Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update the Debian images to pick up CVE fixes in the base images #102302

Merged
merged 3 commits into from
May 25, 2021
Merged

Update the Debian images to pick up CVE fixes in the base images #102302

merged 3 commits into from
May 25, 2021

Conversation

xmudrii
Copy link
Member

@xmudrii xmudrii commented May 25, 2021
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

Update the Debian images to pick up CVE fixes in the base images:

  • Update the debian-base image to v1.7.0
  • Update the debian-iptables image to v1.6.1

Which issue(s) this PR fixes:

Related to #102215

Does this PR introduce a user-facing change?

Update the Debian images to pick up CVE fixes in the base images:
- Update the `debian-base` image to v1.7.0
- Update the `debian-iptables` image to v1.6.1

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

/assign @justaugustus @dims
/sig release
/area release-eng

xmudrii added 3 commits May 25, 2021 22:49
@xmudrii
Update debian-iptables to buster-v1.6.1
3bcc15e 
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
@xmudrii
Update debian-base to buster-v1.7.0
33fe4bb 
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
@xmudrii
Update etcd image revision
80fa50e 
Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. kind/feature Categorizes issue or PR as related to a new feature. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. sig/release Categorizes an issue or PR as relevant to SIG Release. area/release-eng Issues or PRs related to the Release Engineering subproject cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels May 25, 2021
@xmudrii
Copy link
Member Author

xmudrii commented May 25, 2021

/area security
/area dependency
(from the issue)

/priority important-soon
/triage accepted

@k8s-ci-robot k8s-ci-robot added area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/testing Categorizes an issue or PR as relevant to SIG Testing. area/security area/dependency Issues or PRs related to dependency changes priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 25, 2021
@k8s-ci-robot k8s-ci-robot requested review from dims and fejta May 25, 2021 20:53
xmudrii
xmudrii commented May 25, 2021
View reviewed changes
cluster/images/etcd/Makefile
# artifacts. It should start at zero for each LATEST_ETCD_VERSION and increment
# for each revision of this image at that etcd version.
REVISION?=0
REVISION?=1
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We did this the last time we bumped images (reference: https://github.com/kubernetes/kubernetes/pull/100976/files#diff-de315dbb88d6d341b1682ef2fb0798723139fb4202ac607a334fc301e9359ec7R37), so I thought we should do it this time too.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

doesn't hurt usually to do this. however we still haven't updated to the 3.5 beta image yet (

kubernetes/build/dependencies.yaml

Lines 79 to 93 in fd82c69

# etcd
- name: "etcd"
version: 3.4.13
refPaths:
- path: cluster/gce/manifests/etcd.manifest
match: etcd_docker_tag|etcd_version
- path: cluster/gce/upgrade-aliases.sh
match: ETCD_IMAGE|ETCD_VERSION
- path: cmd/kubeadm/app/constants/constants.go
- path: hack/lib/etcd.sh
match: ETCD_VERSION=
- path: staging/src/k8s.io/sample-apiserver/artifacts/example/deployment.yaml
match: quay.io/coreos/etcd
- path: test/e2e/framework/nodes_util.go
match: const etcdImage
) so we could keep REVISION to 0 . But will defer to the @kubernetes/sig-release-leads

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It seems like the etcd 3.5.0-beta.3-1 image has been already built, so I believe it doesn't make sense to revert the REVISION to 0 any longer. Ref: kubernetes/k8s.io#2101

@justaugustus justaugustus changed the title Debian iptables update Debian base image updates May 25, 2021
@xmudrii xmudrii changed the title Debian base image updates Update the Debian images to pick up CVE fixes in the base images May 25, 2021
@justaugustus
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 25, 2021
@dims
Copy link
Member

dims commented May 25, 2021

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, justaugustus, xmudrii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 25, 2021
@k8s-ci-robot k8s-ci-robot merged commit 5640c64 into kubernetes:master May 25, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.22 milestone May 25, 2021
@github-actions github-actions bot mentioned this pull request May 26, 2021
Open
@xmudrii xmudrii deleted the debian-iptables-update branch May 26, 2021 11:50
This was referenced May 26, 2021
Merged
Merged
Merged
k8s-ci-robot added a commit that referenced this pull request May 27, 2021
@k8s-ci-robot
Merge pull request #102340 from cpanato/automated-cherry-pick-of-#102…
5d96d97 
…302-upstream-release-1.21

Automated cherry pick of #102302: Update debian-iptables to buster-v1.6.1
k8s-ci-robot added a commit that referenced this pull request May 27, 2021
@k8s-ci-robot
Merge pull request #102341 from cpanato/automated-cherry-pick-of-#102…
5f6b1fa 
…302-upstream-release-1.20

Automated cherry pick of #102302: Update debian-iptables to buster-v1.6.1
k8s-ci-robot added a commit that referenced this pull request May 27, 2021
@k8s-ci-robot
Merge pull request #102342 from cpanato/automated-cherry-pick-of-#102…
27ffcba 
…302-upstream-release-1.19

Automated cherry pick of #102302: Update debian-iptables to buster-v1.6.1
@justaugustus justaugustus mentioned this pull request May 27, 2021
Closed
dghubble added a commit to poseidon/kubelet that referenced this pull request Jun 4, 2021
@dghubble
Update debian-iptables base from v1.6.0 to v1.6.2
42a41f0 
* kubernetes/kubernetes#102302
* kubernetes/kubernetes#102590
@dghubble dghubble mentioned this pull request Jun 4, 2021
Merged
@PushkarJ PushkarJ mentioned this pull request Sep 14, 2021
Open
17 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dims dims Awaiting requested review from dims

@fejta fejta Awaiting requested review from fejta

Assignees

@dims dims

@justaugustus justaugustus

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/dependency Issues or PRs related to dependency changes area/release-eng Issues or PRs related to the Release Engineering subproject area/security area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/release Categorizes an issue or PR as relevant to SIG Release. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.22
Development

Successfully merging this pull request may close these issues.
4 participants
@xmudrii @justaugustus @dims @k8s-ci-robot