Update images before 1.7 release #47386

Closed
ixdy opened this issue Jun 13, 2017 · 9 comments · Fixed by #47877
Assignees
Labels
area/security sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/release Categorizes an issue or PR as relevant to SIG Release.
Milestone

Comments

@ixdy
Member

ixdy commented Jun 13, 2017

A number of addon images have CVEs that have been fixed in the upstream base images.
We should update these images before the final 1.7 release.

cc @timstclair

@ixdy ixdy added this to the v1.7 milestone Jun 13, 2017
@ixdy ixdy self-assigned this Jun 13, 2017
@k8s-github-robot

@ixdy There are no sig labels on this issue. Please add a sig label by:
(1) mentioning a sig: @kubernetes/sig-<team-name>-misc
(2) specifying the label manually: /sig <label>

Note: method (1) will trigger a notification to the team. You can find the team list here and label list here

@k8s-github-robot k8s-github-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jun 13, 2017
@ixdy
Member Author

ixdy commented Jun 13, 2017

@kubernetes/sig-release-misc

@k8s-ci-robot k8s-ci-robot added the sig/release Categorizes an issue or PR as relevant to SIG Release. label Jun 13, 2017
@k8s-github-robot k8s-github-robot removed the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jun 13, 2017
@timstclair

/cc @dchen1107

@luxas
Member

luxas commented Jun 13, 2017

cc @luxas

k8s-github-robot pushed a commit to kubernetes-retired/contrib that referenced this issue Jun 13, 2017
Automatic merge from submit-queue

Bump images that use debian-base image

I recently updated the `debian-base-*` image off upstream with fixes for a number of CVEs.
The downstream images now need to be updated, which I've done in this PR, bumping the patch version for each.

I haven't yet pushed any of these images.
After doing so, I'll need to follow up with additional changes in the manifests.

x-ref kubernetes/kubernetes#47386
cc @Q-Lee @crassirostris
@dchen1107 dchen1107 added sig/auth Categorizes an issue or PR as relevant to SIG Auth. approved-for-milestone labels Jun 13, 2017
k8s-github-robot pushed a commit that referenced this issue Jun 14, 2017
Automatic merge from submit-queue (batch tested with PRs 47302, 47389, 47402, 47468, 47459)

Update to kube-addon-manager:v6.4-beta.2: kubectl v1.6.4 and refreshed base images

**What this PR does / why we need it**: refreshes base images for kube-addon-manager with fixes for CVE-2016-9841 and CVE-2016-9843.

x-ref #47386

**Special notes for your reviewer**: the updated images are not yet pushed, so tests will fail until that's done.

**Release note**:

```release-note
```

/assign @MrHohn
k8s-github-robot pushed a commit that referenced this issue Jun 15, 2017
Automatic merge from submit-queue (batch tested with PRs 47492, 47542, 46800, 47545, 45764)

Update addons with upstream CVE fixes

**What this PR does / why we need it**: refreshes the cluster-proportional-autoscaler, metadata-proxy, and fluentd-gcp addons with new base images with fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-8859
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-9526

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: x-ref #47386, though there are still a few images left to update

**Release note**:

```release-note
Update cluster-proportional-autoscaler, metadata-proxy, and fluentd-gcp addons with fixes for CVE-2016-4448, CVE-2016-8859, CVE-2016-9841, CVE-2016-9843, and CVE-2017-9526.
```

/cc @timstclair @MrHohn @Q-Lee @crassirostris
@ixdy
Member Author

ixdy commented Jun 15, 2017

The new debian-base-amd64 image appears to have removed libcap.so.2. I'm not sure if this was expected, but it caused at least fluentd to stop working on COS (#47600). This might also affect kubeproxy, which uses debian-iptables-amd64 (a derivative of debian-base).

@ixdy
Member Author

ixdy commented Jun 15, 2017

Also the metadata-proxy, prometheus-to-sd, the fluentd-event-exporter, and ip-masq-agent.

k8s-github-robot pushed a commit that referenced this issue Jun 16, 2017
Automatic merge from submit-queue (batch tested with PRs 47451, 47410, 47598, 47616, 47473)

debian-base: don't remove libcap2

**What this PR does / why we need it**: when I updated the `debian-base` image earlier this week, it apparently removed the libcap2 libraries needed for some dependent images (e.g. fluentd-gcp, #47600).

By holding this package, the library isn't removed from the base image. I've verified by running https://github.com/moul/docker-diff against the `debian-base` image from 2017-02-24.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: x-ref #47386

**Special notes for your reviewer**: nothing is pushed yet.

**Release note**:

```release-note
NONE
```

/cc @timstclair @dchen1107 @luxas @kubernetes/sig-release-misc
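An added example, not code from the Kubernetes repository or from docker-diff, of the regression check the commit message above describes: compare the file inventory of an image before and after a base-image refresh and fail if a shared library such as libcap.so.2 has disappeared. The two inventories below are constructed; real ones would come from docker-diff or from listing files inside each image.

```shell
#!/bin/sh
# Added example (not from the Kubernetes repo): detect shared libraries dropped
# by a base-image refresh, the class of regression the libcap2 removal caused.
# The inventories are constructed here; in practice they would be produced by
# docker-diff or by running `find / -type f` inside the old and new image.

OLD_INVENTORY=$(mktemp)
NEW_INVENTORY=$(mktemp)

cat >"$OLD_INVENTORY" <<'EOF'
/lib/x86_64-linux-gnu/libc.so.6
/lib/x86_64-linux-gnu/libcap.so.2
/lib/x86_64-linux-gnu/libcap.so.2.25
/usr/bin/iptables
/usr/share/doc/libcap2/changelog.gz
EOF

cat >"$NEW_INVENTORY" <<'EOF'
/lib/x86_64-linux-gnu/libc.so.6
/usr/bin/iptables
EOF

# Print every shared library (*.so or *.so.N[.N...]) present in the first
# inventory but absent from the second. `grep -vxF -f NEW OLD` prints the lines
# of OLD that have no exact whole-line match in NEW; "|| true" keeps an empty
# result from counting as a failure under `set -e`.
removed_shared_libs() {
    grep -vxF -f "$2" "$1" | grep -E '\.so(\.[0-9]+)*$' || true
}

# Return 1 (and report the offenders on stderr) if the refresh dropped any
# shared library, 0 otherwise, so the check can gate an image build or push.
check_no_lib_regression() {
    removed="$(removed_shared_libs "$1" "$2")"
    [ -z "$removed" ] && return 0
    printf 'shared libraries removed by image refresh:\n%s\n' "$removed" >&2
    return 1
}

# With the constructed inventories this reports both libcap.so.2 entries.
check_no_lib_regression "$OLD_INVENTORY" "$NEW_INVENTORY" ||
    echo "refresh regressed: hold the package (apt-mark hold) before pushing"
```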
@luxas
Member

luxas commented Jun 17, 2017

@ixdy anything more to do for this issue?

@ixdy
Member Author

ixdy commented Jun 19, 2017

Yes, I need to get kubernetes-retired/contrib#2640 merged and update those images again. I also need to bump a few other images (dns and ip-masq-agent).

@ixdy
Member Author

ixdy commented Jun 21, 2017

#47877 should be the last update needed.

k8s-github-robot pushed a commit that referenced this issue Jun 22, 2017
Automatic merge from submit-queue

Update addons with upstream CVE fixes

**What this PR does / why we need it**: refreshes the kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-1000366
* CVE-2017-2616
* CVE-2017-9526

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #47386 (yay!)

**Special notes for your reviewer**:

**Release note**:

```release-note
Update kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for CVE-2016-4448, CVE-2016-9841, CVE-2016-9843, CVE-2017-1000366, CVE-2017-2616, and CVE-2017-9526.
```
/assign @bowei @MrHohn @Q-Lee @crassirostris @dnardo 
/cc @dchen1107 @timstclair