cs_versions_addons.md

copyright	lastupdated	keywords	subcollection
years 2014, 2019	2019-10-03	kubernetes, iks, nginx, ingress controller, fluentd	containers

{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:download: .download} {:preview: .preview}

Fluentd and Ingress ALB changelog

{: #cluster-add-ons-changelog}

Your {{site.data.keyword.containerlong}} cluster comes with components, such as the Fluentd and Ingress ALB components, that are updated automatically by IBM. You can also disable automatic updates for some components and manually update them separately from the master and worker nodes. Refer to the tables in the following sections for a summary of changes for each version. {: shortdesc}

Check the Security Bulletins on {{site.data.keyword.cloud_notm}} Status for security vulnerabilities that affect {{site.data.keyword.containerlong_notm}}. You can filter the results to view only Kubernetes Cluster security bulletins that are relevant to {{site.data.keyword.containerlong_notm}}. {{site.data.keyword.containerlong_notm}}. Changelog entries that address other security vulnerabilities but do not also refer to an IBM Security Bulletin are for vulnerabilities that are not known to affect {{site.data.keyword.containerlong_notm}} in normal usage. If you run privileged containers, run commands on the workers, or execute untrusted code, then you might be at risk.

For more information about managing updates for Fluentd and Ingress ALBs, see Updating cluster components.

Ingress ALBs changelog

{: #alb_changelog}

View build version changes for Ingress application load balancers (ALBs) in your {{site.data.keyword.containerlong_notm}} clusters. {:shortdesc}

When the Ingress ALB component is updated, the nginx-ingress and ingress-auth containers in all ALB pods are updated to the latest build version. By default, automatic updates to the component are enabled, but you can disable automatic updates and manually update the component. For more information, see Updating the Ingress application load balancer.

Refer to the following table for a summary of changes for each build of the Ingress ALB component.

Changelog for the Ingress application load balancer component

`nginx-ingress` / `ingress-auth` build	Release date	Non-disruptive changes	Disruptive changes
579 / 341	03 Oct 2019	Fixes `e2fsprogs` vulnerabilities for [CVE-2019-5094 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5094).	-
566 / 340	24 Sept 2019	In Kubernetes version 1.14 and later clusters, adds support for `apiVersion: networking.k8s.io/v1beta1` in Ingress resource YAML files. Note that `apiVersion: extensions/v1beta1` is still supported for all versions, and version 1.13 clusters must continue to use `apiVersion: extensions/v1beta1`.	-
552 / 340	12 Sept 2019	Adds the [`proxy-ssl-verify-depth` optional parameter to the `ssl-services` annotation](/docs/containers?topic=containers-ingress_annotation#ssl-services). Fixes a bug so that when traffic is routed to a host that does not exist, a default server now successfully returns a `404 Not Found` error message.	-
524 / 340	05 Sept 2019	Fixes HTTP/2 vulnerabilities for [CVE-2019-9511 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511) and [CVE-2019-9513 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513).	-
524 / 337	26 Aug 2019	Fixes a bug in the deployment for the readiness check for ALB pod restarts in some older images. Fixes `golang` vulnerabilities for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) and [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514).	Updates the deployment for Ingress ALBs. If you use edge nodes in your cluster, [redeploy your ALBs to your edge nodes (step 4)](/docs/containers?topic=containers-edge#edge_nodes).
519 / 335	20 Aug 2019	Fixes a bug so that [specifying custom ports](/docs/containers?topic=containers-ingress_annotation#custom-port) is now functional for VPC on Classic clusters.	-
515 / 335	12 Aug 2019	Fixes `musl libc` vulnerabilities for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).	-
515 / 334	30 Jul 2019	Adds a readiness check for ALB pod restarts to prevent request loss. ALB pods are prevented from attempting to route traffic requests until all of the Ingress resource files are parsed, up to a default maximum of 5 minutes. For more information, including steps for changing the default timeout values, see [Increasing the restart readiness check time for ALB pods](/docs/containers?topic=containers-ingress-settings#readiness-check). Fixes GNU `patch` vulnerabilities for [CVE-2019-13636 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13636) and [CVE-2019-13638 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13638).	-
512 / 334	17 Jul 2019	Fixes `rbash` vulnerabilities for [CVE-2016-3189 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924). Removes the following apt packages from the `nginx-ingress` image: `curl`, `bash`, `vim`, `tcpdump`, and `ca-certificates`.	-
497 / 334	14 Jul 2019	Adds the [`upstream-keepalive-timeout`](/docs/containers?topic=containers-ingress_annotation#upstream-keepalive-timeout) to set the maximum time that a keepalive connection stays open between the ALB proxy server and the upstream server for your back-end app. Adds support for the [`reuse-port`](/docs/containers?topic=containers-ingress-settings#reuse-port) directive to increase the number of ALB socket listeners from one per cluster to one per worker node. Removes the redundant update of the load balancer that exposes an ALB when a port number is changed. Fixes `bzip2` vulnerabilities for [CVE-2016-3189 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189) and [CVE-2019-12900 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900). Fixes Expat vulnerabilities for [CVE-2018-20843 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20843).	-
477 / 331	24 Jun 2019	Fixes SQLite vulnerabilities for [CVE-2016-6153 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6153), [CVE-2017-10989 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10989), [CVE-2017-13685 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13685), [CVE-2017-2518 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2518), [CVE-2017-2519 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2519), [CVE-2017-2520 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2520), [CVE-2018-20346 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20346), [CVE-2018-20505 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20505), [CVE-2018-20506 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20506), [CVE-2019-8457 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457), [CVE-2019-9936 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936), and [CVE-2019-9937 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937).	-
473 / 331	18 Jun 2019	Fixes Vim vulnerabilities for [CVE-2019-5953 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5953) and [CVE-2019-12735 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12735). Updates the NGINX version of ALBs to 1.15.12.	-
470 / 330	07 Jun 2019	Fixes Berkeley DB vulnerabilities for [CVE-2019-8457 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457).	-
470 / 329	06 Jun 2019	Fixes Berkeley DB vulnerabilities for [CVE-2019-8457 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457).	-
467 / 329	03 Jun 2019	Fixes GnuTLS vulnerabilities for [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-3893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3893), [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), and [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846).	-
462 / 329	28 May 2019	Fixes cURL vulnerabilities for [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435) and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).	-
457 / 329	23 May 2019	Fixes Go vulnerabilities for [CVE-2019-11841 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11841).	-
423 / 329	13 May 2019	Improves performance for the integration with {{site.data.keyword.appid_full}}.	-
411 / 315	15 Apr 2019	Updates the value of the {{site.data.keyword.appid_full_notm}} cookie expiration so that it matches the value of the access token expiration.	-
411 / 306	22 Mar 2019	Updates the Go version to 1.12.1.	-
410 / 305	18 Mar 2019	Fixes vulnerabilities for image scans. Improves logging for the integration with {{site.data.keyword.appid_full_notm}}.	-
408 / 304	05 Mar 2019	-	Fixes bugs in the authorization integration that is related to log out functionality, token expiration, and the `OAuth` authorization callback. These fixes are implemented only if you enabled {{site.data.keyword.appid_full_notm}} authorization by using the [`appid-auth`](/docs/containers?topic=containers-ingress_annotation#appid-auth) annotation. To implement these fixes, additional headers are added, which increases the total header size. Depending on the size of your own headers and the total size of responses, you might need to adjust any [proxy buffer annotations](/docs/containers?topic=containers-ingress_annotation#proxy-buffer) that you use.
406 / 301	19 Feb 2019	Updates the Go version to 1.11.5. Fixes vulnerabilities for image scans.	-
404 / 300	31 Jan 2019	Updates the Go version to 1.11.4.	-
403 / 295	23 Jan 2019	Updates the NGINX version of ALBs to 1.15.2. IBM-provided TLS certificates are now automatically renewed 37 days before they expire instead of 7 days. Adds {{site.data.keyword.appid_full_notm}} logout functionality: If the `/logout` prefix exists in an {{site.data.keyword.appid_full_notm}} path, cookies are removed and the user is sent back to the login page. Adds a header to {{site.data.keyword.appid_full_notm}} requests for internal tracking purposes. Updates the {{site.data.keyword.appid_short_notm}} location directive so that the `app-id` annotation can be used with the `proxy-buffers`, `proxy-buffer-size`, and `proxy-busy-buffer-size` annotations. Fixes a bug so that informational logs are not labeled as errors.	Disables TLS 1.0 and 1.1 by default. If the clients that connect to your apps support TLS 1.2, no action is required. If you still have legacy clients that require TLS 1.0 or 1.1 support, manually enable the required TLS versions by following [these steps](/docs/containers?topic=containers-ingress-settings#ssl_protocols_ciphers). For more information about how to see the TLS versions that your clients use to access your apps, see this [{{site.data.keyword.cloud_notm}} Blog post](https://www.ibm.com/cloud/blog/ibm-cloud-kubernetes-service-alb-update-tls-1-0-and-1-1-disabled-by-default).
393 / 291	09 Jan 2019	Adds support for integration with multiple {{site.data.keyword.appid_full_notm}} instances.	-
393 / 282	29 Nov 2018	Improves performance for the integration with {{site.data.keyword.appid_full_notm}}.	-
384 / 246	14 Nov 2018	Improves logging and logout features for the integration with {{site.data.keyword.appid_full_notm}}.	Replaces the self-signed certificate for `*.containers.mybluemix.net` with the LetsEncrypt signed certificate that is automatically generated for and used by the cluster. The `*.containers.mybluemix.net` self-signed certificate is removed.
350 / 192	05 Nov 2018	Adds support for enabling and disabling automatic updates of the Ingress ALB component.	-

Fluentd for logging changelog

{: #fluentd_changelog}

View build version changes for the Fluentd component for logging in your {{site.data.keyword.containerlong_notm}} clusters. {:shortdesc}

By default, automatic updates to the component are enabled, but you can disable automatic updates and manually update the component. For more information, see Managing automatic updates for Fluentd.

Refer to the following table for a summary of changes for each build of the Fluentd component.

Changelog for the Fluentd component

Fluentd build	Release date	Non-disruptive changes	Disruptive changes
96f399cdea1c86c63a4ca4e043180f81f3559676	22 Jul 2019	Updates Alpine packages for [CVE-2019-8905 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8905), [CVE-2019-8906 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8906), and [CVE-2019-8907 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8907).	-
e7c10d74350dc64d4d92ba7f72bb4ff9219315d2	30 May 2019	Updates the Fluent config map to always ignore pod logs from IBM namespaces, even when the Kubernetes master is unavailable.	-
c16fe1602ab65db4af0a6ac008f99ca2a526e6f6	21 May 2019	Fixes a bug where worker node metrics did not display.	-
60fc11f7bd39d9c6cfed923c598bf6457b3f2037	10 May 2019	Updates Ruby packages for [CVE-2019-8320 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320), [CVE-2019-8321 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321), [CVE-2019-8322 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322), [CVE-2019-8323 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323), [CVE-2019-8324 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324), and [CVE-2019-8325 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325).	-
91a737f68f7d9e81b5d2223c910aaa7d7f91b76d	08 May 2019	Updates Ruby packages for [CVE-2019-8320 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8320), [CVE-2019-8321 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8321), [CVE-2019-8322 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8322), [CVE-2019-8323 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323), [CVE-2019-8324 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8324), and [CVE-2019-8325 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8325).	-
d9af69e286986a05ed4a50469585b1cf978ddb1d	11 Apr 2019	Updates the cAdvisor plug-in to use TLS 1.2.	-
3100ddb62580a9f46ffdff7bab2ebec40b164de6	01 Apr 2019	Updates the Fluentd service account.	-
c85567b75bd7ad1c9428794cd63a8e239c3fd8f5	18 Mar 2019	Removes the dependency on cURL for [CVE-2019-8323 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8323).	-
320ffdf87de068ee2f7f34c0e7a47a111e8d457b	18 Feb 2019	Updates Fluend to version 1.3. Removes Git from the Fluentd image for [CVE-2018-19486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19486).	-
972865196aefd3324105087878de12c518ed579f	01 Jan 2019	Enables UTF-8 encoding for the Fluentd `in_tail` plug-in. Minor bug fixes.	-