03/29/2023, 4:03 PM
The company I work for is trying to upgrade our k8s cluster. Unfortunately, our infra is cut off from the outside world, so all sourcing has to be done manually. When trying to source the rancher/rke-tools image, which is a dependency of the rancher rke install, our Aquasec scan is picking up the CVE-2019-5736 vulnerability in the image due to the version of Docker in that image, so it's being blocked from entering our estate. Could somebody explain how this image is used during the cluster creation, i.e. is it ephemerally spun up to perform some action and then stopped, or does it remain running to perform further tasks within the cluster? We were unsure how to mitigate this vulnerability unless we understand its use in the cluster. We're aware we can update our Deployment yaml to set runAsNonRoot to true, but we're unsure of the best practice, as this would depend on the usage of the images in the cluster. Need some urgent help.
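One way to check empirically whether the image stays resident after cluster creation, as an added example that is not part of the original post or of the RKE project: inventory every init and regular container whose image matches a prefix, reading the PodList JSON that `kubectl get pods -A -o json` produces (so it can be run from a saved file in an air-gapped estate). The pod and image tag values below are constructed for illustration; the script only sees containers the API server knows about as pods, so anything started directly on a node outside Kubernetes will not appear.

```python
"""Inventory which pods run a given image (e.g. rancher/rke-tools).

Input is the PodList JSON from `kubectl get pods -A -o json`. The sample below
is constructed for illustration; the names and tags are not from a real cluster.
"""
import json
from typing import Dict, List

# Constructed sample: one init container and one long-running container reference
# the rke-tools image; the third pod does not.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "kube-system", "name": "kube-proxy-abc12"},
         "spec": {"initContainers": [{"name": "cert-deploy", "image": "rancher/rke-tools:vX.Y.Z"}],
                  "containers": [{"name": "kube-proxy", "image": "rancher/hyperkube:vX.Y.Z"}]},
         "status": {"phase": "Running"}},
        {"metadata": {"namespace": "kube-system", "name": "log-linker-xyz99"},
         "spec": {"containers": [{"name": "log-linker", "image": "rancher/rke-tools:vX.Y.Z"}]},
         "status": {"phase": "Running"}},
        {"metadata": {"namespace": "default", "name": "web-1"},
         "spec": {"containers": [{"name": "web", "image": "nginx:1.23"}]},
         "status": {"phase": "Running"}},
    ],
})


def find_image_uses(podlist_json: str, image_prefix: str) -> List[Dict[str, str]]:
    """Return every container (init or regular) whose image starts with image_prefix.

    'init' containers run once and exit; 'main' containers stay up for the pod's
    lifetime, which is the distinction that matters for the ephemeral-vs-resident question.
    """
    hits = []
    for pod in json.loads(podlist_json).get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for kind in ("initContainers", "containers"):
            for c in spec.get(kind, []):
                if c.get("image", "").startswith(image_prefix):
                    hits.append({
                        "namespace": meta.get("namespace", ""),
                        "pod": meta.get("name", ""),
                        "container": c.get("name", ""),
                        "kind": "init" if kind == "initContainers" else "main",
                        "image": c["image"],
                        "phase": pod.get("status", {}).get("phase", ""),
                    })
    return hits


if __name__ == "__main__":
    for hit in find_image_uses(SAMPLE_PODLIST, "rancher/rke-tools"):
        print(hit)
```

To run it against a real cluster, replace SAMPLE_PODLIST with the contents of a file saved from `kubectl get pods -A -o json`.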