KNIME Documentation

KNIME Business Hub 1.13 Release Notes

KNIME Business Hub 1.13.3

(released March 28, 2025)

Security fix

This release resolves a security vulnerability in all prior versions of KNIME Business Hub.

On March 24, 2025, a high-severity vulnerability in the widely used ingress-nginx component for Kubernetes was publicly disclosed. By sending specially crafted HTTP requests from within the cluster to the ingress-nginx controller, attackers could achieve remote code execution. Since ingress-nginx holds access to all cluster credentials, this vulnerability could lead to a full cluster takeover.

For full details, refer to the KNIME Security Advisory: CVE-2025-2787.

We recommend all users update to this version.

KNIME Business Hub 1.13.2

(released March 05, 2025)

Important bug fixes

  • Basic account information such as team membership is not shown anymore to unauthenticated users
  • Business Hub version number is not shown anymore to unauthenticated users
  • Fixed a bug that affected the presentation of the application password creation menu
  • Fixed a bug where jobs were marked as vanished in case a load error occurred
  • Fixed an issue where data in catalog could end up in an inconsistent state following migrations from older versions
  • Fixed an issue where deployments only showed default configuration values when editing a deployment
  • SCIM: User provisioning uses partial instead of exact user matching
  • Single pod Postgres clusters now default to failsafe mode to prevent any communication outages with the Kubernetes control plane from causing patroni to demote that pod from its leader status. This issue could, for example, show executed jobs in a Running state even though they have already Completed

Security fix

This release addresses a security vulnerability affecting all previous versions of KNIME Business Hub. We’ve identified that the existing Kubernetes secret configuration could potentially allow parties with specific credential knowledge to interact with job-related data on accessible KNIME Business Hub installations.

For more details, see the KNIME Security Advisory: CVE-2025-2402.

Additional changes

  • Existing execution contexts are switched to set defaultMaxScheduleFailures to unlimited, effectively removing the disabling of deployments as a consequence of load errors. This migration is only applied to execution contexts where defaultMaxScheduleFailures is left at the default value of 3.

KNIME Business Hub 1.13.1

(released January 24, 2025)

Important installation notes (please read carefully)

  • In case you need to apply tolerations to kotsadm pods, KNIME Business Hub 1.13.1 requires an update of KOTS to version 1.123.0. Make sure to perform this update before updating Business Hub. In case you don’t require such a setup, no KOTS update is needed.
    • To do so use the following command: curl -sSL [https://kurl.sh/knime-hub](https://kurl.sh/knime-hub) | sudo bash.

New features

  • KNIME Business Hub now supports using taints and tolerations to control which pods can be scheduled on specific nodes by allowing nodes to repel certain pods unless those pods explicitly tolerate the taints. (See Documentation)

Important bug fixes

  • Fixed a bug where executors configured to use a proxy could not communicate with Hub anymore
  • Fixed a bug where a database migration could lead to incorrect data for the job instrumentation service
  • Fixed a bug from the 1.13.0 release where clusters using an older version of kots would not be able to deploy namespace migration jobs

KNIME Business Hub 1.13.0

(released January 07, 2025)

Important installation notes (please read carefully)

  • During update, all executors will be terminated. Due to this, any running jobs will be cancelled and will not be retrievable. In order to avoid data loss, please make sure that no jobs are running during the update (e.g. by stopping all execution contexts before performing the update).
  • Customers managing their own CRDs need to update these before performing the Business Hub update.
  • Keycloak is updated to a new version. In case you have changed the automatically assigned password for the Keycloak admin console, a new password will be assigned. You can retrieve this password as described here.
  • If the cluster allows only specific domains, for the cluster to be able to pull Docker images, a new host cr.fluentbit.io needs to be added to the list of accessible hosts before updating.
  • Airgapped bundles now come with KNIME Analytics Platform 5.3.3 as executor.

Infrastructure changes

  • Keycloak has been updated to version 25
  • Installing into existing clusters supports custom defined namespace names
  • Namespaces consolidated in this version. With provided Istio instance new existing cluster installs can use a single namespace
  • Kubernetes version updated to 1.30 for embedded cluster installs
  • Kots version updated to 1.121
  • Postgres read replicas enabled to improve performance and resilience

Improvements

New features

  • Validation service: Execution contexts can now be configured to require certain labels to be set when trying to execute a workflow or to create a deployment. If the workflow’s version label does not match the executor’s requirement, it is not accepted. (See Documentation)
  • Private search: It is now possible to use Hub search to find items located in private spaces.
  • Execution context log file download: Global admin users can download execution context’s log files from the Hub UI. This feature works irrespective of current execution context status. I.e., it is also possible to retrieve log files from crashed executors, facilitating debugging.
  • Global admin secrets: Global admin users can manage secrets on a Hub-wide level and share them with teams or individual users.
  • Databricks secret: Added support for Databricks authentication methods, allowing easy and secure access to your Databricks workspace. (See Documentation)
  • Salesforce secret: Added support for Salesforce authentication methods, allowing easy and secure access to your Salesforce data. (See Documentation)
  • AI service:
    • Added the possibility to configure the disclaimer displayed by K-AI in scripting editors (e.g. Expression or Python Script) on the KOTS admin page.
    • Added the possibility to configure the retention period of the AI history via the KOTS admin page. Note: The default is set to 180 days.
    • It is now possible to configure whether K-AI should include public workflows and components in its answers. In order to include them, K-AI uses their name and description which means that those are shared with the GenAI provider.

Further changes

  • Improved workflow and job states: Ensures that users can, at any time, find out the precise status of a job. (See Documentation)

  • Select executor images via dropdown

  • Improved handling of configuration nodes for ad-hoc execution and deployments

    • Added support for more configuration nodes to be used while creating jobs or deployments

  • Easier period input for advanced deployment and execution context settings

  • Control executor heap requirements from UI

    • Needed if memory intensive processes run alongside the executor container, e.g. Python

  • Enable iframe embedding for shared data apps. (See Documentation)

  • Performance improvements when uploading items to Hub, including parallel upload of multiple items

  • Added the ability to upload workflows and files from the Hub UI

  • Added live update of content on the secrets pages (e.g. no refresh needed after adding a new secret)

  • Listing jobs via /jobs endpoint does not return configuration and/or input/output data anymore. In case this information is needed, the job needs to be queried directly via /jobs/jobId. This change reduces load caused by large job listings.

  • Team members can now retrieve information on other team members' jobs via the instrumentation endpoint (was: users could only see their own jobs)

    • This is now in line with visibility of existing jobs

  • SCIM functionality is now also available for Business Hub Standard Edition licenses

    • This facilitates sharing deployments with externally managed groups of consumers

  • Increased default job swap retries to “unlimited” (i.e. jobs stuck from swapping will eventually be swapped)

    • New defaults only apply to newly created execution contexts and deployments. Please update existing execution contexts / deployments if needed.

  • Increased default schedule load attempts until schedule is disabled to “unlimited” (i.e. schedules will not be disabled anymore if the job fails loading x times in a row)

    • New defaults only apply to newly created execution contexts. Please update existing execution contexts if needed.

Notable bug fixes

  • In embedded cluster installs, garbage collection was not disabled by default for the embedded image registry
  • Jobs created by a now deleted user were not discarded
  • Executor IPs were also shown to non-admin users
  • Updated execution context settings were only shown after page refresh

New/improved Data Apps

  • Version label/validation service admin workflows

  • Manage List of Executor Images (new) (Link)

    • Allows to manipulate the dropdown list when configuring an execution context.

  • Proxy Diagnostics (new) (Link)

    • Investigate the current proxy related settings on either a local AP or remote executor to help debug proxy/networking issues. Check the reachability of a URL directly in a data app, i.e. check if a URL is reachable from an execution context.

  • Admin Dashboard (new) (Link)

    • Gain insight about the usage of the current Hub usage, e.g. how many users, items, execution contexts each team has.

  • Customization Profile Application (improved) (Link)

    • Manage customization profiles with a better UI and e.g. edit settings directly in the data app.

  • Monitor User Usage (improved) (Link)

    • Monitor the sessions users have on the KNIME Business Hub to identify e.g. inactive users and times of high load.

  • Delete Old Item Versions (improved) (Link)

    • Data app to free disk space by deleting workflow versions that are older than a certain date and not involved in any deployments.

  • Executor Image Builder (improved) (Link)

    • Build executor images now directly from dockerfiles, add proxies, and updated the python support.

  • Published data apps adapted to new job states in 1.13.0:

    • Manage All Existing Jobs (Link)
    • Workflow Jobs Monitoring (Link)