Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Signed-off-by: liheng.zms <[email protected]>
Signed-off-by: liheng.zms <[email protected]> Signed-off-by: liheng.zms <[email protected]> kruise changelog 1.4.1, 1.3.1, 1.5.2 Signed-off-by: liheng.zms <[email protected]>
Showing 1 changed file with 15 additions and 0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -3,12 +3,16 @@ | |
## v1.5.2 | ||
> Chang log since v1.5.1 | ||
<<<<<<< HEAD | ||
### CVE FIX: Leverage the kruise-daemon pod to list all secrets in the entire cluster | ||
Attacker that has gain root privilege of the node that kruise-daemon run , can leverage the kruise-daemon pod to list all secrets in the entire cluster. | ||
After that, attackers can leverage the "captured" secrets (e.g. the kruise-manager service account token) to gain extra privilege such as pod modification. | ||
|
||
For this fix, we removed the cluster secret permissions from kruise-daemon and converged the secret to kruise-manager, reducing the risk of cluster secret leaks. | ||
([#1482](https://github.com/openkruise/kruise/pull/1482), [veophi](https://github.com/veophi)) | ||
======= | ||
### CVE FIX: Enhance kruise-daemon security ([#1482](https://github.com/openkruise/kruise/pull/1482), [veophi](https://github.com/veophi)) | ||
>>>>>>> Signed-off-by: liheng.zms <[email protected]> | ||
### Start kruise-manager as a non-root user | ||
We start kruise-manger with a non-root user to further enhance the security of kruise-manager. ([#1491](https://github.com/openkruise/kruise/pull/1491), [@zmberg](https://github.com/zmberg)) | ||
|
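Review bot: Unresolved merge conflict markers are left in the v1.5.2 section: the `<<<<<<< HEAD`, `=======` and `>>>>>>> Signed-off-by: liheng.zms` lines will render as literal text in the changelog, and the section ends up with two "CVE FIX" headings for the same PR #1482. Resolve the conflict before merging. Keeping the HEAD side is the better choice for a security entry, since it is the only one that says what was exposed (kruise-daemon could list all secrets in the cluster) and what the fix did (cluster secret permissions removed from kruise-daemon). Drop the short "Enhance kruise-daemon security" heading and the three marker lines.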
@@ -86,6 +90,11 @@ And some bugs were fixed by | |
([#1348](https://github.com/openkruise/kruise/pull/1348), [#1343](https://github.com/openkruise/kruise/pull/1343), [Colvin-Y](https://github.com/Colvin-Y)), | ||
thanks! | ||
|
||
## v.1.4.1 | ||
> Change log since v1.4.0 | ||
### CVE FIX: Enhance kruise-daemon security ([#1482](https://github.com/openkruise/kruise/pull/1482), [veophi](https://github.com/veophi)) | ||
|
||
## v1.4.0 | ||
|
||
> Change log since v1.3.0 | ||
|
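Review bot: The new heading `## v.1.4.1` has a stray dot after the `v`, which is inconsistent with `## v1.4.0` directly below and with the other version headings, and it will produce a different anchor for anyone linking to the release. Use `## v1.4.1`. The entry would also benefit from one sentence stating that the fix removes the cluster secret permissions from kruise-daemon, as the v1.5.2 text does, so that users on the 1.4 line can judge the urgency of the upgrade without following the PR link.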
@@ -136,6 +145,12 @@ For more detail, please refer to its [proposal](https://github.com/openkruise/kr | |
- Change kruise base image to alpine. ([#1166](https://github.com/openkruise/kruise/pull/1166), [@fengshunli](https://github.com/fengshunli)) | ||
- PersistentPodState support custom workload (like statefulSet). ([#1063](https://github.com/openkruise/kruise/pull/1063), [@baxiaoshi](https://github.com/baxiaoshi)) | ||
|
||
## v1.3.1 | ||
|
||
> Change log since v1.3.0 | ||
### CVE FIX: Enhance kruise-daemon security ([#1482](https://github.com/openkruise/kruise/pull/1482), [veophi](https://github.com/veophi)) | ||
|
||
## v1.3.0 | ||
|
||
> Change log since v1.2.0 | ||
|
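Review bot: The v1.3.1 entry is labelled "CVE FIX" but consists only of a heading with no body, and neither it nor the other entries in this diff names a CVE or advisory identifier. A reader on the 1.3 line cannot tell from "Enhance kruise-daemon security" that the issue is kruise-daemon's ability to list secrets across the cluster. Suggest adding the identifier if one has been assigned and repeating, or pointing to, the description under v1.5.2.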