From 03c8bae1443416c653ba6c4782ee286b0b021f6b Mon Sep 17 00:00:00 2001 From: Ciprian Hacman Date: Thu, 4 Jun 2020 11:40:34 +0300 Subject: [PATCH] Update Calico and Canal for CVE-2020-13597 --- upup/models/bindata.go | 40 +++++++++---------- .../k8s-1.15.yaml.template | 8 ++-- .../k8s-1.16.yaml.template | 8 ++-- .../k8s-1.12.yaml.template | 12 +++--- .../k8s-1.16.yaml.template | 12 +++--- .../pkg/fi/cloudup/bootstrapchannelbuilder.go | 8 ++-- 6 files changed, 44 insertions(+), 44 deletions(-) diff --git a/upup/models/bindata.go b/upup/models/bindata.go index 80e2053c8db40..73ea4c9c54619 100644 --- a/upup/models/bindata.go +++ b/upup/models/bindata.go @@ -7389,7 +7389,7 @@ spec: serviceAccountName: calico-node priorityClassName: system-cluster-critical containers: - - image: calico/typha:v3.9.5 + - image: calico/typha:v3.9.6 name: calico-typha ports: - containerPort: 5473 @@ -7505,7 +7505,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.9.5 + image: calico/cni:v3.9.6 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] env: - name: KUBERNETES_NODE_NAME @@ -7525,7 +7525,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.9.5 + image: calico/cni:v3.9.6 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -7559,7 +7559,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.9.5 + image: calico/pod2daemon-flexvol:v3.9.6 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -7568,7 +7568,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.9.5 + image: calico/node:v3.9.6 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -7771,7 +7771,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.9.5 + image: calico/kube-controllers:v3.9.6 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS @@ -8501,7 +8501,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.13.3 + - image: calico/typha:v3.13.4 name: calico-typha ports: - containerPort: 5473 @@ -8613,7 +8613,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.13.3 + image: calico/cni:v3.13.4 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] env: - name: KUBERNETES_NODE_NAME @@ -8635,7 +8635,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.13.3 + image: calico/cni:v3.13.4 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -8671,7 +8671,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.13.3 + image: calico/pod2daemon-flexvol:v3.13.4 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -8682,7 +8682,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.13.3 + image: calico/node:v3.13.4 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -8886,7 +8886,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.13.3 + image: calico/kube-controllers:v3.13.4 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS @@ -11541,7 +11541,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.12.1 + - image: calico/typha:v3.12.2 name: calico-typha ports: - containerPort: 5473 @@ -11658,7 +11658,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.12.1 + image: calico/cni:v3.12.2 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -11694,7 +11694,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.12.1 + image: calico/pod2daemon-flexvol:v3.12.2 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -11705,7 +11705,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.12.1 + image: calico/node:v3.12.2 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -12465,7 +12465,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.13.3 + - image: calico/typha:v3.13.4 name: calico-typha ports: - containerPort: 5473 @@ -12576,7 +12576,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.13.3 + image: calico/cni:v3.13.4 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -12612,7 +12612,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.13.3 + image: calico/pod2daemon-flexvol:v3.13.4 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -12623,7 +12623,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.13.3 + image: calico/node:v3.13.4 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template index c23e247061c2d..2b8ccc2abedd9 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.15.yaml.template @@ -552,7 +552,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.12.1 + - image: calico/typha:v3.12.2 name: calico-typha ports: - containerPort: 5473 @@ -669,7 +669,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.12.1 + image: calico/cni:v3.12.2 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -705,7 +705,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.12.1 + image: calico/pod2daemon-flexvol:v3.12.2 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -716,7 +716,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.12.1 + image: calico/node:v3.12.2 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template index cc925d43adc72..64b0f10386cb5 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org.canal/k8s-1.16.yaml.template @@ -549,7 +549,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.13.3 + - image: calico/typha:v3.13.4 name: calico-typha ports: - containerPort: 5473 @@ -660,7 +660,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.13.3 + image: calico/cni:v3.13.4 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -696,7 +696,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.13.3 + image: calico/pod2daemon-flexvol:v3.13.4 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -707,7 +707,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.13.3 + image: calico/node:v3.13.4 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.12.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.12.yaml.template index 1440d7957c8ee..8f176f600ae46 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.12.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.12.yaml.template @@ -578,7 +578,7 @@ spec: serviceAccountName: calico-node priorityClassName: system-cluster-critical containers: - - image: calico/typha:v3.9.5 + - image: calico/typha:v3.9.6 name: calico-typha ports: - containerPort: 5473 @@ -694,7 +694,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.9.5 + image: calico/cni:v3.9.6 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] env: - name: KUBERNETES_NODE_NAME @@ -714,7 +714,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.9.5 + image: calico/cni:v3.9.6 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -748,7 +748,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.9.5 + image: calico/pod2daemon-flexvol:v3.9.6 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -757,7 +757,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.9.5 + image: calico/node:v3.9.6 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -960,7 +960,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.9.5 + image: calico/kube-controllers:v3.9.6 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template index 722bf53cb8bb0..db154c8382350 100644 --- a/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template +++ b/upup/models/cloudup/resources/addons/networking.projectcalico.org/k8s-1.16.yaml.template @@ -586,7 +586,7 @@ spec: securityContext: fsGroup: 65534 containers: - - image: calico/typha:v3.13.3 + - image: calico/typha:v3.13.4 name: calico-typha ports: - containerPort: 5473 @@ -698,7 +698,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: calico/cni:v3.13.3 + image: calico/cni:v3.13.4 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] env: - name: KUBERNETES_NODE_NAME @@ -720,7 +720,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: calico/cni:v3.13.3 + image: calico/cni:v3.13.4 command: ["/install-cni.sh"] env: # Name of the CNI config file to create. @@ -756,7 +756,7 @@ spec: # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes # to communicate with Felix over the Policy Sync API. - name: flexvol-driver - image: calico/pod2daemon-flexvol:v3.13.3 + image: calico/pod2daemon-flexvol:v3.13.4 volumeMounts: - name: flexvol-driver-host mountPath: /host/driver @@ -767,7 +767,7 @@ spec: # container programs network policy and routes on each # host. - name: calico-node - image: calico/node:v3.13.3 + image: calico/node:v3.13.4 env: # Use Kubernetes API as the backing datastore. - name: DATASTORE_TYPE @@ -971,7 +971,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: calico/kube-controllers:v3.13.3 + image: calico/kube-controllers:v3.13.4 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index 978dcf834b28b..e6d9db6f4433a 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go @@ -725,8 +725,8 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons { versions := map[string]string{ "k8s-1.7": "2.6.12-kops.1", "k8s-1.7-v3": "3.8.0-kops.2", - "k8s-1.12": "3.9.5-kops.3", - "k8s-1.16": "3.13.3-kops.2", + "k8s-1.12": "3.9.6-kops.1", + "k8s-1.16": "3.13.4-kops.1", } { @@ -793,8 +793,8 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons { versions := map[string]string{ "k8s-1.9": "3.2.3-kops.1", "k8s-1.12": "3.7.5-kops.2", - "k8s-1.15": "3.12.1-kops.2", - "k8s-1.16": "3.13.3-kops.2", + "k8s-1.15": "3.12.2-kops.1", + "k8s-1.16": "3.13.4-kops.1", } { id := "k8s-1.9"