AWS eks documentation change
Summary
Added documentation for Kubernetes 1.29, including deprecation notices and LegacyServiceAccountTokenCleanUp security feature
Security assessment
Documents the LegacyServiceAccountTokenCleanUp feature, which reduces attack surface by managing legacy tokens. This is a security enhancement but not a direct response to a disclosed vulnerability.
Diff
diff --git a/eks/latest/userguide/kubernetes-versions-extended.md b/eks/latest/userguide/kubernetes-versions-extended.md index f02183e19..fb4f30c68 100644 --- a/eks/latest/userguide/kubernetes-versions-extended.md +++ b/eks/latest/userguide/kubernetes-versions-extended.md @@ -5 +5 @@ -Kubernetes 1.28Kubernetes 1.27Kubernetes 1.26Kubernetes 1.25 +Kubernetes 1.29Kubernetes 1.28Kubernetes 1.27Kubernetes 1.26Kubernetes 1.25 @@ -16,0 +17,22 @@ This topic gives important changes to be aware of for each Kubernetes version in +## Kubernetes 1.29 + +Kubernetes `1.29` is now available in Amazon EKS. For more information about Kubernetes `1.29`, see the [official release announcement](https://kubernetes.io/blog/2023/12/13/kubernetes-v1-29-release/). + +###### Important + + * The deprecated `flowcontrol.apiserver.k8s.io/v1beta2` API version of `FlowSchema` and `PriorityLevelConfiguration` are no longer served in Kubernetes version `1.29`. If you have manifests or client software that uses the deprecated beta API group, you should change these before you upgrade to version `1.29`. + + + + + * The `.status.kubeProxyVersion` field for node objects is now deprecated, and the Kubernetes project is proposing to remove that field in a future release. The deprecated field is not accurate and has historically been managed by `kubelet` \- which does not actually know the `kube-proxy` version, or even whether `kube-proxy` is running. If you’ve been using this field in client software, stop - the information isn’t reliable and the field is now deprecated. + + * In Kubernetes `1.29` to reduce potential attack surface, the `LegacyServiceAccountTokenCleanUp` feature labels legacy auto-generated secret-based tokens as invalid if they have not been used for a long time (1 year by default), and automatically removes them if use is not attempted for a long time after being marked as invalid (1 additional year by default). To identify such tokens, a you can run: + + kubectl get cm kube-apiserver-legacy-service-account-token-tracking -n kube-system + + + + +For the complete Kubernetes `1.29` changelog, see [https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280](https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.29.md#changelog-since-v1280). +