Security information
Updated the following middleware component versions to resolve vulnerabilities in MKE:
[MKE-10159] NGINX Ingress Controller 1.8.2
[FIELD-6356] AlertManager 0.26.0
[MKE-10050] CoreDNS 1.11.0
Mirantis has begun an initiative to align MKE with CIS Benchmarks, where pertinent. The following entries detail the CIS Benchmark resolutions and improvements introduced in MKE 3.7.1. Each entry gives the CIS Benchmark type/version, the recommendation designation, and the ticket, followed by the resolution/improvement.

Docker 1.6, recommendation 4.9 (MKE-9960)
The MKE Dockerfiles have been improved and no longer contain ADD instructions; only COPY is used.
Kubernetes 1.7, recommendation 1.1.17 (MKE-9906)
The permissions on /ucp-volume-mounts/ucp-node-certs/controller-manager.conf are now set to 600.

Kubernetes 1.7, recommendation 1.2.9 (MKE-10149)
Support for the EventRateLimit admission controller has been added to MKE. The admission controller remains disabled by default; it can be enabled through the MKE TOML configuration, for example:

    [cluster_config.k8s_event_rate_limit]
    event_rate_limit_ac_enabled = true

    [[cluster_config.k8s_event_rate_limit.limits]]
    limit = "Namespace"
    limit_qps = 1
    limit_burst = 1
    limit_cache_size = 16

    [[cluster_config.k8s_event_rate_limit.limits]]
    limit = "User"
    limit_qps = 1
    limit_burst = 1
    limit_cache_size = 16

MKE does not validate the values given for the individual limits, except that limit_cache_size defaults to 4096 when no value is provided. Refer to the Kubernetes documentation, Admission Controllers Reference: EventRateLimit, for the available limit types and their semantics. Note that limit types are matched strictly, including case (for example, "Namespace", not "namespace").

Important
Validate your configuration on a test cluster before applying it in production, as a misconfigured admission controller can make kube-apiserver unavailable for the cluster.

Kubernetes 1.7, recommendation 1.3.7 (MKE-9904)
The --bind-address argument is set to 127.0.0.1 in ucp-kube-controllermanager.

Kubernetes 1.7, recommendation 4.1.8 (MKE-10011, MKE-9917)
The kubelet client certificate authority file is now owned by root:root, changed from its previous nobody:nogroup ownership.

Kubernetes 1.7, recommendation 4.2.5 (MKE-9913)
The kubelet streamingConnectionIdleTimeout argument is set explicitly to 4h.

Kubernetes 1.7, recommendation 4.2.6 (MKE-9914)
The kubelet make-iptables-util-chains argument is set explicitly to true.

Kubernetes 1.7, recommendation 4.2.8 (MKE-10006)
The kubelet_event_record_qps parameter can now be configured in the MKE configuration file, for example:

    [cluster_config]
    kubelet_event_record_qps = 50
Kubernetes 1.7, recommendation 5.1.5 (MKE-10005)
The MKE install process now sets the default service accounts in the control plane namespaces to not automount service account tokens.

Kubernetes 1.7, recommendation 5.1.6 (MKE-9921)
The use of service account tokens is restricted: tokens are mounted only where necessary in the MKE system namespaces.

Kubernetes 1.7, recommendation 5.2.2 (MKE-9923)
The admission of privileged containers has been minimized.

Kubernetes 1.7, recommendation 5.2.8 (MKE-9924)
The NET_RAW capability has been removed from all unprivileged system containers.
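The 5.1.5, 5.1.6, 5.2.2 and 5.2.8 entries above describe settings you can verify yourself on a cluster. The following is an added example, not MKE's own tooling: it audits the JSON that `kubectl get sa,pods -A -o json` produces and reports default service accounts that still automount tokens (5.1.5), pods that end up with a token mounted (5.1.6, taking the pod-level override and the service account setting into account), privileged containers (5.2.2), and unprivileged containers that add NET_RAW or do not drop it (5.2.8). The rule numbers are the CIS Kubernetes Benchmark designations from the entries above; the sample object list is constructed, not captured from an MKE cluster.

```python
"""Audit kubectl JSON output for the CIS 5.x settings listed above (added example)."""
import json

# Constructed sample in the shape of `kubectl get sa,pods -A -o json` (a v1 List).
SAMPLE = json.dumps({
    "kind": "List", "apiVersion": "v1",
    "items": [
        {"kind": "ServiceAccount", "apiVersion": "v1",
         "metadata": {"name": "default", "namespace": "kube-system"},
         "automountServiceAccountToken": False},
        {"kind": "ServiceAccount", "apiVersion": "v1",
         "metadata": {"name": "default", "namespace": "team-a"}},  # unset: mounts
        {"kind": "Pod", "apiVersion": "v1",
         "metadata": {"name": "ok", "namespace": "kube-system"},
         "spec": {"automountServiceAccountToken": False,
                  "containers": [{"name": "c", "image": "img",
                                  "securityContext": {"capabilities": {"drop": ["ALL"]}}}]}},
        {"kind": "Pod", "apiVersion": "v1",
         "metadata": {"name": "bad", "namespace": "team-a"},
         "spec": {"containers": [
             {"name": "priv", "image": "img", "securityContext": {"privileged": True}},
             {"name": "raw", "image": "img",
              "securityContext": {"capabilities": {"add": ["NET_RAW"]}}},
             {"name": "plain", "image": "img"}]}},
    ],
})


def _sa_index(items: list) -> dict:
    """Map namespace/name -> automountServiceAccountToken (None when unset)."""
    return {f"{i['metadata']['namespace']}/{i['metadata']['name']}":
            i.get("automountServiceAccountToken")
            for i in items if i.get("kind") == "ServiceAccount"}


def token_mounted(pod: dict, sa_index: dict) -> bool:
    """True when a service account token ends up mounted into the pod."""
    spec = pod["spec"]
    explicit = spec.get("automountServiceAccountToken")
    if explicit is not None:
        return explicit  # the pod-level setting overrides the service account
    sa = f"{pod['metadata']['namespace']}/{spec.get('serviceAccountName', 'default')}"
    return sa_index.get(sa) is not False  # unset on both sides means mounted


def audit(kubectl_json: str) -> list:
    """Return sorted (rule, namespace, name, message) findings."""
    items = json.loads(kubectl_json)["items"]
    sa_index = _sa_index(items)
    findings = []
    for obj in items:
        ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
        kind = obj.get("kind")
        if kind == "ServiceAccount" and name == "default":
            if obj.get("automountServiceAccountToken") is not False:
                findings.append(("5.1.5", ns, name, "default service account automounts tokens"))
        elif kind == "Pod":
            spec = obj["spec"]
            if token_mounted(obj, sa_index):
                findings.append(("5.1.6", ns, name, "pod mounts a service account token"))
            for c in spec.get("initContainers", []) + spec.get("containers", []):
                sc = c.get("securityContext") or {}
                caps = sc.get("capabilities") or {}
                if sc.get("privileged"):
                    findings.append(("5.2.2", ns, name, f"container {c['name']} is privileged"))
                    continue  # privileged already grants everything; NET_RAW check is moot
                # The runtime default capability set has historically included NET_RAW,
                # so require an explicit drop of NET_RAW (or ALL) and no explicit add.
                dropped = {"NET_RAW", "ALL"} & set(caps.get("drop", []))
                if "NET_RAW" in caps.get("add", []) or not dropped:
                    findings.append(("5.2.8", ns, name, f"container {c['name']} retains NET_RAW"))
    return sorted(findings)


if __name__ == "__main__":
    for rule, ns, name, msg in audit(SAMPLE):
        print(f"[{rule}] {ns}/{name}: {msg}")
```

On a live cluster, pipe `kubectl get sa,pods -A -o json` into `audit`; expect the MKE system namespaces to come back clean for 5.1.5 and 5.2.8 after the upgrade, and treat any remaining 5.2.2 finding as something to justify explicitly.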