cluster-autoscaler binary contains high and critical vulnerabilities #5343
Comments
Cluster-autoscaler uses gcr.io/distroless/static:nonroot-amd64 as its base image. Are those issues also present in the base image?
This repo also has a security policy with instructions for reporting security issues to the appropriate contacts for triage and response. If you believe the answer to @WebSpider's question is yes, please follow the instructions there to report security issues.
We released a 1.23.1 release back in June as well, so you should run the same scan against that rather than 1.23.0.
@WebSpider @gjtempleton Thanks for replying. I think these CVEs are related to the golang dependencies but not the base image. Especially for the critical dependency "github.com/emicklei/go-restful", can you please verify if the autoscaler used it?
@gjtempleton could you please guide how we open a security issue for the autoscaler repo? We found that even for 1.24, autoscaler just released 1.24.0 around May. These CVEs still apply to it.
And by the way, if we plan to submit the code to fix them, when could we get the 1.24.1 release?
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
just leaving an update here, it appears these have all been fixed in more recent versions:
i'm not sure how, or if, we can backport all of these, but i wanted to leave an update that they have been fixed in the most recent release (1.27.1)
@elmiko thanks for the comment. We are at 1.23 which is EOL according to https://kubernetes.io/releases/ Guess I will start a thread and ask in #sig-autoscaling or raise this in the SIG meeting (not too hopeful about getting a patch for an EOL release).
@yuyangbj The security policy for this repo, and other k8s repos, is linked on the side of the root of the repo via the GitHub functionality, but can also currently be seen here. As @vadasambar says, 1.23 has dropped out of support, and the critical vulnerability ( As such we have no way of upgrading the CA 1.23 branch and publishing an image without this library without significant work (if it's even possible.) We have adopted a new policy of publishing CA patch releases every 2 months, and are now updating our upstream k8s/k8s dependencies as standard as part of this process, which should help us with shipping fewer libraries marked as vulnerabilities by automated scanners.
@gjtempleton thanks for responding on this issue. Seems like it's not in our hands anymore for 1.23 and 1.24.
For anyone wondering, you can check the vulnerabilities using a CLI tool like
Seems like
Would like to add that with the scan tool Xray there are many more vulnerabilities reported in cluster-autoscaler
Hi, most of the warnings reported are currently fixed but there are a few still there:
Hi, this is the report for the latest release:
Do you have any information about how you update the dependencies on a daily basis or in your release process?
Hi all, JFI: the result for vulnerability scanning on CA 1.30.0 (latest version), using trivy for vulnerability scanning.
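Several of the questions in this thread (whether a finding comes from the distroless base image or from the Go module dependencies compiled into the binary, whether an upstream fix exists, and which findings disappeared between two releases) can be answered mechanically from trivy's JSON report (`trivy image --format json`). The script below is an added example, not code from the issue or from the autoscaler project; the two reports embedded in it are constructed, with placeholder CVE ids, package names and versions that are not real findings against cluster-autoscaler.

```python
import json

# Severity ranking as used in trivy reports; findings below the threshold are dropped.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the layout of trivy's JSON output. Ids, versions and the
# OS package are placeholders, NOT real findings for cluster-autoscaler.
OLD_REPORT = json.dumps({"Results": [
    {"Target": "example.invalid/cluster-autoscaler:old (placeholder-os)",
     "Class": "os-pkgs", "Type": "placeholder-os",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-os-pkg",
          "InstalledVersion": "0.0.1", "Severity": "MEDIUM"}]},
    {"Target": "cluster-autoscaler", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0002", "PkgName": "github.com/emicklei/go-restful",
          "InstalledVersion": "v0.0.1", "FixedVersion": "v0.0.2", "Severity": "CRITICAL"},
         {"VulnerabilityID": "CVE-0000-0003", "PkgName": "example.invalid/module-a",
          "InstalledVersion": "v0.0.1", "FixedVersion": "v0.0.2", "Severity": "HIGH"},
         {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.invalid/module-b",
          "InstalledVersion": "v0.0.1", "Severity": "HIGH"}]}]})

# Constructed scan of a newer release: the two fixable Go findings are gone,
# the unfixed one and the base-image finding remain.
NEW_REPORT = json.dumps({"Results": [
    {"Target": "example.invalid/cluster-autoscaler:new (placeholder-os)",
     "Class": "os-pkgs", "Type": "placeholder-os",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-os-pkg",
          "InstalledVersion": "0.0.1", "Severity": "MEDIUM"}]},
    {"Target": "cluster-autoscaler", "Class": "lang-pkgs", "Type": "gobinary",
     "Vulnerabilities": [
         {"VulnerabilityID": "CVE-0000-0004", "PkgName": "example.invalid/module-b",
          "InstalledVersion": "v0.0.1", "Severity": "HIGH"}]}]})


def parse_findings(report_json):
    """Flatten a trivy JSON report into one dict per finding, tagged with its origin:
    OS packages of the base image ("base-image") or Go modules recorded in the
    binary's build info ("go-dependency")."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        if result.get("Class") == "os-pkgs":
            origin = "base-image"
        elif result.get("Type") == "gobinary":
            origin = "go-dependency"
        else:
            origin = "other"
        # trivy emits null (not an empty list) when a target has no findings.
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln["VulnerabilityID"],
                "pkg": vuln["PkgName"],
                "installed": vuln.get("InstalledVersion"),
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target"),
                "origin": origin,
            })
    return findings


def triage(report_json, min_severity="HIGH"):
    """Split findings at or above min_severity by origin and by fix availability."""
    threshold = SEVERITY_RANK[min_severity]
    out = {"base_image": [], "go_dependencies": [], "fix_available": [], "no_fix": []}
    for f in parse_findings(report_json):
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if f["origin"] == "base-image":
            out["base_image"].append(f["id"])
        elif f["origin"] == "go-dependency":
            out["go_dependencies"].append(f["id"])
        if f["fixed"]:
            out["fix_available"].append((f["id"], f["pkg"], f["installed"], f["fixed"]))
        else:
            out["no_fix"].append(f["id"])
    return out


def fixed_between(old_report_json, new_report_json):
    """Return (ids gone in the new scan, ids new in the new scan)."""
    old_ids = {f["id"] for f in parse_findings(old_report_json)}
    new_ids = {f["id"] for f in parse_findings(new_report_json)}
    return sorted(old_ids - new_ids), sorted(new_ids - old_ids)


if __name__ == "__main__":
    print(json.dumps(triage(OLD_REPORT), indent=2))
    gone, introduced = fixed_between(OLD_REPORT, NEW_REPORT)
    print("fixed in newer release:", gone, "newly reported:", introduced)
```

The `no_fix` bucket is the one that matters for the discussion above: a finding with no upstream `FixedVersion` cannot be cleared by a dependency bump, so it either has to be shown not to be reachable from the binary or waited out, whereas everything in `fix_available` is addressable by a module update in the next patch release.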
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
There are lots of high and critical vulnerabilities that were found by trivy.
The scanning result of cluster-autoscaler:v1.23.0 is as follows; v1.22.0 and v1.24.0 are the same as it.
My question is whether there is a plan to fix these vulnerabilities on these versions (1.22, 1.23, 1.24)?