Releases: mongodb/mongodb-enterprise-kubernetes
MongoDB Enterprise Kubernetes Operator 1.4.5
MongoDB Resource Security Fixes
Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates
CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected versions:
- 1.0, 1.1
- 1.2.0 - 1.2.4
- 1.3.0 - 1.3.1
- 1.4.0 - 1.4.4
Fixed Versions:
- 1.4.5
- 1.2.5
MongoDB Enterprise Kubernetes Operator 1.2.5
MongoDB Resource Security Fixes
Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates
CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected versions:
- 1.0, 1.1
- 1.2.0 - 1.2.4
- 1.3.0 - 1.3.1
- 1.4.0 - 1.4.4
Fixed Versions:
- 1.4.5
- 1.2.5
MongoDB Enterprise Kubernetes Operator 1.4.4
MongoDB Resource Changes
- Supports changes in the Cloud Manager API.
Ops Manager Resource Changes (Beta Release)
- Properly terminates resources with a termination hook.
- Implements stricter validations.
Bug Fixes
- Fixes an issue when working with Ops Manager with custom HTTPS certificates.
MongoDB Enterprise Kubernetes Operator 1.4.3
Kubernetes Operator Changes
- Added webhook to validate Kubernetes Operator configuration.
MongoDB Resource Changes
- Adds support for sidecars for MongoDB Kubernetes resource pods using the spec.podSpec.podTemplate setting.
- Allows users to change the pod SecurityContext to allow privileged sidecar containers.
Ops Manager Resource Changes (Beta Release)
- Adds the spec.podSpec configuration settings for Ops Manager, the Backup Daemon, and the Application Database.
- Ops Manager image for version 4.2.8 is available.
Bug Fixes
MongoDB resources:
- Fixes potential race conditions when deleting MongoDB Kubernetes resources.
Ops Manager resources:
- Supports the spec.clusterDomain setting for Ops Manager and Application Database resources.
- No longer starts monitoring and backup processes for the Application Database.
MongoDB Enterprise Kubernetes Operator 1.4.2
MongoDB Resource Changes
- Runs MongoDB database Kubernetes pods under a dedicated Kubernetes service account: mongodb-enterprise-database-pods.
- Adds the spec.podSpec.podTemplate setting, which allows you to apply templates to Kubernetes pods that the Kubernetes Operator generates for each database StatefulSet.
- Renames the spec.clusterName setting to spec.clusterDomain.
Ops Manager Resource Changes (Beta Release)
- Adds offline mode support for the application database. Bundles MongoDB Enterprise version 4.2.2 with the application database image. Internet access is not required to install the application database if spec.applicationDatabase.version is set to 4.2.2-ent or omitted.
- Renames the spec.clusterName setting to spec.clusterDomain.
- Ops Manager images for versions 4.2.6 and 4.2.7 are available.
Bug Fixes
MongoDB resources:
- Fixes the order of sharded cluster component creation.
- Allows TLS to be enabled on Amazon EKS.
Ops Manager resources:
- Enables the Kubernetes Operator to use the spec.clusterDomain setting.
MongoDB Enterprise Kubernetes Operator 1.4.1
CVE fixes
Bug fixes
- Fixed a bug in the Ops Manager Custom Resource that prevented running MongoDB backup for versions 3.6 and 4.0.
MongoDB Enterprise Kubernetes Operator 1.4.0
New Features
MongoDB Resource Changes
- Split horizon DNS support for MongoDB replica sets has been added, allowing clients to connect to a replica set from outside of the Kubernetes cluster.
- Operator generated certificates can be requested with additional certificate domains, making them valid for the specified subdomains.
Ops Manager Resource Changes
- MongoDBOpsManager has been promoted to beta! Ops Manager version 4.2.4 is available.
- Backup and restore can be enabled in Operator-deployed Ops Manager instances. This is a semi-automated process that will deploy everything you need to enable backups in Ops Manager. Backup should be enabled by setting the spec.backup.enabled attribute on the Ops Manager custom resource. The Head DB, Oplog Store and S3 Snapshot Store can be configured using the MongoDBOpsManager specification.
- Ops Manager can be accessed from outside the Kubernetes cluster by setting the spec.externalConnectivity property.
- Ops Manager's AppDB (the MongoDB database that Ops Manager runs on) has SCRAM-SHA1 authentication enabled by default.
- Support for OpenShift (Red Hat UBI Images) has been added.
Please see the sample YAML files in the samples directory for more information on how to enable new features.
Bug fixes
- Overall stability of X509 user management has been improved.
MongoDB Enterprise Kubernetes Operator 1.3.1
MongoDB Resource Changes
- Important! Requires one MongoDB resource per Ops Manager project. If you have more than one MongoDB resource in a project, all resources will change to a Pending status and the Kubernetes Operator won’t perform any changes on them. The existing MongoDB databases will still be accessible. You must migrate to one resource per project.
- Supports SCRAM-SHA authentication mode. See the MongoDB Enterprise Kubernetes Operator GitHub repository for examples.
- Requires that the project (ConfigMap) and credentials (secret) referenced from a MongoDB resource be in the same namespace.
- Adds OpenShift installation files (YAML file and Helm chart configuration).
Ops Manager Resource Changes (Alpha Release)
- Supports highly available Ops Manager resources by introducing the spec.replicas setting.
- Runs pods as a non-root user.
MongoDB Enterprise Kubernetes Operator 1.3.0
Important: This release introduces significant changes that may not be compatible with previous deployments or resource configurations. Read https://docs.mongodb.com/kubernetes-operator/stable/tutorial/migrate-to-single-resource/ before installing or upgrading the Kubernetes Operator.
Specification Schema Changes
- Moves to a one cluster per project configuration. This follows the warnings introduced in a previous version of the operator. The operator now requires each cluster to be contained within a new project.
- Authentication settings are now contained within the security section of the MongoDB resource specification rather than the project ConfigMap.
- Replaces the project field with the spec.opsManager.configMapRef.name or spec.cloudManager.configMapRef.name fields.
- User resources now refer to MongoDB resources rather than project ConfigMaps.
- No longer requires data.projectName in the project ConfigMap. The name of the project defaults to the name of the MongoDB resource in Kubernetes.
Ops Manager Resource Changes
This release introduces significant changes to the Ops Manager resource’s architecture. The Ops Manager application database is now managed by the Kubernetes Operator, not by Ops Manager.
Bug Fixes
- Stops unnecessary recreation of NodePorts.
- Fixes logging so it’s always in JSON format.
- Sets USER in the Kubernetes Operator Docker image.
MongoDB Enterprise Kubernetes Operator 1.2.4
- Increased stability of X509 enabled Sharded Cluster deployments.
- Internal testing infrastructure improvements.