MongoDB Enterprise Kubernetes Operator
OTHER License
Published by rodrigovalin over 4 years ago
MongoDB Resource Security Fixes
Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates
CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected versions:
Fixed Versions:
Published by chatton over 4 years ago
MongoDB Resource Security Fixes
Fixes CVE-2020-7922: Kubernetes Operator generates potentially insecure certificates
CVE description:
X.509 certificates generated by the MongoDB Enterprise Kubernetes Operator may allow an attacker with access to the Kubernetes cluster improper access to MongoDB instances. Customers who do not use X.509 authentication, and those who do not use the Operator to generate their X.509 certificates are unaffected.
Common Weakness Enumeration:
CWE-295: Improper Certificate Validation
CVSS score: 6.4
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected versions:
Fixed Versions:
Published by rodrigovalin over 4 years ago
Published by antonlisovenko over 4 years ago
spec.podSpec.podTemplate setting.
SecurityContext to allow privileged sidecar containers.
spec.podSpec configuration settings for Ops Manager, the Backup Daemon, and the Application Database.
4.2.8 is available.
spec.clusterDomain setting for Ops Manager and Application Database resources.
Published by antonlisovenko over 4 years ago
mongodb-enterprise-database-pods.
spec.podSpec.podTemplate setting, which allows you to apply templates to Kubernetes pods that the Kubernetes Operator generates for each database StatefulSet.
spec.clusterName setting to spec.clusterDomain.
4.2.2 with the application database image. Internet access is not required to install the application database if spec.applicationDatabase.version is set to 4.2.2-ent or omitted.
spec.clusterName setting to spec.clusterDomain.
4.2.6 and 4.2.7 are available.
spec.clusterDomain setting.
Published by rodrigovalin almost 5 years ago
Published by rodrigovalin almost 5 years ago
MongoDBOpsManager has been promoted to beta! Ops Manager version 4.2.4 is available.
spec.backup.enabled attribute on the Ops Manager custom resource. The Head DB, Oplog Store and S3 Snapshot Store can be configured using MongoDBOpsManager specification.
spec.externalConnectivity property.
SCRAM-SHA1 authentication enabled by default.
Please see the sample YAML files in the samples directory for more information on how to enable new features.
Published by antonlisovenko almost 5 years ago
spec.replicas setting.
Published by BenElgar almost 5 years ago
Important: This release introduces significant changes that may not be compatible with previous deployments or resource configurations. Read https://docs.mongodb.com/kubernetes-operator/stable/tutorial/migrate-to-single-resource/ before installing or upgrading the Kubernetes Operator.
This release introduces significant changes to the Ops Manager resource’s architecture. The Ops Manager application database is now managed by the Kubernetes Operator, not by Ops Manager.
Published by chatton about 5 years ago
Published by rodrigovalin about 5 years ago
Published by LouisPlisso about 5 years ago
Security Fix: Clusters configured by Operator versions 1.0-1.2.1 used an insufficiently-strong keyfile for internal cluster authentication between mongoDs. This only affects clusters which are using x509 for user-authentication, but are not using x509 for internal cluster authentication. Users are advised to upgrade to 1.2.2, which will replace all managed keyfiles.
Security Fix: Clusters configured by Operator versions 1.0-1.2.1 used an insufficiently-strong password to authenticate the MongoDB Agent. This only affects clusters which have been manually configured to enable SCRAM-SHA1, which is not a supported configuration. Users are advised to upgrade to 1.2.2, which will reset these passwords.
Published by chatton about 5 years ago
Fixed bug which caused the Operator to incorrectly generate CSRs for agent x509 certificates when approved CSRs have been deleted
If the OPERATOR_ENV environment variable is set to something unrecognized by the Operator, it will no longer result in a "CrashLoopBackOff" of the pod. A default value of "prod" is used.
The Operator now supports more than 100 agents in a given project
Published by rodrigovalin about 5 years ago
MongoDBOpsManager has been added to allow Ops Manager 4.2 to be deployed into your Kubernetes cluster. This feature is in alpha stage.
Published by rodrigovalin about 5 years ago
featureCompatibilityVersion
Published by rodrigovalin over 5 years ago
The MongoDB Enterprise Kubernetes Operator is now Generally Available and is ready to be used in production environments
If you have any questions regarding this release, reach out to us in the #enterprise-kubernetes Slack channel.
The MongoDB Enterprise Kubernetes Operator can be used to provision any kind of MongoDB deployment in the Kubernetes Cluster of your organization:
The Operator can automatically configure TLS on the MongoDB deployments and have all traffic encrypted, with servers and clients being able to verify each other’s identities.
It can manage MongoDB Users as well, enabling connections to your databases using x509 authentication.
Documentation on how to install and configure the Operator can be found here.
Published by rodrigovalin over 5 years ago
rs.stepDown() is called for primary member (requires MongoDB version >= 4.0.8 or 4.1.10)
featureCompatibilityVersion field can be set
MongoDBUser Custom Resource
Published by rodrigovalin over 5 years ago
samples/extended directory for a full set of examples on how to achieve this.
roles.yaml
mdb objects with kubectl will give more information about the MongoDB object (type, state and MongoDB Server version)
Docker Images
A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here
For the MongoDB Enterprise Operator
https://quay.io/repository/mongodb/mongodb-enterprise-operator?tab=tags
For the MongoDB Enterprise Database
https://quay.io/repository/mongodb/mongodb-enterprise-database?tab=tags
Published by chatton over 5 years ago
A list of the packages installed, and any security vulnerabilities detected in our build process, are outlined here:
Published by rodrigovalin over 5 years ago