Upgraded K8s clusters to 1.24

We have started rolling out AKS and EKS 1.24. This brings our supported AKS platforms to v1.24.6 and EKS to v1.24.8.

Upgraded Teleport to version 11.1.4 for security fixes

We’ve upgraded all Teleport clusters from version 11.1.2 to 11.1.4. This upgrade was done on all Teleport servers to fix potential vulnerabilties:

Upgraded cluster add-ons

As part of our regular upgrade cycle, the following Kubernetes cluster components have been updated. These changes will be rolling out to all clusters soon.

Istio upgraded to version 1.16.1

We have upgraded Istio on all clusters that use it. The version was upgraded from 1.15.2 to 1.16.1. What’s new:

Vault upgraded to 1.12.2

All Vault setups have been updated from 1.12.0 to the latest version 1.12.2. This release brings small improvements and bug fixes. Please refer to the upstream changelogs to see what’s changed:

New feature: Use External-DNS for managing custom DNS records

Whenever you deploy an Ingress resource, external-dns is responsible for creating the matching DNS record. We have now enabled the “CRD” feature of this component, which allows you to manage any DNS records of your choice through external-dns.

Upgraded Teleport to version 11.1.1 for security fix

We’ve upgraded all Teleport clusters from version 11.0.3 to 11.1.1. This upgrade was done on all Teleport servers to fix a potential vulnerabilty:

Fixed issue where an attacker with physical access to user’s computer and raw access to the filesystem could potentially recover the seed QR code.

Upgraded Teleport to version 11.0.3

We’ve upgraded all Teleport clusters from version 10.1.4 to 11.0.3. Teleport is a tool we mostly use internally to provide secure and auditted access to (EC2) instances, Kubernetes clusters and several dashboards. The nodes will gradually be upgraded to the new version when new instances are launched.

New feature: Kubernetes descheduler

Today we’re adding a new fearure in our Kubernetes reference solution. It is now possible to deploy the Kubernetes descheduler on your cluster(s). For now while we are testing this add-on this is an optional component. If all goes well we’ll deploy it as a standard component.

Upgraded cluster add-ons

As part of our regular upgrade cycle, the following Kubernetes cluster components have been updated. We’ve already rolled these out to all non-production clusters. Production upgrades are scheduled to happen next week during business hours. As usual, no workload interuptions are expected.

Upgraded K8s clusters to 1.23

We have started rolling out AKS and EKS 1.23. This brings our supported AKS platforms to v1.22.12 and EKS to v1.22.13.

Upgraded ingress-nginx, fixing CVE-2022-32149, CVE-2022-27664 and CVE-2022-1996

In response to several CVEs, the following Kubernetes cluster components have been updated. These changes have already been rolled out to all clusters.

Upgraded monitoring add-ons, fixing Grafana CVE-2022-32149

In response to CVE-2022-32149, the following Kubernetes cluster components have been updated. These changes have already been rolled out to all clusters.

AWS EKS AMI recalled

We use the AWS-published EKS AMI (Amazon Machine Image) as a base to build our custom image for our managed Kubernetes clusters, which in turn is based on Amazon linux 2. Our CI system monitors the published AWS AMIs and automatically builds our custom base image, which is then rolled out to customer clusters based on our regular update cycle.

Improved monitoring for the RDS snapshot cross-account replicator module

We’ve implemented several improvements on the monitoring of our RDS snapshot cross-account replicator module, which have been rolled out to all customers that are currently using it.

Vault upgraded to 1.12.0

All Vault setups have been updated to the latest version 1.12.0. Please refer to the upstream changelogs to see what’s changed:

CVE-2022-27665 patches

A security issue was discovered in Golang where a user can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Concourse upgraded to 7.8.3

We have upgraded our Concourse setups to the latest version 7.8.3. This patch release comes with some security fixes. You can check the full changelog in the Concourse releases page.

NLB compatibility in Nginx Ingress

We now offer the option to enable and use an AWS NLB as load balancer type for your ingress. This has a couple of benefits compared to an ELB.

Istio upgraded to version 1.15.2

We have upgraded Istio on all clusters that use it. The version was upgraded to 1.15.2 and comes with many security fixes.