Upgrade debian-base to 0.3.1 for CVEs

[satyasm]

What this PR does / why we need it:
Upgrade debian-base to 0.3.1 in response to CVE fixes in debian-base

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:
Bumps up the version number of related components.

Release note:

Bump up version number of debian-base, debian-hyperkube-base and debian-iptables. 
Also updates dependencies of users of debian-base. 
debian-base version 0.3.1 is already available.

[satyasm]

/assign @ixdy . Reopened PR for #66942.

[MrHohn]

/ok-to-test

[satyasm]

/assign @ixdy

[mkumatag]

/lgtm

[cblecker]

/lgtm cancel
/hold

[cblecker]

Has this image been pushed?

$ docker pull k8s.gcr.io/debian-hyperkube-base-amd64:0.11
Error response from daemon: manifest for k8s.gcr.io/debian-hyperkube-base-amd64:0.11 not found

[ixdy]

hm, though this is a different pattern than what we've done with CVE-only rebuilds in the past.

in those cases, we've either pushed over the existing tag, or added a revision number (if pushing over the existing tag wasn't possible).

I guess I have a slight preference for naming this 0.10.1 instead of 0.11, since there shouldn't really be any functional differences.

[cblecker]

Has this image been pushed?

$ docker pull k8s.gcr.io/debian-iptables-amd64:v11
Error response from daemon: manifest for k8s.gcr.io/debian-iptables-amd64:v11 not found

[ixdy]

this one is trickier, since v10.1 makes no sense. v10-r2? bleh.

[ixdy]

though we did have a v5.1. (also a v5, and a v5.0?)

[satyasm]

/cc @tallclair

@cblecker not sure what you are expecting here. My understanding of the process is as follows when we want to upgrade debian base.

1. Do a PR for the newer version and once merged build and push the new tag.
2. Once image from 1 is available, do a PR (this one) for the all the dependents of debian-base and once merged, build and push the new tags.
3. Once images from 2 is available, do a PR of the dependent images from 2 and once merged, build and push the new tags.
4. Once images from 3 are available, do the final update of the installation manifests and add-ons to refer to the updated tags.

In this case, due to some oversight, a PR for 1 was not done but the image was pushed. So I'm doing the back fill of the tag update for 1 as part of this PR. So the upgraded images for debian-iptables and debian-base-hyperkube will be built and pushed once this PR is approved and merged.

[cblecker]

I'll defer to @ixdy on the proper order. IIRC, we build/push, then PR. Either way, I'd like to see this documented more.

[tallclair]

I don't think the order is well defined. What matters is:

1. Update the FROM base image tag (locally)
2. Build & Push the image
3. Update the manifests to the new tag (& merge)

The parts that don't matter are:

• when the changes from (1) get merged - This is just in order to reflect the current state in the open source. I'd prefer to do this before (2), so that the pushed image is always built from merged code.
• updating the tag - This is purely symbolic, as our image promotion process ends up relabeling the image. The ordering here doesn't matter, so to decrease the number of PRs, I'd prefer to do this in the same PR as the above.

Given this, I think the current PR looks good.

[ixdy]

Right, in the past I would often cheat and build/push images before they were merged into master, which would result in fewer PRs.

It's probably better to separate these steps, though, especially since automation (which is something we eventually want) would probably require it.

hence
/lgtm

[satyasm]

/retest

[satyasm]

Thanks @ixdy, btw since I'm not sure, does the hold need to be removed?

[ixdy]

@satyasm yes, though can we maybe rename those tags to .1 instead of +1?

[satyasm]

yup, can do that if that makes more sense. Will update the PR.

[satyasm]

@ixdy updated debian-hyperkube-base to 0.10.1 and debian-iptables to v10.1 instead of 0.11 and v11 respectively.

[ixdy]

/lgtm

[ixdy]

/hold cancel

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ixdy, mkumatag, satyasm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• build/OWNERS [ixdy]
• test/images/OWNERS [ixdy]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[satyasm]

/retest

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-ci-robot]

@satyasm: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
pull-kubernetes-integration	025a0b3	link	/test pull-kubernetes-integration

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 67026, 62945, 66917). If you want to cherry-pick this change to another branch, please follow the instructions here.

[neolit123]

/sig release
(?)