Upgrade Kustomize to >= 4.5.6 to mitigate CVE-2021-29923 and fix bugs #10533
Comments
@Daemonslayer2048 that's a pretty big hop in versions for a patch release of Argo CD. If we had a really compelling description of how this vulnerability severely impacts Argo CD, I'd be okay with adding it to the 2.4.x series with clear release notes warning of any surprise issues. Alternatively, we could write some docs encouraging folks to install and use a new version of Kustomize for themselves. But we should definitely make sure we're not using a vulnerable version in 2.5.
I won't say this issue severely impacts Argo, so rushing to get the updated binary in is probably not necessary. So I think waiting for the 2.5 release is reasonable; I consider this more of a "chore" task that lacks urgency. Is there a release date scheduled for 2.5? If the release date is particularly far out, I wouldn't mind helping write some docs for updating kustomize.
@Daemonslayer2048 I'd put the first 2.5 release candidate about two weeks out. I know @34fathombelow has been keeping an eye on the Kustomize releases and plans to put up a PR to get a recent version bundled before we ship 2.5. It might still be worth writing the docs for the 2.4 branch. Folks don't always upgrade quickly. 😬
#10533 suggests we should upgrade due to kustomize bugs. I still think sticking to the 4.4.x series in 2.4.x is the right approach, but docs about upgrading would help.
Hi, one workaround to the bug fixed in kustomize 4.5.3 is to duplicate the kustomize images from the kustomization.yaml on the Argo application, like this:
But it is complicated when you have a lot of applications to maintain, and I am not sure if it will work well with argo-image-updater.
Hello @crenshaw-dev , did you forgot to update the kustomize on the version 2.5 ?? |
@vhsantos Kustomize was upgraded to 4.5.7: https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.4-2.5/#upgraded-kustomize-version
I just found the info here.
Thanks
Summary
The argocd:v2.4.11 container ships with kustomize v4.4.1, which is vulnerable to CVE-2021-29923 because it is compiled with golang 1.16. There has been a similar chore task here to build Argo with a more up-to-date compiler. In short, simply bumping the kustomize version would help resolve multiple security issues related to an EOL golang version.
I have read the security policy and believe this would be acceptable to make public as per:
Motivation
At Platform One we use continuous scanning with tools like Twistlock and Anchore to scan our hardened images. We are encountering a number of CVEs regarding go1.16, which is EOL.
Proposal
Upgrade from kustomize v4.4.1 to kustomize 4.5.6
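As an added example (not code from the Argo CD project), a small POSIX shell check that parses `kustomize version` output and flags any bundled binary older than the 4.5.6 minimum proposed here. The sample output line is constructed, and the `docker run` invocation in the comment assumes the image exposes `kustomize` on its PATH.

```shell
#!/bin/sh
# Added example, not Argo CD project code. Minimum version comes from this issue's proposal.
MIN_KUSTOMIZE="4.5.6"

# Extract "X.Y.Z" from `kustomize version` output, e.g. the constructed line
# "{Version:kustomize/v4.4.1 GitCommit:deadbeef GoOs:linux GoArch:amd64}" or a bare "v4.5.7".
parse_kustomize_version() {
  printf '%s\n' "$1" | sed -n 's/.*v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when semver $1 >= $2, comparing each component numerically
# so that 4.10.0 sorts above 4.9.0 (a plain string compare would get this wrong).
semver_ge() {
  a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
  b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# Classify one `kustomize version` output line; exit status 0 = ok, 1 = needs upgrade, 2 = unparsed.
check_kustomize() {
  v=$(parse_kustomize_version "$1")
  if [ -z "$v" ]; then echo "unparsed"; return 2; fi
  if semver_ge "$v" "$MIN_KUSTOMIZE"; then echo "ok ($v)"; return 0; fi
  echo "needs-upgrade ($v < $MIN_KUSTOMIZE)"; return 1
}

# Typical use against a pulled image (assumes kustomize is on the image's PATH):
#   check_kustomize "$(docker run --rm --entrypoint kustomize quay.io/argoproj/argocd:v2.4.11 version)"
```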