#3198 Request to update Kubernetes version in Fedora 38
Closed: Rejected 17 hours ago by mhayden. Opened 13 days ago by buckaroogeek.

Fedora 38 was released with Kubernetes v1.26 which has now reached end-of-life. I propose replacing v1.26 with v1.27 due to a security fix described below.

The upstream Kubernetes team released an update today (2024.04.16) for all supported releases. These releases resolve CVE-2024-3177: Bypassing mountable secrets policy imposed by the ServiceAccount admission plugin. The CVSS rating for this CVE is Low (2.7).

A thorough overview of this security fix can be found at https://groups.google.com/g/kubernetes-security-announce/c/JxjHf7fkVd8/m/oVCzypyOAQAJ.

If approved I will announce the change on the develop list, and create a short community blog post.


FESCo members, please vote.

-1

I think we should advise people to upgrade to F39 or F40 instead. Fedora 38 has only a month of life left in it; I don't think it makes sense to do a major upgrade of Kubernetes for a nearly end-of-life release. If it was a more severe CVE, I might have a different opinion, but this doesn't seem like it's worth the effort.


I am on the fence, but wanted to raise the option. I also maintain a COPR repository where any user needing v1.27 on F38 can go if need be. The upstream community also maintains rpms as another option.

One aspect to Kubernetes upgrades is that skipping minor versions is not supported by the upstream community. That is, if your cluster is using v1.26 and you want to rehost on v1.28 then you are supposed to upgrade to v1.27 as an intermediate step.

I will submit a community blog post on forthcoming kubernetes changes and include a note on F38 support and options for users.

-1, I agree with @sgallagh's reasoning.

This will be discussed at the FESCo meeting today at 19:00 UTC in #meeting:fedoraproject.org on Matrix.

Metadata Update from @sgallagh:
- Issue tagged with: meeting

a day ago

We discussed this in today's FESCo meeting and agreed that the kubernetes version in Fedora 38 should be kept at 1.26.

AGREED: Leave the kubernetes version at 1.26 in #3198 for F38 (+7, 0, -0) (@mhayden:fedora.im, 19:11:42)

Metadata Update from @mhayden:
- Issue close_status updated to: Rejected
- Issue status updated to: Closed (was: Open)

17 hours ago

Metadata Update from @mhayden:
- Issue untagged with: meeting

17 hours ago

Very good. Thanks for the review. Peter Hunt will also be glad to not update cri-o and cri-tools which need to be in sync with Kubernetes at the minor version level.
