cert-manager
v1.21.0Security日本語 準備中cert-manager v1.21.0 is a hardening-and-features release: it closes a HIGH-severity RBAC escalation in the cert-manager-edit ClusterRole (GHSA-8rvj-mm4h-c258) and ships two other breaking Helm/RBAC changes, alongside new ARI, Vault AWS-IAM, and Gateway API capabilities.
securityRBAC tightened on cert-manager-edit ClusterRole (GHSA-8rvj-mm4h-c258)
The cert-manager-edit aggregate ClusterRole no longer grants create on challenges.acme.cert-manager.io or create/patch/update on orders.acme.cert-manager.io, closing a path where a user with only 'edit' access could escalate by crafting ACME Challenge/Order resources. Backported to v1.20.3; upgrade if you rely on cert-manager-edit permissions and audit any tooling that creates Challenge or Order resources directly.
breakingDefault tokenrequest RBAC removed from Helm chart
The Helm chart no longer creates a default Role/RoleBinding granting the controller serviceaccounts/token: create on its own ServiceAccount. This breaks the undocumented pattern of setting serviceAccountRef.name to the controller's ServiceAccount; review any such references before upgrading.
breakingPrometheus Helm values removed, metrics port renamed
The Helm values prometheus.servicemonitor.targetPort, prometheus.servicemonitor.path, and prometheus.podmonitor.path have been removed, and the metrics port was renamed from tcp-prometheus-servicemonitor to http-metrics. Any values override still setting the removed keys will fail Helm schema validation on upgrade; update your values files before upgrading.
主な変更 (7)
- Security: cert-manager-edit ClusterRole no longer grants create/patch/update on ACME Challenge/Order resources (GHSA-8rvj-mm4h-c258, HIGH, backported to v1.20.3)
- Breaking: default Role/RoleBinding for serviceaccounts/token: create removed from the Helm chart, affecting any undocumented serviceAccountRef.name usage
- Breaking: prometheus.servicemonitor/podmonitor Helm values removed and metrics port renamed to http-metrics; stale overrides will fail schema validation
- Deprecations: enableGatewayAPI/enableGatewayAPIListenerSet superseded by gatewayAPI.enabled/enableListenerSet (old fields still work); ServerSideApply feature gate deprecated as cainjector now uses SSA unconditionally; CAInjectorMerging promoted to GA
- New features: experimental ACME Renewal Information (ARI) support, Vault issuer AWS IAM authentication (IRSA/EKS Pod Identity/ambient credentials), new renewalPolicies field, and Gateway API listener improvements (parentref fallback, ignore-tls-listeners)
- Notable fixes: integer overflow in renewBeforePercentage mis-scheduling long-duration certs, infinite re-issuance loop on already-expired issuer certs, ACME challenges no longer terminally failing on transient network errors
- Plus several smaller fixes and hardening items: DoH response size capped at 128KB, Vault path traversal rejected, DNS issuer secret validation before ready, base images updated to Debian 13