# rke2

bright-farmer-78407

01/09/2023, 7:02 PM
Hi everyone, I need some help parsing the release metadata for rke2 releases. Is this release information (specifically, supported k8s version, system images etc.) available in some JSON format? (https://github.com/rancher/rke2/releases/tag/v1.26.0%2Brke2r1)

creamy-pencil-82913

01/09/2023, 7:03 PM
nope. just the markdown table.
what do you mean by “supported kubernetes version”? The Kubernetes version is right there in the RKE2 release version
and there is a text file for each release with the images listed in it

bright-farmer-78407

01/09/2023, 7:22 PM
right, I saw that for manager there's a data JSON report. I was hoping there's a similar one I can parse; that would help. https://github.com/rancher/rancher/releases/download/v2.7.2-rc1/rancher-data.json But I guess the txt file should work as well.

creamy-pencil-82913

01/09/2023, 7:24 PM
the RKE2 version is the Kubernetes version
is there other metadata you were looking for?

bright-farmer-78407

01/09/2023, 7:29 PM
That is the one I am looking for. Although, going forward if you can provide signs and SBOM (similar to k8s release MD) that would be super useful.
In the image-list (.txt) I don't see k8s-api-service, controller-manager images?
also, is there any documentation on what docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209 represents?

creamy-pencil-82913

01/09/2023, 7:35 PM
there aren’t separate images for those, they all use hardened-kubernetes
that is a build of the Kubernetes components, at that version and RKE2 release, built on that date

bright-farmer-78407

01/09/2023, 7:37 PM
thank you, that's helpful!

creamy-pencil-82913

01/09/2023, 7:37 PM
I guess we considered the version tags pretty self-evident
There are some additional docs at https://docs.rke2.io/security/about_hardened_images and https://github.com/rancher/rke2/blob/master/developer-docs/image_sources.md, although the latter is a bit out of date; the base images are now SLE BCI, not UBI7.

bright-farmer-78407

01/09/2023, 7:58 PM
Are vulnerabilities fixed in patched versions? I just ran the 1.26 image through Snyk and it's reporting a few medium sev vulnerabilities.
```
Testing docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209...

✗ Medium severity vulnerability found in k8s.io/legacy-cloud-providers/vsphere
  Description: Improper Output Neutralization for Logs
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOLEGACYCLOUDPROVIDERSVSPHERE-1018868
  Introduced through: k8s.io/legacy-cloud-providers/vsphere@v0.0.0
  From: k8s.io/legacy-cloud-providers/vsphere@v0.0.0
  Fixed in: 1.20.0-alpha.2

✗ Medium severity vulnerability found in k8s.io/apiserver/pkg/server
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPISERVERPKGSERVER-561502
  Introduced through: k8s.io/apiserver/pkg/server@v0.0.0
  From: k8s.io/apiserver/pkg/server@v0.0.0
  Fixed in: 0.15.10, 0.16.7, 0.17.3

✗ Medium severity vulnerability found in k8s.io/apimachinery/pkg/util/proxy
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPIMACHINERYPKGUTILPROXY-590104
  Introduced through: k8s.io/apimachinery/pkg/util/proxy@v0.0.0
  From: k8s.io/apimachinery/pkg/util/proxy@v0.0.0
  Fixed in: 0.19.0-rc.1

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  From: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  Fixed in: 0.4.0
```

creamy-pencil-82913

01/09/2023, 8:18 PM
your vuln reporting tool doesn’t appear to be finding the versions correctly
```
Introduced through: k8s.io/apiserver/pkg/server@v0.0.0
  From: k8s.io/apiserver/pkg/server@v0.0.0
```

bright-farmer-78407

01/09/2023, 8:56 PM
ahh, how about others?
```
✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  From: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  Fixed in: 0.4.0
```

creamy-pencil-82913

01/09/2023, 9:34 PM
we just build Kubernetes using the upstream dependent module versions. When upstream updates, so do we.
x/net/http2 is part of x/net and it looks like upstream is still on 0.3.1 https://github.com/kubernetes/kubernetes/blob/v1.26.0/go.mod#L81

bright-farmer-78407

01/09/2023, 10:08 PM
thanks, that makes sense.