
[feat] update support kubernetes v1.25.x and fix security risk #43

Open
wants to merge 1 commit into base: main

Conversation

dongjiang1989

What type of PR is this?

/kind feature

  • Unittest
  • Coverage 80%+
  • Build Success

What this PR does / why we need it:

  1. support Kubernetes >= v1.25.x
  2. fix base image and package security risks
  3. update Golang to 1.19.x

Notes

[screenshot]

@github-actions

🎉 Successfully built images.
Now supports ARM platforms.
Comment Post Time(CST): 2023-05-24 15:13
Git Version: b871212

Docker Registry

Overview: https://hub.docker.com/u/gocrane

Image Pull Command
  • crane-scheduler:pr-43-b871212: docker pull gocrane/crane-scheduler:pr-43-b871212
  • crane-scheduler-controller:pr-43-b871212: docker pull gocrane/crane-scheduler-controller:pr-43-b871212

Coding Registry

Overview: https://finops.coding.net/public-artifacts/gocrane/crane/packages

Image Pull Command
  • crane-scheduler:pr-43-b871212: docker pull finops-docker.pkg.coding.net/gocrane/crane/crane-scheduler:pr-43-b871212
  • crane-scheduler-controller:pr-43-b871212: docker pull finops-docker.pkg.coding.net/gocrane/crane/crane-scheduler-controller:pr-43-b871212

Ghcr Registry

Overview: https://github.com/orgs/gocrane/packages?repo_name=crane

Image Pull Command
  • crane-scheduler:pr-43-b871212: docker pull ghcr.io/gocrane/crane/crane-scheduler:pr-43-b871212
  • crane-scheduler-controller:pr-43-b871212: docker pull ghcr.io/gocrane/crane/crane-scheduler-controller:pr-43-b871212

@dongjiang1989
Author

@qmhu PTAL

@qmhu
Member

qmhu commented May 25, 2023

Hi @dongjiang1989 :

Do you meet problems in 1.25? The risk for upgrade version is high, we need to think carefully.

@dongjiang1989
Author

In Kubernetes 1.24, the scheduler framework PreFilter interface adds a PreFilterResult return value, so the major release version is updated.

kubernetes/kubernetes#108648
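
The PreFilter change referenced above is what forces every plugin to be touched when moving to the 1.24+ scheduler framework. The following is an added example, not code from this PR or the crane project: it models the new contract in plain Go without importing the framework, using simplified Status and PreFilterResult types, pods as plain strings, and an Adapt shim that lifts an old-signature plugin to the new one. It shows the merge rule that makes the new return value matter: results intersect across plugins, and an empty intersection rejects the pod before Filter runs.

```go
package main

type Status struct{ Reason string } // stands in for framework.Status; nil means success

// PreFilterResult models what k8s >= 1.24 PreFilter plugins return beside *Status
// (kubernetes/kubernetes#108648); simplified stand-in, not the real framework type.
// A nil result, or nil NodeNames, keeps every node eligible; a set narrows them.
type PreFilterResult struct{ NodeNames map[string]bool }

func (p *PreFilterResult) AllNodes() bool { return p == nil || p.NodeNames == nil }

// Merge intersects two results the way the framework does between plugins.
func (p *PreFilterResult) Merge(in *PreFilterResult) *PreFilterResult {
	if p.AllNodes() && in.AllNodes() {
		return nil
	}
	if p.AllNodes() {
		p, in = in, p // iterate the side that restricts; in now allows everything
	}
	out := map[string]bool{}
	for n := range p.NodeNames {
		if in.AllNodes() || in.NodeNames[n] { // short-circuit keeps a nil in safe
			out[n] = true
		}
	}
	return &PreFilterResult{NodeNames: out}
}

// NewPreFilter is the >= 1.24 plugin signature; LegacyPreFilter is the pre-1.24 one.
type NewPreFilter func(pod string) (*PreFilterResult, *Status)
type LegacyPreFilter func(pod string) *Status

// Adapt lifts a pre-1.24 plugin to the new signature; it never narrows the node set.
func Adapt(f LegacyPreFilter) NewPreFilter {
	return func(pod string) (*PreFilterResult, *Status) { return nil, f(pod) }
}

// RunPreFilterPlugins merges every plugin's result; an empty intersection rejects the pod.
func RunPreFilterPlugins(plugins []NewPreFilter, pod string) (*PreFilterResult, *Status) {
	var merged *PreFilterResult
	for _, pl := range plugins {
		r, st := pl(pod)
		if st != nil {
			return nil, st
		}
		merged = merged.Merge(r)
	}
	if !merged.AllNodes() && len(merged.NodeNames) == 0 {
		return nil, &Status{Reason: "no node satisfies every PreFilter plugin"}
	}
	return merged, nil
}
```

A nil merged result still means "all nodes", which is exactly what every adapted legacy plugin returns, so old and new plugins can coexist in one plugin chain.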

@qmhu
Member

qmhu commented May 25, 2023

I mean, do you deploy crane-scheduler in a 1.25 cluster and meet a problem?

@dongjiang1989
Author

Thank you for your response. While it's reassuring to know that the specific vulnerable features are not currently being used in our product, I would like to highlight that the identified vulnerability has been flagged in our recent security assessment. Our security team has thoroughly reviewed the issue and determined that it poses a significant risk to the overall security of our product. That's why we would like to incorporate the latest vulnerability-free binary in our system as soon as possible.

@duanmengkk

What was the vulnerability that you discovered? I have reviewed the code you provided, but I didn't see any specific fixes for the identified vulnerability and security risk. Could you please provide more information? Do you mean there is some security risk in base image alpine:3.13.5?

@dongjiang1989
Author

[screenshot] about base packages and base image

@taomaree

taomaree commented Oct 10, 2023

Deploying the current version of crane-scheduler with k8s 1.27, 1.28 gives a running error:

pkg/mod/k8s.io/client-go@v0.23.3/tools/cache/reflector.go:167: Failed to watch *v1beta1.CSIStorageCapacity: failed to list *v1beta1.CSIStorageCapacity: the server could not find the requested resource

because k8s 1.27 removed v1beta1.CSIStorageCapacity and changed to v1.CSIStorageCapacity (the storage.k8s.io/v1 API has been available since k8s 1.24).

This PR #43 version was tested and works on k8s 1.28.

https://kubernetes.io/blog/2023/03/17/upcoming-changes-in-kubernetes-v1-27/

So, we need a new version.
The current version supports k8s versions 1.22-1.26;
this new PR version supports k8s version >= 1.24.

@qmhu
Member

qmhu commented Oct 16, 2023

Does this version work in 1.18? We want to make sure the main code works for at least version 1.18.
