Updates for Core for Kubernetes 5.2.0
Kubelink
Resolved Issues
Helm: pull secret to quay gets created even if no credentials are set (E-119659)
The Helm chart now creates the Illumio pull secret only if registry credentials are specified. Externally passed pull-secret names continue to be included.
Kubelink: error concurrent map read and map write (E-119626)
Kubelink was restarted because the previous container exited with the message "fatal error: concurrent map read and map write".
Kubelink: Update base image to address vulnerabilities (E-119429)
The Unified Base Image was upgraded to address CVE-2023-45288.
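The crash behind E-119626 above is the Go runtime's own guard against unsynchronized map access: it is a fatal error, not a panic, so it cannot be recovered and the process dies, which is exactly why the container exited and was restarted. The following is an added example (not Kubelink's code) showing the faulty pattern next to the fix, a map guarded by a sync.RWMutex with a copy-on-read snapshot for iteration. The cache type, key format and worker counts are this example's own assumptions.

```go
package main

import (
	"fmt"
	"os"
	"sync"
)

// UnsafeCache is the pattern that triggers
// "fatal error: concurrent map read and map write": a plain map shared by
// goroutines with no lock. The runtime aborts the whole process when it
// detects a read overlapping a write; recover() cannot catch it.
type UnsafeCache struct {
	entries map[string]string
}

func (c *UnsafeCache) Set(k, v string)          { c.entries[k] = v }
func (c *UnsafeCache) Get(k string) (string, bool) { v, ok := c.entries[k]; return v, ok }

// SafeCache guards the same map with a sync.RWMutex: readers share the lock,
// writers take it exclusively.
type SafeCache struct {
	mu      sync.RWMutex
	entries map[string]string
}

func NewSafeCache() *SafeCache { return &SafeCache{entries: make(map[string]string)} }

func (c *SafeCache) Set(k, v string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.entries[k] = v
}

func (c *SafeCache) Get(k string) (string, bool) {
	c.mu.RLock()
	defer c.mu.RUnlock()
	v, ok := c.entries[k]
	return v, ok
}

// Snapshot copies the map under the read lock so callers can range over the
// result without holding the lock; ranging over the live map while another
// goroutine writes is the same fatal race.
func (c *SafeCache) Snapshot() map[string]string {
	c.mu.RLock()
	defer c.mu.RUnlock()
	out := make(map[string]string, len(c.entries))
	for k, v := range c.entries {
		out[k] = v
	}
	return out
}

// Hammer runs n writer goroutines (each writing per distinct keys) alongside
// n reader goroutines against a SafeCache and returns the final key count,
// which is always n*per because every write is serialized by the mutex.
func Hammer(n, per int) int {
	c := NewSafeCache()
	var wg sync.WaitGroup
	for w := 0; w < n; w++ {
		wg.Add(2)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < per; i++ {
				c.Set(fmt.Sprintf("w%d-k%d", id, i), "v")
			}
		}(w)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < per; i++ {
				c.Get(fmt.Sprintf("w%d-k%d", id, i))
			}
		}(w)
	}
	wg.Wait()
	return len(c.Snapshot())
}

// HammerUnsafe is the same workload on the unguarded map. Calling it will,
// with very high probability, abort the process with the fatal error above.
func HammerUnsafe(n, per int) int {
	c := &UnsafeCache{entries: make(map[string]string)}
	var wg sync.WaitGroup
	for w := 0; w < n; w++ {
		wg.Add(2)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < per; i++ {
				c.Set(fmt.Sprintf("w%d-k%d", id, i), "v")
			}
		}(w)
		go func(id int) {
			defer wg.Done()
			for i := 0; i < per; i++ {
				c.Get(fmt.Sprintf("w%d-k%d", id, i))
			}
		}(w)
	}
	wg.Wait()
	return len(c.entries)
}

func main() {
	// Opt in to the crash demo explicitly; it kills the process, not just a goroutine.
	if os.Getenv("DEMO_UNSAFE") != "" {
		fmt.Println("keys (unsafe):", HammerUnsafe(8, 1000))
	}
	fmt.Println("keys (safe):", Hammer(8, 1000))
}
```

Run it with `go run -race .` to have the race detector report the UnsafeCache accesses even on runs where the runtime check happens not to fire; the detector is the reliable way to find this class of bug before it reaches a cluster.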
Kubelink needs to have higher priority assigned to avoid going to evicted state (E-113920)
If the Kubernetes cluster encountered problems or ran out of space, Kubelink was the first pod to be put into the evicted state, which caused policy enforcement to fail. To prevent permanent eviction, in Helm chart version 5.2.0 the Kubelink Deployment and the C-VEN DaemonSets are assigned priority classes by default: system-cluster-critical for Kubelink and system-node-critical for C-VENs.
C-VEN
Resolved Issues
CVEN: Update base image to address vulnerabilities (E-119428)
The 23.4 C-VEN Unified Base Image was upgraded to the latest UBI9 to address the vulnerabilities described in CVE-2014-3566, CVE-2022-3358, and CVE-2023-27533.
Cannot deploy C-VEN to GKE when using default OS (E-116506)
For GKE clusters that use the default cluster OS (Container-Optimized OS from Google), the node filesystem is read-only. This prevented the C-VEN from mounting /opt/illumio_ven_data and writing to it for persistent storage. To resolve this, a new variable, cven.hostBasePath, was added to the 5.2.0 Helm chart to specify where the C-VEN DaemonSet mounts its data directory. The default value is /opt. If using Container-Optimized OS, set it to /var.
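Both E-113920 (priority classes) and E-116506 (hostBasePath) end up as fields in the rendered Deployment and DaemonSet: spec.template.spec.priorityClassName and spec.template.spec.volumes[].hostPath.path. The following is an added example (not part of the Illumio chart) of a small pre-deploy check that parses a workload object in the JSON form `kubectl get daemonset <name> -o json` emits and reports a wrong priority class or a hostPath volume that is not under the intended base path. The two sample manifests, their names and volume names are constructed for the example and are not real chart output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Only the parts of a Deployment/DaemonSet object that the check needs.
// The JSON tags match the Kubernetes API, so real `kubectl get ... -o json`
// output parses into this struct; unknown fields are ignored.
type workload struct {
	Kind     string `json:"kind"`
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		Template struct {
			Spec struct {
				PriorityClassName string `json:"priorityClassName"`
				Volumes           []struct {
					Name     string `json:"name"`
					HostPath *struct {
						Path string `json:"path"`
					} `json:"hostPath"`
				} `json:"volumes"`
			} `json:"spec"`
		} `json:"template"`
	} `json:"spec"`
}

// underBase reports whether p is hostBase itself or a path below it
// ("/variable" is not under "/var").
func underBase(p, hostBase string) bool {
	p, hostBase = path.Clean(p), path.Clean(hostBase)
	if hostBase == "/" {
		return strings.HasPrefix(p, "/")
	}
	return p == hostBase || strings.HasPrefix(p, hostBase+"/")
}

// Check parses one rendered workload manifest and returns findings for a
// priorityClassName that differs from wantPriority and for every hostPath
// volume outside hostBase. An empty result means the manifest passes.
func Check(manifest []byte, wantPriority, hostBase string) ([]string, error) {
	var w workload
	if err := json.Unmarshal(manifest, &w); err != nil {
		return nil, err
	}
	id := w.Kind + "/" + w.Metadata.Name
	ps := w.Spec.Template.Spec
	var findings []string
	if ps.PriorityClassName != wantPriority {
		findings = append(findings, fmt.Sprintf("%s: priorityClassName %q, want %q",
			id, ps.PriorityClassName, wantPriority))
	}
	for _, v := range ps.Volumes {
		if v.HostPath == nil {
			continue // emptyDir, configMap, secret etc. are not node paths
		}
		if !underBase(v.HostPath.Path, hostBase) {
			findings = append(findings, fmt.Sprintf("%s: volume %q uses hostPath %q outside %s",
				id, v.Name, v.HostPath.Path, hostBase))
		}
	}
	return findings, nil
}

// Constructed samples (assumed shapes, not real chart output): a C-VEN
// DaemonSet rendered with the default base path, and a Kubelink Deployment
// carrying no priority class at all, as before 5.2.0.
const sampleCVEN = `{"kind":"DaemonSet","metadata":{"name":"illumio-cven"},
 "spec":{"template":{"spec":{"priorityClassName":"system-node-critical",
 "volumes":[{"name":"ven-data","hostPath":{"path":"/opt/illumio_ven_data"}},
            {"name":"tmp","emptyDir":{}}]}}}}`

const sampleKubelink = `{"kind":"Deployment","metadata":{"name":"illumio-kubelink"},
 "spec":{"template":{"spec":{"volumes":[]}}}}`

func main() {
	// On a Container-Optimized OS node the base must be /var, so the /opt volume is reported.
	f, _ := Check([]byte(sampleCVEN), "system-node-critical", "/var")
	fmt.Println(f)
	// The missing priority class on the Kubelink Deployment is reported.
	f, _ = Check([]byte(sampleKubelink), "system-cluster-critical", "/opt")
	fmt.Println(f)
}
```

Feeding it the live objects after `helm upgrade` (one `kubectl get ... -o json` per workload) confirms that the chart values actually reached the cluster, which is the thing to verify when a node's data directory still fails to mount.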
[CVEN]: Failed to load policy (E-115231)
The log message "Error: Failed to load policy" was appearing in scenarios that were obvious or expected. The log level for this message has been changed from Error to Info.
Re-adding node does not re-pair it (E-98120)
When deleting and then re-adding the same node, the node would not reappear, and its policy disappeared.