Deckhouse Kubernetes Platform v1.29.0 is released
The updated (and secure) Grafana version. A critical zero-day vulnerability (CVE-2021-43798) in Grafana was discovered in early December. Using it, an attacker can run a directory traversal attack and gain access to local files. All versions of Grafana, starting from v8.0.0-beta1, are affected. The patch was released within 24 hours after the vulnerability was discovered. Deckhouse now uses the patched Grafana version v8.2.7.
Dropping support for alpha versions of cert-manager due to switching to the v1.6.1 release. This change applies to the “new” cert-manager only; the “old” cert-manager 0.10.1 (certmanager.k8s.io) is not affected by the upgrade. The cert-manager itself has been updated from v1.5.4 to v1.6.1. The new version fixes several bugs and improves error logging.
Below are some of the new features of existing components and modules:
- log-shipper — support for Elasticsearch data streams for storing logs and metrics. Data streams let you store append-only data across multiple indices while providing a single named resource for requests. Data streams are handy for accumulating logs, events, metrics, and other continuously generated data. The feature was first implemented in Elasticsearch v7.16;
- node-manager now supports forceful Pod eviction from a node when that node requests a breaking update, but PodDisruptionBudget prevents Pods from being evicted;
- secret-copier now features the Create Or Update logic for consistently distributing secret copies to namespaces. Label selector support has also been added. With it, you can copy secrets to selected namespaces;
- ingress-nginx — you can now use an SSL certificate by default. The default SSL certificate can be specified using the .spec.defaultSSLCertificate.secretRef field in the IngressNginxController configuration. You no longer need to specify a secret name in the Ingress object with this option.
The Deckhouse documentation has been extended with instructions on using Harbor as a third-party container registry, information on the Dex limits that prevent credential brute-forcing and on combining cluster authorization rules for a single user, as well as refactored rendering of OpenAPI specifications.
Please refer to the Deckhouse v1.29.0 changelog to see the full list of changes and improvements. The next stable release of Deckhouse (v1.30) will bring Kubernetes v1.22 support.
For those who prefer a hands-on approach, the Getting Started guide will help you start your journey with the Deckhouse Kubernetes platform. Follow @deckhouseio for updates and join our Telegram chat to ask any questions! Deckhouse’s main GitHub repo might also be useful for requesting features and discussing any issues.