debian-base: purge libsystemd0 to eliminate CVE false-positives #69995
/lgtm
/sig release
/hold I forgot to add the sig, but I've already promoted the debian-base image, so I'm going to bump the child images in this PR too.
566e74a to 68a960a
VERSION=v8.8 | ||
KUBECTL_VERSION?=v1.10.7 | ||
VERSION=v8.9 | ||
KUBECTL_VERSION?=v1.10.9 |
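Review bot: KUBECTL_VERSION?=v1.10.9 is a patch-level kubectl bump bundled with the VERSION=v8.9 image bump, and nothing on either line says why kubectl moves. Since the PR title only covers purging libsystemd0, call out the kubectl change in the commit message (or split it out) so the addon-manager version history explains both changes.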
@MrHohn does this version of kubectl still make sense? or should we bump to 1.11.x?
Thanks for adding me, bumping to 1.11.x sounds good to me.
updated to kubectl v1.11.3.
pushed a commit bumping the debian-base references, PTAL.
Additionally, update the addon-manager to use kubectl v1.11.3.
68a960a to 7a8696c
@@ -16,12 +16,12 @@ | |||
|
|||
REGISTRY?="staging-k8s.gcr.io" | |||
IMAGE=$(REGISTRY)/debian-iptables | |||
TAG?=v10.2 | |||
TAG?=v11.0 |
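Review bot: the TAG?=v10.2 to TAG?=v11.0 change is a major-version jump, and the Makefile carries no comment explaining when the major number changes versus the .N suffix. Add a short comment above TAG describing the convention so the next bump is made consistently.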
why not v10.3?
I generally reserve the .N bumps for rebases of the existing image. We actually removed a package here.
/lgtm
/assign @zmerlynn for cluster/ approval
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: ixdy, zmerlynn
/hold cancel
Update images after kubernetes#69995
This actually breaks node-problem-detector. :P kubernetes/node-problem-detector#232 Is there any other way to fix the CVE? I can install the libsystemd0 back when building node-problem-detector for now.
I'd rather not add libsystemd back to the base image, since we don't need it in the core kubernetes images. If you need it in your image, you should be able to add it back with
What type of PR is this?
/kind cleanup
What this PR does / why we need it: we already purge systemd and systemd-sysv from the debian-base container, since we don't use them, but libsystemd0 is still part of the image, which is causing false CVE alerts from the GCR Container Analysis service.
Does this PR introduce a user-facing change?:
I don't expect this change to have any user-facing changes. We'll need to be more cautious once we update debian-iptables and debian-hyperkube-base; there shouldn't be any issues, but hyperkube in particular has surprised me before.
/assign @ihmccreery @awly @tallclair
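An added example, not part of this PR or of the Kubernetes build scripts: a check that could be run over an image's dpkg status file to confirm the purged packages are gone and to list installed packages that still declare a dependency on them, the kind of breakage reported above for node-problem-detector. The status text, the package name example-agent and all function names are constructed for illustration.

```python
import re

# Constructed sample of /var/lib/dpkg/status (not taken from the real image).
SAMPLE_STATUS = """\
Package: libsystemd0
Status: install ok installed

Package: example-agent
Status: install ok installed
Depends: libc6 (>= 2.15), libsystemd0

Package: systemd
Status: deinstall ok config-files
"""
PURGED = {"systemd", "systemd-sysv", "libsystemd0"}  # names from the PR text

def parse_status(text):
    """Yield one dict of fields per dpkg status stanza."""
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields, key = {}, None
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t") and key:
                fields[key] += "\n" + line.strip()  # continuation line
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key] = value.strip()
        yield fields

def dep_names(field):
    """Package names in a Depends-style field; versions and :arch are dropped.
    Every alternative (a | b) is reported, which errs on the side of warning."""
    found = (re.match(r"\s*([a-z0-9][a-z0-9+.-]*)", alt)
             for alt in re.split(r"[,|]", field))
    return {m.group(1) for m in found if m}

def audit(status_text, purged):
    """Return (purged packages still installed, {dependent: [purged deps]})."""
    installed = [s for s in parse_status(status_text)
                 if "Package" in s and s.get("Status", "").endswith(" installed")]
    still = sorted(s["Package"] for s in installed if s["Package"] in purged)
    dependents = {}
    for s in installed:
        deps = dep_names(s.get("Depends", "")) | dep_names(s.get("Pre-Depends", ""))
        hit = sorted(deps & purged)
        if hit and s["Package"] not in purged:
            dependents[s["Package"]] = hit
    return still, dependents

if __name__ == "__main__":
    print(audit(SAMPLE_STATUS, PURGED))
```

A package left in the config-files state (like systemd in the sample) is not counted as installed; an empty first list with a non-empty second one means a child image has a package that will break once the base image drops the library.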