# rke2
c
nope. just the markdown table.
what do you mean by “supported kubernetes version”? The Kubernetes version is right there in the RKE2 release version
and there is a text file for each release with the images listed in it
b
right, I saw that for manager there's a data JSON report. I was hoping there's a similar one I can parse; that would help. https://github.com/rancher/rancher/releases/download/v2.7.2-rc1/rancher-data.json But I guess the txt file should work as well.
c
the RKE2 version is the Kubernetes version
is there other metadata you were looking for?
b
That is the one I am looking for. Although, going forward if you can provide signs and SBOM (similar to k8s release MD) that would be super useful.
In the image-list (.txt) I don't see the kube-apiserver or controller-manager images?
Also, is there any documentation on what docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209 represents?
c
there aren’t separate images for those, they all use hardened-kubernetes
that is a build of the Kubernetes components, at that version and RKE2 release, built on that date
b
thank you, that's helpful!
c
I guess we considered the version tags pretty self-evident
There are some additional docs at https://docs.rke2.io/security/about_hardened_images and https://github.com/rancher/rke2/blob/master/developer-docs/image_sources.md, although the latter is a bit out of date; the base images are now SLE BCI, not UBI7.
b
Are vulnerabilities fixed in patched versions? I just ran the 1.26 image through Snyk and it's reporting a few medium-severity vulnerabilities.
```text
Testing docker.io/rancher/hardened-kubernetes:v1.26.0-rke2r1-build20221209...

✗ Medium severity vulnerability found in k8s.io/legacy-cloud-providers/vsphere
  Description: Improper Output Neutralization for Logs
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOLEGACYCLOUDPROVIDERSVSPHERE-1018868
  Introduced through: k8s.io/legacy-cloud-providers/vsphere@v0.0.0
  From: k8s.io/legacy-cloud-providers/vsphere@v0.0.0
  Fixed in: 1.20.0-alpha.2

✗ Medium severity vulnerability found in k8s.io/apiserver/pkg/server
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPISERVERPKGSERVER-561502
  Introduced through: k8s.io/apiserver/pkg/server@v0.0.0
  From: k8s.io/apiserver/pkg/server@v0.0.0
  Fixed in: 0.15.10, 0.16.7, 0.17.3

✗ Medium severity vulnerability found in k8s.io/apimachinery/pkg/util/proxy
  Description: Privilege Escalation
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-K8SIOAPIMACHINERYPKGUTILPROXY-590104
  Introduced through: k8s.io/apimachinery/pkg/util/proxy@v0.0.0
  From: k8s.io/apimachinery/pkg/util/proxy@v0.0.0
  Fixed in: 0.19.0-rc.1

✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  From: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  Fixed in: 0.4.0
```
c
your vuln reporting tool doesn't appear to be finding the versions correctly
```text
Introduced through: k8s.io/apiserver/pkg/server@v0.0.0
  From: k8s.io/apiserver/pkg/server@v0.0.0
```
b
ahh, how about the others?
```text
✗ Medium severity vulnerability found in golang.org/x/net/http2
  Description: Denial of Service (DoS)
  Info: https://security.snyk.io/vuln/SNYK-GOLANG-GOLANGORGXNETHTTP2-3160322
  Introduced through: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  From: golang.org/x/net/http2@v0.3.1-0.20221206200815-1e63c2f08a10
  Fixed in: 0.4.0
```
c
we just build Kubernetes using the upstream dependent module versions. When upstream updates, so do we.
x/net/http2 is part of x/net, and it looks like upstream is still on 0.3.1: https://github.com/kubernetes/kubernetes/blob/v1.26.0/go.mod#L81
b
thanks, that makes sense.