
[v13] Update k8s.io to 0.29.0 to address PRISMA-2022-0227 #36240

Closed
wants to merge 1 commit into from

Conversation

jentfoo (Contributor) commented Jan 3, 2024

[v13] backport of k8s.io update to 0.29.0 to address PRISMA-2022-0227 (not currently tracked by dependabot), applied in master as part of #35810

@jentfoo jentfoo added security Security Issues go Issues related to Go builds/tooling dependencies Pull requests that update a dependency file labels Jan 3, 2024
@jentfoo jentfoo self-assigned this Jan 3, 2024
github-actions bot commented Jan 3, 2024

The PR changelog entry failed validation: Changelog entry not found in the PR body. Please add a "no-changelog" label to the PR, or changelog lines starting with changelog: followed by the changelog entries for the PR.

@jentfoo jentfoo added the no-changelog Indicates that a PR does not require a changelog entry label Jan 3, 2024
tigrato (Contributor) left a comment

hopefully it doesn't break anything

jentfoo (Contributor, Author) commented Jan 3, 2024

It looks like some deprecation changes will also need to be backported to v13 and v12

zmb3 (Collaborator) commented Jan 3, 2024

hopefully it doesn't break anything

I don't feel good about making changes we are not confident in to appease some commercial vulnerability scanner that we are in no way affiliated with.

tigrato (Contributor) commented Jan 3, 2024

hopefully it doesn't break anything

I don't feel good about making changes we are not confident in to appease some commercial vulnerability scanner that we are in no way affiliated with.

Kube access will continue working - impersonation and stable apis kept the same and we don't use other APIs so we will continue working with all Kube versions - but for the operator, it's always a Schrödinger's cat paradox

jentfoo (Contributor, Author) commented Jan 3, 2024

After discussion on Slack we are going to forgo the v12 and v13 backports due to risk. We should not be vulnerable to this as mentioned in the k8s issue: kubernetes/client-go#1254

We will backport v14 since there is less potential risk there and it will help with support load on this false positive. We may revive this PR if support loads increase.

@jentfoo jentfoo closed this Jan 3, 2024
zmb3 (Collaborator) commented Jan 3, 2024

After discussion on Slack we are going to forgo the v12 and v13 backports due to risk.

Thank you for the pragmatism on this.

@jentfoo jentfoo deleted the jent/update-k8s-client-v13 branch April 5, 2024 17:45
Labels
backport dependencies Pull requests that update a dependency file go Issues related to Go builds/tooling no-changelog Indicates that a PR does not require a changelog entry security Security Issues size/sm