backport cve-2019-5736 to release-2.8 (#4234 )

* [SECURITY] Docker patches for CVE-2019-5736 (#4223) This updates docker 18.06 and 18.09 with the two patches released yesterday to address the new runc exploit. Details here: https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/ * keep edge versions to same minor * keep edge versions to same minor
Upgrade to 1.12.5 (#4066 )
2025-12-14 13:54:37 +03:00 · 2019-02-14 00:55:54 -08:00 · 2019-01-18 06:30:36 -08:00
9 changed files with 18 additions and 16 deletions
--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ Quick Start
 To deploy the cluster you can use :

 ### Current release
-2.8
+2.8.2

 ### Ansible

@@ -114,7 +114,7 @@ Supported Components
 --------------------

 -   Core
-    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.12.4
+    -   [kubernetes](https://github.com/kubernetes/kubernetes) v1.12.5
    -   [etcd](https://github.com/coreos/etcd) v3.2.24
    -   [docker](https://www.docker.com/) v18.06 (see note)
    -   [rkt](https://github.com/rkt/rkt) v1.21.0 (see Note 2)
--- a/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
@@ -19,7 +19,7 @@ kube_users_dir: "{{ kube_config_dir }}/users"
 kube_api_anonymous_auth: true

 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.12.3
+kube_version: v1.12.5

 # kubernetes image repo define
 kube_image_repo: "gcr.io/google-containers"
--- a/roles/container-engine/docker/vars/debian.yml
+++ b/roles/container-engine/docker/vars/debian.yml
@@ -13,8 +13,8 @@ docker_versioned_pkg:
  '17.09': docker-ce=17.09.0~ce-0~debian
  '17.12': docker-ce=17.12.1~ce-0~debian
  '18.03': docker-ce=18.03.1~ce-0~debian
-  '18.06': docker-ce=18.06.1~ce~3-0~debian
-  'stable': docker-ce=18.06.1~ce~3-0~debian
+  '18.06': docker-ce=18.06.2~ce~3-0~debian
+  'stable': docker-ce=18.06.2~ce~3-0~debian
  'edge': docker-ce=17.12.1~ce-0~debian

 docker_package_info:
--- a/roles/container-engine/docker/vars/fedora.yml
+++ b/roles/container-engine/docker/vars/fedora.yml
@@ -6,7 +6,7 @@ docker_kernel_min_version: '0'
 docker_versioned_pkg:
  'latest': docker-ce
  '18.03': docker-ce-18.03.1.ce-3.fc28
-  '18.06': docker-ce-18.06.1.ce-3.fc28
+  '18.06': docker-ce-18.06.2.ce-3.fc28

 #
 # This is due to the fact that the docker
--- a/roles/container-engine/docker/vars/redhat.yml
+++ b/roles/container-engine/docker/vars/redhat.yml
@@ -14,8 +14,8 @@ docker_versioned_pkg:
  '17.09': docker-ce-17.09.0.ce-1.el7.centos
  '17.12': docker-ce-17.12.1.ce-1.el7.centos
  '18.03': docker-ce-18.03.1.ce-1.el7.centos
-  '18.06': docker-ce-18.06.1.ce-3.el7
-  'stable': docker-ce-18.06.1.ce-3.el7
+  '18.06': docker-ce-18.06.2.ce-3.el7
+  'stable': docker-ce-18.06.2.ce-3.el7
  'edge': docker-ce-17.12.1.ce-1.el7.centos

 docker_selinux_versioned_pkg:
--- a/roles/container-engine/docker/vars/ubuntu-amd64.yml
+++ b/roles/container-engine/docker/vars/ubuntu-amd64.yml
@@ -10,9 +10,9 @@ docker_versioned_pkg:
  '17.03': docker-ce=17.03.2~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
  '17.09': docker-ce=17.09.0~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
  '17.12': docker-ce=17.12.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
-  '18.06': docker-ce=18.06.1~ce~3-0~ubuntu
-  'stable': docker-ce=18.06.1~ce~3-0~ubuntu
-  'edge': docker-ce=18.06.1~ce~3-0~ubuntu
+  '18.06': docker-ce=18.06.2~ce~3-0~ubuntu
+  'stable': docker-ce=18.06.2~ce~3-0~ubuntu
+  'edge': docker-ce=18.06.2~ce~3-0~ubuntu

 docker_package_info:
  pkg_mgr: apt
--- a/roles/container-engine/docker/vars/ubuntu-arm64.yml
+++ b/roles/container-engine/docker/vars/ubuntu-arm64.yml
@@ -6,9 +6,9 @@ docker_versioned_pkg:
  'latest': docker-ce
  '17.09': docker-ce=17.09.1~ce-0~ubuntu
  '17.12': docker-ce=17.12.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
-  '18.06': docker-ce=18.06.1~ce~3-0~ubuntu
-  'stable': docker-ce=18.06.1~ce~3-0~ubuntu
-  'edge': docker-ce=18.06.1~ce~3-0~ubuntu
+  '18.06': docker-ce=18.06.2~ce~3-0~ubuntu
+  'stable': docker-ce=18.06.2~ce~3-0~ubuntu
+  'edge': docker-ce=18.06.2~ce~3-0~ubuntu

 docker_package_info:
  pkg_mgr: apt
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -35,7 +35,7 @@ download_delegate: "{% if download_localhost %}localhost{% else %}{{groups['kube
 image_arch: "{{host_architecture | default('amd64')}}"

 # Versions
-kube_version: v1.12.4
+kube_version: v1.12.5
 kubeadm_version: "{{ kube_version }}"
 etcd_version: v3.2.24

@@ -70,6 +70,7 @@ cni_download_url: "https://github.com/containernetworking/plugins/releases/downl

 # Checksums
 hyperkube_checksums:
+  v1.12.5: f8b651816b2caa33e8b25a666e5c370e9786356d59f89579bba772f28370ed00
  v1.12.4: a4697d8f3791f0408fcdb97b3de187e47d7b39a63332c75f68f95e25f4891cc9
  v1.12.3: 600aad3f0d016716abd85931239806193ffbe95f2edfdcea11532d518ae5cdb1
  v1.12.2: 566dfed398c20c9944f8999d6370cb584cb8c228b3c5881137b6b3d9306e4b06
@@ -89,6 +90,7 @@ hyperkube_checksums:
  v1.10.1: 6e0642ad6bae68dc81b8d1c9efa18e265e17e23da1895862823cafac08c0344c
  v1.10.0: b5575b2fb4266754c1675b8cd5d9b6cac70f3fee7a05c4e80da3a9e83e58c57e
 kubeadm_checksums:
+  v1.12.5: d61730b3deb4d9825af0cc1e452a4be2292400507128279770c39669f6599af9
  v1.12.4: 674ad5892ff2403f492c9042c3cea3fa0bfa3acf95bc7d1777c3645f0ddf64d7
  v1.12.3: c675aa3be82754b3f8dfdde2a1526a72986713312d46d898e65cb564c6aa8ad4
  v1.12.2: 51bc4bfd1d934a27245111c0ad1f793d5147ed15389415a1509502f23fcfa642
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -12,7 +12,7 @@ is_atomic: false
 disable_swap: true

 ## Change this to use another Kubernetes version, e.g. a current beta release
-kube_version: v1.12.3
+kube_version: v1.12.5

 ## Kube Proxy mode One of ['iptables','ipvs']
 kube_proxy_mode: ipvs