Updated the following middleware component versions to resolve vulnerabilities in MKE:
[MKE-10159] NGINX Ingress Controller 1.8.2
[FIELD-6356] AlertManager 0.26.0
[MKE-10050] CoreDNS 1.11.0
Mirantis has begun an initiative to align MKE with CIS Benchmarks, where pertinent. The following table details the CIS Benchmark resolutions and improvements that are introduced in MKE 3.6.7:
CIS Benchmark type/version
The MKE Dockerfiles were improved and are now exempt from ADD instructions, with only COPY in use.
The permission for /ucp-volume-mounts/ucp-node-certs/controller-manager.conf is now set to 600.
Support for the EventRateLimit admission controller has been added to MKE. By default, the admission controller remains disabled; however, it can be enabled through the TOML configuration, as exemplified below:

    [cluster_config.k8s_event_rate_limit]
    event_rate_limit_ac_enabled = true

    [[cluster_config.k8s_event_rate_limit.limits]]
    limit = "Namespace"
    limit_qps = 1
    limit_burst = 1
    limit_cache_size = 16

    [[cluster_config.k8s_event_rate_limit.limits]]
    limit = "User"
    limit_qps = 1
    limit_burst = 1
    limit_cache_size = 16
MKE does not validate the individual values specified for each limit, except that a default value is applied for limit_cache_size.
Refer to the Kubernetes documentation, Admission Controllers Reference: EventRateLimit. Note that limit types are adhered to strictly, including case match.
Ensure that you validate your configuration on a test cluster before applying it in production, as a misconfigured admission controller can make kube-apiserver unavailable for the cluster.
The --bind-address argument is set to 127.0.0.1 in
The kubelet Client Certificate Authority file ownership is now root:root, changed from its previous
streamingConnectIdleTimeout argument is set explicitly to
make-iptables-util-chains argument is set explicitly to
kubelet_event_record_qps parameter can now be configured in the MKE configuration file, as exemplified below:

    [cluster_config]
    kubelet_event_record_qps = 50
The MKE install process now sets default service accounts in control plane namespaces to specifically not automount service account tokens.
The use of service account tokens is restricted, allowing for mounting only where necessary in MKE system namespaces.
Work was done to minimize the admission of privileged containers.
NET_RAW capability has been removed from all unprivileged system containers.
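The three hardening changes above (no automounted service account tokens in control plane namespaces, fewer privileged containers, NET_RAW dropped from unprivileged system containers) are straightforward to verify on a running cluster from the API objects alone. The following Python script is an added example written for this page, not part of MKE or of its install tooling. It applies the Kubernetes rule that a pod's own automountServiceAccountToken field overrides the ServiceAccount's field, with the token mounted when both are unset, and treats NET_RAW as retained unless it is dropped (by name or via ALL) and not re-added. The ServiceAccount and Pod objects are constructed inline in the shape of the Kubernetes API, reduced to the fields the audit reads; in practice you would load them from `kubectl get serviceaccounts,pods -A -o json`.

```python
# Constructed sample objects (only the fields the audit reads); none of these
# come from an actual MKE cluster.
SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "kube-system", "name": "default"},
     "automountServiceAccountToken": False},          # hardened, as MKE now sets it
    {"metadata": {"namespace": "app", "name": "default"}},  # unset -> token mounted
]

PODS = [
    {"metadata": {"namespace": "kube-system", "name": "dns"},
     "spec": {"serviceAccountName": "default",
              "containers": [{"name": "coredns",
                              "securityContext": {"capabilities": {
                                  "drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"namespace": "kube-system", "name": "agent"},
     "spec": {"serviceAccountName": "default",
              "automountServiceAccountToken": True,   # pod-level override wins
              "containers": [{"name": "agent",
                              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "app", "name": "web"},
     "spec": {"containers": [{"name": "web"}]}},      # no SA named -> "default"
]


def effective_automount(pod, service_accounts):
    """Kubernetes rule: the pod field overrides the ServiceAccount field;
    when both are unset the token is mounted."""
    spec = pod["spec"]
    if "automountServiceAccountToken" in spec:
        return spec["automountServiceAccountToken"]
    ns = pod["metadata"]["namespace"]
    sa_name = spec.get("serviceAccountName", "default")
    for sa in service_accounts:
        if sa["metadata"]["namespace"] == ns and sa["metadata"]["name"] == sa_name:
            return sa.get("automountServiceAccountToken", True)
    return True  # unknown ServiceAccount: assume the default of mounting


def container_findings(container):
    """Return the hardening findings for one container spec."""
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    dropped = {c.upper() for c in caps.get("drop", [])}
    added = {c.upper() for c in caps.get("add", [])}
    findings = []
    if sc.get("privileged"):
        findings.append("privileged")
    # NET_RAW is in the container runtime's default capability set, so it is
    # kept unless dropped (by name or via ALL) and not explicitly re-added.
    if "NET_RAW" in added or not ({"NET_RAW", "ALL"} & dropped):
        findings.append("NET_RAW retained")
    return findings


def audit(pods, service_accounts):
    """Map 'namespace/pod' to its list of findings (empty list = clean)."""
    report = {}
    for pod in pods:
        key = f'{pod["metadata"]["namespace"]}/{pod["metadata"]["name"]}'
        issues = []
        if effective_automount(pod, service_accounts):
            issues.append("service account token automounted")
        for c in pod["spec"]["containers"]:
            issues.extend(f'{c["name"]}: {f}' for f in container_findings(c))
        report[key] = issues
    return report


if __name__ == "__main__":
    for pod_key, issues in audit(PODS, SERVICE_ACCOUNTS).items():
        print(pod_key, "->", issues or "clean")
```

Note that an empty capabilities block is not a clean result: a container that neither drops nor adds anything still holds NET_RAW, which is exactly the case the release note closes for MKE's unprivileged system containers.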