upgrade sdk to use kube-rbac-proxy:v0.7.0 instead of kube-rbac-proxy:v0.5.0 #3925

Closed
camilamacedo86 opened this issue Sep 21, 2020 · 5 comments · Fixed by #4498
Labels: area/dependency (Issues or PRs related to dependency changes), language/ansible (Issue is related to an Ansible operator project), language/helm (Issue is related to a Helm operator project), priority/important-soon (Must be staffed and worked on either currently, or very soon, ideally in time for the next release.)

Comments


camilamacedo86 commented Sep 21, 2020

Describe the problem

Helm/Ansible/Go operators are using the image kube-rbac-proxy:v0.5.0. This image is not rootless and raises security concerns. This image is built from https://github.com/brancz/kube-rbac-proxy/. The project https://github.com/brancz/kube-rbac-proxy/ was updated and its 0.7.0 will provide an image that addresses these concerns.

Describe the solution you'd like.

  • V2+ and V3 plugins in upstream using an image built with the version 0.7.0 and these changes addressed
  • bump new kb version/commit after the sparkles: upgrade gcr.io/kubebuilder/kube-rbac-proxy from v0.5.0 to v0.7.0 kubernetes-sigs/kubebuilder#1686 gets merged
  • check if the new commit/patch brings some change/fixes that should be a patch for ansible and helm (note that from the current version of the common config manifests used for both until the commit it might have other bug fixes. So, it is important to check it as well so that we are able to address them)
  • update the kube-rbac-proxy version for ansible/helm templates
  • All SDK shell scripts which are pulling the version 0.5.0 also should be updated.
@camilamacedo86 camilamacedo86 changed the title upgrade upgrade sdk to use kube-rbac-proxy:v0.7.0 instead of kube-rbac-proxy:v0.5.0 Sep 21, 2020
@kensipe kensipe added language/ansible Issue is related to an Ansible operator project language/helm Issue is related to a Helm operator project labels Sep 21, 2020
@kensipe kensipe added this to the Backlog milestone Sep 21, 2020
@camilamacedo86 camilamacedo86 added the area/dependency Issues or PRs related to dependency changes label Sep 21, 2020
camilamacedo86 (Contributor, Author) commented

It is blocked by: kubernetes-sigs/kubebuilder#1785


estroz commented Dec 18, 2020

@camilamacedo86 why does that kubebuilder issue block an image tag upgrade for ansible and helm?


camilamacedo86 commented Dec 18, 2020

Hi @estroz,

Because we need to have the image in the google cloud. Otherwise we are unable to pull that. I already raised it twice in the Kubebuilder, Controller Runtime, and Controller Tools Meeting.

The kube-rbac-proxy images provided by Kubebuilder are running pods as root which brings a high-security concern over the projects which are using it. The solution is already in place but we need help from who has permission to build and push images for 0.7.0 and 0.8.0 releases in https://console.cloud.google.com/gcr/images/kubebuilder/GLOBAL/kube-rbac-proxy?gcrImageListsize=30.

The ultimate solution is to automate this process until its author is able to do the donation. However, the automation will not push the releases made already anyway. Also, to be able to do that it is required to have access to the cloud and the project to set it up, which makes the goal very hard to get done by the community.

These images have been built and pushed manually (it was checked with @solly already). The issue kubernetes-sigs/kubebuilder#1785 is for us to have the images there and update the kubebuilder scaffold; after that we can update the Ansible/Helm scaffold as well.

Why is it important that we have the latest release and update the kubebuilder scaffolds to use it as soon as possible?

The latest images contain a fix brancz/kube-rbac-proxy#86 to make the images rootless to solve critical security concerns. More info: kubernetes-sigs/kubebuilder#1637

Because of this, I am flagging it as a priority and adding it to the milestone 1.5.0.

c/c @jmrodri @asmacdo @varshaprasad96
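The thread's concern is a scaffolded `kube-rbac-proxy` sidecar left on the pre-rootless v0.5.0 tag, and the issue body asks for every template and script still pulling 0.5.0 to be found. The following is an added example for this thread, not Operator SDK or Kubebuilder code: a small scanner a maintainer could run over scaffolded manifests and Helm/Ansible templates to flag any `kube-rbac-proxy` image below v0.7.0, and to flag images whose version cannot be determined (untagged, `latest`, or digest-only) rather than silently passing them. The manifest text, the container names, and the all-zero digest are constructed for the example.

```python
"""Flag kube-rbac-proxy image references below the first rootless release.

Added example for this thread; not Operator SDK or Kubebuilder code. The
sample manifest below is constructed to resemble the controller-manager
Deployment the SDK scaffolds, with extra sidecars to exercise each branch.
"""
import re
from typing import List, Optional, Tuple

# Matches an `image:` line (value optionally quoted) whose repository contains
# kube-rbac-proxy, capturing the full reference for tag parsing.
IMAGE_RE = re.compile(
    r"^\s*-?\s*image:\s*['\"]?([^\s'\"]*kube-rbac-proxy[^\s'\"]*)['\"]?\s*$",
    re.MULTILINE,
)

# Plain semver tag, with or without a leading "v". Anything else (latest,
# digest-only, untagged) is reported as undetermined, not accepted.
TAG_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")

# v0.7.0 is the version the issue asks for (first rootless build).
MIN_VERSION = (0, 7, 0)


def parse_version(ref: str) -> Optional[Tuple[int, ...]]:
    """Return (major, minor, patch) parsed from an image reference's tag, or
    None when the tag is absent, digest-only, or not plain semver."""
    # Drop any @sha256:... digest first; a digest alone carries no version.
    ref = ref.split("@", 1)[0]
    # The tag is whatever follows the last ':' AFTER the last '/', so a
    # registry port such as localhost:5000/kube-rbac-proxy is not mistaken
    # for a tag.
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon <= last_slash:
        return None
    match = TAG_RE.match(ref[colon + 1:])
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def find_outdated(manifest: str, minimum=MIN_VERSION) -> List[Tuple[str, str]]:
    """Return (image_ref, reason) for each kube-rbac-proxy image that is below
    `minimum` or whose version cannot be determined."""
    findings = []
    for ref in IMAGE_RE.findall(manifest):
        version = parse_version(ref)
        if version is None:
            findings.append((ref, "tag missing, digest-only, or not semver; pin an explicit version"))
        elif version < minimum:
            findings.append((ref, "below v%d.%d.%d (pre-rootless build)" % minimum))
    return findings


# Constructed sample manifest: one sidecar still on v0.5.0, one on v0.8.0,
# one pinned only by a placeholder digest (64 zeros, not a real image).
SAMPLE_MANIFEST = """\
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
spec:
  template:
    spec:
      containers:
      - name: kube-rbac-proxy
        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
        args:
        - "--secure-listen-address=0.0.0.0:8443"
      - name: manager
        image: controller:latest
      - name: rbac-proxy-upgraded
        image: "gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0"
      - name: rbac-proxy-digest-only
        image: gcr.io/kubebuilder/kube-rbac-proxy@sha256:0000000000000000000000000000000000000000000000000000000000000000
"""

if __name__ == "__main__":
    for ref, reason in find_outdated(SAMPLE_MANIFEST):
        print("%s: %s" % (ref, reason))
```

Run against a real scaffold by reading each file under `config/` or the Helm/Ansible template directories into `find_outdated`; the line-based match is deliberately simple so it works on Helm templates and Ansible-rendered YAML that a strict YAML parser would reject.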

@camilamacedo86 camilamacedo86 added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Dec 18, 2020
@camilamacedo86 camilamacedo86 modified the milestones: Backlog, v1.5.0 Dec 18, 2020
@camilamacedo86 camilamacedo86 removed their assignment Dec 18, 2020

estroz commented Dec 18, 2020

Alternative: why doesn't kubebuilder use the upstream image quay.io/brancz/kube-rbac-proxy?


camilamacedo86 commented Dec 19, 2020

The problem is to ship an image that we, or Google, have no control of. Indeed, for downstream we might be building and storing our image.

c/c @jmrodri

@kensipe kensipe modified the milestones: v1.4.0, v1.5.0 Jan 13, 2021
@estroz estroz self-assigned this Feb 3, 2021
camilamacedo86 added a commit that referenced this issue Feb 10, 2021
**Description of the change:**

-   For Ansible/Helm based-operators, upgrade the `kube-rbac-proxy` image version from `0.5.0` to `0.8.0` to address security concerns. More info [#kubernetes-sigs/kubebuilder#1955](kubernetes-sigs/kubebuilder#1955).


**Motivation for the change:**

- Closes: #3925