Skip to content

Releases: rancher/rke2

v1.18.12+rke2r2

07 Dec 21:30
1d6e826
Compare
Choose a tag to compare

This release upgrades containerd to version v1.3.9 to address CVE-2020-15257 found in previous versions of containerd.

This vulnerability is present in the following releases:

  • v1.18.12+rke2r1 and prior

The security issue affects containerd BEFORE versions 1.3.9 and 1.4.3. In these prior versions, the containerd-shim API is improperly exposed to host network containers. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. Please see containerd's security advisory for more information.

Packaged Component Versions

Component Version
Kubernetes v1.18.12
Etcd v3.4.13-k3s1
Containerd v1.3.9-k3s1
Runc v1.0.0-rc92
CNI Plugins v0.8.7
Flannel v0.13.0-rancher1
Calico v3.13.3
Metrics-server v0.3.6
CoreDNS v1.6.9
Ingress-Nginx v1.36.3
Helm-controller v0.7.3

Known Issues

  • Helm-controller sometimes leave behind failed install job pods with reason "NodeAffinity". This is due to an upstream issue. This is harmless as the pods will be recreated and eventually succeed, but the failed pods will remain until manually deleted. #127

These items will be addressed in an upcoming release.

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.18.12-rc1+rke2r2

05 Dec 00:02
28e12bf
Compare
Choose a tag to compare
v1.18.12-rc1+rke2r2 Pre-release
Pre-release
containerd: v1.3.9-k3s1 (#561)

Addresses #557

v1.18.12-beta1+rke2r2

23 Nov 19:46
a0fcf72
Compare
Choose a tag to compare
v1.18.12-beta1+rke2r2 Pre-release
Pre-release

This beta release contains only minor changes since v1.18.12+rke2r1:

  • Add CLI flags to override images and kubelet binary (#543)

v1.18.12+rke2r1

17 Nov 01:50
b63f92a
Compare
Choose a tag to compare

This release updates Kubernetes to v1.18.12
For more details on what's new, see the Kubernetes release notes

Changes since v1.18.10+rke2r1

RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution.

It is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.

To meet these goals, RKE2 does the following:

RKE2 also brings together the best aspects of Rancher's RKE1 and K3s distributions. For more on this, check out our docs.

Try it Now

On a modern AMD64 Linux host, run:

curl -sfL https://get.rke2.io | sh -

See our Quick Start Guide for more.

Packaged Component Versions

Component Version
Kubernetes v1.18.12
Etcd v3.4.13-k3s1
Containerd v1.3.7-k3s1
Runc v1.0.0-rc92
CNI Plugins v0.8.7
Flannel v0.13.0-rancher1
Calico v3.13.3
Metrics-server v0.3.6
CoreDNS v1.6.9
Ingress-Nginx v1.36.3
Helm-controller v0.7.3

Known Issues

  • Helm-controller sometimes leave behind failed install job pods with reason "NodeAffinity". This is due to an upstream issue. This is harmless as the pods will be recreated and eventually succeed, but the failed pods will remain until manually deleted. #127

These items will be addressed in an upcoming release.

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.18.12-rc1+rke2r1

16 Nov 19:11
b63f92a
Compare
Choose a tag to compare
v1.18.12-rc1+rke2r1 Pre-release
Pre-release
Merge pull request #532 from Oats87/issues/rke2/509

Bump to K8s v1.18.12 and containerd v1.3.7-k3s1

v1.18.10-alpha1+rke2r1

05 Nov 18:04
0dcc727
Compare
Choose a tag to compare
Pre-release
Merge pull request #477 from briandowns/issue-207

Refactor Code to Use K8S Retries

v1.18.10-alpha1+rke2: Merge pull request #477 from briandowns/issue-207

05 Nov 18:06
0dcc727
Compare
Choose a tag to compare
Refactor Code to Use K8S Retries

v1.18.10+rke2r1

16 Oct 19:56
Compare
Choose a tag to compare

This release updates Kubernetes to v1.18.10
For more details on what's new, see the Kubernetes release notes

Changes since v1.18.9+rke2r1

RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution.

It is a fully conformant (currently under review) Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.

To meet these goals, RKE2 does the following:

RKE2 also brings together the best aspects of Rancher's RKE1 and K3s distributions. For more on this, check out our docs.

This release also addresses the following upstream CVEs:

  • CVE-2020-8564 - Docker config secrets leaked when file is malformed and loglevel >= 4
  • CVE-2020-8566 - Vulnerable if Ceph RBD volumes are supported and kube-controller-manager is using logLevel >= 4

You can read more about the CVEs here.

Try it Now

On a modern AMD64 Linux host, run:

curl -sfL https://get.rke2.io | sh -

See our Quick Start Guide for more.

Features

RKE2 introduces the following features and functionality to make operating a secure Kubernetes cluster easier than ever.

Ease of Deployment

RKE2 is deployed as a single binary that then launches the entire Kubernetes stack on your host. Containerd and the kubelet are launched as host-level processes managed by RKE2. Etcd and Kubernetes control plane components are then launched as static pods by the kubelet. Finally, additional components such as Canal CNI, CoreDNS, NGINX ingress, kube-proxy, and metrics-server are launched as customizable Helm charts.

For more details on the design of RKE2, see our architecture documentation.

Security and Compliance Focused

RKE2 has been built from the ground up with security and compliance in mind. Here are the key features and functionality in this area:

SELinux Support - Working with upstream, we've brought SELinux Multi-Category Security (MCS) Labels enforcement to containerd and incorporated that into RKE2. When installing RKE2 using our RPMs, required SELinux policies will automatically be installed and MCS Label enforcement enabled in containerd. See upstream PRs: containerd/cri#1487 and containers/container-selinux#98.

FIPS 140-2 Enablement - RKE2 and the components it deploys (with the exception of NGINX ingress) have been compiled to leverage the FIPS 140-2 validated BoringCrypto module. Moreover, this module is currently being revalidated as the Rancher Kubernetes Cryptographic Library for the additional platforms supported by RKE2.

Simple CIS Kubernetes Benchmark v1.5 Compliance - RKE2 was designed to pass the majority of this benchmark without any additional configuration. Some controls can impact cluster functionality or require host-level modifications. So, operators can opt-in to passing these controls. To do so, operators can follow the simple hardening guide and launch the cluster with our cis-1.5 profile. Running in the CIS profile will ensure that host-level requirements have been met and enforce cluster-level requirements, such as turning on restrictive PodSecurityPolicies.

Secure and Hardened Images and Binaries - Upstream components are recompiled, repackaged, and scanned (excluding NGINX ingress). This reduces operators' exposure to critical CVEs.

Etcd Cluster Management

Etcd management can be one of the most challenging aspects of running a Kubernetes cluster, and RKE2 makes it simple.

As server (control plane) nodes are added and removed from your cluster, RKE2 will automatically add and remove them from the underlying etcd cluster, simplifying complex quorum management issues.

RKE2 also automatically takes snapshots of the etcd database and makes rollback and recovery of your cluster straight-forward. More details here.

Bootstrapping Custom Workloads

Like K3s, RKE2 makes bringing up a cluster with custom workloads incredibly simple.

Operators just need to drop Kubernetes manifests into RKE2's manifest directory. Learn more.

For an additional level of customization and control, operators can pair this with our built-in Helm controller and CRDs. Learn more

Embedded Component Versions

Component Version
Kubernetes v1.18.10
Etcd v3.4.13-k3s1
Containerd v1.3.6-k3s2
Runc v1.0.0-rc92
CNI Plugins v0.8.7
Flannel v0.13.0-rancher1
Calico v3.13.3
Metrics-server v0.3.6
CoreDNS v1.6.9
Ingress-Nginx v1.36.3
Helm-controller v0.7.3

Known Issues

  • Audit logging cannot be configured in the Kubernetes api-server. The api-server is launched as a static pod and it doesn't have the necessary host bind mounts. #410
  • Nodes may occasionally get stuck upon deletion. Please see the issue for a workaround to this. #401
  • Helm-controller sometimes leave behind failed install job pods with reason "NodeAffinity". This is due to an upstream issue. This is harmless as the pods will be recreated and eventually succeed, but the failed pods will remain until manually deleted. #127
  • The cluster-init flag is vestigial and not needed to set up embedded etcd, see the docs for details on how to set up a cluster. #426

These items will be addressed in an upcoming release.

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

v1.18.10-rc1+rke2r1

16 Oct 05:51
Compare
Choose a tag to compare
v1.18.10-rc1+rke2r1 Pre-release
Pre-release

Update Kubernetes to v1.18.10

v1.18.9+rke2r1

05 Oct 02:22
67ded31
Compare
Choose a tag to compare

Introducing v1.18.9+rke2r1 🥳

RKE2, also known as RKE Government, is Rancher's next-generation Kubernetes distribution.

It is a fully conformant (currently under review) Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.

To meet these goals, RKE2 does the following:

RKE2 also brings together the best aspects of Rancher's RKE1 and K3s distributions. For more on this, check out our docs.

Try it Now

On a modern AMD64 Linux host, run:

curl -sfL https://get.rke2.io | sh -

See our Quick Start Guide for more.

Features

RKE2 introduces the following features and functionality to make operating a secure Kubernetes cluster easier than ever.

Ease of Deployment

RKE2 is deployed as a single binary that then launches the entire Kubernetes stack on your host. Containerd and the kubelet are launched as host-level processes managed by RKE2. Etcd and Kubernetes control plane components are then launched as static pods by the kubelet. Finally, additional components such as Canal CNI, CoreDNS, NGINX ingress, kube-proxy, and metrics-server are launched as customizable Helm charts.

For more details on the design of RKE2, see our architecture documentation.

Security and Compliance Focused

RKE2 has been built from the ground up with security and compliance in mind. Here are the key features and functionality in this area:

SELinux Support - Working with upstream, we've brought SELinux Multi-Category Security (MCS) Labels enforcement to containerd and incorporated that into RKE2. When installing RKE2 using our RPMs, required SELinux policies will automatically be installed and MCS Label enforcement enabled in containerd. See upstream PRs: containerd/cri#1487 and containers/container-selinux#98.

FIPS 140-2 Enablement - RKE2 and the components it deploys (with the exception of NGINX ingress) have been compiled to leverage the FIPS 140-2 validated BoringCrypto module. Moreover, this module is currently being revalidated as the Rancher Kubernetes Cryptographic Library for the additional platforms supported by RKE2.

Simple CIS Kubernetes Benchmark v1.5 Compliance - RKE2 was designed to pass the majority of this benchmark without any additional configuration. Some controls can impact cluster functionality or require host-level modifications. So, operators can opt-in to passing these controls. To do so, operators can follow the simple hardening guide and launch the cluster with our cis-1.5 profile. Running in the CIS profile will ensure that host-level requirements have been met and enforce cluster-level requirements, such as turning on restrictive PodSecurityPolicies.

Secure and Hardened Images and Binaries - Upstream components are recompiled, repackaged, and scanned (excluding NGINX ingress). This reduces operators' exposure to critical CVEs.

Etcd Cluster Management

Etcd management can be one of the most challenging aspects of running a Kubernetes cluster, and RKE2 makes it simple.

As server (control plane) nodes are added and removed from your cluster, RKE2 will automatically add and remove them from the underlying etcd cluster, simplifying complex quorum management issues.

RKE2 also automatically takes snapshots of the etcd database and makes rollback and recovery of your cluster straight-forward. More details here.

Bootstrapping Custom Workloads

Like K3s, RKE2 makes bringing up a cluster with custom workloads incredibly simple.

Operators just need to drop Kubernetes manifests into RKE2's manifest directory. Learn more.

For an additional level of customization and control, operators can pair this with our built-in Helm controller and CRDs. Learn more

Embedded Component Versions

Component Version
Kubernetes v1.18.9
Etcd v3.4.13-k3s1
Containerd v1.3.6-k3s2
Runc v1.0.0-rc92
CNI Plugins v0.8.7
Flannel v0.13.0-rancher1-rc1
Calico v3.13.3
Metrics-server v0.3.6
CoreDNS v1.6.9
Ingress-Nginx v1.36.3
Helm-controller v0.7.3

Known Issues

  • Audit logging cannot be configured in the Kubernetes api-server. The api-server is launched as a static pod and it doesn't have the necessary host bind mounts. #410
  • Nodes may occasionally get stuck upon deletion. Please see the issue for a workaround to this. #401
  • Helm-controller sometimes leave behind failed install job pods with reason "NodeAffinity". This is due to an upstream issue. This is harmless as the pods will be recreated and eventually succeed, but the failed pods will remain until manually deleted. #127
  • The cluster-init flag is vestigial and not needed to set up embedded etcd, see the docs for details on how to set up a cluster. #426
  • Uninstallation on RHEL/CentOS 8 systems does not work because the uninstall script relies on iptables #462

These items will be addressed in an upcoming release.

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to: