Update CRI-O version by recreating Kubernetes worker nodes
(Doc ID 2861215.1)
Last updated on APRIL 12, 2022
Applies to:Oracle Cloud Infrastructure - Oracle Container Engine for Kubernetes
Information in this document applies to any platform.
This notification is about Kubernetes CVE-2022-0811, also referred to as cr8escape. Oracle Container Engine for Kubernetes (OKE) has released software updates for Kubernetes 1.20 or 1.21 that allow customers to remediate the cr8escape vulnerability in CRI-O by recreating impacted nodes. This notification is being sent OKE customers with worker nodes running Kubernetes 1.20 or 1.21. Your cluster(s) has been identified as matching these criteria. Oracle highly recommends upgrading worker nodes to Kubernetes 1.22.5. Refer to Supported Versions of Kubernetes for more information about supported Kubernetes versions.
How do I recreate impacted worker nodes?
Nodes created prior to the dates listed in customer notifications must be terminated and recreated. All nodes created after the dates listed below will have the fix applied. You are not required to modify the Node Pool properties, such as by selecting a new image or Kubernetes version. Follow the instructions in Upgrading the Kubernetes Version on Worker Nodes in a Cluster to create new nodes and move over your workloads. The aforementioned document includes steps for how to drain workloads from specific nodes or node pools before creating new nodes.
- Kubernetes 1.19.15: Not applicable.
- Kubernetes 1.20.11: Please refer to customer notification that was sent out for the timestamp. If you don’t have the notification, you may use 30/Mar/2022 00:00:00 UTC
- Kubernetes 1.21.5: Please refer to customer notification that was sent out for the timestamp. If you don’t have the notification, you may use 30/Mar/2022 00:00:00 UTC
- Kubernetes 1.22.5: Not applicable.
To view full details, sign in with your My Oracle Support account.
Don't have a My Oracle Support account? Click to get started!
In this Document