
Dockerfile: bump debian image to bullseye-20210927 #13376

Merged
merged 1 commit into from
Oct 1, 2021

Conversation

hexfusion
Contributor

Debian buster has been replaced with bullseye v11.0 and is getting CVE fixes quicker. This PR moves us from buster to bullseye and also applies a hotfix for openssl to resolve CVE-2021-3711.

We recently moved to k8s.gcr.io/build-image/debian-base for our Debian base images to align with upstream k8s which just recently moved to bullseye[1]. The plan is to move back to this registry once these fixes are addressed. But as we are going to cut a new 3.5 release it seems prudent to improve our security profile now.

fixes: CVE-2021-3711, CVE-2021-35942, CVE-2019-9893

CVE testing was done using trivy[2]

[1] kubernetes/kubernetes@531eb71
[2] https://github.com/aquasecurity/trivy

cc @gyuho @ptabor @hasbro17 @lilic @serathius
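As an added example (not etcd's code and not part of this PR), here is a small Go gate of the kind one would run over the trivy report the description mentions: it parses trivy's JSON output and fails if any of the three listed CVEs is still present, or if anything at HIGH or above remains. It assumes the SchemaVersion 2 layout that current trivy emits with `trivy image --format json`; older releases emitted a top-level array, which this parser rejects with an error. The two embedded reports are constructed samples, not real scan output, and the package versions in them are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Subset of trivy's JSON report (SchemaVersion 2) that the gate reads; field
// names match trivy's output and every other field is ignored.
type (
	Report struct {
		Results []Result `json:"Results"`
	}
	Result struct {
		Vulnerabilities []Vulnerability `json:"Vulnerabilities"` // null when none found
	}
	Vulnerability struct {
		VulnerabilityID  string `json:"VulnerabilityID"`
		PkgName          string `json:"PkgName"`
		InstalledVersion string `json:"InstalledVersion"`
		FixedVersion     string `json:"FixedVersion"`
		Severity         string `json:"Severity"`
	}
	// Finding is one vulnerability that violates the policy.
	Finding struct{ ID, Pkg, Installed, Fixed, Severity string }
)

// FixedCVEs is the deny list: the CVEs the PR description says this bump removes.
var FixedCVEs = []string{"CVE-2021-3711", "CVE-2021-35942", "CVE-2019-9893"}
// severityRank orders trivy's severities; an unrecognised one maps to 0, so it
// fails the gate only if it is on the deny list.
var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// Gate parses a trivy JSON report and returns every vulnerability that is on the
// deny list or at/above minSeverity. An empty result means the image passes.
func Gate(reportJSON []byte, denyList []string, minSeverity string) ([]Finding, error) {
	var r Report
	if err := json.Unmarshal(reportJSON, &r); err != nil {
		return nil, fmt.Errorf("parse trivy report: %w", err)
	}
	threshold, ok := severityRank[strings.ToUpper(minSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown severity threshold %q", minSeverity)
	}
	deny := map[string]bool{}
	for _, id := range denyList {
		deny[strings.ToUpper(id)] = true
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			id := strings.ToUpper(v.VulnerabilityID)
			if deny[id] || severityRank[strings.ToUpper(v.Severity)] >= threshold {
				out = append(out, Finding{id, v.PkgName, v.InstalledVersion, v.FixedVersion, v.Severity})
			}
		}
	}
	return out, nil
}

// FindingIDs returns the CVE IDs of a set of findings in sorted order.
func FindingIDs(fs []Finding) []string {
	ids := make([]string, 0, len(fs))
	for _, f := range fs {
		ids = append(ids, f.ID)
	}
	sort.Strings(ids)
	return ids
}

// Constructed sample reports in trivy's JSON shape (not real scan output; the
// package versions are illustrative).
const busterReport = `{"SchemaVersion":2,"ArtifactName":"k8s.gcr.io/build-image/debian-base:buster-v1.4.0",
 "Results":[{"Target":"debian-base:buster-v1.4.0 (debian 10)","Type":"debian","Vulnerabilities":[
  {"VulnerabilityID":"CVE-2021-3711","PkgName":"libssl1.1","InstalledVersion":"1.1.1d-0+deb10u6","FixedVersion":"1.1.1d-0+deb10u7","Severity":"CRITICAL"},
  {"VulnerabilityID":"CVE-2021-35942","PkgName":"libc6","InstalledVersion":"2.28-10","FixedVersion":"","Severity":"HIGH"},
  {"VulnerabilityID":"CVE-2019-9893","PkgName":"libseccomp2","InstalledVersion":"2.3.3-4","FixedVersion":"","Severity":"MEDIUM"}]}]}`
const bullseyeReport = `{"SchemaVersion":2,"ArtifactName":"debian:bullseye-20210927",
 "Results":[{"Target":"debian:bullseye-20210927 (debian 11)","Type":"debian","Vulnerabilities":[
  {"VulnerabilityID":"CVE-2011-3374","PkgName":"apt","InstalledVersion":"2.2.4","FixedVersion":"","Severity":"LOW"}]}]}`

func main() {
	exit := 0
	for _, rep := range []string{busterReport, bullseyeReport} {
		findings, err := Gate([]byte(rep), FixedCVEs, "HIGH")
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		for _, f := range findings {
			fmt.Printf("FAIL %s %s %s %s (fixed in %q)\n", f.ID, f.Severity, f.Pkg, f.Installed, f.Fixed)
			exit = 1
		}
	}
	os.Exit(exit) // non-zero blocks the image from being used
}
```

The deny list matters independently of the threshold: in the sample, CVE-2019-9893 is only MEDIUM, so a severity cut-off alone would let it back in; listing the CVEs a bump is supposed to remove turns the PR's claim into a check that keeps holding on later rebuilds.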

@@ -1,4 +1,5 @@
FROM k8s.gcr.io/build-image/debian-base:buster-v1.4.0
# TODO: move to k8s.gcr.io/build-image/debian-base:bullseye-v1.y.z when patched
FROM debian:bullseye-20210927
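Review bot: `FROM debian:bullseye-20210927` pins the new base by tag only; a Docker Hub tag can be re-pushed, so a later build may not be the image that was scanned with trivy. Append the content digest, `FROM debian:bullseye-20210927@sha256:<digest>` (take the digest from `docker pull` or `docker inspect`), so the build is reproducible and the scan result stays tied to the bytes being shipped. The TODO on the line above could also name what it is waiting on (the openssl fix for CVE-2021-3711 in the bullseye debian-base image) so the follow-up is actionable. Separately, this moves the pull from k8s.gcr.io to Docker Hub, which rate-limits anonymous pulls; worth confirming CI pulls with credentials or through a mirror.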
Contributor

The change would switch it to a potentially rate-limited registry (dockerhub), will that impact builds?

Contributor

@mrueg mrueg Sep 30, 2021

This one got a bullseye tag: https://console.cloud.google.com/gcr/images/k8s-staging-build-image/global/debian-base (these are staging images that are not promoted yet)

Contributor Author

@hexfusion hexfusion Sep 30, 2021

they do have bullseye-v1.0.0 which is still exposed to CVE-2021-3711. If there is a fix pending promotion we can consider that.

Contributor

Working on this here: kubernetes/release#2371

Contributor

Updated here: #13546

@codecov-commenter

Codecov Report

Merging #13376 (1e1f113) into main (97756e3) will decrease coverage by 0.95%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main   #13376      +/-   ##
==========================================
- Coverage   71.31%   70.35%   -0.96%     
==========================================
  Files         453      447       -6     
  Lines       38856    38032     -824     
==========================================
- Hits        27709    26759     -950     
- Misses       9114     9247     +133     
+ Partials     2033     2026       -7     
Flag Coverage Δ
all 70.35% <ø> (-0.96%) ⬇️


Impacted Files Coverage Δ
pkg/report/report.go 0.00% <0.00%> (-94.25%) ⬇️
pkg/report/timeseries.go 0.00% <0.00%> (-88.47%) ⬇️
pkg/osutil/interrupt_unix.go 0.00% <0.00%> (-81.49%) ⬇️
pkg/osutil/osutil.go 0.00% <0.00%> (-80.00%) ⬇️
pkg/report/weighted.go 0.00% <0.00%> (-72.00%) ⬇️
pkg/crc/crc.go 45.45% <0.00%> (-54.55%) ⬇️
pkg/httputil/httputil.go 30.00% <0.00%> (-50.00%) ⬇️
pkg/flags/urls.go 0.00% <0.00%> (-45.00%) ⬇️
pkg/flags/strings.go 46.15% <0.00%> (-38.47%) ⬇️
pkg/netutil/netutil.go 34.42% <0.00%> (-33.61%) ⬇️
... and 52 more


Member

@spzala spzala left a comment

lgtm. The CI errors seem not related but we may want to re-run.
Thank you so much for quickly addressing CVEs @hexfusion

fixes: CVE-2021-3711, CVE-2021-35942, CVE-2019-9893

Signed-off-by: Sam Batschelet <sbatsche@redhat.com>