From ca844ec6b363a63b081ea5823ac3b213e6266b09 Mon Sep 17 00:00:00 2001 From: isabelmsft <67024108+isabelmsft@users.noreply.github.com> Date: Fri, 24 Jul 2020 12:14:24 -0500 Subject: [PATCH] Update Kubernetes and kubernetes-cni versions (#5024) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR updates kubernetes version to 1.18.6 and kubernetes-cni version to 0.8.6 signed-off by: Isabel Li isabel.li@microsoft.com Why I did it Previous kubernetes-cni version (0.7.5) introduced Kubernetes Man In The Middle Vulnerability. “A vulnerability was found in all versions of containernetworking/plugins before version 0.8.6, that allows malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks. A malicious container can exploit this flaw by sending rogue IPv6 router advertisements to the host or other containers, to redirect traffic to the malicious container.” How I did it Defined kubernetes-cni version to be 0.8.6 and updated kubernetes version to be 1.18.6 How to verify it Check versions by running dpkg -l | grep kube
---
 Makefile.work | 1 +
 build_debian.sh | 11 +++--------
 rules/config | 3 ++-
 3 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/Makefile.work b/Makefile.work
index 14c433e4f5..2f0e950416 100644
--- a/Makefile.work
+++ b/Makefile.work
@@ -168,6 +168,7 @@ SONIC_BUILD_INSTRUCTION := make \
 SHUTDOWN_BGP_ON_START=$(SHUTDOWN_BGP_ON_START) \
 INSTALL_KUBERNETES=$(INSTALL_KUBERNETES) \
 KUBERNETES_VERSION=$(KUBERNETES_VERSION) \
+ KUBERNETES_CNI_VERSION=$(KUBERNETES_CNI_VERSION) \
 K8s_GCR_IO_PAUSE_VERSION=$(K8s_GCR_IO_PAUSE_VERSION) \
 K8s_CNI_FLANNEL_VERSION=$(K8s_CNI_FLANNEL_VERSION) \
 SONIC_ENABLE_PFCWD_ON_START=$(ENABLE_PFCWD_ON_START) \
diff --git a/build_debian.sh b/build_debian.sh
index be953f51b0..544a6cbd42 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -217,14 +217,9 @@ then
 ## Check out the sources list update matches current Debian version
 sudo cp files/image_config/kubernetes/kubernetes.list $FILESYSTEM_ROOT/etc/apt/sources.list.d/
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get update
- if [[ $KUBERNETES_VERSION == 1.18.0 ]]; then
- # kubeadm 1.18.0 package auto install has some dependency error so install
- # those package explicitly.
- sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubernetes-cni=0.7.5-00
- sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubelet=1.18.3-00
- sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubectl=1.18.3-00
- fi
- # else kubeadm package auto install kubelet & kubectl
+ sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubernetes-cni=${KUBERNETES_CNI_VERSION}-00
+ sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubelet=${KUBERNETES_VERSION}-00
+ sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubectl=${KUBERNETES_VERSION}-00
 sudo LANG=C chroot $FILESYSTEM_ROOT apt-get -y install kubeadm=${KUBERNETES_VERSION}-00
 # kubeadm package auto install kubelet & kubectl
 else
diff --git a/rules/config b/rules/config
index 8dfaf59fd5..098f64e4a3 100644
--- a/rules/config
+++ b/rules/config
@@ -121,7 +121,8 @@ INSTALL_KUBERNETES = n
 # These are Used *only* when INSTALL_KUBERNETES=y
 # NOTE: As a worker node it has to run version compatible to kubernetes master.
 #
-KUBERNETES_VERSION = 1.18.0
+KUBERNETES_VERSION = 1.18.6
+KUBERNETES_CNI_VERSION = 0.8.6
 K8s_GCR_IO_PAUSE_VERSION = 3.2
 K8s_CNI_FLANNEL_VERSION = v0.12.0
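Review bot: The three added install lines in build_debian.sh expand `${KUBERNETES_CNI_VERSION}` and `${KUBERNETES_VERSION}` unquoted and without checking that they are set, so an empty value would become a request for `kubernetes-cni=-00` instead of a clear build error. A guard ahead of the installs, `: "${KUBERNETES_CNI_VERSION:?must be set}"`, makes that failure explicit. The commit message ties the man-in-the-middle fix to containernetworking/plugins 0.8.6 or later, and the version now arrives as a build variable that presumably can be overridden, so a floor check such as `dpkg --compare-versions "$KUBERNETES_CNI_VERSION" ge 0.8.6 || exit 1` would stop an override from quietly reinstalling the affected package. The trailing context comment `# kubeadm package auto install kubelet & kubectl` is now stale, since both packages are installed explicitly just above it. The enclosing `then`/`else` block starts and ends outside the hunk.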
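Review bot: The new `KUBERNETES_CNI_VERSION = 0.8.6` line in rules/config carries no comment, so nothing in the file records that this pin is a security floor rather than an arbitrary version choice. I would add a line above it along the lines of `# KUBERNETES_CNI_VERSION - kubernetes-cni package version; keep at 0.8.6 or later (MitM fix in containernetworking/plugins)`. The comment block this belongs to begins outside the hunk, so the wording and placement should follow whatever per-variable descriptions already exist there.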