixed an issue that prevented Istio from reporting usage data (ENGORC-7738).

  • We fixed an issue that caused the “docker ps” command to provide the incorrect status (starting) for running containers after sourcing a client bundle. This command now shows the correct (healthy) status value (ENGORC-7721).

  • We fixed an issue that allowed unprivileged user accounts to access plain-text data from backups, including encrypted backups, such as user password hashes, eNZi signing keys, and the Kubernetes service account key, which could enable direct compromise of the MKE cluster (ENGORC-7631).

  • We fixed an issue that allowed users to access containers running in other collections and thereby escalate their privileges throughout the cluster (ENGORC-7595).

  • Fixed an issue that caused API path traversal (ENGORC-7744).