How to install or upgrade Tanzu Kubernetes Grid 1.3.1 and remediate for CVE-2021-30465

Article ID: 317052

Products

VMware

Issue/Introduction

This article provides instructions for installing or upgrading Tanzu Kubernetes Grid (TKG) 1.3.1 with base images that remediate CVE-2021-30465.

Environment

VMware Tanzu Kubernetes Grid 1.x
VMware Tanzu Kubernetes Grid Plus 1.x

Resolution

Notes:
  • If you are using TKG on vSphere, use the instructions at Import the Base Image Template Into vSphere to download and import the updated base image(s) into your vSphere environment. Updated images that address the CVE-2021-30465 vulnerability are listed in the Updated Kubernetes OVAs to address CVE-2021-30465 for VMware Tanzu Kubernetes Grid 1.3.1 section.
  • If you are building your own image using the instructions at Building Machine Images, you will need to use an updated/remediated version, i.e. replace 1.20.5+vmware.1 with 1.20.5+vmware.2 everywhere it is referenced.
  • If you have not already done so, follow the instructions at Install the Tanzu CLI to install and configure the Tanzu Kubernetes Grid 1.3.1 tanzu CLI binary.

  1. From the system where you will launch the tanzu CLI, remove any existing bom data by running the following command:

     rm -rf ~/.tanzu/tkg/bom

  2. Issue the following command to ensure that the updated bom will be used when deploying clusters:

     export TKG_BOM_CUSTOM_IMAGE_TAG="v1.3.1-patch1"

  3. Issue the tanzu management-cluster create command with no additional parameters. This will produce the following error but will result in the bom files being downloaded to ~/.tanzu/tkg/bom.

     Error: unable to parse provider name: invalid provider name "". Provider name should be in the form name[:version] and name cannot be empty

     Note: You can validate that the new bom files in ~/.tanzu/tkg/bom are referencing the updated image by looking for v1.20.5+vmware.2-tkg.1 in both of them, for example:

     grep k8sVersion tkg-bom-v1.3.1.yaml
       k8sVersion: v1.20.5+vmware.2-tkg.1

     awk 'NR==3' tkr-bom-v1.20.5+vmware.2-tkg.1.yaml
       version: v1.20.5+vmware.2-tkg.1

  4. Proceed with the creation or upgrade of management clusters and workload clusters. Ensure that the tkr version used for workload clusters is an updated/remediated version.
Note: If you attempt to create a cluster without setting TKG_BOM_CUSTOM_IMAGE_TAG="v1.3.1-patch1", the installer UI will present a message similar to the following, indicating that the default, unpatched TKG 1.3 Node OS image (v1.20.5+vmware.1-tkg.1 in this example) would be used instead of the patched Node OS image (v1.20.5+vmware.2-tkg.1 is the patched equivalent in this example).

Tanzu Kubernetes Grid management cluster will be deployed with TanzuKubernetesRelease v1.20.5+vmware.1-tkg.1. We are unable to detect a VM template that belongs to this TanzuKubernetesRelease. You must install a VM template that belongs to TanzuKubernetesRelease v1.20.5+vmware.1-tkg.1 to continue with deployment of the management cluster. You may click the refresh icon to reload the OS image list once the appropriate VM template has been installed.
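The following script is an added example, not VMware's code or part of this article. It wraps steps 1 to 3 above in a function that only runs when the tanzu CLI is present, and turns the validation note (the grep/awk checks on the two bom files) into a check that fails closed, so that a cluster is never created against a bom that still references the unpatched v1.20.5+vmware.1-tkg.1 release. The version strings and file names are the ones in this article; the two sample bom directories written by the script are constructed, minimal stand-ins for the real files (only the fields the check reads are present) so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not VMware's code): refresh the TKG 1.3.1 bom files and
# confirm that both bom files reference the remediated Kubernetes release
# before any cluster is created. Version strings come from the article; the
# sample bom files written below are constructed for offline demonstration
# and contain only the fields this check looks at.

TKG_BOM_TAG="v1.3.1-patch1"              # tag from the article
PATCHED_TKR="v1.20.5+vmware.2-tkg.1"     # remediated release (article)
UNPATCHED_TKR="v1.20.5+vmware.1-tkg.1"   # default, unpatched release (article)

# Steps 1-3 of the procedure. The 'create' call is expected to fail with the
# provider-name error while still downloading the bom files.
refresh_bom() {
  rm -rf "$HOME/.tanzu/tkg/bom"
  export TKG_BOM_CUSTOM_IMAGE_TAG="$TKG_BOM_TAG"
  tanzu management-cluster create >/dev/null 2>&1 || true
}

# Return 0 if bom directory $1 references release $2 in both bom files,
# 1 otherwise, printing the reason on failure.
check_bom_dir() {
  bom_dir=$1
  want=$2
  tkg_bom="$bom_dir/tkg-bom-v1.3.1.yaml"
  tkr_bom="$bom_dir/tkr-bom-$want.yaml"

  [ -f "$tkg_bom" ] || { echo "FAIL: $tkg_bom not found"; return 1; }
  # -F: '+' and '.' in the version string are literal, not regex metacharacters
  grep -F -q "k8sVersion: $want" "$tkg_bom" \
    || { echo "FAIL: tkg-bom k8sVersion is not $want"; return 1; }
  [ -f "$tkr_bom" ] || { echo "FAIL: no tkr-bom file for $want in $bom_dir"; return 1; }
  grep -F -q "version: $want" "$tkr_bom" \
    || { echo "FAIL: $tkr_bom does not declare version $want"; return 1; }
  echo "OK: $bom_dir references $want"
  return 0
}

# Write a constructed, minimal pair of bom files into $1 for release $2.
# Line 3 of the tkr-bom carries 'version:' so the article's awk check applies.
write_sample_bom() {
  mkdir -p "$1"
  printf 'apiVersion: run.tanzu.vmware.com/v1alpha1\nrelease:\n  version: %s\n' "$2" \
    > "$1/tkr-bom-$2.yaml"
  printf 'apiVersion: run.tanzu.vmware.com/v1alpha1\nrelease:\n  version: v1.3.1\ndefault:\n  k8sVersion: %s\n' "$2" \
    > "$1/tkg-bom-v1.3.1.yaml"
}

# Offline demonstration: one patched and one unpatched sample bom directory.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PATCHED_BOM_DIR="$WORK/patched"
UNPATCHED_BOM_DIR="$WORK/unpatched"
write_sample_bom "$PATCHED_BOM_DIR" "$PATCHED_TKR"
write_sample_bom "$UNPATCHED_BOM_DIR" "$UNPATCHED_TKR"

check_bom_dir "$PATCHED_BOM_DIR" "$PATCHED_TKR"             # prints OK
check_bom_dir "$UNPATCHED_BOM_DIR" "$PATCHED_TKR" || true   # prints FAIL (k8sVersion)

# Against a real installation (run with --live): refresh the bom, then refuse
# to go on to cluster creation unless the patched release is referenced.
if [ "${1:-}" = "--live" ] && command -v tanzu >/dev/null 2>&1; then
  refresh_bom
  check_bom_dir "$HOME/.tanzu/tkg/bom" "$PATCHED_TKR" || exit 1
fi
```

Run it with no arguments to see the check pass on the constructed patched bom and fail on the unpatched one; run it with --live on the system where the tanzu CLI is installed to perform steps 1 to 3 and gate on the result before proceeding to step 4.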



Additional Information

How to remediate Contour (Envoy) CVE-2021-28682, CVE-2021-28683 and CVE-2021-29258 in a Tanzu Kubernetes Grid 1.3 cluster (83761)