Hi Everyone, I need some help parse the release metadata for rke2 releases. Is this release information (specifically, supported k8s version, system images etc.) available in some JSON format ? (https://github.com/rancher/rke2/releases/tag/v1.26.0%2Brke2r1

nope. just the markdown table.

right, I saw for manager there's data json report. I was hoping if there's a similar one I can parse that would help. https://github.com/rancher/rancher/releases/download/v2.7.2-rc1/rancher-data.json But, I guess txt file should work as well

the RKE2 version is the Kubernetes version

That is the one I am looking for. Although, going forward if you can provide signs and SBOM (similar to k8s release MD) that would be super useful.

there aren’t separate images for those, they all use hardened-kubernetes

thank you, that's helpful!

I guess we considered the version tags pretty self-evident

Vulnerabilities are fixed in patched versions ? I just ran 1.26. image through snyk and its reporting few medium sev vulnerabilities.

Testing <http://docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209|docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209>...

✗ Medium severity vulnerability found in <http://k8s.io/legacy-cloud-providers/vsphere|k8s.io/legacy-cloud-providers/vsphere>
  Description: Improper Output Neutralization for Logs
  Info: <https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOLEGACYCLOUDPROVIDERSVSPHERE-1018868>
  Introduced through: <http://k8s.io/legacy-cloud-providers/vsphere@v0.0.0|k8s.io/legacy-cloud-providers/vsphere@v0.0.0>
  From: <http://k8s.io/legacy-cloud-providers/vsphere@v0.0.0|k8s.io/legacy-cloud-providers/vsphere@v0.0.0>
  Fixed in: 1.20.0-alpha.2

✗ Medium severity vulnerability found in <http://k8s.io/apiserver/pkg/server|k8s.io/apiserver/pkg/server>
  Description: Denial of Service (DoS)
  Info: <https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPISERVERPKGSERVER-561502>
  Introduced through: <http://k8s.io/apiserver/pkg/server@v0.0.0|k8s.io/apiserver/pkg/server@v0.0.0>
  From: <http://k8s.io/apiserver/pkg/server@v0.0.0|k8s.io/apiserver/pkg/server@v0.0.0>
  Fixed in: 0.15.10, 0.16.7, 0.17.3

✗ Medium severity vulnerability found in <http://k8s.io/apimachinery/pkg/util/proxy|k8s.io/apimachinery/pkg/util/proxy>
  Description: Privilege Escalation
  Info: <https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPIMACHINERYPKGUTILPROXY-590104>
  Introduced through: <http://k8s.io/apimachinery/pkg/util/proxy@v0.0.0|k8s.io/apimachinery/pkg/util/proxy@v0.0.0>
  From: <http://k8s.io/apimachinery/pkg/util/proxy@v0.0.0|k8s.io/apimachinery/pkg/util/proxy@v0.0.0>
  Fixed in: 0.19.0-rc.1

✗ Medium severity vulnerability found in <http://golang.org/x/net/http2|golang.org/x/net/http2>
  Description: Denial of Service (DoS)
  Info: <https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322>
  Introduced through: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
  From: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
  Fixed in: 0.4.0

your vuln reporting tool doesn’t appear to be finding the versions correctly

ahh, how about others?

✗ Medium severity vulnerability found in <http://golang.org/x/net/http2|golang.org/x/net/http2>
  Description: Denial of Service (DoS)
  Info: <https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322>
  Introduced through: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
  From: <http://golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10|golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10>
  Fixed in: 0.4.0

we just build Kubernetes using the upstream dependent module versions. When upstream updates, so do we.

thanks, that make sense.