Release v1.117.5 · gardener/gardener · GitHub

v1.117.5

@gardener-robot-ci-1 gardener-robot-ci-1 released this 17 May 07:48
· 224 commits to master since this release


🛡️ Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2025-47284: Metadata injection for a project secret can lead to privilege escalation

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • gardenlet < v1.116.4
  • gardenlet < v1.117.5
  • gardenlet < v1.118.2
  • gardenlet < v1.119.0

Fixed Versions:

  • gardenlet >= v1.116.4
  • gardenlet >= v1.117.5
  • gardenlet >= v1.118.2
  • gardenlet >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H

CVE-2025-47283: Bypassing project secret validation can lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • Gardener < v1.116.4
  • Gardener < v1.117.5
  • Gardener < v1.118.2
  • Gardener < v1.119.0

Fixed Versions:

  • Gardener >= v1.116.4
  • Gardener >= v1.117.5
  • Gardener >= v1.118.2
  • Gardener >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/MA:H

🐛 Bug Fixes

  • [OPERATOR] A bug that prevented the system:serviceaccount:kube-system:gardener-internal service account, used by gardener-operator, from labeling restricted resources was fixed. by @dimityrmirchev [#12065]

🏃 Others

  • [OPERATOR] It is now ensured that extension admission webhooks have validated WorkloadIdentitys/Secrets referenced in Shoots. by @rfranzke [#12076]
  • [OPERATOR] Set minAllowed CPU to 150m for prometheus-shoot to avoid frequent evictions. by @voelzmo [#12079]
  • [OPERATOR] Annotations and labels are now ignored when creating referenced resources in the shoot control plane namespaces in seed clusters. by @rfranzke [#12066]
  • [OPERATOR] A new check ensures that only owners and project members with a UAM role are allowed to modify the project owner. by @timuthy [#12083]
  • [DEVELOPER] The admission-local deployment was fixed to work with KinD based test setup. by @timuthy [#12107]
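The change in #12066 (labels and annotations on a project-referenced resource are ignored when the copy is created in the shoot control plane namespace on the seed) is the kind of hardening that addresses metadata injection as described for CVE-2025-47284. The following Go snippet is an added illustration of that pattern and is not Gardener's own code: it uses a simplified, constructed Secret struct instead of the k8s.io/api type, and the namespace and secret names are made up. The copy carries over only the payload (Type and Data), never the user-controlled metadata, and reports which keys were discarded so the caller can log them.

```go
package main

import (
	"fmt"
	"sort"
)

// Secret is a minimal stand-in for a Kubernetes Secret, constructed for this
// example; it is not the k8s.io/api type.
type Secret struct {
	Name        string
	Namespace   string
	Labels      map[string]string
	Annotations map[string]string
	Type        string
	Data        map[string][]byte
}

// CopyReferencedSecret builds the copy of a project-referenced secret that a
// controller would create in a shoot's control plane namespace on the seed.
// Only the payload (Type and Data) is carried over. Labels and annotations on
// the source are dropped, so nothing a project admin wrote into the metadata
// can influence how the seed treats the resulting object. The returned slice
// lists the discarded metadata keys (sorted) so the caller can audit them.
func CopyReferencedSecret(src Secret, targetNamespace, targetName string) (Secret, []string) {
	var dropped []string
	for k := range src.Labels {
		dropped = append(dropped, "label/"+k)
	}
	for k := range src.Annotations {
		dropped = append(dropped, "annotation/"+k)
	}
	sort.Strings(dropped)

	// Deep-copy the data so later mutation of the source cannot leak into
	// the object handed to the seed.
	data := make(map[string][]byte, len(src.Data))
	for k, v := range src.Data {
		data[k] = append([]byte(nil), v...)
	}

	dst := Secret{
		Name:      targetName,
		Namespace: targetNamespace,
		Type:      src.Type,
		Data:      data,
		// Labels and Annotations are deliberately left nil: any metadata the
		// seed relies on must be set by the controller itself, never inherited.
	}
	return dst, dropped
}

func main() {
	// Constructed sample: a project secret whose metadata carries arbitrary
	// user-chosen labels and annotations.
	src := Secret{
		Name:        "my-dns-creds",
		Namespace:   "garden-myproject",
		Labels:      map[string]string{"user-label": "x"},
		Annotations: map[string]string{"user-annotation": "y"},
		Type:        "Opaque",
		Data:        map[string][]byte{"token": []byte("constructed-value")},
	}
	dst, dropped := CopyReferencedSecret(src, "shoot--myproject--myshoot", "ref-my-dns-creds")
	fmt.Printf("created %s/%s with %d data key(s); dropped metadata: %v\n",
		dst.Namespace, dst.Name, len(dst.Data), dropped)
}
```

The design choice worth noting is the allow-list direction: the copy starts empty and receives only the fields the controller knows it needs, rather than starting from the source object and trying to remove known-dangerous keys. A deny-list would have to anticipate every label or annotation another seed component might act on.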

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.117.5
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.117.5
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.117.5
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.117.5

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.117.5
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.117.5
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.117.5
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.117.5
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.117.5
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.117.5
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.117.5
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.117.5