This message was deleted.
# rke2a
adamant-kite-43734
01/09/2023, 7:02 PMThis message was deleted.
c
creamy-pencil-82913
01/09/2023, 7:03 PMnope. just the markdown table.
creamy-pencil-82913
01/09/2023, 7:04 PMwhat do you mean by “supported kubernetes version”? The Kubernetes version is right there in the RKE2 release version
creamy-pencil-82913
01/09/2023, 7:04 PMand there is a text file for each release with the images listed in it
b
bright-farmer-78407
01/09/2023, 7:22 PMright, I saw for manager there's data json report. I was hoping if there's a similar one I can parse that would help. https://github.com/rancher/rancher/releases/download/v2.7.2-rc1/rancher-data.json
But, I guess txt file should work as well
c
creamy-pencil-82913
01/09/2023, 7:24 PMthe RKE2 version is the Kubernetes version
creamy-pencil-82913
01/09/2023, 7:25 PMIf you want the images for that release you can look at https://github.com/rancher/rke2/releases/download/v1.26.0%2Brke2r1/rke2-images-all.linux-amd64.txt
creamy-pencil-82913
01/09/2023, 7:25 PMis there other metadata you were looking for?
b
bright-farmer-78407
01/09/2023, 7:29 PMThat is the one I am looking for. Although, going forward if you can provide signs and SBOM (similar to k8s release MD) that would be super useful.
bright-farmer-78407
01/09/2023, 7:30 PMIn the image-list (.txt) I don;t see k8s-api-service, controller-manager images ?
bright-farmer-78407
01/09/2023, 7:32 PMalso, is there any documentation on what
<http://docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209|docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209>c
creamy-pencil-82913
01/09/2023, 7:35 PMthere aren’t separate images for those, they all use hardened-kubernetes
creamy-pencil-82913
01/09/2023, 7:35 PMthat is a build of the Kubernetes components, at that version and RKE2 release, built on that date
b
bright-farmer-78407
01/09/2023, 7:37 PMthank you, that's helpful!
c
creamy-pencil-82913
01/09/2023, 7:37 PMI guess we considered the version tags pretty self-evident
creamy-pencil-82913
01/09/2023, 7:39 PMThere are some additional docs at https://docs.rke2.io/security/about_hardened_images and https://github.com/rancher/rke2/blob/master/developer-docs/image_sources.md although the latter is a bit out of date; the bas images are now SLE BCI not UBI7
✅ 1
👍 1
b
bright-farmer-78407
01/09/2023, 7:58 PMVulnerabilities are fixed in patched versions ?
I just ran 1.26. image through snyk and its reporting few medium sev vulnerabilities.
Copy code
Testing <http://docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209|docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209>...
✗ Medium severity vulnerability found in <http://k8s.io/legacy-cloud-providers/vsphere|k8s.io/legacy-cloud-providers/vsphere>
Description: Improper Output Neutralization for Logs
Info: <https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOLEGACYCLOUDPROVIDERSVSPHERE-1018868>
Introduced through: <http://k8s.io/legacy-cloud-providers/vsphere@v0.0.0|k8s.io/legacy-cloud-providers/vsphere@v0.0.0>
From: <http://k8s.io/legacy-cloud-providers/vsphere@v0.0.0|k8s.io/legacy-cloud-providers/vsphere@v0.0.0>
Fixed in: 1.20.0-alpha.2
✗ Medium severity vulnerability found in <http://k8s.io/apiserver/pkg/server|k8s.io/apiserver/pkg/server>
Description: Denial of Service (DoS)
Info: <https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPISERVERPKGSERVER-561502>
Introduced through: <http://k8s.io/apiserver/pkg/server@v0.0.0|k8s.io/apiserver/pkg/server@v0.0.0>
From: <http://k8s.io/apiserver/pkg/server@v0.0.0|k8s.io/apiserver/pkg/server@v0.0.0>
Fixed in: 0.15.10, 0.16.7, 0.17.3
✗ Medium severity vulnerability found in <http://k8s.io/apimachinery/pkg/util/proxy|k8s.io/apimachinery/pkg/util/proxy>
Description: Privilege Escalation
Info: <https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPIMACHINERYPKGUTILPROXY-590104>
Introduced through: <http://k8s.io/apimachinery/pkg/util/proxy@v0.0.0|k8s.io/apimachinery/pkg/util/proxy@v0.0.0>
From: <http://k8s.io/apimachinery/pkg/util/proxy@v0.0.0|k8s.io/apimachinery/pkg/util/proxy@v0.0.0>
Fixed in: 0.19.0-rc.1
✗ Medium severity vulnerability found in <http://golang.org/x/net/http2|golang.org/x/net/http2>
Description: Denial of Service (DoS)
Info: <https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322>
Introduced through: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
From: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
Fixed in: 0.4.0c
creamy-pencil-82913
01/09/2023, 8:18 PMyour vuln reporting tool doesn’t appear to be finding the versions correctly
creamy-pencil-82913
01/09/2023, 8:18 PM Copy code
Introduced through: <http://k8s.io/apiserver/pkg/server@v0.0.0|k8s.io/apiserver/pkg/server@v0.0.0>
From: <http://k8s.io/apiserver/pkg/server@v0.0.0|k8s.io/apiserver/pkg/server@v0.0.0>b
bright-farmer-78407
01/09/2023, 8:56 PMahh, how about others?
Copy code
✗ Medium severity vulnerability found in <http://golang.org/x/net/http2|golang.org/x/net/http2>
Description: Denial of Service (DoS)
Info: <https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322>
Introduced through: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
From: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
Fixed in: 0.4.0c
creamy-pencil-82913
01/09/2023, 9:34 PMwe just build Kubernetes using the upstream dependent module versions. When upstream updates, so do we.
creamy-pencil-82913
01/09/2023, 9:39 PMx/net/http2 is part of x/net and it looks like upstream is still on 0.3.1
https://github.com/kubernetes/kubernetes/blob/v1.26.0/go.mod#L81
b
bright-farmer-78407
01/09/2023, 10:08 PMthanks, that make sense.
8 Views