cs_versions_changelog.md

copyright	lastupdated	keywords	subcollection
years 2014, 2019	2019-10-01	kubernetes, iks, versions, update	containers

{:new_window: target="_blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:download: .download} {:preview: .preview} {:external: target="_blank" .external}

Version changelog

{: #changelog}

View information of version changes for major, minor, and patch updates that are available for your {{site.data.keyword.containerlong}} Kubernetes clusters. Changes include updates to Kubernetes and {{site.data.keyword.cloud_notm}} Provider components. {:shortdesc}

Overview

{: #changelog_overview}

Unless otherwise noted in the changelogs, the {{site.data.keyword.containerlong_notm}} provider version enables Kubernetes APIs and features that are at beta. Kubernetes alpha features, which are subject to change, are disabled.

For more information about major, minor, and patch versions and preparation actions between minor versions, see Kubernetes versions. {: tip}

Check the Security Bulletins on {{site.data.keyword.cloud_notm}} Status for security vulnerabilities that affect {{site.data.keyword.containerlong_notm}}. You can filter the results to view only Kubernetes Cluster security bulletins that are relevant to {{site.data.keyword.containerlong_notm}}. Changelog entries that address other security vulnerabilities but do not also refer to an IBM security bulletin are for vulnerabilities that are not known to affect {{site.data.keyword.containerlong_notm}} in normal usage. If you run privileged containers, run commands on the workers, or execute untrusted code, then you might be at risk.

Some changelogs are for worker node fix packs, and apply only to worker nodes. You must apply these patches to ensure security compliance for your worker nodes. These worker node fix packs can be at a higher version than the master because some build fix packs are specific to worker nodes. Other changelogs are for master fix packs, and apply only to the cluster master. Master fix packs might not be automatically applied. You can choose to apply them manually. For more information about patch types, see Update types. {: note}

Version 1.15 changelog

{: #115_changelog}

Changelog for 1.15.4_1518, released 1 October 2019

{: #1154_1518}

The following table shows the changes that are included in the patch 1.15.4_1518. {: shortdesc}

Changes since version 1.15.3_1517

Component	Previous	Current	Description
Calico	v3.8.1	v3.8.2	See the [Calico release notes ](https://docs.projectcalico.org/v3.8/release-notes/).
Cluster master HA configuration	N/A	N/A	Updated configuration to improve performance of master update operations.
containerd	v1.2.9	v1.2.10	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.10). Update resolves [CVE-2019-16884 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884) and [CVE-2019-16276 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276).
Default IBM file storage class	N/A	N/A	Fixed a bug that might cause cluster master operations such as patch updates to clear the default IBM file storage class.
Gateway-enabled cluster controller	N/A	844	New! For [classic clusters with a gateway enabled](/docs/containers?topic=containers-clusters#gateway_cluster_cli), a `DaemonSet` is installed to configure settings for routing network traffic to worker nodes.
{{site.data.keyword.cloud_notm}} Provider	v1.15.3-112	v1.15.4-136	Updated to support the Kubernetes 1.15.4 release. In addition, version 1.0 and 2.0 network load balancers (NLBs) were updated to support [classic clusters with a gateway enabled](/docs/containers?topic=containers-clusters#gateway_cluster_cli).
Key Management Service provider	212	221	Improved Kubernetes [key management service provider](/docs/containers?topic=containers-encryption#keyprotect) caching of {{site.data.keyword.cloud_notm}} IAM tokens. In addition, fixed a problem with Kubernetes secret decryption when the cluster's root key is rotated.
Kubernetes	v1.15.3	v1.15.4	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.15.4).
Kubernetes Metrics Server	v0.3.3	v0.3.4	See the [Kubernetes Metrics Server release notes ](https://github.com/kubernetes-incubator/metrics-server/releases/tag/v0.3.4).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} provider	148	153	Fixed issues with version 2.0 network load balancers (NLBs) that might cause all network traffic to drop or to be sent only to pods on one worker node.
OpenVPN server	2.4.6-r3-IKS-115	2.4.6-r3-IKS-121	Updated images for [CVE-2019-1547 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547) and [CVE-2019-1563 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563).
Ubuntu 18.04 kernel and packages	4.15.0-62-generic	4.15.0-64-generic	Updated worker node images with kernel and package updates for [CVE-2019-15031 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15031), [CVE-2019-15030 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15030), and [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).
Ubuntu 16.04 kernel and packages	4.4.0-161-generic	4.4.0-164-generic	Updated worker node images with kernel and package updates for [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).

Changelog for worker node fix pack 1.15.3_1517, released 16 September 2019

{: #1153_1517_worker}

The following table shows the changes that are included in the worker node fix pack 1.15.3_1517. {: shortdesc}

Changes since version 1.15.3_1516

Component	Previous	Current	Description
containerd	v1.2.8	v1.2.9	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.9). Update resolves [CVE-2019-9515 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515).
Ubuntu 16.04 packages and kernel	4.4.0-159-generic	4.4.0-161-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2015-9383 ](https://nvd.nist.gov/vuln/detail/CVE-2015-9383), [CVE-2019-10638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10638), [CVE-2019-3900 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3900), [CVE-2019-13648 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13648), [CVE-2018-20856 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20856), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2018-20406 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20406), and [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160).
Ubuntu 18.04 packages and kernel	4.15.0-58-generic	4.15.0-62-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160), and [CVE-2019-15718 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15718).

Changelog for worker node fix pack 1.15.3_1516, released 3 September 2019

{: #1153_1516_worker}

The following table shows the changes that are included in the worker node fix pack 1.15.3_1516. {: shortdesc}

Changes since version 1.15.2_1514

Component	Previous	Current	Description
containerd	v1.2.7	v1.2.8	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.8). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Kubernetes	v1.15.2	v1.15.3	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.15.3). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Ubuntu 16.04 packages	N/A	N/A	Updated worker node images with package updates.
Ubuntu 18.04 packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-10222 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10222) and [CVE-2019-11922 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11922).

Changelog for master fix pack 1.15.3_1515, released 28 August 2019

{: #1153_1515}

The following table shows the changes that are included in the master fix pack 1.15.3_1515. {: shortdesc}

Changes since version 1.15.2_1514

Component	Previous	Current	Description
`etcd`	v3.3.13	v3.3.15	See the [`etcd` release notes ](https://github.com/etcd-io/etcd/releases/v3.3.15). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
GPU device plug-in and installer	07c9b67	de13f2a	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809). Updated the GPU drivers to [430.40 ](https://www.nvidia.com/Download/driverResults.aspx/149138/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	348	349	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
{{site.data.keyword.cloud_notm}} Provider	v1.15.2-94	v1.15.3-112	Updated to support the Kubernetes 1.15.3 release.
Key Management Service provider	207	212	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Kubernetes	v1.15.2	v1.15.3	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.15.3). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	147	148	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).

Changelog for worker node fix pack 1.15.2_1514, released 19 August 2019

{: #1152_1514_worker}

The following table shows the changes that are included in the worker node fix pack 1.15.2_1514. {: shortdesc}

Changes since version 1.15.1_1511

Component	Previous	Current	Description
Cluster master HA Proxy	2.0.1-alpine	1.8.21-alpine	Moved to HA Proxy 1.8 to fix [socket leak in HA proxy ](haproxy/haproxy#136). Also added a liveliness check to monitor the health of HA Proxy. For more information, see [HA Proxy release notes ](https://www.haproxy.org/download/1.8/src/CHANGELOG).
Kubernetes	v1.15.1	v1.15.2	For more information, see the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.15.2).
Ubuntu 16.04 kernel and packages	4.4.0-157-generic	4.4.0-159-generic	Updated worker node images with package updates for [CVE-2019-13012 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13012), [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), and [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846).
Ubuntu 18.04 kernel and packages	4.15.0-55-generic	4.15.0-58-generic	Updated worker node images with package updates for [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2019-2101 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2101), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-13233 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13233), [CVE-2019-13272 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13272), [CVE-2000-1134 ](https://nvd.nist.gov/vuln/detail/CVE-2000-1134), [CVE-2007-3852 ](https://nvd.nist.gov/vuln/detail/CVE-2007-3852), [CVE-2008-0525 ](https://nvd.nist.gov/vuln/detail/CVE-2008-0525), [CVE-2009-0416 ](https://nvd.nist.gov/vuln/detail/CVE-2009-0416), [CVE-2011-4834 ](https://nvd.nist.gov/vuln/detail/CVE-2011-4834), [CVE-2015-1838 ](https://nvd.nist.gov/vuln/detail/CVE-2015-1838), [CVE-2015-7442 ](https://nvd.nist.gov/vuln/detail/CVE-2015-7442), [CVE-2016-7489 ](https://nvd.nist.gov/vuln/detail/CVE-2016-7489), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846), [CVE-2019-12818 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12818), [CVE-2019-12984 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12984), and [CVE-2019-12819 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12819).

Changelog for master fix pack 1.15.2_1514, released 17 August 2019

{: #1152_1514}

The following table shows the changes that are included in the master fix pack 1.15.2_1514. {: shortdesc}

Changes since version 1.15.1_1513

Component	Previous	Current	Description
Key Management Service provider	167	207	Fixed an issue that causes the Kubernetes [key management service (KMS) provider](/docs/containers?topic=containers-encryption#keyprotect) to fail to manage Kubernetes secrets.

Changelog for master fix pack 1.15.2_1513, released 15 August 2019

{: #1152_1513}

The following table shows the changes that are included in the master fix pack 1.15.2_1513. {: shortdesc}

Changes since version 1.15.1_1511

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Calico `calico-kube-controllers` deployment in the `kube-system` namespace sets a memory limit on the `calico-kube-controllers` container. In addition, the `calico-node` deployment in the `kube-system` namespace no longer includes the `flexvol-driver` init container.
Cluster health	N/A	N/A	Cluster health shows `Warning` state if a cluster control plane operation failed or was cancelled. For more information, see [Debugging clusters](/docs/containers?topic=containers-cs_troubleshoot#debug_clusters).
GPU device plug-in and installer	d91d200	07c9b67	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
{{site.data.keyword.cloud_notm}} Provider	v1.15.1-86	v1.15.2-94	Updated to support the Kubernetes 1.15.2 release.
{{site.data.keyword.cloud_notm}} File Storage plug-in	347	348	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
Kubernetes	v1.15.1	v1.15.2	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.15.2). Updates resolves [CVE-2019-11247 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11247) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967115)) and [CVE-2019-11249 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11249) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967123)).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	146	147	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN client	2.4.6-r3-IKS-90	2.4.6-r3-IKS-116	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN server	2.4.6-r3-IKS-25	2.4.6-r3-IKS-115	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).

Changelog for 1.15.1_1511, released 5 August 2019

{: #1151_1511}

The following table shows the changes that are included in the patch 1.15.1_1511. {: shortdesc}

Changes since version 1.14.4_1526

Component	Previous	Current	Description
Calico	v3.6.4	v3.8.1	See the [Calico release notes ](https://docs.projectcalico.org/v3.8/release-notes/). In addition, Kubernetes version 1.15 clusters now have a new `allow-all-private-default` global network policy to allow all ingress and egress network traffic on private interface. For more information, see [Isolating clusters on the private network](/docs/containers?topic=containers-network_policies#isolate_workers).
{{site.data.keyword.cloud_notm}} Provider	v1.14.4-139	v1.15.1-86	Updated to support the Kubernetes 1.15.1 release. `calicoctl` version is updated to 3.8.1. Virtual Private Cloud (VPC) load balancer support is added for VPC clusters. .
Kubernetes	v1.14.4	v1.15.1	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.15.1) and [Kubernetes 1.15 blog ](https://kubernetes.io/blog/2019/06/19/kubernetes-1-15-release-announcement/). Update resolves [CVE-2019-11248 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11248) (see [IBM security bulletin ](https://www-01.ibm.com/support/docview.wss?uid=ibm10967113)).
Kubernetes configuration	N/A	N/A	Updated Kubernetes API server default toleration seconds to 600 for the Kubernetes default `node.kubernetes.io/not-ready` and `node.kubernetes.io/unreachable` pod tolerations. For more information about tolerations, see [Taints and Tolerations ](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/).
Kubernetes add-on resizer	1.8.4	1.8.5	For more information, see the [Kubernetes addon resizer release notes ](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.5).
Kubernetes DNS autoscaler	1.4.0	1.6.0	For more information, see the [Kubernetes DNS autoscaler release notes ](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.6.0).
Kubernetes nodelocal DNS cache	N/A	1.15.4	For more information, see the [Kubernetes nodelocal DNS cache release notes ](https://github.com/kubernetes/dns/releases/tag/1.15.4). For more information about this new beta feature, see [Setting up Nodelocal DNS Cache (beta)](/docs/containers?topic=containers-cluster_dns#dns_enablecache).
Cluster master HA proxy	1.9.7-alpine	2.0.1-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/2.0/src/CHANGELOG).
GPU device plug-in and installer	a7e8ece	d91d200	Updated image for [CVE-2019-9924 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924).
Ubuntu 18.04 kernel and packages	4.15.0-54-generic	4.15.0-55-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638), and [CVE-2019-2054 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2054).
Ubuntu 16.04 kernel and packages	4.4.0-154-generic	4.4.0-157-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), and [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638).

Version 1.14 changelog

{: #114_changelog}

Changelog for 1.14.7_1534, released 1 October 2019

{: #1147_1534}

The following table shows the changes that are included in the patch 1.14.7_1534. {: shortdesc}

Changes since version 1.14.6_1533

Component	Previous	Current	Description
Calico	v3.6.4	v3.6.5	See the [Calico release notes ](https://docs.projectcalico.org/v3.6/release-notes/).
Cluster master HA configuration	N/A	N/A	Updated configuration to improve performance of master update operations.
containerd	v1.2.9	v1.2.10	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.10). Update resolves [CVE-2019-16884 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884) and [CVE-2019-16276 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276).
Default IBM file storage class	N/A	N/A	Fixed a bug that might cause cluster master operations such as patch updates to clear the default IBM file storage class.
{{site.data.keyword.cloud_notm}} Provider	v1.14.6-172	v1.14.7-199	Updated to support the Kubernetes 1.14.7 release.
Key Management Service provider	212	221	Improved Kubernetes [key management service provider](/docs/containers?topic=containers-encryption#keyprotect) caching of {{site.data.keyword.cloud_notm}} IAM tokens. In addition, fixed a problem with Kubernetes secret decryption when the cluster's root key is rotated.
Kubernetes	v1.14.6	v1.14.7	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.7).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} provider	148	153	Fixed issues with version 2.0 network load balancers (NLBs) that might cause all network traffic to drop or to be sent only to pods on one worker node.
OpenVPN server	2.4.6-r3-IKS-115	2.4.6-r3-IKS-121	Updated images for [CVE-2019-1547 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547) and [CVE-2019-1563 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563).
Ubuntu 18.04 kernel and packages	4.15.0-62-generic	4.15.0-64-generic	Updated worker node images with kernel and package updates for [CVE-2019-15031 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15031), [CVE-2019-15030 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15030), and [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).
Ubuntu 16.04 kernel and packages	4.4.0-161-generic	4.4.0-164-generic	Updated worker node images with kernel and package updates for [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).

Changelog for worker node fix pack 1.14.6_1533, released 16 September 2019

{: #1146_1533_worker}

The following table shows the changes that are included in the worker node fix pack 1.14.6_1533. {: shortdesc}

Changes since version 1.14.6_1532

Component	Previous	Current	Description
containerd	v1.2.8	v1.2.9	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.9). Update resolves [CVE-2019-9515 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515).
Ubuntu 16.04 packages and kernel	4.4.0-159-generic	4.4.0-161-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2015-9383 ](https://nvd.nist.gov/vuln/detail/CVE-2015-9383), [CVE-2019-10638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10638), [CVE-2019-3900 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3900), [CVE-2019-13648 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13648), [CVE-2018-20856 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20856), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2018-20406 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20406), and [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160).
Ubuntu 18.04 packages and kernel	4.15.0-58-generic	4.15.0-62-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160), and [CVE-2019-15718 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15718).

Changelog for worker node fix pack 1.14.6_1532, released 3 September 2019

{: #1146_1532_worker}

The following table shows the changes that are included in the worker node fix pack 1.14.6_1532. {: shortdesc}

Changes since version 1.14.5_1530

Component	Previous	Current	Description
containerd	v1.2.7	v1.2.8	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.8). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Kubernetes	v1.14.5	v1.14.6	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.6). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Ubuntu 16.04 packages	N/A	N/A	Updated worker node images with package updates.
Ubuntu 18.04 packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-10222 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10222) and [CVE-2019-11922 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11922).

Changelog for master fix pack 1.14.6_1531, released 28 August 2019

{: #1146_1531}

The following table shows the changes that are included in the master fix pack 1.14.6_1531. {: shortdesc}

Changes since version 1.14.5_1530

Component	Previous	Current	Description
`etcd`	v3.3.13	v3.3.15	See the [`etcd` release notes ](https://github.com/etcd-io/etcd/releases/v3.3.15). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
GPU device plug-in and installer	07c9b67	de13f2a	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809). Updated the GPU drivers to [430.40 ](https://www.nvidia.com/Download/driverResults.aspx/149138/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	348	349	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
{{site.data.keyword.cloud_notm}} Provider	v1.14.5-160	v1.14.6-172	Updated to support the Kubernetes 1.14.6 release.
Key Management Service provider	207	212	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Kubernetes	v1.14.5	v1.14.6	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.6). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	147	148	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).

Changelog for worker node fix pack 1.14.5_1530, released 19 August 2019

{: #1145_1530_worker}

The following table shows the changes that are included in the worker node fix pack 1.14.5_1530. {: shortdesc}

Changes since version 1.14.4_1527

Component	Previous	Current	Description
Cluster master HA proxy	2.0.1-alpine	1.8.21-alpine	Moved to HA proxy 1.8 to fix [socket leak in HA proxy ](haproxy/haproxy#136). Also added a liveliness check to monitor the health of HA proxy. For more information, see [HA proxy release notes ](https://www.haproxy.org/download/1.8/src/CHANGELOG).
Kubernetes	v1.14.4	v1.14.5	For more information, see the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.5).
Ubuntu 16.04 kernel and packages	4.4.0-157-generic	4.4.0-159-generic	Updated worker node images with package updates for [CVE-2019-13012 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13012), [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), and [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846).
Ubuntu 18.04 kernel and packages	4.15.0-55-generic	4.15.0-58-generic	Updated worker node images with package updates for [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2019-2101 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2101), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-13233 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13233), [CVE-2019-13272 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13272), [CVE-2000-1134 ](https://nvd.nist.gov/vuln/detail/CVE-2000-1134), [CVE-2007-3852 ](https://nvd.nist.gov/vuln/detail/CVE-2007-3852), [CVE-2008-0525 ](https://nvd.nist.gov/vuln/detail/CVE-2008-0525), [CVE-2009-0416 ](https://nvd.nist.gov/vuln/detail/CVE-2009-0416), [CVE-2011-4834 ](https://nvd.nist.gov/vuln/detail/CVE-2011-4834), [CVE-2015-1838 ](https://nvd.nist.gov/vuln/detail/CVE-2015-1838), [CVE-2015-7442 ](https://nvd.nist.gov/vuln/detail/CVE-2015-7442), [CVE-2016-7489 ](https://nvd.nist.gov/vuln/detail/CVE-2016-7489), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846), [CVE-2019-12818 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12818), [CVE-2019-12984 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12984), and [CVE-2019-12819 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12819).

Changelog for master fix pack 1.14.5_1530, released 17 August 2019

{: #1145_1530}

The following table shows the changes that are included in the master fix pack 1.14.5_1530. {: shortdesc}

Changes since version 1.14.5_1529

Component	Previous	Current	Description
Key Management Service provider	167	207	Fixed an issue that causes the Kubernetes [key management service (KMS) provider](/docs/containers?topic=containers-encryption#keyprotect) to fail to manage Kubernetes secrets.

Changelog for master fix pack 1.14.5_1529, released 15 August 2019

{: #1145_1529}

The following table shows the changes that are included in the master fix pack 1.14.5_1529. {: shortdesc}

Changes since version 1.14.4_1527

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Calico `calico-kube-controllers` deployment in the `kube-system` namespace sets a memory limit on the `calico-kube-controllers` container.
Cluster health	N/A	N/A	Cluster health shows `Warning` state if a cluster control plane operation failed or was cancelled. For more information, see [Debugging clusters](/docs/containers?topic=containers-cs_troubleshoot#debug_clusters).
GPU device plug-in and installer	a7e8ece	07c9b67	Image updated for [CVE-2019-9924 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924) and [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
{{site.data.keyword.cloud_notm}} File Storage plug-in	347	348	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
{{site.data.keyword.cloud_notm}} Provider	v1.14.4-139	v1.14.5-160	Updated to support the Kubernetes 1.14.5 release.
Kubernetes	v1.14.4	v1.14.5	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.5). Updates resolves [CVE-2019-11247 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11247) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967115)) and [CVE-2019-11249 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11249) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967123)).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	146	147	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN client	2.4.6-r3-IKS-13	2.4.6-r3-IKS-116	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN server	2.4.6-r3-IKS-25	2.4.6-r3-IKS-115	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).

Changelog for worker node fix pack 1.14.4_1527, released 5 August 2019

{: #1144_1527_worker}

The following table shows the changes that are included in the worker node fix pack 1.14.4_1527. {: shortdesc}

Changes since version 1.14.4_1526

Component	Previous	Current	Description
Ubuntu 18.04 kernel and packages	4.15.0-54-generic	4.15.0-55-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638), and [CVE-2019-2054 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2054).
Ubuntu 16.04 kernel and packages	4.4.0-154-generic	4.4.0-157-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), and [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638).

Changelog for worker node fix pack 1.14.4_1526, released 22 July 2019

{: #1144_1526_worker}

The following table shows the changes that are included in the worker node fix pack 1.14.4_1526. {: shortdesc}

Changes since version 1.14.3_1525

Component	Previous	Current	Description
Kubernetes	v1.14.3	v1.14.4	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.4). Update resolves [CVE-2019-11248 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11248). For more information, see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967113)).
Ubuntu packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-13012 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13012) and [CVE-2019-7307 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7307.html).

Changelog for master fix pack 1.14.4_1526, released 15 July 2019

{: #1144_1526}

The following table shows the changes that are included in the master fix pack 1.14.4_1526. {: shortdesc}

Changes since version 1.14.3_1525

Component	Previous	Current	Description
Calico	v3.6.1	v3.6.4	See the [Calico release notes ](https://docs.projectcalico.org/v3.6/release-notes/). Update resolves [TTA-2019-001 ](https://www.projectcalico.org/security-bulletins/#TTA-2019-001). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10959551).
CoreDNS configuration	N/A	N/A	Changed the default CoreDNS configuration from a 5 to 30 second TTL for DNS records in the `kubernetes` zone. This change aligns with the default KubeDNS configuration. Existing CoreDNS configurations are unchanged. For more information about changing your CoreDNS configuration, see [Customizing the cluster DNS provider](/docs/containers?topic=containers-cluster_dns#dns_customize).
GPU device plug-in and installer	5d34347	a7e8ece	Updated base image packages.
Kubernetes	v1.14.3	v1.14.4	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.4).
{{site.data.keyword.cloud_notm}} Provider	v1.14.3-113	v1.14.4-139	Updated to support the Kubernetes 1.14.4 release. Additionally, `calicoctl` version is updated to 3.6.4.

Changelog for worker node fix pack 1.14.3_1525, released 8 July 2019

{: #1143_1525}

The following table shows the changes that are included in the worker node patch 1.14.3_1525. {: shortdesc}

Changes since version 1.14.3_1524

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-151-generic	4.4.0-154-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
Ubuntu 18.04 kernel	4.15.0-52-generic	4.15.0-54-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).

Changelog for worker node fix pack 1.14.3_1524, released 24 June 2019

{: #1143_1524}

The following table shows the changes that are included in the worker node patch 1.14.3_1524. {: shortdesc}

Changes since version 1.14.3_1523

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-150-generic	4.4.0-151-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
Ubuntu 18.04 kernel	4.15.0-51-generic	4.15.0-52-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
containerd	1.2.6	1.2.7	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.7).
Max pods	N/A	N/A	Increased the limit of maximum number of pods for worker nodes with more than 11 CPU cores to be 10 pods per core, up to a maximum of 250 pods per worker node.

Changelog for 1.14.3_1523, released 17 June 2019

{: #1143_1523}

The following table shows the changes that are included in the patch 1.14.3_1523. {: shortdesc}

Changes since version 1.14.2_1521

Component	Previous	Current	Description
GPU device plug-in and installer	32257d3	5d34347	Updated image for [CVE-2019-8457 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457). Updated the GPU drivers to [430.14 ](https://www.nvidia.com/Download/driverResults.aspx/147582/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	346	347	Updated so that the IAM API key can be either encrypted or unencrypted.
{{site.data.keyword.cloud_notm}} Provider	v1.14.2-100	v1.14.3-113	Updated to support the Kubernetes 1.14.3 release.
Kubernetes	v1.14.2	v1.14.3	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.3).
Kubernetes feature gates configuration	N/A	N/A	Added the `SupportNodePidsLimit=true` configuration to reserve process IDs (PIDs) for use by the operating system and Kubernetes components. Added the `CustomCPUCFSQuotaPeriod=true` configuration to mitigate CPU throttling problems.
Public service endpoint for Kubernetes master	N/A	N/A	Fixed an issue to [enable the public service endpoint](/docs/containers?topic=containers-cs_network_cluster#set-up-public-se).
Ubuntu 16.04 kernel	4.4.0-148-generic	4.4.0-150-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).
Ubuntu 18.04 kernel	4.15.0-50-generic	4.15.0-51-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).

Changelog for 1.14.2_1521, released 4 June 2019

{: #1142_1521}

The following table shows the changes that are included in the patch 1.14.2_1521. {: shortdesc}

Changes since version 1.14.1_1519

Component	Previous	Current	Description
Cluster DNS configuration	N/A	N/A	Fixed a bug that might leave both Kubernetes DNS and CoreDNS pods running after cluster `create` or `update` operations.
Cluster master HA configuration	N/A	N/A	Updated configuration to minimize intermittent master network connectivity failures during a master update.
etcd	v3.3.11	v3.3.13	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.13).
GPU device plug-in and installer	55c1f66	32257d3	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).
{{site.data.keyword.cloud_notm}} Provider	v1.14.1-71	v1.14.2-100	Updated to support the Kubernetes 1.14.2 release.
Kubernetes	v1.14.1	v1.14.2	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.2).
Kubernetes Metrics Server	v0.3.1	v0.3.3	See the [Kubernetes Metrics Server release notes ](https://github.com/kubernetes-incubator/metrics-server/releases/tag/v0.3.3).
Trusted compute agent	13c7ef0	e8c6d72	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).

Changelog for worker node fix pack 1.14.1_1519, released 20 May 2019

{: #1141_1519}

The following table shows the changes that are included in the patch 1.14.1_1519. {: shortdesc}

Changes since version 1.14.1_1518

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-145-generic	4.4.0-148-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).
Ubuntu 18.04 kernel	4.15.0-47-generic	4.15.0-50-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).

Changelog for 1.14.1_1518, released 13 May 2019

{: #1141_1518}

The following table shows the changes that are included in the patch 1.14.1_1518. {: shortdesc}

Changes since version 1.14.1_1516

Component	Previous	Current	Description
Cluster master HA proxy	1.9.6-alpine	1.9.7-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2019-6706 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to not log the `/openapi/v2*` read-only URL. In addition, the Kubernetes controller manager configuration increased the validity duration of signed `kubelet` certificates from 1 to 3 years.
OpenVPN client configuration	N/A	N/A	The OpenVPN client `vpn-*` pod in the `kube-system` namespace now sets `dnsPolicy` to `Default` to prevent the pod from failing when cluster DNS is down.
Trusted compute agent	e7182c7	13c7ef0	Updated image for [CVE-2016-7076 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076) and [CVE-2017-1000368 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368).

Changelog for 1.14.1_1516, released 7 May 2019

{: #1141_1516}

The following table shows the changes that are included in the patch 1.14.1_1516. {: shortdesc}

Changes since version 1.13.5_1519

Component	Previous	Current	Description
Calico	v3.4.4	v3.6.1	See the [Calico release notes ](https://docs.projectcalico.org/v3.6/release-notes/).
CoreDNS	1.2.6	1.3.1	See the [CoreDNS release notes ](https://coredns.io/2019/01/13/coredns-1.3.1-release/). The update includes the addition of a [metrics port ](https://coredns.io/plugins/metrics/) on the cluster DNS service. CoreDNS is now the only supported cluster DNS provider. If you update a cluster to Kubernetes version 1.14 from an earlier version and used KubeDNS, KubeDNS is automatically migrated to CoreDNS during the cluster update. For more information or to test out CoreDNS before you update, see [Configure the cluster DNS provider](https://cloud.ibm.com/docs/containers?topic=containers-cluster_dns#cluster_dns).
GPU device plug-in and installer	9ff3fda	ed0dafc	Updated image for [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543).
{{site.data.keyword.cloud_notm}} Provider	v1.13.5-107	v1.14.1-71	Updated to support the Kubernetes 1.14.1 release. Additionally, `calicoctl` version is updated to 3.6.1. Fixed updates to version 2.0 network load balancers (NLBs) with only one available worker node for the load balancer pods. Private load balancers now support running on [private edge workers nodes](/docs/containers?topic=containers-edge#edge).
IBM pod security policies	N/A	N/A	[IBM pod security policies](/docs/containers?topic=containers-psp#ibm_psp) are updated to support the Kubernetes [RunAsGroup ](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#users-and-groups) feature.
`kubelet` configuration	N/A	N/A	Set the `--pod-max-pids` option to `14336` to prevent a single pod from consuming all process IDs on a worker node.
Kubernetes	v1.13.5	v1.14.1	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.14.1) and [Kubernetes 1.14 blog ](https://kubernetes.io/blog/2019/03/25/kubernetes-1-14-release-announcement/). The Kubernetes default role-based access control (RBAC) policies no longer grant access to [discovery and permission-checking APIs to unauthenticated users ](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#discovery-roles). This change applies only to new version 1.14 clusters. If you update a cluster from a prior version, unauthenticated users still have access to the discovery and permission-checking APIs.
Kubernetes admission controllers configuration	N/A	N/A	Added `NodeRestriction` to the `--enable-admission-plugins` option for the cluster's Kubernetes API server and configured the related cluster resources to support this security enhancement. Removed `Initializers` from the `--enable-admission-plugins` option and `admissionregistration.k8s.io/v1alpha1=true` from the `--runtime-config` option for the cluster's Kubernetes API server because these APIs are no longer supported. Instead, you can use [Kubernetes admission webhooks ](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/).
Kubernetes DNS autoscaler	1.3.0	1.4.0	See the [Kubernetes DNS autoscaler release notes ](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.4.0).
Kubernetes feature gates configuration	N/A	N/A	Added `RuntimeClass=false` to disable selection of the container runtime configuration. Removed `ExperimentalCriticalPodAnnotation=true` because the `scheduler.alpha.kubernetes.io/critical-pod` pod annotation is no longer supported. Instead, you can use [Kubernetes pod priority ](https://cloud.ibm.com/docs/containers?topic=containers-pod_priority#pod_priority).
Trusted compute agent	e132aa4	e7182c7	Updated image for [CVE-2019-11068 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068).

Version 1.13 changelog

{: #113_changelog}

Review the version 1.13 changelog. {: shortdesc}

Changelog for 1.13.11_1537, released 1 October 2019

{: #11311_1537}

The following table shows the changes that are included in the patch 1.13.11_1537. {: shortdesc}

Changes since version 1.13.10_1536

Component	Previous	Current	Description
Calico	v3.6.4	v3.6.5	See the [Calico release notes ](https://docs.projectcalico.org/v3.6/release-notes/).
Cluster master HA configuration	N/A	N/A	Updated configuration to improve performance of master update operations.
containerd	v1.2.9	v1.2.10	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.10). Update resolves [CVE-2019-16884 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884) and [CVE-2019-16276 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276).
Default IBM file storage class	N/A	N/A	Fixed a bug that might cause cluster master operations such as patch updates to clear the default IBM file storage class.
{{site.data.keyword.cloud_notm}} Provider	v1.13.10-221	v1.13.11-248	Updated to support the Kubernetes 1.13.11 release.
Key Management Service provider	212	221	Improved Kubernetes [key management service provider](/docs/containers?topic=containers-encryption#keyprotect) caching of {{site.data.keyword.cloud_notm}} IAM tokens. In addition, fixed a problem with Kubernetes secret decryption when the cluster's root key is rotated.
Kubernetes	v1.13.10	v1.13.11	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.11).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} provider	148	153	Fixed issues with version 2.0 network load balancers (NLBs) that might cause all network traffic to drop or to be sent only to pods on one worker node.
OpenVPN server	2.4.6-r3-IKS-115	2.4.6-r3-IKS-121	Updated images for [CVE-2019-1547 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1547) and [CVE-2019-1563 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1563).
Ubuntu 18.04 kernel and packages	4.15.0-62-generic	4.15.0-64-generic	Updated worker node images with kernel and package updates for [CVE-2019-15031 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15031), [CVE-2019-15030 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15030), and [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).
Ubuntu 16.04 kernel and packages	4.4.0-161-generic	4.4.0-164-generic	Updated worker node images with kernel and package updates for [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).

Changelog for worker node fix pack 1.13.10_1536, released 16 September 2019

{: #11310_1536_worker}

The following table shows the changes that are included in the worker node fix pack 1.13.10_1536. {: shortdesc}

Changes since version 1.13.10_1535

Component	Previous	Current	Description
containerd	v1.2.8	v1.2.9	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.9). Update resolves [CVE-2019-9515 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515).
Ubuntu 16.04 packages and kernel	4.4.0-159-generic	4.4.0-161-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2015-9383 ](https://nvd.nist.gov/vuln/detail/CVE-2015-9383), [CVE-2019-10638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10638), [CVE-2019-3900 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3900), [CVE-2019-13648 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13648), [CVE-2018-20856 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20856), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2018-20406 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20406), and [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160).
Ubuntu 18.04 packages and kernel	4.15.0-58-generic	4.15.0-62-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160), and [CVE-2019-15718 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15718).

Changelog for worker node fix pack 1.13.10_1535, released 3 September 2019

{: #11310_1535_worker}

The following table shows the changes that are included in the worker node fix pack 1.13.10_1535. {: shortdesc}

Changes since version 1.13.9_1533

Component	Previous	Current	Description
containerd	v1.2.7	v1.2.8	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.8). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Kubernetes	v1.13.9	v1.13.10	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.10). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Ubuntu 16.04 packages	N/A	N/A	Updated worker node images with package updates.
Ubuntu 18.04 packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-10222 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10222) and [CVE-2019-11922 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11922).

Changelog for master fix pack 1.13.10_1534, released 28 August 2019

{: #11310_1534}

The following table shows the changes that are included in the master fix pack 1.13.10_1534. {: shortdesc}

Changes since version 1.13.9_1533

Component	Previous	Current	Description
`etcd`	v3.3.13	v3.3.15	See the [`etcd` release notes ](https://github.com/etcd-io/etcd/releases/v3.3.15). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
GPU device plug-in and installer	07c9b67	de13f2a	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809). Updated the GPU drivers to [430.40 ](https://www.nvidia.com/Download/driverResults.aspx/149138/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	348	349	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
{{site.data.keyword.cloud_notm}} Provider	v1.13.9-209	v1.13.10-221	Updated to support the Kubernetes 1.13.10 release.
Key Management Service provider	207	212	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Kubernetes	v1.13.9	v1.13.10	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.10). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514) (see [IBM security bulletin ](https://www.ibm.com/support/pages/security-bulletin-ibm-cloud-kubernetes-service-affected-kubernetes-security-vulnerabilities-cve-2019-9512-cve-2019-9514)), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	147	148	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).

Changelog for worker node fix pack 1.13.9_1533, released 19 August 2019

{: #1139_1533_worker}

The following table shows the changes that are included in the worker node fix pack 1.13.9_1533. {: shortdesc}

Changes since version 1.13.8_1530

Component	Previous	Current	Description
Cluster master HA proxy	2.0.1-alpine	1.8.21-alpine	Moved to HA proxy 1.8 to fix [socket leak in HA proxy ](haproxy/haproxy#136). Also added a liveliness check to monitor the health of HA proxy. For more information, see [HA proxy release notes ](https://www.haproxy.org/download/1.8/src/CHANGELOG).
Kubernetes	v1.13.8	v1.13.9	For more information, see the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.9).
Ubuntu 16.04 kernel and packages	4.4.0-157-generic	4.4.0-159-generic	Updated worker node images with package updates for [CVE-2019-13012 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13012), [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), and [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846).
Ubuntu 18.04 kernel and packages	4.15.0-55-generic	4.15.0-58-generic	Updated worker node images with package updates for [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2019-2101 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2101), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-13233 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13233), [CVE-2019-13272 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13272), [CVE-2000-1134 ](https://nvd.nist.gov/vuln/detail/CVE-2000-1134), [CVE-2007-3852 ](https://nvd.nist.gov/vuln/detail/CVE-2007-3852), [CVE-2008-0525 ](https://nvd.nist.gov/vuln/detail/CVE-2008-0525), [CVE-2009-0416 ](https://nvd.nist.gov/vuln/detail/CVE-2009-0416), [CVE-2011-4834 ](https://nvd.nist.gov/vuln/detail/CVE-2011-4834), [CVE-2015-1838 ](https://nvd.nist.gov/vuln/detail/CVE-2015-1838), [CVE-2015-7442 ](https://nvd.nist.gov/vuln/detail/CVE-2015-7442), [CVE-2016-7489 ](https://nvd.nist.gov/vuln/detail/CVE-2016-7489), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846), [CVE-2019-12818 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12818), [CVE-2019-12984 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12984), and [CVE-2019-12819 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12819).

Changelog for master fix pack 1.13.9_1533, released 17 August 2019

{: #1139_1533}

The following table shows the changes that are included in the master fix pack 1.13.9_1533. {: shortdesc}

Changes since version 1.13.9_1532

Component	Previous	Current	Description
Key Management Service provider	167	207	Fixed an issue that causes the Kubernetes [key management service (KMS) provider](/docs/containers?topic=containers-encryption#keyprotect) to fail to manage Kubernetes secrets.

Changelog for master fix pack 1.13.9_1532, released 15 August 2019

{: #1139_1532}

The following table shows the changes that are included in the master fix pack 1.13.9_1532. {: shortdesc}

Changes since version 1.13.8_1530

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Calico `calico-kube-controllers` deployment in the `kube-system` namespace sets a memory limit on the `calico-kube-controllers` container.
GPU device plug-in and installer	a7e8ece	07c9b67	Image updated for [CVE-2019-9924 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924) and [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
{{site.data.keyword.filestorage_full_notm}} plug-in	347	348	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
{{site.data.keyword.cloud_notm}} Provider	v1.13.8-188	v1.13.9-209	Updated to support the Kubernetes 1.13.9 release.
Kubernetes	v1.13.8	v1.13.9	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.9). Updates resolves [CVE-2019-11247 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11247) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967115)) and [CVE-2019-11249 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11249) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967123)).
Kubernetes DNS	1.14.13	1.15.4	See the [Kubernetes DNS release notes ](https://github.com/kubernetes/dns/releases/tag/1.15.4). Image update resolves [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	146	147	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN client	2.4.6-r3-IKS-13	2.4.6-r3-IKS-116	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN server	2.4.6-r3-IKS-25	2.4.6-r3-IKS-115	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).

Changelog for worker node fix pack 1.13.8_1530, released 5 August 2019

{: #1138_1530_worker}

The following table shows the changes that are included in the worker node fix pack 1.13.8_1530. {: shortdesc}

Changes since version 1.13.8_1529

Component	Previous	Current	Description
Ubuntu 18.04 kernel and packages	4.15.0-54-generic	4.15.0-55-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638), and [CVE-2019-2054 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2054).
Ubuntu 16.04 kernel and packages	4.4.0-154-generic	4.4.0-157-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), and [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638).

Changelog for worker node fix pack 1.13.8_1529, released 22 July 2019

{: #1138_1529_worker}

The following table shows the changes that are included in the worker node fix pack 1.13.8_1529. {: shortdesc}

Changes since version 1.13.7_1528

Component	Previous	Current	Description
Kubernetes	v1.13.7	v1.13.8	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.8). Update resolves [CVE-2019-11248 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11248) (see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967113)).
Ubuntu packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-13012 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13012) and [CVE-2019-7307 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7307.html).

Changelog for master fix pack 1.13.8_1529, released 15 July 2019

{: #1138_1529}

The following table shows the changes that are included in the master fix pack 1.13.8_1529. {: shortdesc}

Changes since version 1.13.7_1528

Component	Previous	Current	Description
Calico	v3.4.4	v3.6.4	See the [Calico release notes ](https://docs.projectcalico.org/v3.6/release-notes/). Update resolves [TTA-2019-001 ](https://www.projectcalico.org/security-bulletins/#TTA-2019-001). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10959551).
CoreDNS configuration	N/A	N/A	Changed the default CoreDNS configuration from a 5 to 30 second TTL for DNS records in the `kubernetes` zone. This change aligns with the default KubeDNS configuration. Existing CoreDNS configurations are unchanged. For more information about changing your CoreDNS configuration, see [Customizing the cluster DNS provider](/docs/containers?topic=containers-cluster_dns#dns_customize).
GPU device plug-in and installer	5d34347	a7e8ece	Updated base image packages.
Kubernetes	v1.13.7	v1.13.8	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.8).
{{site.data.keyword.cloud_notm}} Provider	v1.13.7-162	v1.13.8-188	Updated to support the Kubernetes 1.13.8 release. Additionally, `calicoctl` version is updated to 3.6.4.

Changelog for worker node fix pack 1.13.7_1528, released 8 July 2019

{: #1137_1528}

The following table shows the changes that are included in the worker node patch 1.13.7_1528. {: shortdesc}

Changes since version 1.13.7_1527

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-151-generic	4.4.0-154-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
Ubuntu 18.04 kernel	4.15.0-52-generic	4.15.0-54-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).

Changelog for worker node fix pack 1.13.7_1527, released 24 June 2019

{: #1137_1527}

The following table shows the changes that are included in the worker node patch 1.13.7_1527. {: shortdesc}

Changes since version 1.13.7_1526

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-150-generic	4.4.0-151-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
Ubuntu 18.04 kernel	4.15.0-51-generic	4.15.0-52-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
containerd	1.2.6	1.2.7	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.7).
Max pods	N/A	N/A	Increased the limit of maximum number of pods for worker nodes with more than 11 CPU cores to be 10 pods per core, up to a maximum of 250 pods per worker node.

Changelog for 1.13.7_1526, released 17 June 2019

{: #1137_1526}

The following table shows the changes that are included in the patch 1.13.7_1526. {: shortdesc}

Changes since version 1.13.6_1524

Component	Previous	Current	Description
GPU device plug-in and installer	32257d3	5d34347	Updated image for [CVE-2019-8457 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457). Updated the GPU drivers to [430.14 ](https://www.nvidia.com/Download/driverResults.aspx/147582/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	346	347	Updated so that the IAM API key can be either encrypted or unencrypted.
{{site.data.keyword.cloud_notm}} Provider	v1.13.6-139	v1.13.7-162	Updated to support the Kubernetes 1.13.7 release.
Kubernetes	v1.13.6	v1.13.7	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.7).
Public service endpoint for Kubernetes master	N/A	N/A	Fixed an issue to [enable the public service endpoint](/docs/containers?topic=containers-cs_network_cluster#set-up-public-se).
Ubuntu 16.04 kernel	4.4.0-148-generic	4.4.0-150-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).
Ubuntu 18.04 kernel	4.15.0-50-generic	4.15.0-51-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).

Changelog for 1.13.6_1524, released 4 June 2019

{: #1136_1524}

The following table shows the changes that are included in the patch 1.13.6_1524. {: shortdesc}

Changes since version 1.13.6_1522

Component	Previous	Current	Description
Cluster DNS configuration	N/A	N/A	Fixed a bug that might leave both Kubernetes DNS and CoreDNS pods running after cluster `create` or `update` operations.
Cluster master HA configuration	N/A	N/A	Updated configuration to minimize intermittent master network connectivity failures during a master update.
etcd	v3.3.11	v3.3.13	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.13).
GPU device plug-in and installer	55c1f66	32257d3	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).
Kubernetes Metrics Server	v0.3.1	v0.3.3	See the [Kubernetes Metrics Server release notes ](https://github.com/kubernetes-incubator/metrics-server/releases/tag/v0.3.3).
Trusted compute agent	13c7ef0	e8c6d72	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).

Changelog for worker node fix pack 1.13.6_1522, released 20 May 2019

{: #1136_1522}

The following table shows the changes that are included in the patch 1.13.6_1522. {: shortdesc}

Changes since version 1.13.6_1521

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-145-generic	4.4.0-148-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).
Ubuntu 18.04 kernel	4.15.0-47-generic	4.15.0-50-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).

Changelog for 1.13.6_1521, released 13 May 2019

{: #1136_1521}

The following table shows the changes that are included in the patch 1.13.6_1521. {: shortdesc}

Changes since version 1.13.5_1519

Component	Previous	Current	Description
Cluster master HA proxy	1.9.6-alpine	1.9.7-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2019-6706 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706).
GPU device plug-in and installer	9ff3fda	55c1f66	Updated image for [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543).
{{site.data.keyword.cloud_notm}} Provider	v1.13.5-107	v1.13.6-139	Updated to support the Kubernetes 1.13.6 release. Also, fixed the update process for version 2.0 network load balancer that have only one available worker node for the load balancer pods.
Kubernetes	v1.13.5	v1.13.6	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.6).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to not log the `/openapi/v2*` read-only URL. In addition, the Kubernetes controller manager configuration increased the validity duration of signed `kubelet` certificates from 1 to 3 years.
OpenVPN client configuration	N/A	N/A	The OpenVPN client `vpn-*` pod in the `kube-system` namespace now sets `dnsPolicy` to `Default` to prevent the pod from failing when cluster DNS is down.
Trusted compute agent	e132aa4	13c7ef0	Updated image for [CVE-2016-7076 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076), [CVE-2017-1000368 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368), and [CVE-2019-11068 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068).

Changelog for worker node fix pack 1.13.5_1519, released 29 April 2019

{: #1135_1519}

The following table shows the changes that are included in the worker node fix pack 1.13.5_1519. {: shortdesc}

Changes since version 1.13.5_1518

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.
containerd	1.2.5	1.2.6	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.6).

Changelog for worker node fix pack 1.13.5_1518, released 15 April 2019

{: #1135_1518}

The following table shows the changes that are included in the worker node fix pack 1.13.5_1518. {: shortdesc}

Changes since version 1.13.5_1517

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `systemd` for [CVE-2019-3842 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3842.html).

Changelog for 1.13.5_1517, released 8 April 2019

{: #1135_1517}

The following table shows the changes that are included in the patch 1.13.5_1517. {: shortdesc}

Changes since version 1.13.4_1516

Component	Previous	Current	Description
Calico	v3.4.0	v3.4.4	See the [Calico release notes ](https://docs.projectcalico.org/v3.4/releases/#v344). Update resolves [CVE-2019-9946 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10879585).
Cluster master HA proxy	1.8.12-alpine	1.9.6-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2018-0732 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732), [CVE-2018-0734 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734), [CVE-2018-0737 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737), [CVE-2018-5407 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407), [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543), and [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
{{site.data.keyword.cloud_notm}} Provider	v1.13.4-86	v1.13.5-107	Updated to support the Kubernetes 1.13.5 and Calico 3.4.4 releases.
Kubernetes	v1.13.4	v1.13.5	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.5).
Trusted compute agent	a02f765	e132aa4	Updated image for [CVE-2017-12447 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12447).
Ubuntu 16.04 kernel	4.4.0-143-generic	4.4.0-145-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).
Ubuntu 18.04 kernel	4.15.0-46-generic	4.15.0-47-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).

Changelog for worker node fix pack 1.13.4_1516, released 1 April 2019

{: #1134_1516}

The following table shows the changes that are included in the worker node fix pack 1.13.4_1516. {: shortdesc}

Changes since version 1.13.4_1515

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Increased memory reservations for the kubelet and containerd to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for master fix pack 1.13.4_1515, released 26 March 2019

{: #1134_1515}

The following table shows the changes that are included in the master fix pack 1.13.4_1515. {: shortdesc}

Changes since version 1.13.4_1513

Component	Previous	Current	Description
Cluster DNS configuration	N/A	N/A	Fixed the update process from Kubernetes version 1.11 to prevent the update from switching the cluster DNS provider to CoreDNS. You can still [set up CoreDNS as the cluster DNS provider](/docs/containers?topic=containers-cluster_dns#set_coredns) after the update.
{{site.data.keyword.cloud_notm}} File Storage plug-in	345	346	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Key Management Service provider	166	167	Fixes intermittent `context deadline exceeded` and `timeout` errors for managing Kubernetes secrets. In addition, fixes updates to the key management service that might leave existing Kubernetes secrets unencrypted. Update includes fix for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	143	146	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).

Changelog for 1.13.4_1513, released 20 March 2019

{: #1134_1513}

The following table shows the changes that are included in the patch 1.13.4_1513. {: shortdesc}

Changes since version 1.13.4_1510

Component	Previous	Current	Description
Cluster DNS configuration	N/A	N/A	Fixed a bug that might cause cluster master operations, such as `refresh` or `update`, to fail when the unused cluster DNS must be scaled down.
Cluster master HA proxy configuration	N/A	N/A	Updated configuration to better handle intermittent connection failures to the cluster master.
CoreDNS configuration	N/A	N/A	Updated the CoreDNS configuration to support [multiple Corefiles ](https://coredns.io/2017/07/23/corefile-explained/) after updating the cluster Kubernetes version from 1.12.
containerd	1.2.4	1.2.5	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.5). Update includes improved fix for [CVE-2019-5736 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10871600).
GPU device plug-in and installer	e32d51c	9ff3fda	Updated the GPU drivers to [418.43 ](https://www.nvidia.com/object/unix.html). Update includes fix for [CVE-2019-9741 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9741.html).
{{site.data.keyword.cloud_notm}} File Storage plug-in	344	345	Added support for [private service endpoints](/docs/containers?topic=containers-cs_network_cluster#set-up-private-se).
Kernel	4.4.0-141	4.4.0-143	Updated worker node images with kernel update for [CVE-2019-6133 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6133.html).
Key Management Service provider	136	166	Updated image for [CVE-2018-16890 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890), [CVE-2019-3822 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822), and [CVE-2019-3823 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823).
Trusted compute agent	5f3d092	a02f765	Updated image for [CVE-2018-10779 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10779), [CVE-2018-12900 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12900), [CVE-2018-17000 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17000), [CVE-2018-19210 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210), [CVE-2019-6128 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128), and [CVE-2019-7663 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7663).

Changelog for 1.13.4_1510, released 4 March 2019

{: #1134_1510}

The following table shows the changes that are included in the patch 1.13.4_1510. {: shortdesc}

Changes since version 1.13.2_1509

Component	Previous	Current	Description
Cluster DNS provider	N/A	N/A	Increased Kubernetes DNS and CoreDNS pod memory limit from `170Mi` to `400Mi` in order to handle more cluster services.
GPU device plug-in and installer	eb3a259	e32d51c	Updated images for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).
{{site.data.keyword.cloud_notm}} Provider	v1.13.2-62	v1.13.4-86	Updated to support the Kubernetes 1.13.4 release. Fixed periodic connectivity problems for version 1.0 load balancers that set `externalTrafficPolicy` to `local`. Updated load balancer version 1.0 and 2.0 events to use the latest {{site.data.keyword.cloud_notm}} documentation links.
{{site.data.keyword.cloud_notm}} File Storage plug-in	342	344	Changed the base operating system for the image from Fedora to Alpine. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Key Management Service provider	122	136	Increased client timeout to {{site.data.keyword.keymanagementservicefull_notm}}. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Kubernetes	v1.13.2	v1.13.4	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.4). Update resolves [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486) and [CVE-2019-1002100 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002100). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10873324).
Kubernetes configuration	N/A	N/A	Added `ExperimentalCriticalPodAnnotation=true` to the `--feature-gates` option. This setting helps migrate pods from the deprecated `scheduler.alpha.kubernetes.io/critical-pod` annotation to [Kubernetes pod priority support](/docs/containers?topic=containers-pod_priority#pod_priority).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	132	143	Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
OpenVPN client and server	2.4.6-r3-IKS-13	2.4.6-r3-IKS-25	Updated image for [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
Trusted compute agent	1ea5ad3	5f3d092	Updated image for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).

Changelog for worker node fix pack 1.13.2_1509, released 27 February 2019

{: #1132_1509}

The following table shows the changes that are included in the worker node fix pack 1.13.2_1509. {: shortdesc}

Changes since version 1.13.2_1508

Component	Previous	Current	Description
Kernel	4.4.0-141	4.4.0-142	Updated worker node images with kernel update for [CVE-2018-19407 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-142.168/changelog).

Changelog for worker node fix pack 1.13.2_1508, released 15 February 2019

{: #1132_1508}

The following table shows the changes that are included in the worker node fix pack 1.13.2_1508. {: shortdesc}

Changes since version 1.13.2_1507

Component	Previous	Current	Description
Cluster master HA proxy configuration	N/A	N/A	Changed the pod configuration `spec.priorityClassName` value to `system-node-critical` and set the `spec.priority` value to `2000001000`.
containerd	1.2.2	1.2.4	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.4). Update resolves [CVE-2019-5736 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10871600).
Kubernetes `kubelet` configuration	N/A	N/A	Enabled the `ExperimentalCriticalPodAnnotation` feature gate to prevent critical static pod eviction. Set the `event-qps` option to `0` to prevent rate limiting event creation.

Changelog for 1.13.2_1507, released 5 February 2019

{: #1132_1507}

The following table shows the changes that are included in the patch 1.13.2_1507. {: shortdesc}

Changes since version 1.12.4_1535

Component	Previous	Current	Description
Calico	v3.3.1	v3.4.0	See the [Calico release notes ](https://docs.projectcalico.org/v3.4/releases/#v340).
Cluster DNS provider	N/A	N/A	CoreDNS is now the default cluster DNS provider for new clusters. If you update an existing cluster to 1.13 that uses KubeDNS as the cluster DNS provider, KubeDNS continues to be the cluster DNS provider. However, you can choose to [use CoreDNS instead](/docs/containers?topic=containers-cluster_dns#dns_set).
containerd	1.1.5	1.2.2	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.2).
CoreDNS	1.2.2	1.2.6	See the [CoreDNS release notes ](https://github.com/coredns/coredns/releases/tag/v1.2.6). Additionally, the CoreDNS configuration is updated to [support multiple Corefiles ](https://coredns.io/2017/07/23/corefile-explained/).
etcd	v3.3.1	v3.3.11	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.11). Additionally, the supported cipher suites to etcd are now restricted to a subset with high strength encryption (128 bits or more).
GPU device plug-in and installer	13fdc0d	eb3a259	Updated images for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) and [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
{{site.data.keyword.cloud_notm}} Provider	v1.12.4-118	v1.13.2-62	Updated to support the Kubernetes 1.13.2 release. Additionally, `calicoctl` version is updated to 3.4.0. Fixed unnecessary configuration updates to version 2.0 network load balancers on worker node status changes.
{{site.data.keyword.cloud_notm}} File Storage plug-in	338	342	The file storage plug-in is updated as follows: Supports dynamic provisioning with [volume topology-aware scheduling](/docs/containers?topic=containers-file_storage#file-topology). Ignores persistent volume claim (PVC) delete errors if the storage is already deleted. Adds a failure message annotation to failed PVCs. Optimizes the storage provisioner controller's leader election and resync period settings, and increases the provisioning timeout from 30 minutes to 1 hour. Checks user permissions before starting the provisioning. Adds a `CriticalAddonsOnly` toleration to the `ibm-file-plugin` and `ibm-storage-watcher` deployments in the `kube-system` namespace.
Key Management Service provider	111	122	Added retry logic to avoid temporary failures when Kubernetes secrets are managed by {{site.data.keyword.keymanagementservicefull_notm}}.
Kubernetes	v1.12.4	v1.13.2	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.13.2).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to include logging metadata for `cluster-admin` requests and logging the request body of workload `create`, `update`, and `patch` requests.
Kubernetes DNS autoscaler	1.2.0	1.3.0	See the [Kubernetes DNS autoscaler release notes ](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.3.0).
OpenVPN client	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407). Added `CriticalAddonsOnly` toleration to the `vpn` deployment in the `kube-system` namespace. Additionally, the pod configuration is now obtained from a secret instead of from a configmap.
OpenVPN server	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407).
systemd	230	229	Security patch for [CVE-2018-16864 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864).

Deprecated: Version 1.12 changelog

{: #112_changelog}

Review the version 1.12 changelog. {: shortdesc}

Changelog for worker node fix pack 1.12.10_1568, released 1 October 2019

{: #11210_1568_worker}

The following table shows the changes that are included in the patch 1.12.10_1568. {: shortdesc}

Changes since version 1.12.10_1567

Component	Previous	Current	Description
Ubuntu 18.04 kernel and packages	4.15.0-62-generic	4.15.0-64-generic	Updated worker node images with kernel and package updates for [CVE-2019-15031 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15031), [CVE-2019-15030 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15030), and [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).
Ubuntu 16.04 kernel and packages	4.4.0-161-generic	4.4.0-164-generic	Updated worker node images with kernel and package updates for [CVE-2019-14835 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14835).

Changelog for worker node fix pack 1.12.10_1567, released 16 September 2019

{: #11210_1567_worker}

The following table shows the changes that are included in the worker node fix pack 1.12.10_1567. {: shortdesc}

Changes since version 1.12.10_1566

Component	Previous	Current	Description
Ubuntu 16.04 packages and kernel	4.4.0-159-generic	4.4.0-161-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2015-9383 ](https://nvd.nist.gov/vuln/detail/CVE-2015-9383), [CVE-2019-10638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10638), [CVE-2019-3900 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3900), [CVE-2019-13648 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13648), [CVE-2018-20856 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20856), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2018-20406 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20406), and [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160).
Ubuntu 18.04 packages and kernel	4.15.0-58-generic	4.15.0-62-generic	Updated worker node images with kernel and package updates for [CVE-2019-5481 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5481), [CVE-2019-5482 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5482), [CVE-2019-15903 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15903), [CVE-2019-14283 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14283), [CVE-2019-14284 ](https://nvd.nist.gov/vuln/detail/CVE-2019-14284), [CVE-2018-20852 ](https://nvd.nist.gov/vuln/detail/CVE-2018-20852), [CVE-2019-5010 ](https://nvd.nist.gov/vuln/detail/CVE-2019-5010), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-9740 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9740), [CVE-2019-9947 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9947), [CVE-2019-9948 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9948), [CVE-2019-9636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-9636), [CVE-2019-10160 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10160), and [CVE-2019-15718 ](https://nvd.nist.gov/vuln/detail/CVE-2019-15718).

Changelog for worker node fix pack 1.12.10_1566, released 3 September 2019

{: #11210_1566_worker}

The following table shows the changes that are included in the worker node fix pack 1.12.10_1566. {: shortdesc}

Changes since version 1.12.10_1564

Component	Previous	Current	Description
Ubuntu 16.04 packages	N/A	N/A	Updated worker node images with package updates.
Ubuntu 18.04 packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-10222 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10222) and [CVE-2019-11922 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11922).

Changelog for master fix pack 1.12.10_1565, released 28 August 2019

{: #11210_1565}

The following table shows the changes that are included in the master fix pack 1.12.10_1565. {: shortdesc}

Changes since version 1.12.10_1564

Component	Previous	Current	Description
`etcd`	v3.3.13	v3.3.15	See the [`etcd` release notes ](https://github.com/etcd-io/etcd/releases/v3.3.15). Update resolves [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
GPU device plug-in and installer	07c9b67	de13f2a	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809). Updated the GPU drivers to [430.40 ](https://www.nvidia.com/Download/driverResults.aspx/149138/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	348	349	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Key Management Service provider	207	212	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	147	148	Image updated for [CVE-2019-9512 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512), [CVE-2019-9514 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514), and [CVE-2019-14809 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14809).

Changelog for worker node fix pack 1.12.10_1564, released 19 August 2019

{: #11210_1564_worker}

The following table shows the changes that are included in the worker node fix pack 1.12.10_1564. {: shortdesc}

Changes since version 1.12.10_1561

Component	Previous	Current	Description
Cluster master HA proxy	2.0.1-alpine	1.8.21-alpine	Moved to HA proxy 1.8 to fix [socket leak in HA proxy ](haproxy/haproxy#136). Also added a liveliness check to monitor the health of HA proxy. For more information, see [HA proxy release notes ](https://www.haproxy.org/download/1.8/src/CHANGELOG).
Ubuntu 16.04 kernel and packages	4.4.0-157-generic	4.4.0-159-generic	Updated worker node images with package updates for [CVE-2019-13012 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13012), [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126 ](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), and [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846).
Ubuntu 18.04 kernel and packages	4.15.0-55-generic	4.15.0-58-generic	Updated worker node images with package updates for [CVE-2019-1125 ](https://nvd.nist.gov/vuln/detail/CVE-2019-1125), [CVE-2019-2101 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2101), [CVE-2018-5383 ](https://nvd.nist.gov/vuln/detail/CVE-2018-5383), [CVE-2019-13233 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13233), [CVE-2019-13272 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13272), [CVE-2000-1134 ](https://nvd.nist.gov/vuln/detail/CVE-2000-1134), [CVE-2007-3852 ](https://nvd.nist.gov/vuln/detail/CVE-2007-3852), [CVE-2008-0525 ](https://nvd.nist.gov/vuln/detail/CVE-2008-0525), [CVE-2009-0416 ](https://nvd.nist.gov/vuln/detail/CVE-2009-0416), [CVE-2011-4834 ](https://nvd.nist.gov/vuln/detail/CVE-2011-4834), [CVE-2015-1838 ](https://nvd.nist.gov/vuln/detail/CVE-2015-1838), [CVE-2015-7442 ](https://nvd.nist.gov/vuln/detail/CVE-2015-7442), [CVE-2016-7489 ](https://nvd.nist.gov/vuln/detail/CVE-2016-7489), [CVE-2019-12614 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12614), [CVE-2019-10126](https://nvd.nist.gov/vuln/detail/CVE-2019-10126), [CVE-2019-3846 ](https://nvd.nist.gov/vuln/detail/CVE-2019-3846), [CVE-2019-12818 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12818), [CVE-2019-12984 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12984), and [CVE-2019-12819 ](https://nvd.nist.gov/vuln/detail/CVE-2019-12819).

Changelog for master fix pack 1.12.10_1564, released 17 August 2019

{: #11210_1564}

The following table shows the changes that are included in the master fix pack 1.12.10_1564. {: shortdesc}

Changes since version 1.12.10_1563

Component	Previous	Current	Description
Key Management Service provider	167	207	Fixed an issue that causes the Kubernetes [key management service (KMS) provider](/docs/containers?topic=containers-encryption#keyprotect) to fail to manage Kubernetes secrets.

Changelog for master fix pack 1.12.10_1563, released 15 August 2019

{: #11210_1563}

The following table shows the changes that are included in the master fix pack 1.12.10_1563. {: shortdesc}

Changes since version 1.12.10_1561

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Calico `calico-kube-controllers` deployment in the `kube-system` namespace sets a memory limit on the `calico-kube-controllers` container.
GPU device plug-in and installer	a7e8ece	07c9b67	Image updated for [CVE-2019-9924 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9924) and [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
{{site.data.keyword.cloud_notm}} File Storage plug-in	347	348	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
Kubernetes DNS	1.14.13	1.15.4	See the [Kubernetes DNS release notes ](https://github.com/kubernetes/dns/releases/tag/1.15.4). Image update resolves [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
Kubernetes DNS autoscaler	1.2.0	1.3.0	See the [Kubernetes DNS autoscaler release notes ](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.3.0). Image update resolves [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	146	147	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN client	2.4.6-r3-IKS-13	2.4.6-r3-IKS-116	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).
OpenVPN server	2.4.6-r3-IKS-25	2.4.6-r3-IKS-115	Image updated for [CVE-2019-14697 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697).

Changelog for worker node fix pack 1.12.10_1561, released 5 August 2019

{: #11210_1561_worker}

The following table shows the changes that are included in the worker node fix pack 1.12.10_1561. {: shortdesc}

Changes since version 1.12.10_1560

Component	Previous	Current	Description
Ubuntu 18.04 kernel and packages	4.15.0-54-generic	4.15.0-55-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638), and [CVE-2019-2054 ](https://nvd.nist.gov/vuln/detail/CVE-2019-2054).
Ubuntu 16.04 kernel and packages	4.4.0-154-generic	4.4.0-157-generic	Updated worker node images with package updates for [CVE-2019-11815 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11815), [CVE-2019-11833 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11833), [CVE-2019-11884 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11884), [CVE-2018-12126 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12126), [CVE-2018-12127 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12127), [CVE-2018-12130 ](https://nvd.nist.gov/vuln/detail/CVE-2018-12130), [CVE-2019-11091 ](https://nvd.nist.gov/vuln/detail/CVE-2019-11091), [CVE-2019-13057 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13057), [CVE-2019-13565 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13565), [CVE-2019-13636 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13636), and [CVE-2019-13638 ](https://nvd.nist.gov/vuln/detail/CVE-2019-13638).

Changelog for worker node fix pack 1.12.10_1560, released 22 July 2019

{: #11210_1560_worker}

The following table shows the changes that are included in the worker node fix pack 1.12.10_1560. {: shortdesc}

Changes since version 1.12.9_1559

Component	Previous	Current	Description
Kubernetes	v1.12.9	v1.12.10	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.10). Update resolves [CVE-2019-11248 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11248). For more information, see [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10967113)).
Ubuntu packages	N/A	N/A	Updated worker node images with package updates for [CVE-2019-13012 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13012) and [CVE-2019-7307 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7307.html).

Changelog for master fix pack 1.12.10_1560, released 15 July 2019

{: #11210_1560}

The following table shows the changes that are included in the master fix pack 1.12.10_1560. {: shortdesc}

Changes since version 1.12.9_1559

Component	Previous	Current	Description
Calico	v3.3.6	v3.6.4	See the [Calico release notes ](https://docs.projectcalico.org/v3.6/release-notes/). Update resolves [TTA-2019-001 ](https://www.projectcalico.org/security-bulletins/#TTA-2019-001). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10959551).
CoreDNS configuration	N/A	N/A	Changed the default CoreDNS configuration from a 5 to 30 second TTL for DNS records in the `kubernetes` zone. This change aligns with the default KubeDNS configuration. Existing CoreDNS configurations are unchanged. For more information about changing your CoreDNS configuration, see [Customizing the cluster DNS provider](/docs/containers?topic=containers-cluster_dns#dns_customize).
GPU device plug-in and installer	5d34347	a7e8ece	Updated base image packages.
Kubernetes	v1.12.9	v1.12.10	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.10).
{{site.data.keyword.cloud_notm}} Provider	v1.12.9-227	v1.12.10-259	Updated to support the Kubernetes 1.12.10 release. Additionally, `calicoctl` version is updated to 3.6.4.

Changelog for worker node fix pack 1.12.9_1559, released 8 July 2019

{: #1129_1559}

The following table shows the changes that are included in the worker node patch 1.12.9_1559. {: shortdesc}

Changes since version 1.12.9_1558

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-151-generic	4.4.0-154-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
Ubuntu 18.04 kernel	4.15.0-52-generic	4.15.0-54-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).

Changelog for worker node fix pack 1.12.9_1558, released 24 June 2019

{: #1129_1558}

The following table shows the changes that are included in the worker node patch 1.12.9_1558. {: shortdesc}

Changes since version 1.12.9_1557

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-150-generic	4.4.0-151-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
Ubuntu 18.04 kernel	4.15.0-51-generic	4.15.0-52-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10958863).
containerd	1.2.6	1.2.7	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.2.7).

Changelog for 1.12.9_1557, released 17 June 2019

{: #1129_1557}

The following table shows the changes that are included in the patch 1.12.9_1557. {: shortdesc}

Changes since version 1.12.9_1555

Component	Previous	Current	Description
GPU device plug-in and installer	32257d3	5d34347	Updated image for [CVE-2019-8457 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457). Updated the GPU drivers to [430.14 ](https://www.nvidia.com/Download/driverResults.aspx/147582/).
{{site.data.keyword.cloud_notm}} File Storage plug-in	346	347	Updated so that the IAM API key can be either encrypted or unencrypted.
Public service endpoint for Kubernetes master	N/A	N/A	Fixed an issue to [enable the public service endpoint](/docs/containers?topic=containers-cs_network_cluster#set-up-public-se).
Ubuntu 16.04 kernel	4.4.0-148-generic	4.4.0-150-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).
Ubuntu 18.04 kernel	4.15.0-50-generic	4.15.0-51-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).

Changelog for 1.12.9_1555, released 4 June 2019

{: #1129_1555}

The following table shows the changes that are included in the patch 1.12.9_1555. {: shortdesc}

Changes since version 1.12.8_1553

Component	Previous	Current	Description
Cluster DNS configuration	N/A	N/A	Fixed a bug that might leave both Kubernetes DNS and CoreDNS pods running after cluster `create` or `update` operations.
Cluster master HA configuration	N/A	N/A	Updated configuration to minimize intermittent master network connectivity failures during a master update.
etcd	v3.3.11	v3.3.13	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.13).
GPU device plug-in and installer	55c1f66	32257d3	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).
{{site.data.keyword.cloud_notm}} Provider	v1.12.8-210	v1.12.9-227	Updated to support the Kubernetes 1.12.9 release.
Kubernetes	v1.12.8	v1.12.9	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.9).
Kubernetes Metrics Server	v0.3.1	v0.3.3	See the [Kubernetes Metrics Server release notes ](https://github.com/kubernetes-incubator/metrics-server/releases/tag/v0.3.3).
Trusted compute agent	13c7ef0	e8c6d72	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).

Changelog for worker node fix pack 1.12.8_1553, released 20 May 2019

{: #1128_1533}

The following table shows the changes that are included in the patch 1.12.8_1553. {: shortdesc}

Changes since version 1.12.8_1553

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-145-generic	4.4.0-148-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).
Ubuntu 18.04 kernel	4.15.0-47-generic	4.15.0-50-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).

Changelog for 1.12.8_1552, released 13 May 2019

{: #1128_1552}

The following table shows the changes that are included in the patch 1.12.8_1552. {: shortdesc}

Changes since version 1.12.7_1550

Component	Previous	Current	Description
Cluster master HA proxy	1.9.6-alpine	1.9.7-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2019-6706 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706).
GPU device plug-in and installer	9ff3fda	55c1f66	Updated image for [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543).
{{site.data.keyword.cloud_notm}} Provider	v1.12.7-180	v1.12.8-210	Updated to support the Kubernetes 1.12.8 release. Also, fixed the update process for version 2.0 network load balancer that have only one available worker node for the load balancer pods.
Kubernetes	v1.12.7	v1.12.8	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.8).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to not log the `/openapi/v2*` read-only URL. In addition, the Kubernetes controller manager configuration increased the validity duration of signed `kubelet` certificates from 1 to 3 years.
OpenVPN client configuration	N/A	N/A	The OpenVPN client `vpn-*` pod in the `kube-system` namespace now sets `dnsPolicy` to `Default` to prevent the pod from failing when cluster DNS is down.
Trusted compute agent	e132aa4	13c7ef0	Updated image for [CVE-2016-7076 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076), [CVE-2017-1000368 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368), and [CVE-2019-11068 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068).

Changelog for worker node fix pack 1.12.7_1550, released 29 April 2019

{: #1127_1550}

The following table shows the changes that are included in the worker node fix pack 1.12.7_1550. {: shortdesc}

Changes since version 1.12.7_1549

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.
containerd	1.1.6	1.1.7	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.7).

Changelog for worker node fix pack 1.12.7_1549, released 15 April 2019

{: #1127_1549}

The following table shows the changes that are included in the worker node fix pack 1.12.7_1549. {: shortdesc}

Changes since version 1.12.7_1548

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `systemd` for [CVE-2019-3842 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3842.html).

Changelog for 1.12.7_1548, released 8 April 2019

{: #1127_1548}

The following table shows the changes that are included in the patch 1.12.7_1548. {: shortdesc}

Changes since version 1.12.6_1547

Component	Previous	Current	Description
Calico	v3.3.1	v3.3.6	See the [Calico release notes ](https://docs.projectcalico.org/v3.3/releases/#v336). Update resolves [CVE-2019-9946 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10879585).
Cluster master HA proxy	1.8.12-alpine	1.9.6-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2018-0732 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732), [CVE-2018-0734 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734), [CVE-2018-0737 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737), [CVE-2018-5407 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407), [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543), and [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
{{site.data.keyword.cloud_notm}} Provider	v1.12.6-157	v1.12.7-180	Updated to support the Kubernetes 1.12.7 and Calico 3.3.6 releases.
Kubernetes	v1.12.6	v1.12.7	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.7).
Trusted compute agent	a02f765	e132aa4	Updated image for [CVE-2017-12447 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12447).
Ubuntu 16.04 kernel	4.4.0-143-generic	4.4.0-145-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).
Ubuntu 18.04 kernel	4.15.0-46-generic	4.15.0-47-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).

Changelog for worker node fix pack 1.12.6_1547, released 1 April 2019

{: #1126_1547}

The following table shows the changes that are included in the worker node fix pack 1.12.6_1547. {: shortdesc}

Changes since version 1.12.6_1546

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Increased memory reservations for the kubelet and containerd to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for master fix pack 1.12.6_1546, released 26 March 2019

{: #1126_1546}

The following table shows the changes that are included in the master fix pack 1.12.6_1546. {: shortdesc}

Changes since version 1.12.6_1544

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} File Storage plug-in	345	346	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Key Management Service provider	166	167	Fixes intermittent `context deadline exceeded` and `timeout` errors for managing Kubernetes secrets. In addition, fixes updates to the key management service that might leave existing Kubernetes secrets unencrypted. Update includes fix for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	143	146	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).

Changelog for 1.12.6_1544, released 20 March 2019

{: #1126_1544}

The following table shows the changes that are included in the patch 1.12.6_1544. {: shortdesc}

Changes since version 1.12.6_1541

Component	Previous	Current	Description
Cluster DNS configuration	N/A	N/A	Fixed a bug that might cause cluster master operations, such as `refresh` or `update`, to fail when the unused cluster DNS must be scaled down.
Cluster master HA proxy configuration	N/A	N/A	Updated configuration to better handle intermittent connection failures to the cluster master.
CoreDNS configuration	N/A	N/A	Updated the CoreDNS configuration to support [multiple Corefiles ](https://coredns.io/2017/07/23/corefile-explained/).
GPU device plug-in and installer	e32d51c	9ff3fda	Updated the GPU drivers to [418.43 ](https://www.nvidia.com/object/unix.html). Update includes fix for [CVE-2019-9741 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9741.html).
{{site.data.keyword.cloud_notm}} File Storage plug-in	344	345	Added support for [private service endpoints](/docs/containers?topic=containers-cs_network_cluster#set-up-private-se).
Kernel	4.4.0-141	4.4.0-143	Updated worker node images with kernel update for [CVE-2019-6133 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6133.html).
Key Management Service provider	136	166	Updated image for [CVE-2018-16890 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890), [CVE-2019-3822 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822), and [CVE-2019-3823 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823).
Trusted compute agent	5f3d092	a02f765	Updated image for [CVE-2018-10779 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10779), [CVE-2018-12900 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12900), [CVE-2018-17000 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17000), [CVE-2018-19210 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210), [CVE-2019-6128 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128), and [CVE-2019-7663 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7663).

Changelog for 1.12.6_1541, released 4 March 2019

{: #1126_1541}

The following table shows the changes that are included in the patch 1.12.6_1541. {: shortdesc}

Changes since version 1.12.5_1540

Component	Previous	Current	Description
Cluster DNS provider	N/A	N/A	Increased Kubernetes DNS and CoreDNS pod memory limit from `170Mi` to `400Mi` in order to handle more cluster services.
GPU device plug-in and installer	eb3a259	e32d51c	Updated images for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).
{{site.data.keyword.cloud_notm}} Provider	v1.12.5-137	v1.12.6-157	Updated to support the Kubernetes 1.12.6 release. Fixed periodic connectivity problems for version 1.0 load balancers that set `externalTrafficPolicy` to `local`. Updated load balancer version 1.0 and 2.0 events to use the latest {{site.data.keyword.cloud_notm}} documentation links.
{{site.data.keyword.cloud_notm}} File Storage plug-in	342	344	Changed the base operating system for the image from Fedora to Alpine. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Key Management Service provider	122	136	Increased client timeout to {{site.data.keyword.keymanagementservicefull_notm}}. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Kubernetes	v1.12.5	v1.12.6	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.6). Update resolves [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486) and [CVE-2019-1002100 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002100). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10873324).
Kubernetes configuration	N/A	N/A	Added `ExperimentalCriticalPodAnnotation=true` to the `--feature-gates` option. This setting helps migrate pods from the deprecated `scheduler.alpha.kubernetes.io/critical-pod` annotation to [Kubernetes pod priority support](/docs/containers?topic=containers-pod_priority#pod_priority).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	132	143	Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
OpenVPN client and server	2.4.6-r3-IKS-13	2.4.6-r3-IKS-25	Updated image for [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
Trusted compute agent	1ea5ad3	5f3d092	Updated image for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).

Changelog for worker node fix pack 1.12.5_1540, released 27 February 2019

{: #1125_1540}

The following table shows the changes that are included in the worker node fix pack 1.12.5_1540. {: shortdesc}

Changes since version 1.12.5_1538

Component	Previous	Current	Description
Kernel	4.4.0-141	4.4.0-142	Updated worker node images with kernel update for [CVE-2018-19407 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-142.168/changelog).

Changelog for worker node fix pack 1.12.5_1538, released 15 February 2019

{: #1125_1538}

The following table shows the changes that are included in the worker node fix pack 1.12.5_1538. {: shortdesc}

Changes since version 1.12.5_1537

Component	Previous	Current	Description
Cluster master HA proxy configuration	N/A	N/A	Changed the pod configuration `spec.priorityClassName` value to `system-node-critical` and set the `spec.priority` value to `2000001000`.
containerd	1.1.5	1.1.6	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.6). Update resolves [CVE-2019-5736 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10871600).
Kubernetes `kubelet` configuration	N/A	N/A	Enabled the `ExperimentalCriticalPodAnnotation` feature gate to prevent critical static pod eviction.

Changelog for 1.12.5_1537, released 5 February 2019

{: #1125_1537}

The following table shows the changes that are included in the patch 1.12.5_1537. {: shortdesc}

Changes since version 1.12.4_1535

Component	Previous	Current	Description
etcd	v3.3.1	v3.3.11	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.11). Additionally, the supported cipher suites to etcd are now restricted to a subset with high strength encryption (128 bits or more).
GPU device plug-in and installer	13fdc0d	eb3a259	Updated images for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) and [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
{{site.data.keyword.cloud_notm}} Provider	v1.12.4-118	v1.12.5-137	Updated to support the Kubernetes 1.12.5 release. Additionally, `calicoctl` version is updated to 3.3.1. Fixed unnecessary configuration updates to version 2.0 network load balancers on worker node status changes.
{{site.data.keyword.cloud_notm}} File Storage plug-in	338	342	The file storage plug-in is updated as follows: Supports dynamic provisioning with [volume topology-aware scheduling](/docs/containers?topic=containers-file_storage#file-topology). Ignores persistent volume claim (PVC) delete errors if the storage is already deleted. Adds a failure message annotation to failed PVCs. Optimizes the storage provisioner controller's leader election and resync period settings, and increases the provisioning timeout from 30 minutes to 1 hour. Checks user permissions before starting the provisioning.
Key Management Service provider	111	122	Added retry logic to avoid temporary failures when Kubernetes secrets are managed by {{site.data.keyword.keymanagementservicefull_notm}}.
Kubernetes	v1.12.4	v1.12.5	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.5).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to include logging metadata for `cluster-admin` requests and logging the request body of workload `create`, `update`, and `patch` requests.
OpenVPN client	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407). Additionally, the pod configuration is now obtained from a secret instead of from a configmap.
OpenVPN server	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407).
systemd	230	229	Security patch for [CVE-2018-16864 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864).

Changelog for worker node fix pack 1.12.4_1535, released 28 January 2019

{: #1124_1535}

The following table shows the changes that are included in the worker node fix pack 1.12.4_1535. {: shortdesc}

Changes since version 1.12.4_1534

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `apt` for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) and [USN-3863-1 ](https://usn.ubuntu.com/3863-1).

Changelog for 1.12.4_1534, released 21 January 2019

{: #1124_1534}

The following table shows the changes that are included in the patch 1.12.3_1534. {: shortdesc}

Changes since version 1.12.3_1533

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.12.3-91	v1.12.4-118	Updated to support the Kubernetes 1.12.4 release.
Kubernetes	v1.12.3	v1.12.4	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.4).
Kubernetes add-on resizer	1.8.1	1.8.4	See the [Kubernetes add-on resizer release notes ](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.4).
Kubernetes dashboard	v1.8.3	v1.10.1	See the [Kubernetes dashboard release notes ](https://github.com/kubernetes/dashboard/releases/tag/v1.10.1). Update resolves [CVE-2018-18264 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18264).
GPU installer	390.12	410.79	Updated the installed GPU drivers to 410.79.

Changelog for worker node fix pack 1.12.3_1533, released 7 January 2019

{: #1123_1533}

The following table shows the changes that are included in the worker node fix pack 1.12.3_1533. {: shortdesc}

Changes since version 1.12.3_1532

Component	Previous	Current	Description
Kernel	4.4.0-139	4.4.0-141	Updated worker node images with kernel update for [CVE-2017-5753, CVE-2018-18690 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-141.167/changelog).

Changelog for worker node fix pack 1.12.3_1532, released 17 December 2018

{: #1123_1532}

The following table shows the changes that are included in the worker node fix pack 1.12.2_1532. {: shortdesc}

Changes since version 1.12.3_1531

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for 1.12.3_1531, released 5 December 2018

{: #1123_1531}

The following table shows the changes that are included in the patch 1.12.3_1531. {: shortdesc}

Changes since version 1.12.2_1530

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.12.2-68	v1.12.3-91	Updated to support the Kubernetes 1.12.3 release.
Kubernetes	v1.12.2	v1.12.3	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.3). Update resolves [CVE-2018-1002105 ](kubernetes/kubernetes#71411). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10743917).

Changelog for worker node fix pack 1.12.2_1530, released 4 December 2018

{: #1122_1530}

The following table shows the changes that are included in the worker node fix pack 1.12.2_1530. {: shortdesc}

Changes since version 1.12.2_1529

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Added dedicated cgroups for the kubelet and containerd to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for 1.12.2_1529, released 27 November 2018

{: #1122_1529}

The following table shows the changes that are included in patch 1.12.2_1529. {: shortdesc}

Changes since version 1.12.2_1528

Component	Previous	Current	Description
Calico	v3.2.1	v3.3.1	See the [Calico release notes ](https://docs.projectcalico.org/v3.3/releases/#v331). Update resolves [Tigera Technical Advisory TTA-2018-001 ](https://www.projectcalico.org/security-bulletins/). For more information, see the [IBM security bulletin ](https://www.ibm.com/support/docview.wss?uid=ibm10740799).
Cluster DNS configuration	N/A	N/A	Fixed a bug that could result in both Kubernetes DNS and CoreDNS pods to run after cluster creation or update operations.
containerd	v1.2.0	v1.1.5	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.5). Updated containerd to fix a deadlock that can [stop pods from terminating ](containerd/containerd#2744).
OpenVPN client and server	2.4.4-r1-6	2.4.6-r3-IKS-8	Updated image for [CVE-2018-0732 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732) and [CVE-2018-0737 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737).

Changelog for worker node fix pack 1.12.2_1528, released 19 November 2018

{: #1122_1528}

The following table shows the changes that are included in the worker node fix pack 1.12.2_1528. {: shortdesc}

Changes since version 1.12.2_1527

Component	Previous	Current	Description
Kernel	4.4.0-137	4.4.0-139	Updated worker node images with kernel update for [CVE-2018-7755 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-139.165/changelog).

Changelog for 1.12.2_1527, released 7 November 2018

{: #1122_1527}

The following table shows the changes that are included in patch 1.12.2_1527. {: shortdesc}

Changes since version 1.11.3_1533

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Calico `calico-*` pods in the `kube-system` namespace now set CPU and memory resource requests for all containers.
Cluster DNS provider	N/A	N/A	Kubernetes DNS (KubeDNS) remains the default cluster DNS provider. However, you now have the option to [change the cluster DNS provide to CoreDNS](/docs/containers?topic=containers-cluster_dns#dns_set).
Cluster metrics provider	N/A	N/A	Kubernetes Metrics Server replaces Kubernetes Heapster (deprecated since Kubernetes version 1.8) as the cluster metrics provider. For action items, see [the `metrics-server` preparation action](/docs/containers?topic=containers-cs_versions#metrics-server).
containerd	1.1.4	1.2.0	See the [containerd release notes](https://github.com/containerd/containerd/releases/tag/v1.2.0).
CoreDNS	N/A	1.2.2	See the [CoreDNS release notes](https://github.com/coredns/coredns/releases/tag/v1.2.2).
Kubernetes	v1.11.3	v1.12.2	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.12.2).
Kubernetes configuration	N/A	N/A	Added three new IBM pod security policies and their associated cluster roles. For more information, see [Understanding default resources for IBM cluster management](/docs/containers?topic=containers-psp#ibm_psp).
Kubernetes Dashboard	v1.8.3	v1.10.0	See the [Kubernetes Dashboard release notes](https://github.com/kubernetes/dashboard/releases/tag/v1.10.0). If you access the dashboard via `kubectl proxy`, the **SKIP** button on the login page is removed. Instead, [use a **Token** to log in](/docs/containers?topic=containers-app#cli_dashboard). Additionally, you can now scale up the number of Kubernetes Dashboard pods by running `kubectl -n kube-system scale deploy kubernetes-dashboard --replicas=3`.
Kubernetes DNS	1.14.10	1.14.13	See the [Kubernetes DNS release notes](https://github.com/kubernetes/dns/releases/tag/1.14.13).
Kubernetes Metrics Server	N/A	v0.3.1	See the [Kubernetes Metrics Server release notes](https://github.com/kubernetes-incubator/metrics-server/releases/tag/v0.3.1).
{{site.data.keyword.cloud_notm}} Provider	v1.11.3-118	v1.12.2-68	Updated to support the Kubernetes 1.12 release. Additional changes include the following: Load balancer pods (`ibm-cloud-provider-ip-*` in `ibm-system` namespace) now set CPU and memory resource requests. The `service.kubernetes.io/ibm-load-balancer-cloud-provider-vlan` annotation is added to specify the VLAN that the load balancer service deploys to. To see available VLANs in your cluster, run `ibmcloud ks vlan ls --zone `. A new [load balancer 2.0](/docs/containers?topic=containers-loadbalancer-about#planning_ipvs) is available as a beta.
OpenVPN client configuration	N/A	N/A	OpenVPN client `vpn-* pod` in the `kube-system` namespace now sets CPU and memory resource requests.

Archive

{: #changelog_archive}

Unsupported Kubernetes versions:

• Version 1.11
• Version 1.10
• Version 1.9
• Version 1.8
• Version 1.7

Version 1.11 changelog (unsupported as of 20 July 2019)

{: #111_changelog}

Review the version 1.11 changelog. {: shortdesc}

• Changelog for worker node fix pack 1.11.10_1564, released 8 July 2019
• Changelog for worker node fix pack 1.11.10_1563, released 24 June 2019
• Changelog for worker node fix pack 1.11.10_1562, released 17 June 2019
• Changelog for 1.11.10_1561, released 4 June 2019
• Changelog for worker node fix pack 1.11.10_1559, released 20 May 2019
• Changelog for 1.11.10_1558, released 13 May 2019
• Changelog for worker node fix pack 1.11.9_1556, released 29 April 2019
• Changelog for worker node fix pack 1.11.9_1555, released 15 April 2019
• Changelog for 1.11.9_1554, released 8 April 2019
• Changelog for worker node fix pack 1.11.8_1553, released 1 April 2019
• Changelog for master fix pack 1.11.8_1552, released 26 March 2019
• Changelog for 1.11.8_1550, released 20 March 2019
• Changelog for 1.11.8_1547, released 4 March 2019
• Changelog for worker node fix pack 1.11.7_1546, released 27 February 2019
• Changelog for worker node fix pack 1.11.7_1544, released 15 February 2019
• Changelog for 1.11.7_1543, released 5 February 2019
• Changelog for worker node fix pack 1.11.6_1541, released 28 January 2019
• Changelog for 1.11.6_1540, released 21 January 2019
• Changelog for worker node fix pack 1.11.5_1539, released 7 January 2019
• Changelog for worker node fix pack 1.11.5_1538, released 17 December 2018
• Changelog for 1.11.5_1537, released 5 December 2018
• Changelog for worker node fix pack 1.11.4_1536, released 4 December 2018
• Changelog for 1.11.4_1535, released 27 November 2018
• Changelog for worker node fix pack 1.11.3_1534, released 19 November 2018
• Changelog for 1.11.3_1533, released 7 November 2018
• Changelog for master fix pack 1.11.3_1531, released 1 November 2018
• Changelog for worker node fix pack 1.11.3_1531, released 26 October 2018
• Changelog for master fix pack 1.11.3_1527, released 15 October 2018
• Changelog for worker node fix pack 1.11.3_1525, released 10 October 2018
• Changelog for 1.11.3_1524, released 2 October 2018
• Changelog for 1.11.3_1521, released 20 September 2018
• Changelog for 1.11.2_1516, released 4 September 2018
• Changelog for worker node fix pack 1.11.2_1514, released 23 August 2018
• Changelog for 1.11.2_1513, released 14 August 2018

Changelog for worker node fix pack 1.11.10_1564, released 8 July 2019

{: #11110_1564}

The following table shows the changes that are included in the worker node patch 1.11.10_1564. {: shortdesc}

Changes since version 1.11.10_1563

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-151-generic	4.4.0-154-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html).
Ubuntu 18.04 kernel	4.15.0-52-generic	4.15.0-54-generic	Updated worker node images with kernel and package updates for [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html) and [CVE-2019-11479 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11479.html).

Changelog for worker node fix pack 1.11.10_1563, released 24 June 2019

{: #11110_1563}

The following table shows the changes that are included in the worker node patch 1.11.10_1563. {: shortdesc}

Changes since version 1.11.10_1562

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-150-generic	4.4.0-151-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html).
Ubuntu 18.04 kernel	4.15.0-51-generic	4.15.0-52-generic	Updated worker node images with kernel and package updates for [CVE-2019-11477 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11477.html) and [CVE-2019-11478 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-11478.html).

Changelog for worker node fix pack 1.11.10_1562, released 17 June 2019

{: #11110_1562}

The following table shows the changes that are included in the worker node patch 1.11.10_1562. {: shortdesc}

Changes since version 1.11.10_1561

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-148-generic	4.4.0-150-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).
Ubuntu 18.04 kernel	4.15.0-50-generic	4.15.0-51-generic	Updated worker node images with kernel and package updates for [CVE-2019-10906 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-10906.html?_ga=2.184456110.929090212.1560547312-1880639276.1557078470).

Changelog for 1.11.10_1561, released 4 June 2019

{: #11110_1561}

The following table shows the changes that are included in the patch 1.11.10_1561. {: shortdesc}

Changes since version 1.11.10_1559

Component	Previous	Current	Description
Cluster master HA configuration	N/A	N/A	Updated configuration to minimize intermittent master network connectivity failures during a master update.
etcd	v3.3.11	v3.3.13	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.13).
GPU device plug-in and installer	55c1f66	32257d3	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).
Trusted compute agent	13c7ef0	e8c6d72	Updated image for [CVE-2018-10844 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10844), [CVE-2018-10845 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10845), [CVE-2018-10846 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10846), [CVE-2019-3829 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3829), [CVE-2019-3836 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3836), [CVE-2019-9893 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9893), [CVE-2019-5435 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5435), and [CVE-2019-5436 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5436).

Changelog for worker node fix pack 1.11.10_1559, released 20 May 2019

{: #11110_1559}

The following table shows the changes that are included in the patch pack 1.11.10_1559. {: shortdesc}

Changes since version 1.11.10_1558

Component	Previous	Current	Description
Ubuntu 16.04 kernel	4.4.0-145-generic	4.4.0-148-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).
Ubuntu 18.04 kernel	4.15.0-47-generic	4.15.0-50-generic	Updated worker node images with kernel update for [CVE-2018-12126 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12126.html), [CVE-2018-12127 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12127.html), and [CVE-2018-12130 ](https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-12130.html).

Changelog for 1.11.10_1558, released 13 May 2019

{: #11110_1558}

The following table shows the changes that are included in the patch 1.11.10_1558. {: shortdesc}

Changes since version 1.11.9_1556

Component	Previous	Current	Description
Cluster master HA proxy	1.9.6-alpine	1.9.7-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2019-6706 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706).
GPU device plug-in and installer	9ff3fda	55c1f66	Updated image for [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543).
{{site.data.keyword.cloud_notm}} Provider	v1.11.9-241	v1.11.10-270	Updated to support the Kubernetes 1.11.10 release.
Kubernetes	v1.11.9	v1.11.10	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.10).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to not log the `/openapi/v2*` read-only URL. In addition, the Kubernetes controller manager configuration increased the validity duration of signed `kubelet` certificates from 1 to 3 years.
OpenVPN client configuration	N/A	N/A	The OpenVPN client `vpn-*` pod in the `kube-system` namespace now sets `dnsPolicy` to `Default` to prevent the pod from failing when cluster DNS is down.
Trusted compute agent	e132aa4	13c7ef0	Updated image for [CVE-2016-7076 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7076), [CVE-2017-1000368 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000368), and [CVE-2019-11068 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068).

Changelog for worker node fix pack 1.11.9_1556, released 29 April 2019

{: #1119_1556}

The following table shows the changes that are included in the worker node fix pack 1.11.9_1556. {: shortdesc}

Changes since version 1.11.9_1555

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.
containerd	1.1.6	1.1.7	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.7).

Changelog for worker node fix pack 1.11.9_1555, released 15 April 2019

{: #1119_1555}

The following table shows the changes that are included in the worker node fix pack 1.11.9_1555. {: shortdesc}

Changes since 1.11.9_1554

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `systemd` for [CVE-2019-3842 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3842.html).

Changelog for 1.11.9_1554, released 8 April 2019

{: #1119_1554}

The following table shows the changes that are included in the patch 1.11.9_1554. {: shortdesc}

Changes since version 1.11.8_1553

Component	Previous	Current	Description
Calico	v3.3.1	v3.3.6	See the [Calico release notes ](https://docs.projectcalico.org/v3.3/releases/#v336). Update resolves [CVE-2019-9946 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9946).
Cluster master HA proxy	1.8.12-alpine	1.9.6-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2018-0732 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732), [CVE-2018-0734 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734), [CVE-2018-0737 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737), [CVE-2018-5407 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407), [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543), and [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
{{site.data.keyword.cloud_notm}} Provider	v1.11.8-219	v1.11.9-241	Updated to support the Kubernetes 1.11.9 and Calico 3.3.6 releases.
Kubernetes	v1.11.8	v1.11.9	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.9).
Kubernetes DNS	1.14.10	1.14.13	See the [Kubernetes DNS release notes ](https://github.com/kubernetes/dns/releases/tag/1.14.13).
Trusted compute agent	a02f765	e132aa4	Updated image for [CVE-2017-12447 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12447).
Ubuntu 16.04 kernel	4.4.0-143-generic	4.4.0-145-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).
Ubuntu 18.04 kernel	4.15.0-46-generic	4.15.0-47-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).

Changelog for worker node fix pack 1.11.8_1553, released 1 April 2019

{: #1118_1553}

The following table shows the changes that are included in the worker node fix 1.11.8_1553. {: shortdesc}

Changes since version 1.11.8_1552

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Increased memory reservations for the kubelet and containerd to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for master fix pack 1.11.8_1552, released 26 March 2019

{: #1118_1552}

The following table shows the changes that are included in the master fix pack 1.11.8_1552. {: shortdesc}

Changes since version 1.11.8_1550

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} File Storage plug-in	345	346	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Key Management Service provider	166	167	Fixes intermittent `context deadline exceeded` and `timeout` errors for managing Kubernetes secrets. In addition, fixes updates to the key management service that might leave existing Kubernetes secrets unencrypted. Update includes fix for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	143	146	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).

Changelog for 1.11.8_1550, released 20 March 2019

{: #1118_1550}

The following table shows the changes that are included in the patch 1.11.8_1550. {: shortdesc}

Changes since version 1.11.8_1547

Component	Previous	Current	Description
Cluster master HA proxy configuration	N/A	N/A	Updated configuration to better handle intermittent connection failures to the cluster master.
GPU device plug-in and installer	e32d51c	9ff3fda	Updated the GPU drivers to [418.43 ](https://www.nvidia.com/object/unix.html). Update includes fix for [CVE-2019-9741 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9741.html).
{{site.data.keyword.cloud_notm}} File Storage plug-in	344	345	Added support for [private service endpoints](/docs/containers?topic=containers-cs_network_cluster#set-up-private-se).
Kernel	4.4.0-141	4.4.0-143	Updated worker node images with kernel update for [CVE-2019-6133 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6133.html).
Key Management Service provider	136	166	Updated image for [CVE-2018-16890 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890), [CVE-2019-3822 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822), and [CVE-2019-3823 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823).
Trusted compute agent	5f3d092	a02f765	Updated image for [CVE-2018-10779 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10779), [CVE-2018-12900 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12900), [CVE-2018-17000 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17000), [CVE-2018-19210 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210), [CVE-2019-6128 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128), and [CVE-2019-7663 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7663).

Changelog for 1.11.8_1547, released 4 March 2019

{: #1118_1547}

The following table shows the changes that are included in the patch 1.11.8_1547. {: shortdesc}

Changes since version 1.11.7_1546

Component	Previous	Current	Description
GPU device plug-in and installer	eb3a259	e32d51c	Updated images for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).
{{site.data.keyword.cloud_notm}} Provider	v1.11.7-198	v1.11.8-219	Updated to support the Kubernetes 1.11.8 release. Fixed periodic connectivity problems for load balancers that set `externalTrafficPolicy` to `local`. Updated load balancer events to use the latest {{site.data.keyword.cloud_notm}} documentation links.
{{site.data.keyword.cloud_notm}} File Storage plug-in	342	344	Changed the base operating system for the image from Fedora to Alpine. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Key Management Service provider	122	136	Increased client timeout to {{site.data.keyword.keymanagementservicefull_notm}}. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Kubernetes	v1.11.7	v1.11.8	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.8). Update resolves [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486) and [CVE-2019-1002100 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1002100).
Kubernetes configuration	N/A	N/A	Added `ExperimentalCriticalPodAnnotation=true` to the `--feature-gates` option. This setting helps migrate pods from the deprecated `scheduler.alpha.kubernetes.io/critical-pod` annotation to [Kubernetes pod priority support](/docs/containers?topic=containers-pod_priority#pod_priority).
Kubernetes DNS	N/A	N/A	Increased Kubernetes DNS pod memory limit from `170Mi` to `400Mi` in order to handle more cluster services.
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	132	143	Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
OpenVPN client and server	2.4.6-r3-IKS-13	2.4.6-r3-IKS-25	Updated image for [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
Trusted compute agent	1ea5ad3	5f3d092	Updated image for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).

Changelog for worker node fix pack 1.11.7_1546, released 27 February 2019

{: #1117_1546}

The following table shows the changes that are included in the worker node fix pack 1.11.7_1546. {: shortdesc}

Changes since version 1.11.7_1546

Component	Previous	Current	Description
Kernel	4.4.0-141	4.4.0-142	Updated worker node images with kernel update for [CVE-2018-19407 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-142.168/changelog).

Changelog for worker node fix pack 1.11.7_1544, released 15 February 2019

{: #1117_1544}

The following table shows the changes that are included in the worker node fix pack 1.11.7_1544. {: shortdesc}

Changes since version 1.11.7_1543

Component	Previous	Current	Description
Cluster master HA proxy configuration	N/A	N/A	Changed the pod configuration `spec.priorityClassName` value to `system-node-critical` and set the `spec.priority` value to `2000001000`.
containerd	1.1.5	1.1.6	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.6). Update resolves [CVE-2019-5736 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736).
Kubernetes `kubelet` configuration	N/A	N/A	Enabled the `ExperimentalCriticalPodAnnotation` feature gate to prevent critical static pod eviction.

Changelog for 1.11.7_1543, released 5 February 2019

{: #1117_1543}

The following table shows the changes that are included in the patch 1.11.7_1543. {: shortdesc}

Changes since version 1.11.6_1541

Component	Previous	Current	Description
etcd	v3.3.1	v3.3.11	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.11). Additionally, the supported cipher suites to etcd are now restricted to a subset with high strength encryption (128 bits or more).
GPU device plug-in and installer	13fdc0d	eb3a259	Updated images for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) and [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
{{site.data.keyword.cloud_notm}} Provider	v1.11.6-180	v1.11.7-198	Updated to support the Kubernetes 1.11.7 release. Additionally, `calicoctl` version is updated to 3.3.1. Fixed unnecessary configuration updates to version 2.0 network load balancers on worker node status changes.
{{site.data.keyword.cloud_notm}} File Storage plug-in	338	342	The file storage plug-in is updated as follows: Supports dynamic provisioning with [volume topology-aware scheduling](/docs/containers?topic=containers-file_storage#file-topology). Ignores persistent volume claim (PVC) delete errors if the storage is already deleted. Adds a failure message annotation to failed PVCs. Optimizes the storage provisioner controller's leader election and resync period settings, and increases the provisioning timeout from 30 minutes to 1 hour. Checks user permissions before starting the provisioning.
Key Management Service provider	111	122	Added retry logic to avoid temporary failures when Kubernetes secrets are managed by {{site.data.keyword.keymanagementservicefull_notm}}.
Kubernetes	v1.11.6	v1.11.7	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.7).
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to include logging metadata for `cluster-admin` requests and logging the request body of workload `create`, `update`, and `patch` requests.
OpenVPN client	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407). Additionally, the pod configuration is now obtained from a secret instead of from a configmap.
OpenVPN server	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407).
systemd	230	229	Security patch for [CVE-2018-16864 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864).

Changelog for worker node fix pack 1.11.6_1541, released 28 January 2019

{: #1116_1541}

The following table shows the changes that are included in the worker node fix pack 1.11.6_1541. {: shortdesc}

Changes since version 1.11.6_1540

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `apt` for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) / [USN-3863-1 ](https://usn.ubuntu.com/3863-1).

Changelog for 1.11.6_1540, released 21 January 2019

{: #1116_1540}

The following table shows the changes that are included in the patch 1.11.6_1540. {: shortdesc}

Changes since version 1.11.5_1539

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.11.5-152	v1.11.6-180	Updated to support the Kubernetes 1.11.6 release.
Kubernetes	v1.11.5	v1.11.6	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.6).
Kubernetes add-on resizer	1.8.1	1.8.4	See the [Kubernetes add-on resizer release notes ](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.4).
Kubernetes dashboard	v1.8.3	v1.10.1	See the [Kubernetes dashboard release notes ](https://github.com/kubernetes/dashboard/releases/tag/v1.10.1). Update resolves [CVE-2018-18264 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18264). If you access the dashboard via `kubectl proxy`, the **SKIP** button on the login page is removed. Instead, [use a **Token** to log in](/docs/containers?topic=containers-app#cli_dashboard).
GPU installer	390.12	410.79	Updated the installed GPU drivers to 410.79.

Changelog for worker node fix pack 1.11.5_1539, released 7 January 2019

{: #1115_1539}

The following table shows the changes that are included in the worker node fix pack 1.11.5_1539. {: shortdesc}

Changes since version 1.11.5_1538

Component	Previous	Current	Description
Kernel	4.4.0-139	4.4.0-141	Updated worker node images with kernel update for [CVE-2017-5753, CVE-2018-18690 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-141.167/changelog).

Changelog for worker node fix pack 1.11.5_1538, released 17 December 2018

{: #1115_1538}

The following table shows the changes that are included in the worker node fix pack 1.11.5_1538. {: shortdesc}

Changes since version 1.11.5_1537

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for 1.11.5_1537, released 5 December 2018

{: #1115_1537}

The following table shows the changes that are included in the patch 1.11.5_1537. {: shortdesc}

Changes since version 1.11.4_1536

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.11.4-142	v1.11.5-152	Updated to support the Kubernetes 1.11.5 release.
Kubernetes	v1.11.4	v1.11.5	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.5). Update resolves [CVE-2018-1002105 ](kubernetes/kubernetes#71411).

Changelog for worker node fix pack 1.11.4_1536, released 4 December 2018

{: #1114_1536}

The following table shows the changes that are included in the worker node fix pack 1.11.4_1536. {: shortdesc}

Changes since version 1.11.4_1535

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Added dedicated cgroups for the kubelet and containerd to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for 1.11.4_1535, released 27 November 2018

{: #1114_1535}

The following table shows the changes that are included in patch 1.11.4_1535. {: shortdesc}

Changes since version 1.11.3_1534

Component	Previous	Current	Description
Calico	v3.2.1	v3.3.1	See the [Calico release notes ](https://docs.projectcalico.org/v3.3/releases/#v331). Update resolves [Tigera Technical Advisory TTA-2018-001 ](https://www.projectcalico.org/security-bulletins/).
containerd	v1.1.4	v1.1.5	See the [containerd release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.5). Updated containerd to fix a deadlock that can [stop pods from terminating ](containerd/containerd#2744).
{{site.data.keyword.cloud_notm}} Provider	v1.11.3-127	v1.11.4-142	Updated to support the Kubernetes 1.11.4 release.
Kubernetes	v1.11.3	v1.11.4	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.4).
OpenVPN client and server	2.4.4-r1-6	2.4.6-r3-IKS-8	Updated image for [CVE-2018-0732 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732) and [CVE-2018-0737 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737).

Changelog for worker node fix pack 1.11.3_1534, released 19 November 2018

{: #1113_1534}

The following table shows the changes that are included in the worker node fix pack 1.11.3_1534. {: shortdesc}

Changes since version 1.11.3_1533

Component	Previous	Current	Description
Kernel	4.4.0-137	4.4.0-139	Updated worker node images with kernel update for [CVE-2018-7755 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-139.165/changelog).

Changelog for 1.11.3_1533, released 7 November 2018

{: #1113_1533}

The following table shows the changes that are included in patch 1.11.3_1533. {: shortdesc}

Changes since version 1.11.3_1531

Component	Previous	Current	Description
Cluster master HA update	N/A	N/A	Fixed the update to highly available (HA) masters for clusters that use admission webhooks such as `initializerconfigurations`, `mutatingwebhookconfigurations`, or `validatingwebhookconfigurations`. You might use these webhooks with Helm charts such as for [Container Image Security Enforcement](/docs/services/Registry?topic=registry-security_enforce#security_enforce).
{{site.data.keyword.cloud_notm}} Provider	v1.11.3-100	v1.11.3-127	Added the `service.kubernetes.io/ibm-load-balancer-cloud-provider-vlan` annotation to specify the VLAN that the load balancer service deploys to. To see available VLANs in your cluster, run `ibmcloud ks vlan ls --zone `.
TPM-enabled kernel	N/A	N/A	Bare metal worker nodes with TPM chips for Trusted Compute use the default Ubuntu kernel until trust is enabled. If you [enable trust](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_feature_enable) on an existing cluster, you need to [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) any existing bare metal worker nodes with TPM chips. To check if a bare metal worker node has a TPM chip, review the **Trustable** field after running the `ibmcloud ks flavors --zone` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_machine_types).

Changelog for master fix pack 1.11.3_1531, released 1 November 2018

{: #1113_1531_ha-master}

The following table shows the changes that are included in the master fix pack 1.11.3_1531. {: shortdesc}

Changes since version 1.11.3_1527

Component	Previous	Current	Description
Cluster master	N/A	N/A	Updated the cluster master configuration to increase high availability (HA). Clusters now have three Kubernetes master replicas that are set up with a highly available (HA) configuration, with each master deployed on separate physical hosts.
Cluster master HA proxy	N/A	1.8.12-alpine	Added an `ibm-master-proxy-*` pod for client-side load balancing on all worker nodes, so that each worker node client can route requests to an available HA master replica.
etcd	v3.2.18	v3.3.1	See the [etcd release notes](https://github.com/etcd-io/etcd/releases/v3.3.1).
Encrypting data in etcd	N/A	N/A	Previously, etcd data was stored on a master’s NFS file storage instance that is encrypted at rest. Now, etcd data is stored on the master’s local disk and backed up to {{site.data.keyword.cos_full_notm}}. Data is encrypted during transit to {{site.data.keyword.cos_full_notm}} and at rest. However, the etcd data on the master’s local disk is not encrypted. If you want your master’s local etcd data to be encrypted, [enable {{site.data.keyword.keymanagementservicelong_notm}} in your cluster](/docs/containers?topic=containers-encryption#keyprotect).

Changelog for worker node fix pack 1.11.3_1531, released 26 October 2018

{: #1113_1531}

The following table shows the changes that are included in the worker node fix pack 1.11.3_1531. {: shortdesc}

Changes since version 1.11.3_1525

Component	Previous	Current	Description
OS interrupt handling	N/A	N/A	Replaced the interrupt request (IRQ) system daemon with a more performant interrupt handler.

Changelog for master fix pack 1.11.3_1527, released 15 October 2018

{: #1113_1527}

The following table shows the changes that are included in the master fix pack 1.11.3_1527. {: shortdesc}

Changes since version 1.11.3_1524

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Fixed `calico-node` container readiness probe to better handle node failures.
Cluster update	N/A	N/A	Fixed problem with updating cluster add-ons when the master is updated from an unsupported version.

Changelog for worker node fix pack 1.11.3_1525, released 10 October 2018

{: #1113_1525}

The following table shows the changes that are included in the worker node fix pack 1.11.3_1525. {: shortdesc}

Changes since version 1.11.3_1524

Component	Previous	Current	Description
Kernel	4.4.0-133	4.4.0-137	Updated worker node images with kernel update for [CVE-2018-14633, CVE-2018-17182 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-137.163/changelog).
Inactive session timeout	N/A	N/A	Set the inactive session timeout to 5 minutes for compliance reasons.

Changelog for 1.11.3_1524, released 2 October 2018

{: #1113_1524}

The following table shows the changes that are included in patch 1.11.3_1524. {: shortdesc}

Changes since version 1.11.3_1521

Component	Previous	Current	Description
containerd	1.1.3	1.1.4	See the [containerd release notes](https://github.com/containerd/containerd/releases/tag/v1.1.4).
{{site.data.keyword.cloud_notm}} Provider	v1.11.3-91	v1.11.3-100	Updated the documentation link in load balancer error messages.
IBM file storage classes	N/A	N/A	Removed duplicate `reclaimPolicy` parameter in the IBM file storage classes. Also, now when you update the cluster master, the default IBM file storage class remains unchanged. If you want to change the default storage class, run `kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'` and replace `` with the name of the storage class.

Changelog for 1.11.3_1521, released 20 September 2018

{: #1113_1521}

The following table shows the changes that are included in patch 1.11.3_1521. {: shortdesc}

Changes since version 1.11.2_1516

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.11.2-71	v1.11.3-91	Updated to support Kubernetes 1.11.3 release.
IBM file storage classes	N/A	N/A	Removed `mountOptions` in the IBM file storage classes to use the default that is provided by the worker node. Also, now when you update the cluster master, the default IBM file storage class remains `ibmc-file-bronze`. If you want to change the default storage class, run `kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'` and replace `` with the name of the storage class.
Key Management Service Provider	N/A	N/A	Added the ability to use the Kubernetes [key management service (KMS) provider](/docs/containers?topic=containers-encryption#keyprotect) in the cluster, to support {{site.data.keyword.keymanagementservicefull}}. When you [enable {{site.data.keyword.keymanagementserviceshort}} in your cluster](/docs/containers?topic=containers-encryption#keyprotect), all your Kubernetes secrets are encrypted.
Kubernetes	v1.11.2	v1.11.3	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.3).
Kubernetes DNS autoscaler	1.1.2-r2	1.2.0	See the [Kubernetes DNS autoscaler release notes ](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.2.0).
Log rotate	N/A	N/A	Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker reload` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) or the `ibmcloud ks worker update` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update).
Root password expiration	N/A	N/A	Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update) or [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) your worker nodes at least every 90 days.
Worker node runtime components (`kubelet`, `kube-proxy`, `containerd`)	N/A	N/A	Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up.
systemd	N/A	N/A	Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ](kubernetes/kubernetes#57345).

Changelog for 1.11.2_1516, released 4 September 2018

{: #1112_1516}

The following table shows the changes that are included in patch 1.11.2_1516. {: shortdesc}

Changes since version 1.11.2_1514

Component	Previous	Current	Description
Calico	v3.1.3	v3.2.1	See the [Calico release notes ](https://docs.projectcalico.org/v3.2/releases/#v321).
containerd	1.1.2	1.1.3	See the [`containerd` release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.3).
{{site.data.keyword.cloud_notm}} Provider	v1.11.2-60	v1.11.2-71	Changed the cloud provider configuration to better handle updates for load balancer services with `externalTrafficPolicy` set to `local`.
{{site.data.keyword.cloud_notm}} File Storage plug-in configuration	N/A	N/A	Removed the default NFS version from the mount options in the IBM-provided file storage classes. The host's operating system now negotiates the NFS version with the IBM Cloud infrastructure NFS server. To manually set a specific NFS version, or to change the NFS version of your PV that was negotiated by the host's operating system, see [Changing the default NFS version](/docs/containers?topic=containers-file_storage#nfs_version_class).

Changelog for worker node fix pack 1.11.2_1514, released 23 August 2018

{: #1112_1514}

The following table shows the changes that are included in the worker node fix pack 1.11.2_1514. {: shortdesc}

Changes since version 1.11.2_1513

Component	Previous	Current	Description
`systemd`	229	230	Updated `systemd` to fix `cgroup` leak.
Kernel	4.4.0-127	4.4.0-133	Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ](https://usn.ubuntu.com/3741-1/).

Changelog for 1.11.2_1513, released 14 August 2018

{: #1112_1513}

The following table shows the changes that are included in patch 1.11.2_1513. {: shortdesc}

Changes since version 1.10.5_1518

Component	Previous	Current	Description
containerd	N/A	1.1.2	`containerd` replaces Docker as the new container runtime for Kubernetes. See the [`containerd` release notes ](https://github.com/containerd/containerd/releases/tag/v1.1.2).
Docker	N/A	N/A	`containerd` replaces Docker as the new container runtime for Kubernetes, to enhance performance.
etcd	v3.2.14	v3.2.18	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.2.18).
{{site.data.keyword.cloud_notm}} Provider	v1.10.5-118	v1.11.2-60	Updated to support Kubernetes 1.11 release. In addition, load balancer pods now use the new `ibm-app-cluster-critical` pod priority class.
{{site.data.keyword.cloud_notm}} File Storage plug-in	334	338	Updated `incubator` version to 1.8. File storage is provisioned to the specific zone that you select. You cannot update an existing (static) PV instance labels.
Kubernetes	v1.10.5	v1.11.2	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.11.2).
Kubernetes configuration	N/A	N/A	Updated the OpenID Connect configuration for the cluster's Kubernetes API server to support {{site.data.keyword.cloud_notm}} Identity Access and Management (IAM) access groups. Added `Priority` to the `--enable-admission-plugins` option for the cluster's Kubernetes API server and configured the cluster to support pod priority. For more information, see: [{{site.data.keyword.cloud_notm}} IAM access groups](/docs/containers?topic=containers-users#rbac) [Configuring pod priority](/docs/containers?topic=containers-pod_priority#pod_priority)
Kubernetes Heapster	v1.5.2	v.1.5.4	Increased resource limits for the `heapster-nanny` container. See the [Kubernetes Heapster release notes ](https://github.com/kubernetes/heapster/releases/tag/v1.5.4).
Logging configuration	N/A	N/A	The container log directory is now `/var/log/pods/` instead of the previous `/var/lib/docker/containers/`.

Version 1.10 changelog (unsupported as of 16 May 2019)

{: #110_changelog}

Review the version 1.10 changelogs. {: shortdesc}

• Changelog for worker node fix pack 1.10.13_1558, released 13 May 2019
• Changelog for worker node fix pack 1.10.13_1557, released 29 April 2019
• Changelog for worker node fix pack 1.10.13_1556, released 15 April 2019
• Changelog for 1.10.13_1555, released 8 April 2019
• Changelog for worker node fix pack 1.10.13_1554, released 1 April 2019
• Changelog for master fix pack 1.10.13_1553, released 26 March 2019
• Changelog for 1.10.13_1551, released 20 March 2019
• Changelog for 1.10.13_1548, released 4 March 2019
• Changelog for worker node fix pack 1.10.12_1546, released 27 February 2019
• Changelog for worker node fix pack 1.10.12_1544, released 15 February 2019
• Changelog for 1.10.12_1543, released 5 February 2019
• Changelog for worker node fix pack 1.10.12_1541, released 28 January 2019
• Changelog for 1.10.12_1540, released 21 January 2019
• Changelog for worker node fix pack 1.10.11_1538, released 7 January 2019
• Changelog for worker node fix pack 1.10.11_1537, released 17 December 2018
• Changelog for 1.10.11_1536, released 4 December 2018
• Changelog for worker node fix pack 1.10.8_1532, released 27 November 2018
• Changelog for worker node fix pack 1.10.8_1531, released 19 November 2018
• Changelog for 1.10.8_1530, released 7 November 2018
• Changelog for worker node fix pack 1.10.8_1528, released 26 October 2018
• Changelog for worker node fix pack 1.10.8_1525, released 10 October 2018
• Changelog for 1.10.8_1524, released 2 October 2018
• Changelog for worker node fix pack 1.10.7_1521, released 20 September 2018
• Changelog for 1.10.7_1520, released 4 September 2018
• Changelog for worker node fix pack 1.10.5_1519, released 23 August 2018
• Changelog for worker node fix pack 1.10.5_1518, released 13 August 2018
• Changelog for 1.10.5_1517, released 27 July 2018
• Changelog for worker node fix pack 1.10.3_1514, released 3 July 2018
• Changelog for worker node fix pack 1.10.3_1513, released 21 June 2018
• Changelog for 1.10.3_1512, released 12 June 2018
• Changelog for worker node fix pack 1.10.1_1510, released 18 May 2018
• Changelog for worker node fix pack 1.10.1_1509, released 16 May 2018
• Changelog for 1.10.1_1508, released 01 May 2018

Changelog for worker node fix pack 1.10.13_1558, released 13 May 2019

{: #11013_1558}

The following table shows the changes that are included in the worker node fix pack 1.10.13_1558. {: shortdesc}

Changes since version 1.10.13_1557

Component	Previous	Current	Description
Cluster master HA proxy	1.9.6-alpine	1.9.7-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2019-6706 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6706).

Changelog for worker node fix pack 1.10.13_1557, released 29 April 2019

{: #11013_1557}

The following table shows the changes that are included in the worker node fix pack 1.10.13_1557. {: shortdesc}

Changes since 1.10.13_1556

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for worker node fix pack 1.10.13_1556, released 15 April 2019

{: #11013_1556}

The following table shows the changes that are included in the worker node fix pack 1.10.13_1556. {: shortdesc}

Changes since 1.10.13_1555

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `systemd` for [CVE-2019-3842 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-3842.html).

Changelog for 1.10.13_1555, released 8 April 2019

{: #11013_1555}

The following table shows the changes that are included in the patch 1.10.13_1555. {: shortdesc}

Changes since version 1.10.13_1554

Component	Previous	Current	Description
Cluster master HA proxy	1.8.12-alpine	1.9.6-alpine	See the [HAProxy release notes ](https://www.haproxy.org/download/1.9/src/CHANGELOG). Update resolves [CVE-2018-0732 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732), [CVE-2018-0734 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734), [CVE-2018-0737 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737), [CVE-2018-5407 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407), [CVE-2019-1543 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1543), and [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
Kubernetes DNS	1.14.10	1.14.13	See the [Kubernetes DNS release notes ](https://github.com/kubernetes/dns/releases/tag/1.14.13).
Trusted compute agent	a02f765	e132aa4	Updated image for [CVE-2017-12447 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12447).
Ubuntu 16.04 kernel	4.4.0-143-generic	4.4.0-145-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).
Ubuntu 18.04 kernel	4.15.0-46-generic	4.15.0-47-generic	Updated worker node images with kernel update for [CVE-2019-9213 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9213.html).

Changelog for worker node fix pack 1.10.13_1554, released 1 April 2019

{: #11013_1554}

The following table shows the changes that are included in the worker node fix 1.10.13_1554. {: shortdesc}

Changes since version 1.10.13_1553

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Increased memory reservations for the kubelet and containerd to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for master fix pack 1.10.13_1553, released 26 March 2019

{: #11118_1553}

The following table shows the changes that are included in the master fix pack 1.10.13_1553. {: shortdesc}

Changes since version 1.10.13_1551

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} File Storage plug-in	345	346	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Key Management Service provider	166	167	Fixes intermittent `context deadline exceeded` and `timeout` errors for managing Kubernetes secrets. In addition, fixes updates to the key management service that might leave existing Kubernetes secrets unencrypted. Update includes fix for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	143	146	Updated image for [CVE-2019-9741 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9741).

Changelog for 1.10.13_1551, released 20 March 2019

{: #11013_1551}

The following table shows the changes that are included in the patch 1.10.13_1551. {: shortdesc}

Changes since version 1.10.13_1548

Component	Previous	Current	Description
Cluster master HA proxy configuration	N/A	N/A	Updated configuration to better handle intermittent connection failures to the cluster master.
GPU device plug-in and installer	e32d51c	9ff3fda	Updated the GPU drivers to [418.43 ](https://www.nvidia.com/object/unix.html). Update includes fix for [CVE-2019-9741 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-9741.html).
{{site.data.keyword.cloud_notm}} File Storage plug-in	344	345	Added support for [private service endpoints](/docs/containers?topic=containers-cs_network_cluster#set-up-private-se).
Kernel	4.4.0-141	4.4.0-143	Updated worker node images with kernel update for [CVE-2019-6133 ](https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6133.html).
Key Management Service provider	136	166	Updated image for [CVE-2018-16890 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16890), [CVE-2019-3822 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3822), and [CVE-2019-3823 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3823).
Trusted compute agent	5f3d092	a02f765	Updated image for [CVE-2018-10779 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10779), [CVE-2018-12900 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12900), [CVE-2018-17000 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17000), [CVE-2018-19210 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19210), [CVE-2019-6128 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6128), and [CVE-2019-7663 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7663).

Changelog for 1.10.13_1548, released 4 March 2019

{: #11013_1548}

The following table shows the changes that are included in the patch 1.10.13_1548. {: shortdesc}

Changes since version 1.10.12_1546

Component	Previous	Current	Description
GPU device plug-in and installer	eb3a259	e32d51c	Updated images for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).
{{site.data.keyword.cloud_notm}} Provider	v1.10.12-252	v1.10.13-288	Updated to support the Kubernetes 1.10.13 release. Fixed periodic connectivity problems for load balancers that set `externalTrafficPolicy` to `local`. Updated load balancer events to use the latest {{site.data.keyword.cloud_notm}} documentation links.
{{site.data.keyword.cloud_notm}} File Storage plug-in	342	344	Changed the base operating system for the image from Fedora to Alpine. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Key Management Service provider	122	136	Increased client timeout to {{site.data.keyword.keymanagementservicefull_notm}}. Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
Kubernetes	v1.10.12	v1.10.13	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.13).
Kubernetes DNS	N/A	N/A	Increased Kubernetes DNS pod memory limit from `170Mi` to `400Mi` in order to handle more cluster services.
Load balancer and load balancer monitor for {{site.data.keyword.cloud_notm}} Provider	132	143	Updated image for [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
OpenVPN client and server	2.4.6-r3-IKS-13	2.4.6-r3-IKS-25	Updated image for [CVE-2019-1559 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1559).
Trusted compute agent	1ea5ad3	5f3d092	Updated image for [CVE-2019-6454 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6454).

Changelog for worker node fix pack 1.10.12_1546, released 27 February 2019

{: #11012_1546}

The following table shows the changes that are included in the worker node fix pack 1.10.12_1546. {: shortdesc}

Changes since version 1.10.12_1544

Component	Previous	Current	Description
Kernel	4.4.0-141	4.4.0-142	Updated worker node images with kernel update for [CVE-2018-19407 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-142.168/changelog).

Changelog for worker node fix pack 1.10.12_1544, released 15 February 2019

{: #11012_1544}

The following table shows the changes that are included in the worker node fix pack 1.10.12_1544. {: shortdesc}

Changes since version 1.10.12_1543

Component	Previous	Current	Description
Docker	18.06.1-ce	18.06.2-ce	See the [Docker Community Edition release notes ](https://github.com/docker/docker-ce/releases/tag/v18.06.2-ce). Update resolves [CVE-2019-5736 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736).
Kubernetes `kubelet` configuration	N/A	N/A	Enabled the `ExperimentalCriticalPodAnnotation` feature gate to prevent critical static pod eviction.

Changelog for 1.10.12_1543, released 5 February 2019

{: #11012_1543}

The following table shows the changes that are included in the patch 1.10.12_1543. {: shortdesc}

Changes since version 1.10.12_1541

Component	Previous	Current	Description
etcd	v3.3.1	v3.3.11	See the [etcd release notes ](https://github.com/etcd-io/etcd/releases/v3.3.11). Additionally, the supported cipher suites to etcd are now restricted to a subset with high strength encryption (128 bits or more).
GPU device plug-in and installer	13fdc0d	eb3a259	Updated images for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) and [CVE-2019-6486 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6486).
{{site.data.keyword.cloud_notm}} File Storage plug-in	338	342	The file storage plug-in is updated as follows: Supports dynamic provisioning with [volume topology-aware scheduling](/docs/containers?topic=containers-file_storage#file-topology). Ignores persistent volume claim (PVC) delete errors if the storage is already deleted. Adds a failure message annotation to failed PVCs. Optimizes the storage provisioner controller's leader election and resync period settings, and increases the provisioning timeout from 30 minutes to 1 hour. Checks user permissions before starting the provisioning.
Key Management Service provider	111	122	Added retry logic to avoid temporary failures when Kubernetes secrets are managed by {{site.data.keyword.keymanagementservicefull_notm}}.
Kubernetes configuration	N/A	N/A	The Kubernetes API server audit policy configuration is updated to include logging metadata for `cluster-admin` requests and logging the request body of workload `create`, `update`, and `patch` requests.
OpenVPN client	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407). Additionally, the pod configuration is now obtained from a secret instead of from a configmap.
OpenVPN server	2.4.6-r3-IKS-8	2.4.6-r3-IKS-13	Updated image for [CVE-2018-0734 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0734) and [CVE-2018-5407 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5407).
systemd	230	229	Security patch for [CVE-2018-16864 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16864).

Changelog for worker node fix pack 1.10.12_1541, released 28 January 2019

{: #11012_1541}

The following table shows the changes that are included in the worker node fix pack 1.10.12_1541. {: shortdesc}

Changes since version 1.10.12_1540

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages including `apt` for [CVE-2019-3462 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3462) and [USN-3863-1 ](https://usn.ubuntu.com/3863-1).

Changelog for 1.10.12_1540, released 21 January 2019

{: #11012_1540}

The following table shows the changes that are included in the patch 1.10.12_1540. {: shortdesc}

Changes since version 1.10.11_1538

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.10.11-219	v1.10.12-252	Updated to support the Kubernetes 1.10.12 release.
Kubernetes	v1.10.11	v1.10.12	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.12).
Kubernetes add-on resizer	1.8.1	1.8.4	See the [Kubernetes add-on resizer release notes ](https://github.com/kubernetes/autoscaler/releases/tag/addon-resizer-1.8.4).
Kubernetes dashboard	v1.8.3	v1.10.1	See the [Kubernetes dashboard release notes ](https://github.com/kubernetes/dashboard/releases/tag/v1.10.1). Update resolves [CVE-2018-18264 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18264). If you access the dashboard via `kubectl proxy`, the **SKIP** button on the login page is removed. Instead, [use a **Token** to log in](/docs/containers?topic=containers-app#cli_dashboard).
GPU installer	390.12	410.79	Updated the installed GPU drivers to 410.79.

Changelog for worker node fix pack 1.10.11_1538, released 7 January 2019

{: #11011_1538}

The following table shows the changes that are included in the worker node fix pack 1.10.11_1538. {: shortdesc}

Changes since version 1.10.11_1537

Component	Previous	Current	Description
Kernel	4.4.0-139	4.4.0-141	Updated worker node images with kernel update for [CVE-2017-5753, CVE-2018-18690 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-141.167/changelog).

Changelog for worker node fix pack 1.10.11_1537, released 17 December 2018

{: #11011_1537}

The following table shows the changes that are included in the worker node fix pack 1.10.11_1537. {: shortdesc}

Changes since version 1.10.11_1536

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for 1.10.11_1536, released 4 December 2018

{: #11011_1536}

The following table shows the changes that are included in patch 1.10.11_1536. {: shortdesc}

Changes since version 1.10.8_1532

Component	Previous	Current	Description
Calico	v3.2.1	v3.3.1	See the [Calico release notes ](https://docs.projectcalico.org/v3.3/releases/#v331). Update resolves [Tigera Technical Advisory TTA-2018-001 ](https://www.projectcalico.org/security-bulletins/).
{{site.data.keyword.cloud_notm}} Provider	v1.10.8-197	v1.10.11-219	Updated to support the Kubernetes 1.10.11 release.
Kubernetes	v1.10.8	v1.10.11	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.11). Update resolves [CVE-2018-1002105 ](kubernetes/kubernetes#71411).
OpenVPN client and server	2.4.4-r1-6	2.4.6-r3-IKS-8	Updated image for [CVE-2018-0732 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732) and [CVE-2018-0737 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737).
Worker node resource utilization	N/A	N/A	Added dedicated cgroups for the kubelet and docker to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for worker node fix pack 1.10.8_1532, released 27 November 2018

{: #1108_1532}

The following table shows the changes that are included in the worker node fix pack 1.10.8_1532. {: shortdesc}

Changes since version 1.10.8_1531

Component	Previous	Current	Description
Docker	17.06.2	18.06.1	See the [Docker release notes ](https://docs.docker.com/engine/release-notes/#18061-ce).

Changelog for worker node fix pack 1.10.8_1531, released 19 November 2018

{: #1108_1531}

The following table shows the changes that are included in the worker node fix pack 1.10.8_1531. {: shortdesc}

Changes since version 1.10.8_1530

Component	Previous	Current	Description
Kernel	4.4.0-137	4.4.0-139	Updated worker node images with kernel update for [CVE-2018-7755 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-139.165/changelog).

Changelog for 1.10.8_1530, released 7 November 2018

{: #1108_1530_ha-master}

The following table shows the changes that are included in patch 1.10.8_1530. {: shortdesc}

Changes since version 1.10.8_1528

Component	Previous	Current	Description
Cluster master	N/A	N/A	Updated the cluster master configuration to increase high availability (HA). Clusters now have three Kubernetes master replicas that are set up with a highly available (HA) configuration, with each master deployed on separate physical hosts. Further, if your cluster is in a multizone-capable zone, the masters are spread across zones.
Cluster master HA proxy	N/A	1.8.12-alpine	Added an `ibm-master-proxy-*` pod for client-side load balancing on all worker nodes, so that each worker node client can route requests to an available HA master replica.
etcd	v3.2.18	v3.3.1	See the [etcd release notes](https://github.com/etcd-io/etcd/releases/v3.3.1).
Encrypting data in etcd	N/A	N/A	Previously, etcd data was stored on a master’s NFS file storage instance that is encrypted at rest. Now, etcd data is stored on the master’s local disk and backed up to {{site.data.keyword.cos_full_notm}}. Data is encrypted during transit to {{site.data.keyword.cos_full_notm}} and at rest. However, the etcd data on the master’s local disk is not encrypted. If you want your master’s local etcd data to be encrypted, [enable {{site.data.keyword.keymanagementservicelong_notm}} in your cluster](/docs/containers?topic=containers-encryption#keyprotect).
{{site.data.keyword.cloud_notm}} Provider	v1.10.8-172	v1.10.8-197	Added the `service.kubernetes.io/ibm-load-balancer-cloud-provider-vlan` annotation to specify the VLAN that the load balancer service deploys to. To see available VLANs in your cluster, run `ibmcloud ks vlan ls --zone `.
TPM-enabled kernel	N/A	N/A	Bare metal worker nodes with TPM chips for Trusted Compute use the default Ubuntu kernel until trust is enabled. If you [enable trust](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_feature_enable) on an existing cluster, you need to [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) any existing bare metal worker nodes with TPM chips. To check if a bare metal worker node has a TPM chip, review the **Trustable** field after running the `ibmcloud ks flavors --zone` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_machine_types).

Changelog for worker node fix pack 1.10.8_1528, released 26 October 2018

{: #1108_1528}

The following table shows the changes that are included in the worker node fix pack 1.10.8_1528. {: shortdesc}

Changes since version 1.10.8_1527

Component	Previous	Current	Description
OS interrupt handling	N/A	N/A	Replaced the interrupt request (IRQ) system daemon with a more performant interrupt handler.

Changelog for master fix pack 1.10.8_1527, released 15 October 2018

{: #1108_1527}

The following table shows the changes that are included in the master fix pack 1.10.8_1527. {: shortdesc}

Changes since version 1.10.8_1524

Component	Previous	Current	Description
Calico configuration	N/A	N/A	Fixed `calico-node` container readiness probe to better handle node failures.
Cluster update	N/A	N/A	Fixed problem with updating cluster add-ons when the master is updated from an unsupported version.

Changelog for worker node fix pack 1.10.8_1525, released 10 October 2018

{: #1108_1525}

The following table shows the changes that are included in the worker node fix pack 1.10.8_1525. {: shortdesc}

Changes since version 1.10.8_1524

Component	Previous	Current	Description
Kernel	4.4.0-133	4.4.0-137	Updated worker node images with kernel update for [CVE-2018-14633, CVE-2018-17182 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-137.163/changelog).
Inactive session timeout	N/A	N/A	Set the inactive session timeout to 5 minutes for compliance reasons.

Changelog for 1.10.8_1524, released 2 October 2018

{: #1108_1524}

The following table shows the changes that are included in patch 1.10.8_1524. {: shortdesc}

Changes since version 1.10.7_1520

Component	Previous	Current	Description
Key Management Service Provider	N/A	N/A	Added the ability to use the Kubernetes [key management service (KMS) provider](/docs/containers?topic=containers-encryption#keyprotect) in the cluster, to support {{site.data.keyword.keymanagementservicefull}}. When you [enable {{site.data.keyword.keymanagementserviceshort}} in your cluster](/docs/containers?topic=containers-encryption#keyprotect), all your Kubernetes secrets are encrypted.
Kubernetes	v1.10.7	v1.10.8	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.8).
Kubernetes DNS autoscaler	1.1.2-r2	1.2.0	See the [Kubernetes DNS autoscaler release notes](https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/releases/tag/1.2.0).
{{site.data.keyword.cloud_notm}} Provider	v1.10.7-146	v1.10.8-172	Updated to support Kubernetes 1.10.8 release. Also, updated the documentation link in load balancer error messages.
IBM file storage classes	N/A	N/A	Removed `mountOptions` in the IBM file storage classes to use the default that is provided by the worker node. Removed duplicate `reclaimPolicy` parameter in the IBM file storage classes. Also, now when you update the cluster master, the default IBM file storage class remains unchanged. If you want to change the default storage class, run `kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'` and replace `` with the name of the storage class.

Changelog for worker node fix pack 1.10.7_1521, released 20 September 2018

{: #1107_1521}

The following table shows the changes that are included in the worker node fix pack 1.10.7_1521. {: shortdesc}

Changes since version 1.10.7_1520

Component	Previous	Current	Description
Log rotate	N/A	N/A	Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker reload` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) or the `ibmcloud ks worker update` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update).
Worker node runtime components (`kubelet`, `kube-proxy`, `docker`)	N/A	N/A	Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up.
Root password expiration	N/A	N/A	Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update) or [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) your worker nodes at least every 90 days.
systemd	N/A	N/A	Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ](kubernetes/kubernetes#57345).
Docker	N/A	N/A	Disabled the default Docker bridge so that the `172.17.0.0/16` IP range is now used for private routes. If you rely on building Docker containers in worker nodes by executing `docker` commands on the host directly or by using a pod that mounts the Docker socket, choose from the following options. To ensure external network connectivity when you build the container, run `docker build . --network host`. To explicitly create a network to use when you build the container, run `docker network create` and then use this network. **Note**: Have dependencies on the Docker socket or Docker directly? Update to `containerd` instead of `docker` as the container runtime so that your clusters are prepared to run Kubernetes version 1.11 or later.

Changelog for 1.10.7_1520, released 4 September 2018

{: #1107_1520}

The following table shows the changes that are included in patch 1.10.7_1520. {: shortdesc}

Changes since version 1.10.5_1519

Component	Previous	Current	Description
Calico	v3.1.3	v3.2.1	See the Calico [release notes ](https://docs.projectcalico.org/v3.2/releases/#v321).
{{site.data.keyword.cloud_notm}} Provider	v1.10.5-118	v1.10.7-146	Updated to support Kubernetes 1.10.7 release. In addition, changed the cloud provider configuration to better handle updates for load balancer services with `externalTrafficPolicy` set to `local`.
{{site.data.keyword.cloud_notm}} File Storage plug-in	334	338	Updated incubator version to 1.8. File storage is provisioned to the specific zone that you select. You cannot update an existing (static) PV instance's labels, unless you are using a multizone cluster and need to add the region and zone labels. Removed the default NFS version from the mount options in the IBM-provided file storage classes. The host's operating system now negotiates the NFS version with the IBM Cloud infrastructure NFS server. To manually set a specific NFS version, or to change the NFS version of your PV that was negotiated by the host's operating system, see [Changing the default NFS version](/docs/containers?topic=containers-file_storage#nfs_version_class).
Kubernetes	v1.10.5	v1.10.7	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.7).
Kubernetes Heapster configuration	N/A	N/A	Increased resource limits for the `heapster-nanny` container.

Changelog for worker node fix pack 1.10.5_1519, released 23 August 2018

{: #1105_1519}

The following table shows the changes that are included in the worker node fix pack 1.10.5_1519. {: shortdesc}

Changes since version 1.10.5_1518

Component	Previous	Current	Description
`systemd`	229	230	Updated `systemd` to fix `cgroup` leak.
Kernel	4.4.0-127	4.4.0-133	Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ](https://usn.ubuntu.com/3741-1/).

Changelog for worker node fix pack 1.10.5_1518, released 13 August 2018

{: #1105_1518}

The following table shows the changes that are included in the worker node fix pack 1.10.5_1518. {: shortdesc}

Changes since version 1.10.5_1517

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for 1.10.5_1517, released 27 July 2018

{: #1105_1517}

The following table shows the changes that are included in patch 1.10.5_1517. {: shortdesc}

Changes since version 1.10.3_1514

Component	Previous	Current	Description
Calico	v3.1.1	v3.1.3	See the Calico [release notes ](https://docs.projectcalico.org/v3.1/releases/#v313).
{{site.data.keyword.cloud_notm}} Provider	v1.10.3-85	v1.10.5-118	Updated to support Kubernetes 1.10.5 release. In addition, LoadBalancer service `create failure` events now include any portable subnet errors.
{{site.data.keyword.cloud_notm}} File Storage plug-in	320	334	Increased the timeout for persistent volume creation from 15 to 30 minutes. Changed the default billing type to `hourly`. Added mount options to the pre-defined storage classes. In the NFS file storage instance in your IBM Cloud infrastructure account, changed the **Notes** field to JSON format and added the Kubernetes namespace that the PV is deployed to. To support multizone clusters, added zone and region labels to persistent volumes.
Kubernetes	v1.10.3	v1.10.5	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.5).
Kernel	N/A	N/A	Minor improvements to worker node network settings for high performance networking workloads.
OpenVPN client	N/A	N/A	The OpenVPN client `vpn` deployment that runs in the `kube-system` namespace is now managed by the Kubernetes `addon-manager`.

Changelog for worker node fix pack 1.10.3_1514, released 3 July 2018

{: #1103_1514}

The following table shows the changes that are included in the worker node fix pack 1.10.3_1514. {: shortdesc}

Changes since version 1.10.3_1513

Component	Previous	Current	Description
Kernel	N/A	N/A	Optimized `sysctl` for high performance networking workloads.

Changelog for worker node fix pack 1.10.3_1513, released 21 June 2018

{: #1103_1513}

The following table shows the changes that are included in the worker node fix pack 1.10.3_1513. {: shortdesc}

Changes since version 1.10.3_1512

Component	Previous	Current	Description
Docker	N/A	N/A	For non-encrypted flavors, the secondary disk is cleaned by getting a fresh file system when you reload or update the worker node.

Changelog for 1.10.3_1512, released 12 June 2018

{: #1103_1512}

The following table shows the changes that are included in patch 1.10.3_1512. {: shortdesc}

Changes since version 1.10.1_1510

Component	Previous	Current	Description
Kubernetes	v1.10.1	v1.10.3	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.3).
Kubernetes Configuration	N/A	N/A	Added `PodSecurityPolicy` to the `--enable-admission-plugins` option for the cluster's Kubernetes API server and configured the cluster to support pod security policies. For more information, see [Configuring pod security policies](/docs/containers?topic=containers-psp).
Kubelet Configuration	N/A	N/A	Enabled the `--authentication-token-webhook` option to support API bearer and service account tokens for authenticating to the `kubelet` HTTPS endpoint.
{{site.data.keyword.cloud_notm}} Provider	v1.10.1-52	v1.10.3-85	Updated to support Kubernetes 1.10.3 release.
OpenVPN client	N/A	N/A	Added `livenessProbe` to the OpenVPN client `vpn` deployment that runs in the `kube-system` namespace.
Kernel update	4.4.0-116	4.4.0-127	New worker node images with kernel update for [CVE-2018-3639 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639).

Changelog for worker node fix pack 1.10.1_1510, released 18 May 2018

{: #1101_1510}

The following table shows the changes that are included in the worker node fix pack 1.10.1_1510. {: shortdesc}

Changes since version 1.10.1_1509

Component	Previous	Current	Description
Kubelet	N/A	N/A	Fix to address a bug that occurred if you used the block storage plug-in.

Changelog for worker node fix pack 1.10.1_1509, released 16 May 2018

{: #1101_1509}

The following table shows the changes that are included in the worker node fix pack 1.10.1_1509. {: shortdesc}

Changes since version 1.10.1_1508

Component	Previous	Current	Description
Kubelet	N/A	N/A	The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine.

Changelog for 1.10.1_1508, released 01 May 2018

{: #1101_1508}

The following table shows the changes that are included in patch 1.10.1_1508. {: shortdesc}

Changes since version 1.9.7_1510

Component	Previous	Current	Description
Calico	v2.6.5	v3.1.1	See the Calico [release notes ](https://docs.projectcalico.org/v3.1/releases/#v311).
Kubernetes Heapster	v1.5.0	v1.5.2	See the Kubernetes Heapster [release notes ](https://github.com/kubernetes-retired/heapster/releases/tag/v1.5.2).
Kubernetes	v1.9.7	v1.10.1	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.10.1).
Kubernetes Configuration	N/A	N/A	Added StorageObjectInUseProtection to the --enable-admission-plugins option for the cluster's Kubernetes API server.
Kubernetes DNS	1.14.8	1.14.10	See the Kubernetes DNS [release notes ](https://github.com/kubernetes/dns/releases/tag/1.14.10).
{{site.data.keyword.cloud_notm}} Provider	v1.9.7-102	v1.10.1-52	Updated to support Kubernetes 1.10 release.
GPU support	N/A	N/A	Support for [graphics processing unit (GPU) container workloads](/docs/containers?topic=containers-app#gpu_app) is now available for scheduling and execution. For a list of available GPU flavors, see [Hardware for worker nodes](/docs/containers?topic=containers-planning_worker_nodes#planning_worker_nodes). For more information, see the Kubernetes documentation to [Schedule GPUs ](https://kubernetes.io/docs/tasks/manage-gpus/scheduling-gpus/).

Version 1.9 changelog (unsupported as of 27 December 2018)

{: #19_changelog}

Review the version 1.9 changelogs. {: shortdesc}

• Changelog for worker node fix pack 1.9.11_1539, released 17 December 2018
• Changelog for worker node fix pack 1.9.11_1538, released 4 December 2018
• Changelog for worker node fix pack 1.9.11_1537, released 27 November 2018
• Changelog for 1.9.11_1536, released 19 November 2018
• Changelog for worker node fix 1.9.10_1532, released 7 November 2018
• Changelog for worker node fix pack 1.9.10_1531, released 26 October 2018
• Changelog for master fix pack 1.9.10_1530 released 15 October 2018
• Changelog for worker node fix pack 1.9.10_1528, released 10 October 2018
• Changelog for 1.9.10_1527, released 2 October 2018
• Changelog for worker node fix pack 1.9.10_1524, released 20 September 2018
• Changelog for 1.9.10_1523, released 4 September 2018
• Changelog for worker node fix pack 1.9.9_1522, released 23 August 2018
• Changelog for worker node fix pack 1.9.9_1521, released 13 August 2018
• Changelog for 1.9.9_1520, released 27 July 2018
• Changelog for worker node fix pack 1.9.8_1517, released 3 July 2018
• Changelog for worker node fix pack 1.9.8_1516, released 21 June 2018
• Changelog for 1.9.8_1515, released 19 June 2018
• Changelog for worker node fix pack 1.9.7_1513, released 11 June 2018
• Changelog for worker node fix pack 1.9.7_1512, released 18 May 2018
• Changelog for worker node fix pack 1.9.7_1511, released 16 May 2018
• Changelog for 1.9.7_1510, released 30 April 2018

Changelog for worker node fix pack 1.9.11_1539, released 17 December 2018

{: #1911_1539}

The following table shows the changes that are included in the worker node fix pack 1.9.11_1539. {: shortdesc}

Changes since version 1.9.11_1538

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for worker node fix pack 1.9.11_1538, released 4 December 2018

{: #1911_1538}

The following table shows the changes that are included in the worker node fix pack 1.9.11_1538. {: shortdesc}

Changes since version 1.9.11_1537

Component	Previous	Current	Description
Worker node resource utilization	N/A	N/A	Added dedicated cgroups for the kubelet and docker to prevent these components from running out of resources. For more information, see [Worker node resource reserves](/docs/containers?topic=containers-planning_worker_nodes#resource_limit_node).

Changelog for worker node fix pack 1.9.11_1537, released 27 November 2018

{: #1911_1537}

The following table shows the changes that are included in the worker node fix pack 1.9.11_1537. {: shortdesc}

Changes since version 1.9.11_1536

Component	Previous	Current	Description
Docker	17.06.2	18.06.1	See the [Docker release notes ](https://docs.docker.com/engine/release-notes/#18061-ce).

Changelog for 1.9.11_1536, released 19 November 2018

{: #1911_1536}

The following table shows the changes that are included in patch 1.9.11_1536. {: shortdesc}

Changes since version 1.9.10_1532

Component	Previous	Current	Description
Calico	v2.6.5	v2.6.12	See the [Calico release notes ](https://docs.projectcalico.org/v2.6/releases/#v2612). Update resolves [Tigera Technical Advisory TTA-2018-001 ](https://www.projectcalico.org/security-bulletins/).
Kernel	4.4.0-137	4.4.0-139	Updated worker node images with kernel update for [CVE-2018-7755 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-139.165/changelog).
Kubernetes	v1.9.10	v1.9.11	See the [Kubernetes release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.11).
{{site.data.keyword.cloud_notm}}	v1.9.10-219	v1.9.11-249	Updated to support the Kubernetes 1.9.11 release.
OpenVPN client and server	2.4.4-r2	2.4.6-r3-IKS-8	Updated image for [CVE-2018-0732 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0732) and [CVE-2018-0737 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0737).

Changelog for worker node fix 1.9.10_1532, released 7 November 2018

{: #1910_1532}

The following table shows the changes that are included in the worker node fix pack 1.9.11_1532. {: shortdesc}

Changes since version 1.9.10_1531

Component	Previous	Current	Description
TPM-enabled kernel	N/A	N/A	Bare metal worker nodes with TPM chips for Trusted Compute use the default Ubuntu kernel until trust is enabled. If you [enable trust](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_cluster_feature_enable) on an existing cluster, you need to [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) any existing bare metal worker nodes with TPM chips. To check if a bare metal worker node has a TPM chip, review the **Trustable** field after running the `ibmcloud ks flavors --zone` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_machine_types).

Changelog for worker node fix pack 1.9.10_1531, released 26 October 2018

{: #1910_1531}

The following table shows the changes that are included in the worker node fix pack 1.9.10_1531. {: shortdesc}

Changes since version 1.9.10_1530

Component	Previous	Current	Description
OS interrupt handling	N/A	N/A	Replaced the interrupt request (IRQ) system daemon with a more performant interrupt handler.

Changelog for master fix pack 1.9.10_1530 released 15 October 2018

{: #1910_1530}

The following table shows the changes that are included in the worker node fix pack 1.9.10_1530. {: shortdesc}

Changes since version 1.9.10_1527

Component	Previous	Current	Description
Cluster update	N/A	N/A	Fixed problem with updating cluster add-ons when the master is updated from an unsupported version.

Changelog for worker node fix pack 1.9.10_1528, released 10 October 2018

{: #1910_1528}

The following table shows the changes that are included in the worker node fix pack 1.9.10_1528. {: shortdesc}

Changes since version 1.9.10_1527

Component	Previous	Current	Description
Kernel	4.4.0-133	4.4.0-137	Updated worker node images with kernel update for [CVE-2018-14633, CVE-2018-17182 ](https://changelogs.ubuntu.com/changelogs/pool/main/l/linux/linux_4.4.0-137.163/changelog).
Inactive session timeout	N/A	N/A	Set the inactive session timeout to 5 minutes for compliance reasons.

Changelog for 1.9.10_1527, released 2 October 2018

{: #1910_1527}

The following table shows the changes that are included in patch 1.9.10_1527. {: shortdesc}

Changes since version 1.9.10_1523

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.9.10-192	v1.9.10-219	Updated the documentation link in load balancer error messages.
IBM file storage classes	N/A	N/A	Removed `mountOptions` in the IBM file storage classes to use the default that is provided by the worker node. Removed duplicate `reclaimPolicy` parameter in the IBM file storage classes. Also, now when you update the cluster master, the default IBM file storage class remains unchanged. If you want to change the default storage class, run `kubectl patch storageclass -p '{"metadata": {"annotations":{"storageclass.kubernetes.io/is-default-class":"true"}}}'` and replace `` with the name of the storage class.

Changelog for worker node fix pack 1.9.10_1524, released 20 September 2018

{: #1910_1524}

The following table shows the changes that are included in the worker node fix pack 1.9.10_1524. {: shortdesc}

Changes since version 1.9.10_1523

Component	Previous	Current	Description
Log rotate	N/A	N/A	Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker reload` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) or the `ibmcloud ks worker update` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update).
Worker node runtime components (`kubelet`, `kube-proxy`, `docker`)	N/A	N/A	Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up.
Root password expiration	N/A	N/A	Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update) or [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) your worker nodes at least every 90 days.
systemd	N/A	N/A	Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ](kubernetes/kubernetes#57345).
Docker	N/A	N/A	Disabled the default Docker bridge so that the `172.17.0.0/16` IP range is now used for private routes. If you rely on building Docker containers in worker nodes by executing `docker` commands on the host directly or by using a pod that mounts the Docker socket, choose from the following options. To ensure external network connectivity when you build the container, run `docker build . --network host`. To explicitly create a network to use when you build the container, run `docker network create` and then use this network. **Note**: Have dependencies on the Docker socket or Docker directly? Update to `containerd` instead of `docker` as the container runtime so that your clusters are prepared to run Kubernetes version 1.11 or later.

Changelog for 1.9.10_1523, released 4 September 2018

{: #1910_1523}

The following table shows the changes that are included in patch 1.9.10_1523. {: shortdesc}

Changes since version 1.9.9_1522

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.9.9-167	v1.9.10-192	Updated to support Kubernetes 1.9.10 release. In addition, changed the cloud provider configuration to better handle updates for load balancer services with `externalTrafficPolicy` set to `local`.
{{site.data.keyword.cloud_notm}} File Storage plug-in	334	338	Updated incubator version to 1.8. File storage is provisioned to the specific zone that you select. You cannot update an existing (static) PV instance's labels, unless you are using a multizone cluster and need to add the region and zone labels. Removed the default NFS version from the mount options in the IBM-provided file storage classes. The host's operating system now negotiates the NFS version with the IBM Cloud infrastructure NFS server. To manually set a specific NFS version, or to change the NFS version of your PV that was negotiated by the host's operating system, see [Changing the default NFS version](/docs/containers?topic=containers-file_storage#nfs_version_class).
Kubernetes	v1.9.9	v1.9.10	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.10).
Kubernetes Heapster configuration	N/A	N/A	Increased resource limits for the `heapster-nanny` container.

Changelog for worker node fix pack 1.9.9_1522, released 23 August 2018

{: #199_1522}

The following table shows the changes that are included in the worker node fix pack 1.9.9_1522. {: shortdesc}

Changes since version 1.9.9_1521

Component	Previous	Current	Description
`systemd`	229	230	Updated `systemd` to fix `cgroup` leak.
Kernel	4.4.0-127	4.4.0-133	Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ](https://usn.ubuntu.com/3741-1/).

Changelog for worker node fix pack 1.9.9_1521, released 13 August 2018

{: #199_1521}

The following table shows the changes that are included in the worker node fix pack 1.9.9_1521. {: shortdesc}

Changes since version 1.9.9_1520

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for 1.9.9_1520, released 27 July 2018

{: #199_1520}

The following table shows the changes that are included in patch 1.9.9_1520. {: shortdesc}

Changes since version 1.9.8_1517

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.9.8-141	v1.9.9-167	Updated to support Kubernetes 1.9.9 release. In addition, LoadBalancer service `create failure` events now include any portable subnet errors.
{{site.data.keyword.cloud_notm}} File Storage plug-in	320	334	Increased the timeout for persistent volume creation from 15 to 30 minutes. Changed the default billing type to `hourly`. Added mount options to the pre-defined storage classes. In the NFS file storage instance in your IBM Cloud infrastructure account, changed the **Notes** field to JSON format and added the Kubernetes namespace that the PV is deployed to. To support multizone clusters, added zone and region labels to persistent volumes.
Kubernetes	v1.9.8	v1.9.9	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.9).
Kernel	N/A	N/A	Minor improvements to worker node network settings for high performance networking workloads.
OpenVPN client	N/A	N/A	The OpenVPN client `vpn` deployment that runs in the `kube-system` namespace is now managed by the Kubernetes `addon-manager`.

Changelog for worker node fix pack 1.9.8_1517, released 3 July 2018

{: #198_1517}

The following table shows the changes that are included in the worker node fix pack 1.9.8_1517. {: shortdesc}

Changes since version 1.9.8_1516

Component	Previous	Current	Description
Kernel	N/A	N/A	Optimized `sysctl` for high performance networking workloads.

Changelog for worker node fix pack 1.9.8_1516, released 21 June 2018

{: #198_1516}

The following table shows the changes that are included in the worker node fix pack 1.9.8_1516. {: shortdesc}

Changes since version 1.9.8_1515

Component	Previous	Current	Description
Docker	N/A	N/A	For non-encrypted flavors, the secondary disk is cleaned by getting a fresh file system when you reload or update the worker node.

Changelog for 1.9.8_1515, released 19 June 2018

{: #198_1515}

The following table shows the changes that are included in patch 1.9.8_1515. {: shortdesc}

Changes since version 1.9.7_1513

Component	Previous	Current	Description
Kubernetes	v1.9.7	v1.9.8	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.8).
Kubernetes Configuration	N/A	N/A	Added `PodSecurityPolicy` to the `--admission-control` option for the cluster's Kubernetes API server and configured the cluster to support pod security policies. For more information, see [Configuring pod security policies](/docs/containers?topic=containers-psp).
IBM Cloud Provider	v1.9.7-102	v1.9.8-141	Updated to support Kubernetes 1.9.8 release.
OpenVPN client	N/A	N/A	Added livenessProbe to the OpenVPN client vpn deployment that runs in the kube-system namespace.

Changelog for worker node fix pack 1.9.7_1513, released 11 June 2018

{: #197_1513}

The following table shows the changes that are included in the worker node fix pack 1.9.7_1513. {: shortdesc}

Changes since version 1.9.7_1512

Component	Previous	Current	Description
Kernel update	4.4.0-116	4.4.0-127	New worker node images with kernel update for [CVE-2018-3639 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639).

Changelog for worker node fix pack 1.9.7_1512, released 18 May 2018

{: #197_1512}

The following table shows the changes that are included in the worker node fix pack 1.9.7_1512. {: shortdesc}

Changes since version 1.9.7_1511

Component	Previous	Current	Description
Kubelet	N/A	N/A	Fix to address a bug that occurred if you used the block storage plug-in.

Changelog for worker node fix pack 1.9.7_1511, released 16 May 2018

{: #197_1511}

The following table shows the changes that are included in the worker node fix pack 1.9.7_1511. {: shortdesc}

Changes since version 1.9.7_1510

Component	Previous	Current	Description
Kubelet	N/A	N/A	The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine.

Changelog for 1.9.7_1510, released 30 April 2018

{: #197_1510}

The following table shows the changes that are included in patch 1.9.7_1510. {: shortdesc}

Changes since version 1.9.3_1506

Component	Previous	Current	Description
Kubernetes	v1.9.3	v1.9.7	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.9.7). This release addresses [CVE-2017-1002101 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002101) and [CVE-2017-1002102 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102) vulnerabilities. Note: Now `secret`, `configMap`, `downwardAPI`, and projected volumes are mounted as read-only. Previously, apps could write data to these volumes, but the system could automatically revert the data. If your apps rely on the previous insecure behavior, modify them accordingly.
Kubernetes configuration	N/A	N/A	Added `admissionregistration.k8s.io/v1alpha1=true` to the `--runtime-config` option for the cluster's Kubernetes API server.
{{site.data.keyword.cloud_notm}} Provider	v1.9.3-71	v1.9.7-102	`NodePort` and `LoadBalancer` services now support [preserving the client source IP](/docs/containers?topic=containers-loadbalancer#node_affinity_tolerations) by setting `service.spec.externalTrafficPolicy` to `Local`.
			Fix [edge node](/docs/containers?topic=containers-edge#edge) toleration setup for older clusters.

Version 1.8 changelog (Unsupported)

{: #18_changelog}

Review the version 1.8 changelogs. {: shortdesc}

• Changelog for worker node fix pack 1.8.15_1521, released 20 September 2018
• Changelog for worker node fix pack 1.8.15_1520, released 23 August 2018
• Changelog for worker node fix pack 1.8.15_1519, released 13 August 2018
• Changelog for 1.8.15_1518, released 27 July 2018
• Changelog for worker node fix pack 1.8.13_1516, released 3 July 2018
• Changelog for worker node fix pack 1.8.13_1515, released 21 June 2018
• Changelog 1.8.13_1514, released 19 June 2018
• Changelog for worker node fix pack 1.8.11_1512, released 11 June 2018
• Changelog for worker node fix pack 1.8.11_1511, released 18 May 2018
• Changelog for worker node fix pack 1.8.11_1510, released 16 May 2018
• Changelog for 1.8.11_1509, released 19 April 2018

Changelog for worker node fix pack 1.8.15_1521, released 20 September 2018

{: #1815_1521}

Changes since version 1.8.15_1520

Component	Previous	Current	Description
Log rotate	N/A	N/A	Switched to use `systemd` timers instead of `cronjobs` to prevent `logrotate` from failing on worker nodes that are not reloaded or updated within 90 days. **Note**: In all earlier versions for this minor release, the primary disk fills up after the cron job fails because the logs are not rotated. The cron job fails after the worker node is active for 90 days without being updated or reloaded. If the logs fill up the entire primary disk, the worker node enters a failed state. The worker node can be fixed by using the `ibmcloud ks worker reload` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) or the `ibmcloud ks worker update` [command](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update).
Worker node runtime components (`kubelet`, `kube-proxy`, `docker`)	N/A	N/A	Removed dependencies of runtime components on the primary disk. This enhancement prevents worker nodes from failing when the primary disk is filled up.
Root password expiration	N/A	N/A	Root passwords for the worker nodes expire after 90 days for compliance reasons. If your automation tooling needs to log in to the worker node as root or relies on cron jobs that run as root, you can disable the password expiration by logging into the worker node and running `chage -M -1 root`. **Note**: If you have security compliance requirements that prevent running as root or removing password expiration, do not disable the expiration. Instead, you can [update](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_update) or [reload](/docs/containers?topic=containers-cli-plugin-kubernetes-service-cli#cs_worker_reload) your worker nodes at least every 90 days.
systemd	N/A	N/A	Periodically clean transient mount units to prevent them from becoming unbounded. This action addresses [Kubernetes issue 57345 ](kubernetes/kubernetes#57345).

Changelog for worker node fix pack 1.8.15_1520, released 23 August 2018

{: #1815_1520}

Changes since version 1.8.15_1519

Component	Previous	Current	Description
`systemd`	229	230	Updated `systemd` to fix `cgroup` leak.
Kernel	4.4.0-127	4.4.0-133	Updated worker node images with kernel update for [CVE-2018-3620,CVE-2018-3646 ](https://usn.ubuntu.com/3741-1/).

Changelog for worker node fix pack 1.8.15_1519, released 13 August 2018

{: #1815_1519}

Changes since version 1.8.15_1518

Component	Previous	Current	Description
Ubuntu packages	N/A	N/A	Updates to installed Ubuntu packages.

Changelog for 1.8.15_1518, released 27 July 2018

{: #1815_1518}

Changes since version 1.8.13_1516

Component	Previous	Current	Description
{{site.data.keyword.cloud_notm}} Provider	v1.8.13-176	v1.8.15-204	Updated to support Kubernetes 1.8.15 release. In addition, LoadBalancer service `create failure` events now include any portable subnet errors.
{{site.data.keyword.cloud_notm}} File Storage plug-in	320	334	Increased the timeout for persistent volume creation from 15 to 30 minutes. Changed the default billing type to `hourly`. Added mount options to the pre-defined storage classes. In the NFS file storage instance in your IBM Cloud infrastructure account, changed the **Notes** field to JSON format and added the Kubernetes namespace that the PV is deployed to. To support multizone clusters, added zone and region labels to persistent volumes.
Kubernetes	v1.8.13	v1.8.15	See the Kubernetes [release notes ](https://github.com/kubernetes/kubernetes/releases/tag/v1.8.15).
Kernel	N/A	N/A	Minor improvements to worker node network settings for high performance networking workloads.
OpenVPN client	N/A	N/A	The OpenVPN client `vpn` deployment that runs in the `kube-system` namespace is now managed by the Kubernetes `addon-manager`.

Changelog for worker node fix pack 1.8.13_1516, released 3 July 2018

{: #1813_1516}

Changes since version 1.8.13_1515

Component	Previous	Current	Description
Kernel	N/A	N/A	Optimized `sysctl` for high performance networking workloads.

Changelog for worker node fix pack 1.8.13_1515, released 21 June 2018

{: #1813_1515}

Changes since version 1.8.13_1514

Component	Previous	Current	Description
Docker	N/A	N/A	For non-encrypted flavors, the secondary disk is cleaned by getting a fresh file system when you reload or update the worker node.

Changelog 1.8.13_1514, released 19 June 2018

{: #1813_1514}

Changes since version 1.8.11_1512

Component	Previous	Current	Description
Kubernetes	v1.8.11	v1.8.13	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.8.13).
Kubernetes Configuration	N/A	N/A	Added `PodSecurityPolicy` to the `--admission-control` option for the cluster's Kubernetes API server and configured the cluster to support pod security policies. For more information, see [Configuring pod security policies](/docs/containers?topic=containers-psp).
IBM Cloud Provider	v1.8.11-126	v1.8.13-176	Updated to support Kubernetes 1.8.13 release.
OpenVPN client	N/A	N/A	Added livenessProbe to the OpenVPN client vpn deployment that runs in the kube-system namespace.

Changelog for worker node fix pack 1.8.11_1512, released 11 June 2018

{: #1811_1512}

Changes since version 1.8.11_1511

Component	Previous	Current	Description
Kernel update	4.4.0-116	4.4.0-127	New worker node images with kernel update for [CVE-2018-3639 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639).

Changelog for worker node fix pack 1.8.11_1511, released 18 May 2018

{: #1811_1511}

Changes since version 1.8.11_1510

Component	Previous	Current	Description
Kubelet	N/A	N/A	Fix to address a bug that occurred if you used the block storage plug-in.

Changelog for worker node fix pack 1.8.11_1510, released 16 May 2018

{: #1811_1510}

Changes since version 1.8.11_1509

Component	Previous	Current	Description
Kubelet	N/A	N/A	The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine.

Changelog for 1.8.11_1509, released 19 April 2018

{: #1811_1509}

Changes since version 1.8.8_1507

Component	Previous	Current	Description
Kubernetes	v1.8.8	v1.8.11	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.8.11). This release addresses [CVE-2017-1002101 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002101) and [CVE-2017-1002102 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102) vulnerabilities. Now `secret`, `configMap`, `downwardAPI`, and projected volumes are mounted as read-only. Previously, apps could write data to these volumes, but the system could automatically revert the data. If your apps rely on the previous insecure behavior, modify them accordingly.
Pause container image	3.0	3.1	Removes inherited orphaned zombie processes.
{{site.data.keyword.cloud_notm}} Provider	v1.8.8-86	v1.8.11-126	`NodePort` and `LoadBalancer` services now support [preserving the client source IP](/docs/containers?topic=containers-loadbalancer#node_affinity_tolerations) by setting `service.spec.externalTrafficPolicy` to `Local`.
			Fix [edge node](/docs/containers?topic=containers-edge#edge) toleration setup for older clusters.

Version 1.7 changelog (Unsupported)

{: #17_changelog}

Review the version 1.7 changelogs. {: shortdesc}

• Changelog for worker node fix pack 1.7.16_1514, released 11 June 2018
• Changelog for worker node fix pack 1.7.16_1513, released 18 May 2018
• Changelog for worker node fix pack 1.7.16_1512, released 16 May 2018
• Changelog for 1.7.16_1511, released 19 April 2018

Changelog for worker node fix pack 1.7.16_1514, released 11 June 2018

{: #1716_1514}

Changes since version 1.7.16_1513

Component	Previous	Current	Description
Kernel update	4.4.0-116	4.4.0-127	New worker node images with kernel update for [CVE-2018-3639 ](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3639).

Changelog for worker node fix pack 1.7.16_1513, released 18 May 2018

{: #1716_1513}

Changes since version 1.7.16_1512

Component	Previous	Current	Description
Kubelet	N/A	N/A	Fix to address a bug that occurred if you used the block storage plug-in.

Changelog for worker node fix pack 1.7.16_1512, released 16 May 2018

{: #1716_1512}

Changes since version 1.7.16_1511

Component	Previous	Current	Description
Kubelet	N/A	N/A	The data that you store in the `kubelet` root directory is now saved on the larger, secondary disk of your worker node machine.

Changelog for 1.7.16_1511, released 19 April 2018

{: #1716_1511}

Changes since version 1.7.4_1509

Component	Previous	Current	Description
Kubernetes	v1.7.4	v1.7.16	See the [Kubernetes release notes](https://github.com/kubernetes/kubernetes/releases/tag/v1.7.16). This release addresses [CVE-2017-1002101 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002101) and [CVE-2017-1002102 ](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002102) vulnerabilities. Now `secret`, `configMap`, `downwardAPI`, and projected volumes are mounted as read-only. Previously, apps could write data to these volumes, but the system could automatically revert the data. If your apps rely on the previous insecure behavior, modify them accordingly.
{{site.data.keyword.cloud_notm}} Provider	v1.7.4-133	v1.7.16-17	`NodePort` and `LoadBalancer` services now support [preserving the client source IP](/docs/containers?topic=containers-loadbalancer#node_affinity_tolerations) by setting `service.spec.externalTrafficPolicy` to `Local`.
			Fix [edge node](/docs/containers?topic=containers-edge#edge) toleration setup for older clusters.