diff --git a/CHANGELOG/CHANGELOG-1.25.md b/CHANGELOG/CHANGELOG-1.25.md index 807eaeba3c7..e239bf45514 100644 --- a/CHANGELOG/CHANGELOG-1.25.md +++ b/CHANGELOG/CHANGELOG-1.25.md @@ -1,59 +1,77 @@ -- [v1.25.3](#v1253) - - [Downloads for v1.25.3](#downloads-for-v1253) +- [v1.25.4](#v1254) + - [Downloads for v1.25.4](#downloads-for-v1254) - [Source Code](#source-code) - [Client Binaries](#client-binaries) - [Server Binaries](#server-binaries) - [Node Binaries](#node-binaries) - [Container Images](#container-images) - - [Changelog since v1.25.2](#changelog-since-v1252) + - [Changelog since v1.25.3](#changelog-since-v1253) + - [Important Security Information](#important-security-information) + - [CVE-2022-3294: Node address isn't always verified when proxying](#cve-2022-3294-node-address-isnt-always-verified-when-proxying) - [Changes by Kind](#changes-by-kind) + - [API Change](#api-change) - [Feature](#feature) - [Bug or Regression](#bug-or-regression) - [Dependencies](#dependencies) - [Added](#added) - [Changed](#changed) - [Removed](#removed) -- [v1.25.2](#v1252) - - [Downloads for v1.25.2](#downloads-for-v1252) +- [v1.25.3](#v1253) + - [Downloads for v1.25.3](#downloads-for-v1253) - [Source Code](#source-code-1) - [Client Binaries](#client-binaries-1) - [Server Binaries](#server-binaries-1) - [Node Binaries](#node-binaries-1) - [Container Images](#container-images-1) - - [Changelog since v1.25.1](#changelog-since-v1251) + - [Changelog since v1.25.2](#changelog-since-v1252) - [Changes by Kind](#changes-by-kind-1) + - [Feature](#feature-1) - [Bug or Regression](#bug-or-regression-1) - [Dependencies](#dependencies-1) - [Added](#added-1) - [Changed](#changed-1) - [Removed](#removed-1) -- [v1.25.1](#v1251) - - [Downloads for v1.25.1](#downloads-for-v1251) +- [v1.25.2](#v1252) + - [Downloads for v1.25.2](#downloads-for-v1252) - [Source Code](#source-code-2) - [Client Binaries](#client-binaries-2) - [Server Binaries](#server-binaries-2) - [Node Binaries](#node-binaries-2) - [Container Images](#container-images-2) - - [Changelog since v1.25.0](#changelog-since-v1250) - - [Important Security Information](#important-security-information) - - [CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)](#cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf) + - [Changelog since v1.25.1](#changelog-since-v1251) - [Changes by Kind](#changes-by-kind-2) - - [API Change](#api-change) - - [Feature](#feature-1) - [Bug or Regression](#bug-or-regression-2) - [Dependencies](#dependencies-2) - [Added](#added-2) - [Changed](#changed-2) - [Removed](#removed-2) -- [v1.25.0](#v1250) - - [Downloads for v1.25.0](#downloads-for-v1250) +- [v1.25.1](#v1251) + - [Downloads for v1.25.1](#downloads-for-v1251) - [Source Code](#source-code-3) - [Client Binaries](#client-binaries-3) - [Server Binaries](#server-binaries-3) - [Node Binaries](#node-binaries-3) - [Container Images](#container-images-3) + - [Changelog since v1.25.0](#changelog-since-v1250) + - [Important Security Information](#important-security-information-1) + - [CVE-2022-3172: Aggregated API server can cause clients to be redirected (SSRF)](#cve-2022-3172-aggregated-api-server-can-cause-clients-to-be-redirected-ssrf) + - [Changes by Kind](#changes-by-kind-3) + - [API Change](#api-change-1) + - [Feature](#feature-2) + - [Bug or Regression](#bug-or-regression-3) + - [Dependencies](#dependencies-3) + - [Added](#added-3) + - [Changed](#changed-3) + - [Removed](#removed-3) +- [v1.25.0](#v1250) + - [Downloads for v1.25.0](#downloads-for-v1250) + - [Source Code](#source-code-4) + - [Client Binaries](#client-binaries-4) + - [Server Binaries](#server-binaries-4) + - [Node Binaries](#node-binaries-4) + - [Container Images](#container-images-4) - [Changelog since v1.24.0](#changelog-since-v1240) - [What's New (Major Themes)](#whats-new-major-themes) - [PodSecurityPolicy is Removed, Pod Security Admission graduates to Stable](#podsecuritypolicy-is-removed-pod-security-admission-graduates-to-stable) @@ -74,131 +92,262 @@ - [LocalStorageCapacityIsolationFSQuotaMonitoring ConfigMap rendering failure](#localstoragecapacityisolationfsquotamonitoring-configmap-rendering-failure) - [Urgent Upgrade Notes](#urgent-upgrade-notes) - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade) - - [Changes by Kind](#changes-by-kind-3) + - [Changes by Kind](#changes-by-kind-4) - [Deprecation](#deprecation) - - [API Change](#api-change-1) - - [Feature](#feature-2) + - [API Change](#api-change-2) + - [Feature](#feature-3) - [Documentation](#documentation) - [Failing Test](#failing-test) - - [Bug or Regression](#bug-or-regression-3) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - - [Dependencies](#dependencies-3) - - [Added](#added-3) - - [Changed](#changed-3) - - [Removed](#removed-3) -- [v1.25.0-rc.1](#v1250-rc1) - - [Downloads for v1.25.0-rc.1](#downloads-for-v1250-rc1) - - [Source Code](#source-code-4) - - [Client Binaries](#client-binaries-4) - - [Server Binaries](#server-binaries-4) - - [Node Binaries](#node-binaries-4) - - [Container Images](#container-images-4) - - [Changelog since v1.25.0-rc.0](#changelog-since-v1250-rc0) - - [Changes by Kind](#changes-by-kind-4) - - [Documentation](#documentation-1) - [Bug or Regression](#bug-or-regression-4) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake) - [Dependencies](#dependencies-4) - [Added](#added-4) - [Changed](#changed-4) - [Removed](#removed-4) -- [v1.25.0-rc.0](#v1250-rc0) - - [Downloads for v1.25.0-rc.0](#downloads-for-v1250-rc0) +- [v1.25.0-rc.1](#v1250-rc1) + - [Downloads for v1.25.0-rc.1](#downloads-for-v1250-rc1) - [Source Code](#source-code-5) - [Client Binaries](#client-binaries-5) - [Server Binaries](#server-binaries-5) - [Node Binaries](#node-binaries-5) - [Container Images](#container-images-5) - - [Changelog since v1.25.0-beta.0](#changelog-since-v1250-beta0) + - [Changelog since v1.25.0-rc.0](#changelog-since-v1250-rc0) - [Changes by Kind](#changes-by-kind-5) - - [API Change](#api-change-2) + - [Documentation](#documentation-1) - [Bug or Regression](#bug-or-regression-5) - [Dependencies](#dependencies-5) - [Added](#added-5) - [Changed](#changed-5) - [Removed](#removed-5) -- [v1.25.0-beta.0](#v1250-beta0) - - [Downloads for v1.25.0-beta.0](#downloads-for-v1250-beta0) +- [v1.25.0-rc.0](#v1250-rc0) + - [Downloads for v1.25.0-rc.0](#downloads-for-v1250-rc0) - [Source Code](#source-code-6) - [Client Binaries](#client-binaries-6) - [Server Binaries](#server-binaries-6) - [Node Binaries](#node-binaries-6) - [Container Images](#container-images-6) - - [Changelog since v1.25.0-alpha.3](#changelog-since-v1250-alpha3) - - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) - - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-1) + - [Changelog since v1.25.0-beta.0](#changelog-since-v1250-beta0) - [Changes by Kind](#changes-by-kind-6) - - [Deprecation](#deprecation-1) - [API Change](#api-change-3) - - [Feature](#feature-3) - [Bug or Regression](#bug-or-regression-6) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-6) - [Added](#added-6) - [Changed](#changed-6) - [Removed](#removed-6) -- [v1.25.0-alpha.3](#v1250-alpha3) - - [Downloads for v1.25.0-alpha.3](#downloads-for-v1250-alpha3) +- [v1.25.0-beta.0](#v1250-beta0) + - [Downloads for v1.25.0-beta.0](#downloads-for-v1250-beta0) - [Source Code](#source-code-7) - [Client Binaries](#client-binaries-7) - [Server Binaries](#server-binaries-7) - [Node Binaries](#node-binaries-7) - [Container Images](#container-images-7) - - [Changelog since v1.25.0-alpha.2](#changelog-since-v1250-alpha2) - - [Urgent Upgrade Notes](#urgent-upgrade-notes-2) - - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-2) + - [Changelog since v1.25.0-alpha.3](#changelog-since-v1250-alpha3) + - [Urgent Upgrade Notes](#urgent-upgrade-notes-1) + - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-1) - [Changes by Kind](#changes-by-kind-7) - - [Deprecation](#deprecation-2) + - [Deprecation](#deprecation-1) - [API Change](#api-change-4) - [Feature](#feature-4) - - [Documentation](#documentation-2) - [Bug or Regression](#bug-or-regression-7) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-1) - [Dependencies](#dependencies-7) - [Added](#added-7) - [Changed](#changed-7) - [Removed](#removed-7) -- [v1.25.0-alpha.2](#v1250-alpha2) - - [Downloads for v1.25.0-alpha.2](#downloads-for-v1250-alpha2) +- [v1.25.0-alpha.3](#v1250-alpha3) + - [Downloads for v1.25.0-alpha.3](#downloads-for-v1250-alpha3) - [Source Code](#source-code-8) - [Client Binaries](#client-binaries-8) - [Server Binaries](#server-binaries-8) - [Node Binaries](#node-binaries-8) - [Container Images](#container-images-8) - - [Changelog since v1.25.0-alpha.1](#changelog-since-v1250-alpha1) + - [Changelog since v1.25.0-alpha.2](#changelog-since-v1250-alpha2) + - [Urgent Upgrade Notes](#urgent-upgrade-notes-2) + - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-2) - [Changes by Kind](#changes-by-kind-8) + - [Deprecation](#deprecation-2) - [API Change](#api-change-5) - [Feature](#feature-5) - - [Documentation](#documentation-3) + - [Documentation](#documentation-2) - [Bug or Regression](#bug-or-regression-8) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-2) - [Dependencies](#dependencies-8) - [Added](#added-8) - [Changed](#changed-8) - [Removed](#removed-8) -- [v1.25.0-alpha.1](#v1250-alpha1) - - [Downloads for v1.25.0-alpha.1](#downloads-for-v1250-alpha1) +- [v1.25.0-alpha.2](#v1250-alpha2) + - [Downloads for v1.25.0-alpha.2](#downloads-for-v1250-alpha2) - [Source Code](#source-code-9) - [Client Binaries](#client-binaries-9) - [Server Binaries](#server-binaries-9) - [Node Binaries](#node-binaries-9) - [Container Images](#container-images-9) - - [Changelog since v1.24.0](#changelog-since-v1240-1) - - [Urgent Upgrade Notes](#urgent-upgrade-notes-3) - - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-3) + - [Changelog since v1.25.0-alpha.1](#changelog-since-v1250-alpha1) - [Changes by Kind](#changes-by-kind-9) - - [Deprecation](#deprecation-3) - [API Change](#api-change-6) - [Feature](#feature-6) - - [Failing Test](#failing-test-1) + - [Documentation](#documentation-3) - [Bug or Regression](#bug-or-regression-9) - - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-3) - [Dependencies](#dependencies-9) - [Added](#added-9) - [Changed](#changed-9) - [Removed](#removed-9) +- [v1.25.0-alpha.1](#v1250-alpha1) + - [Downloads for v1.25.0-alpha.1](#downloads-for-v1250-alpha1) + - [Source Code](#source-code-10) + - [Client Binaries](#client-binaries-10) + - [Server Binaries](#server-binaries-10) + - [Node Binaries](#node-binaries-10) + - [Container Images](#container-images-10) + - [Changelog since v1.24.0](#changelog-since-v1240-1) + - [Urgent Upgrade Notes](#urgent-upgrade-notes-3) + - [(No, really, you MUST read this before you upgrade)](#no-really-you-must-read-this-before-you-upgrade-3) + - [Changes by Kind](#changes-by-kind-10) + - [Deprecation](#deprecation-3) + - [API Change](#api-change-7) + - [Feature](#feature-7) + - [Failing Test](#failing-test-1) + - [Bug or Regression](#bug-or-regression-10) + - [Other (Cleanup or Flake)](#other-cleanup-or-flake-4) + - [Dependencies](#dependencies-10) + - [Added](#added-10) + - [Changed](#changed-10) + - [Removed](#removed-10) +# v1.25.4 + + +## Downloads for v1.25.4 + + + +### Source Code + +filename | sha512 hash +-------- | ----------- +[kubernetes.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes.tar.gz) | f227a66d5595caf33d6ad39c0e50af83f425255bea16aa62747e89fa779c0b525708ed0cb2a61c058a0375a206a567210e5a8a7ceb5ca7f494a51e9a37a21cb4 +[kubernetes-src.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-src.tar.gz) | 7a1d64990d122e46c8f6af9fb925e787e9752962749410f8ea67eaad50179feeba35b03bc7b763112b99856f310020682d42913313c0016ac9a6c3c47898e097 + +### Client Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-client-darwin-amd64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-darwin-amd64.tar.gz) | 4085e167f35ebc37f416c7605918301dd332d1e5ad08b38ae81612ff9640bb65b0b6a19cc38bbacef7916c03e373022336e8952574711254c14db15edd5b8ce1 +[kubernetes-client-darwin-arm64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-darwin-arm64.tar.gz) | 267f6015bd4e35ad34cbd6af393dd89b70e636755a4d5620729396e6f822528b9a0b25758347e6ac35bca3ea55e6d51b6555e55b4851f27283c19bb1e6811bd7 +[kubernetes-client-linux-386.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-linux-386.tar.gz) | b8c49112050e0a40bfa36a2484dc1d6df260e6fd093599585ba332b69250738fd8440ad2126011958afaf17030d52cd7babaa2deb1aca4b6545347252be98116 +[kubernetes-client-linux-amd64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-linux-amd64.tar.gz) | 192985a27178078cf7413cfa15aaf69c94420a0bc316f2a7b84bbd190ad66ebe1276ff4604b38aee673f40a1726226428d15a0a5c392c36b47137cb48bfb09d2 +[kubernetes-client-linux-arm.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-linux-arm.tar.gz) | bb0f6a50bfecda86dcdeecbd972cb494e18741d9dafc6abf2b3f556fe042854ae7d1a1043679eefa4c8be2bbb65b36e477b37b8d424f20d88a52b0ba17097252 +[kubernetes-client-linux-arm64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-linux-arm64.tar.gz) | 399541835239922d1280b401fdaa4c7779eceed34f18810992958c3a4176c5f5bef148697e569c5ca9b2d68500003cc8911bdc542ce1e106f10bab552a362a7c +[kubernetes-client-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-linux-ppc64le.tar.gz) | 18d0b65c34cb1ae7010ee5f32d47cd21952bde5f35d4e1e0ebf4cc747ecd14593b39181ea8b384bf3c302d54768b5f0a9573d1a0d8fe397d7fb7ce4770fecb1e +[kubernetes-client-linux-s390x.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-linux-s390x.tar.gz) | f025a5bad0fcee7aea37c213fed3545cbfae79589b28e68ea8504b83269d19eec4c888cfcffc47cd2d85cff6d62b81e8856453a6295a4e151fc31850d013c901 +[kubernetes-client-windows-386.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-windows-386.tar.gz) | 8a96b44b04f24d6cec5876857c56e15dd41020de4448e7aa882574e47e42fca2ba7337e9b60aa997284999a8f9039aa164c50053fe1acd31349babf2055dbca2 +[kubernetes-client-windows-amd64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-windows-amd64.tar.gz) | 22ed2223a5e6ec6f17f357dc0e76691a01396444811f57b905a311a0eeaa785c3026408fbf142bc2a6f3dd318814448feb431485d380b0851dcb2378eff1a34d +[kubernetes-client-windows-arm64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-client-windows-arm64.tar.gz) | b4a3d3f1d0f564db3588abddf8548ec22a9fbc3c1811e8fb0112090bfcefb5120d3a88424f2be2b5dcae5e69482ac2b32734a77253b165c625a5326bf561b745 + +### Server Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-server-linux-amd64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-server-linux-amd64.tar.gz) | fc469119a0ddfc20150ae7956d2c4e63fdb9f1e3478c57339e24cf6c4d1b529c2396a667df7439fa41001d68a1cb8bbca160ee215944d690ad24c6a7d1f2780b +[kubernetes-server-linux-arm.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-server-linux-arm.tar.gz) | 50b6ba72184f3f13c98063ab41c4dbf208e25279be28aacc5a75d956074f03a08508c6098b77f8d9483c480b5e0104ad791ff25889bde7c47049c21842332671 +[kubernetes-server-linux-arm64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-server-linux-arm64.tar.gz) | 058feaf8c3af683ca1ae3ba978cb938c254bfc831452fe345cdddb7d684939e695d6d871a9363f961be85b6f4fc7379ca559edc1175e50bf48baeb0b7df7e7ed +[kubernetes-server-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-server-linux-ppc64le.tar.gz) | a75b2780eb21c8ffae6f374bed0108b626d317b5e66a714b57e7284cd0eefbd3808d76d54e631a18fa7d70cbd9e7e698fa43b9715c31b952372c03737c0279ed +[kubernetes-server-linux-s390x.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-server-linux-s390x.tar.gz) | 1ea2eacdb1c65ffcee5c262c97973ae5de5b5fb1fb1a17e458ad4df0412bbe5bd43a872014178ee0d6642f66f67e276984df4dabb4eac311d3fbee94b1727465 + +### Node Binaries + +filename | sha512 hash +-------- | ----------- +[kubernetes-node-linux-amd64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-node-linux-amd64.tar.gz) | afc91c699aab2e7bf8b6e04dfc2eebbb4daef03855796b47e7540f32b379a61866c22c97511bfefdf34cd271cde10f016bf8985971c207598edeb5b6af1fb7ae +[kubernetes-node-linux-arm.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-node-linux-arm.tar.gz) | 4a8d369d6c049dd8252566f7c92baba93afca8bd2208506132f2e976c3db6dccb8f3df84d23aae5cf7a66dde247b52a96f20bb2c0d2baa9d469dd4ff3f21fdbc +[kubernetes-node-linux-arm64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-node-linux-arm64.tar.gz) | 4bd590fca3f4325f0d4dd535366d5790da7190697f8a5d1ca0e356ceccbc0e77ed315a992260845dc260958358fae41210bf1ba3d5685c5b46096c27d8190311 +[kubernetes-node-linux-ppc64le.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-node-linux-ppc64le.tar.gz) | eeae4448a382ff48884a1c86a7369c028edf6425ab299e0b6f13129f62496d4d50083e5c49e8fae6cf774ca1fe7e73dca554007596757f422e80c666ea629bf5 +[kubernetes-node-linux-s390x.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-node-linux-s390x.tar.gz) | f15b0b5b2ec8db89eb3a1d542ac3270ff74e9a9f1343925588b10a3724cd24e207f5541a8c2a31dfb7a8b18d5875ff1ba56fc0e2b6db3b35f4548ce6ac6dd486 +[kubernetes-node-windows-amd64.tar.gz](https://dl.k8s.io/v1.25.4/kubernetes-node-windows-amd64.tar.gz) | 824257130899bcc1151218fe4ca58b972f270a19900e773da0f28e77f78261bc3995d2416c41ceaf26e4af1a4d8a28c6cee673fdc3f0e165220e23978118d2f6 + +### Container Images + +All container images are available as manifest lists and support the described +architectures. It is also possible to pull a specific architecture directly by +adding the "-$ARCH" suffix to the container image name. + +name | architectures +---- | ------------- +[k8s.gcr.io/conformance:v1.25.4](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance) | [amd64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-amd64), [arm](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-arm), [arm64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-arm64), [ppc64le](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-ppc64le), [s390x](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/conformance-s390x) +[k8s.gcr.io/kube-apiserver:v1.25.4](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver) | [amd64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-amd64), [arm](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-arm), [arm64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-arm64), [ppc64le](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-ppc64le), [s390x](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-apiserver-s390x) +[k8s.gcr.io/kube-controller-manager:v1.25.4](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager) | [amd64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-amd64), [arm](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-arm), [arm64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-arm64), [ppc64le](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-ppc64le), [s390x](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-controller-manager-s390x) +[k8s.gcr.io/kube-proxy:v1.25.4](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy) | [amd64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-amd64), [arm](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-arm), [arm64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-arm64), [ppc64le](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-ppc64le), [s390x](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-proxy-s390x) +[k8s.gcr.io/kube-scheduler:v1.25.4](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler) | [amd64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-amd64), [arm](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-arm), [arm64](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-arm64), [ppc64le](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-ppc64le), [s390x](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/us/kube-scheduler-s390x) + +## Changelog since v1.25.3 + +## Important Security Information + +This release contains changes that address the following vulnerabilities: + +### CVE-2022-3294: Node address isn't always verified when proxying + +A security issue was discovered in Kubernetes where users may have access to secure endpoints in the control plane network. Kubernetes clusters are only affected if an untrusted user can to modify Node objects and send requests proxying through them. + +Kubernetes supports node proxying, which allows clients of kube-apiserver to access endpoints of a Kubelet to establish connections to Pods, retrieve container logs, and more. While Kubernetes already validates the proxying address for Nodes, a bug in kube-apiserver made it possible to bypass this validation. Bypassing this validation could allow authenticated requests destined for Nodes to be redirected to the API Server through its private network. + +The merged fix enforces validation against the proxying address for a Node. In some cases, the fix can break clients that depend on the `nodes/proxy` subresource, specifically if a kubelet advertises a localhost or link-local address to the Kubernetes control plane. Configuring an egress proxy for egress to the cluster network can also mitigate this vulnerability. + +**Affected Versions**: + - kube-apiserver v1.25.0 - v1.25.3 + - kube-apiserver v1.24.0 - v1.24.7 + - kube-apiserver v1.23.0 - v1.23.13 + - kube-apiserver v1.22.0 - v1.22.15 + - kube-apiserver <= v1.21.? + +**Fixed Versions**: + - kube-apiserver v1.25.4 + - kube-apiserver v1.24.8 + - kube-apiserver v1.23.13 + - kube-apiserver v1.22.16 + +This vulnerability was reported by Yuval Avrahami of Palo Alto Networks + + +**CVSS Rating:** Medium (6.6) [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) + +## Changes by Kind + +### API Change + +- Protobuf serialization of metav1.MicroTime timestamps (used in `Lease` and `Event` API objects) has been corrected to truncate to microsecond precision, to match the documented behavior and JSON/YAML serialization. Any existing persisted data is truncated to microsecond when read from etcd. ([#111936](https://github.com/kubernetes/kubernetes/pull/111936), [@haoruan](https://github.com/haoruan)) [SIG API Machinery] + +### Feature + +- Kubernetes is now built with Go 1.19.3 ([#113592](https://github.com/kubernetes/kubernetes/pull/113592), [@xmudrii](https://github.com/xmudrii)) [SIG Release and Testing] + +### Bug or Regression + +- Consider only plugin directory and not entire kubelet root when cleaning up mounts ([#112887](https://github.com/kubernetes/kubernetes/pull/112887), [@mattcary](https://github.com/mattcary)) [SIG Storage] +- Etcd: Update to v3.5.5 ([#112489](https://github.com/kubernetes/kubernetes/pull/112489), [@dims](https://github.com/dims)) [SIG API Machinery, Cloud Provider, Cluster Lifecycle and Testing] +- Fixed a bug where a change in the `appProtocol` for a Service did not trigger a load balancer update. ([#113031](https://github.com/kubernetes/kubernetes/pull/113031), [@MartinForReal](https://github.com/MartinForReal)) [SIG Cloud Provider and Network] +- Kube-apiserver: DELETECOLLECTION API requests are now recorded in metrics with the correct verb. ([#113133](https://github.com/kubernetes/kubernetes/pull/113133), [@sxllwx](https://github.com/sxllwx)) [SIG API Machinery] +- Kube-apiserver: bugfix DeleteCollection API fails if request body is non-empty ([#113286](https://github.com/kubernetes/kubernetes/pull/113286), [@sxllwx](https://github.com/sxllwx)) [SIG API Machinery] +- Kube-proxy, will restart in case it detects that the Node assigned pod.Spec.PodCIDRs have changed ([#113247](https://github.com/kubernetes/kubernetes/pull/113247), [@code-elinka](https://github.com/code-elinka)) [SIG Cloud Provider, Network and Storage] +- Kubelet: fix GetAllocatableCPUs method in cpumanager ([#113420](https://github.com/kubernetes/kubernetes/pull/113420), [@Garrybest](https://github.com/Garrybest)) [SIG Node] +- Pod logs using --timestamps are not broken up with timestamps anymore. ([#113515](https://github.com/kubernetes/kubernetes/pull/113515), [@rphillips](https://github.com/rphillips)) [SIG Node] + +## Dependencies + +### Added +_Nothing has changed._ + +### Changed +_Nothing has changed._ + +### Removed +_Nothing has changed._ + + + # v1.25.3