April 16, 2019
This advisory was first communicated by email, on the date mentioned above, to all Rancher customers with a then active support subscription.
Dear Rancher User,
The wait is over. Rancher v2.2.2, our first 2.2.x release carrying the stable tag, was released today. As you may already be aware, a stable-tagged release is what Rancher Support recommends for your production use cases.
So what are the top five items you need to know about in Rancher v2.2.2?
Fix for Rancher CVE-2019-11202
We have discovered the following security issue: the default admin account that is created when Rancher is first launched is recreated on subsequent restarts of Rancher, even if a Rancher administrator explicitly deleted it. This poses a security risk because the account is recreated with Rancher's default username and password, so an attacker could use these default credentials to gain admin access to a vulnerable Rancher server.
This issue affects the following versions of Rancher: v2.0.0-v2.0.13, v2.1.0-v2.1.8, and v2.2.0-v2.2.1.
The fix for CVE-2019-11202 is available in Rancher v2.2.2. It prevents Rancher from recreating this admin account upon restart. Note: A fix for the v2.1.x and v2.0.x lines will be released in the near future, but until then the flaw can be easily mitigated in all versions of Rancher by disabling (deactivating) the default admin account rather than deleting it: only a deleted account is recreated on restart, and a deactivated account cannot be used to log in.
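The following script is an added check for the condition described above; it is not Rancher's own tooling and is not part of this advisory. It lists local users through the Rancher v3 API, reports whether the built-in admin account is absent (and therefore due to be recreated on an affected version), enabled, or deactivated, and can deactivate it in place. The response shape of GET /v3/users (a "data" list of users with "id", "username" and "enabled"), the use of a PUT with "enabled": false to deactivate, and the default username "admin" are assumptions; confirm them against the API documentation of your Rancher version (UI: API & Keys) before relying on the script.

```python
"""Check a Rancher 2.x server for the CVE-2019-11202 default-admin condition.

Added example, not Rancher's own code. Assumptions to verify for your version:
  * GET /v3/users returns {"data": [{"id": ..., "username": ..., "enabled": ...}]}
  * deactivating a user is a PUT of the user object with "enabled": false
  * the built-in local admin has username "admin"
"""
import json
import os
import sys
import urllib.request

DEFAULT_ADMIN_USERNAME = "admin"  # assumed name of the built-in admin account


def audit_default_admin(users_collection):
    """Classify the built-in admin account from a /v3/users response body.

    Returns:
      "absent"   - no local user named admin; on affected versions it will be
                   recreated with default credentials at the next restart
      "enabled"  - present and active; the default credentials may still work
      "disabled" - present but deactivated, the mitigation this advisory recommends
    """
    for user in users_collection.get("data", []):
        if user.get("username") == DEFAULT_ADMIN_USERNAME:
            # Treat a missing "enabled" flag as active, which is the unsafe case.
            return "enabled" if user.get("enabled", True) else "disabled"
    return "absent"


def disable_payload(user):
    """Return the PUT body that deactivates a user without deleting it."""
    body = dict(user)  # copy so the caller's object is left untouched
    body["enabled"] = False
    return body


def _request(method, url, token, body=None):
    """Minimal JSON request helper; token is a Rancher API key (token-xxxxx:secret)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def fetch_users(base_url, token):
    return _request("GET", f"{base_url.rstrip('/')}/v3/users", token)


def deactivate_user(base_url, token, user):
    url = f"{base_url.rstrip('/')}/v3/users/{user['id']}"
    return _request("PUT", url, token, disable_payload(user))


if __name__ == "__main__":
    # Usage: RANCHER_URL=https://rancher.example.com RANCHER_TOKEN=token-xxxxx:secret \
    #        python audit_admin.py [--disable]
    base_url = os.environ["RANCHER_URL"]
    token = os.environ["RANCHER_TOKEN"]
    users = fetch_users(base_url, token)
    status = audit_default_admin(users)
    print(f"default admin account: {status}")
    if status == "enabled" and "--disable" in sys.argv[1:]:
        admin = next(u for u in users["data"]
                     if u.get("username") == DEFAULT_ADMIN_USERNAME)
        deactivate_user(base_url, token, admin)
        print("deactivated; the account stays listed, so it will not be recreated")
    sys.exit(0 if status == "disabled" else 1)
```

Run it with an admin-scoped API key; a non-zero exit means the account is either active or missing. On an affected version, "absent" is the case to act on: the account will come back with default credentials at the next restart, so recreate it deliberately and deactivate it instead of leaving it deleted.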
Performance improvements to UI and API
Project-related resource API calls, particularly for pods, that previously took a long time to load now complete much faster, making the page usable in a fraction of the time. See issues  and  on GitHub for more details.
Rotating auto-generated certificates for Rancher-provisioned clusters from the Rancher UI
In Rancher 2.0 and 2.1, the auto-generated certificates for Rancher-provisioned clusters expire one year after they are issued. If you created a Rancher-provisioned cluster about a year ago, you need to rotate its certificates before they expire; otherwise the cluster will go into a bad state once they do. In Rancher v2.2.2, the rotation can be performed from the Rancher UI; more details are here. We are working on a back-port for users on 2.0 and 2.1 that will rotate the certificates on existing clusters without requiring an upgrade to v2.2.2.
Project Monitoring feature revoked
Due to stability issues, the Project Monitoring feature has been revoked in this release. We are going to address the issues and add the feature back in the next planned maintenance release. Note: Cluster-level Monitoring is unaffected by this change and continues to work as before.
Experimental support for Kubernetes v1.14.1
We have added Kubernetes v1.14.1 as an experimental version in v2.2.2. This sets us on a path to offer Windows support in a later release. Kubernetes 1.14 is the first Kubernetes version to officially announce production-level support for Windows nodes, as communicated in this announcement from Kubernetes last month.
To view the full release notes for Rancher v2.2.2, please visit this page on GitHub: https://github.com/rancher/rancher/releases/tag/v2.2.2
If you have any questions, simply submit a request via this portal referencing this article, and we will track and respond to your question as a Support Ticket.
Rancher Support Team