Comments (8)
Will check the other 2 bugs for cluster-api-provider-openstack and cluster-api-provider-vsphere.
from cluster-api-provider-ibmcloud.
Maybe we can change to use `debian:stretch-slim` as the base Docker image.
Why not use `static` lib when building the Go binary and replace the base image with `scratch`, to minimize the image size?
Just ignore the last comment, we need the `ca-certificates` package to generate the cert/key pair.
Looks like simply adding `apt-get update && apt-get upgrade -y` can't upgrade the vulnerable package to the fixed version.
Also checked the images of openstack and vsphere, the same security issues exist.
Should we consider changing the base image?
@gyliu513 Any comments?
@morvencao Yes, you can fix those issues together for OpenStack, vSphere as well.
@morvencao Do we have a best practice? I think other k8s-related projects have a similar question?
And does AWS have this kind of issue? Maybe we can refer to their stuff?
@jichenjc Usually we fix this kind of security issue by upgrading the packages to the new version, because new versions contain the fix; however, it doesn't work in provider images. I also tried to replace the base image.
I found that the gcp provider is using `gcr.io/distroless/static:latest` as base image: https://github.com/kubernetes-sigs/cluster-api-provider-gcp/blob/master/Dockerfile#L20, but I don't think we can do that, because we need the `ca-certificate` package.
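The static-binary-on-`scratch` idea raised in the thread, written out as an added example (not the project's own Dockerfile). It assumes the binary only needs the CA bundle at run time to verify TLS peers; the `golang:1.22` builder tag, the `./cmd/manager` path and the `manager` binary name are hypothetical.

```dockerfile
# Added example, not from the repository. Builder tag, source path and
# binary name are assumptions for illustration.
FROM golang:1.22 AS builder
WORKDIR /workspace
COPY . .
# CGO_ENABLED=0 yields a statically linked binary with no libc dependency,
# so the final stage needs no distro packages (and inherits none of their CVEs).
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o manager ./cmd/manager

FROM scratch
# The Debian-based builder ships the ca-certificates bundle; copying the single
# file gives Go's crypto/x509 a trust store without installing any package.
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=builder /workspace/manager /manager
# Numeric UID/GID works on scratch, which has no /etc/passwd.
USER 65532:65532
ENTRYPOINT ["/manager"]
```

If the binary shells out to external tools at run time, this layout does not apply, because `scratch` contains nothing but the two copied files.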