upgrade sdk to use kube-rbac-proxy:v0.7.0 instead of kube-rbac-proxy:v0.5.0 #3925
Comments
It is blocked by: kubernetes-sigs/kubebuilder#1785

@camilamacedo86 why does that kubebuilder issue block an image tag upgrade for Ansible and Helm?
Hi @estroz,

Because we need to have the image in the Google Cloud. Otherwise we are unable to pull it. I already raised it twice in the

The kube-rbac-proxy images provided by Kubebuilder are running pods as root, which raises a high security concern for the projects which are using it. The solution is already in place, but we need help from someone who has permission to build and push images for the 0.7.0 and 0.8.0 releases in https://console.cloud.google.com/gcr/images/kubebuilder/GLOBAL/kube-rbac-proxy?gcrImageListsize=30.

The ultimate solution is to automate this process until its author is able to do the donation. However, the automation will not push the releases already made anyway. Also, to be able to do that, it is required to have access to the cloud and the project to set it up, which makes the goal very hard to get done by the community. These images have been built and pushed manually (it was checked with @solly already).

The issue kubernetes-sigs/kubebuilder#1785 is so that we have the images there and update the kubebuilder scaffold; after that we can update the Ansible/Helm scaffold as well.

Why is it important that we have the latest release and update the kubebuilder scaffolds to use it as soon as possible? The latest images contain a fix, brancz/kube-rbac-proxy#86, to make the images rootless to solve critical security concerns. More info: kubernetes-sigs/kubebuilder#1637

Because of this, I am flagging it as a priority and adding it to the milestone 1.5.0.

Alternative: why doesn't kubebuilder use the upstream image?

The problem is to ship an image that we or Google have no control of. Indeed, for downstream we might be building and storing our image. c/c @jmrodri
**Description of the change:**
- For Ansible/Helm-based operators, upgrade the `kube-rbac-proxy` image version from `0.5.0` to `0.8.0` to address security concerns. More info [#kubernetes-sigs/kubebuilder#1955](kubernetes-sigs/kubebuilder#1955).

**Motivation for the change:**
- Closes: #3925
Describe the problem

Helm/Ansible/Go operators are using the image `kube-rbac-proxy:v0.5.0`. This image is not rootless and raises security concerns. This image is built from https://github.com/brancz/kube-rbac-proxy/. The project https://github.com/brancz/kube-rbac-proxy/ was updated and its 0.7.0 will provide an image that addresses these concerns.

Describe the solution you'd like.
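A way to find scaffolded manifests still pinned to a pre-0.7.0 `kube-rbac-proxy` image, as an added example that is not code from this issue or from operator-sdk. The function names, the sample manifest and the `example.invalid` registry are constructed for illustration; the 0.7.0 threshold is the one stated in the issue.

```python
import re

# Assumption taken from the issue text: 0.7.0 is the first rootless release.
MIN_ROOTLESS = (0, 7, 0)

# One "image:" line whose repository name is exactly kube-rbac-proxy,
# with an optional :tag and/or @digest, optionally quoted.
IMAGE_RE = re.compile(
    r"""^\s*-?\s*image:\s*["']?((?:[^\s"'/]+/)*kube-rbac-proxy(?:[:@][^\s"']*)?)["']?\s*$"""
)

def parse_tag(ref):
    """Return (major, minor, patch) for a vX.Y.Z tag, or None when the
    reference has no tag, is digest-only, or uses a non-semver tag."""
    name = ref.split("@", 1)[0].rsplit("/", 1)[-1]
    if ":" not in name:
        return None
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", name.split(":", 1)[1])
    return tuple(int(x) for x in m.groups()) if m else None

def audit(manifest_text):
    """Return (line number, image ref, status) for every kube-rbac-proxy
    image that is older than MIN_ROOTLESS or cannot be version-checked."""
    findings = []
    for lineno, line in enumerate(manifest_text.splitlines(), 1):
        m = IMAGE_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        version = parse_tag(ref)
        if version is None:
            findings.append((lineno, ref, "unverifiable"))
        elif version < MIN_ROOTLESS:
            findings.append((lineno, ref, "outdated"))
    return findings

# Constructed sample manifest fragment (not taken from the issue).
SAMPLE = """\
# constructed sample
containers:
- name: kube-rbac-proxy
  image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
- name: proxy-new
  image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0"
- name: proxy-untagged
  image: example.invalid/mirror/kube-rbac-proxy
- name: manager
  image: controller:latest
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A tag at or above the threshold only shows which release is pinned; it does not confirm how the pod actually runs in a given cluster.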