From 75f43b5973a0596efefb1a9e6d73dacb837683f9 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Thu, 1 Feb 2024 15:00:27 +0000 Subject: [PATCH 1/3] Link to HTTPS metrics documentation Signed-off-by: Richard Wall --- content/docs/releases/release-notes/release-notes-1.14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index aa3f6cc21df..492453f36f1 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md @@ -50,7 +50,7 @@ This will help mitigate denial-of-service attacks against those important servic All the cert-manager containers are now configured with read only root file system by default, to prevent unexpected changes to the file system of the OCI image. -And it is now possible to configure the metrics server to use HTTPS rather than HTTP, +And it is now possible to [configure the metrics server to use HTTPS](../../devops-tips/prometheus-metrics.md#tls) rather than HTTP, so that clients can verify the identity of the metrics server. #### Other From f612faff23eeb173cc9920984613f7afec080c48 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Thu, 1 Feb 2024 15:04:27 +0000 Subject: [PATCH 2/3] Link to readOnlyRootFilesystem reference Signed-off-by: Richard Wall --- content/docs/releases/release-notes/release-notes-1.14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index 492453f36f1..92b427f65ef 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -47,7 +47,7 @@ An ongoing security audit of the cert-manager code revealed some weaknesses whic such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those important services. -All the cert-manager containers are now configured with read only root file system by default, +All the cert-manager containers are now configured with [read only root file system](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) by default, to prevent unexpected changes to the file system of the OCI image. And it is now possible to [configure the metrics server to use HTTPS](../../devops-tips/prometheus-metrics.md#tls) rather than HTTP, From a84652724296d936e4f784be231ec5b9a197683a Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Thu, 1 Feb 2024 15:18:16 +0000 Subject: [PATCH 3/3] Link to the CNCF graduation checklist which mentions the security audit Signed-off-by: Richard Wall --- content/docs/releases/release-notes/release-notes-1.14.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/docs/releases/release-notes/release-notes-1.14.md b/content/docs/releases/release-notes/release-notes-1.14.md index 92b427f65ef..a7026308dc3 100644 --- a/content/docs/releases/release-notes/release-notes-1.14.md +++ b/content/docs/releases/release-notes/release-notes-1.14.md 
@@ -43,7 +43,7 @@ To know more details on name constraints check out RFC section https://datatrack #### Security -An ongoing security audit of the cert-manager code revealed some weaknesses which we have addressed in this release, +An [ongoing CNCF security audit of the cert-manager code](https://github.com/cert-manager/cert-manager/issues/6132) revealed some weaknesses which we have addressed in this release, such as using more secure default settings in the HTTP servers that serve metrics, healthz and pprof endpoints. This will help mitigate denial-of-service attacks against those important services.
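Review bot: In the PATCH 1/3 hunk (`@@ -50,7 +50,7 @@`), the new link target `../../devops-tips/prometheus-metrics.md#tls` depends on a `tls` heading anchor existing in that page; a missing fragment does not break the build, it just renders as a link to the top of the page, so please confirm the heading is present and that the site's link checker validates fragments rather than only file paths. The relative path resolves from `content/docs/releases/release-notes/` to `content/docs/devops-tips/prometheus-metrics.md`, which is the intended location, but the `.md` suffix will only work if the site's link rewriting handles it; the other docs pages should be checked for the convention used.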
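Review bot: In the PATCH 2/3 hunk (`@@ -47,7 +47,7 @@`), the commit subject says this links to the `readOnlyRootFilesystem` reference, but the URL `https://kubernetes.io/docs/tasks/configure-pod-container/security-context/` points at the whole security-context task page with no fragment, so readers land on general material rather than the field in question. Consider linking to the part of that page (or of the Pod `SecurityContext` API reference) that covers the read-only root filesystem setting, and aligning the link text with the field name (`read-only root filesystem`) so it matches what users will search for. Since the line says the default now prevents changes to the image's filesystem, it would also help to say how a user can opt out if something they run in the container still needs to write there.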
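Review bot: In the PATCH 3/3 hunk (`@@ -43,7 +43,7 @@`), the link text `ongoing CNCF security audit of the cert-manager code` points at `https://github.com/cert-manager/cert-manager/issues/6132`, which the commit message describes as the CNCF graduation checklist that mentions the audit, not the audit itself. Readers following a link labelled "security audit" will expect the audit scope or findings, so either label the link as the graduation tracking issue or add a short clause such as "tracked in the CNCF graduation checklist" so the target matches the text. Because the audit is described as ongoing, it is also worth stating that further findings may be addressed in later releases, so "weaknesses which we have addressed in this release" is not read as a complete list.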