
Remove the kubernetes version dependency to reduce the risk of vulnerabilities #12288

Closed
fengshunli opened this issue Feb 3, 2023 · 7 comments
Labels: enhancement (New feature or request), more-information-needed (Further information is requested)

Comments

@fengshunli (Member)

The currently used Kubernetes version has a vulnerability, CVE-2020-8554. Should we consider refactoring the gitops-engine module, upgrading the Kubernetes version to 1.26.x or above, and using new features to complete some required functions?

@fengshunli fengshunli added the enhancement label (New feature or request) Feb 3, 2023
@crenshaw-dev (Member)

That vulnerability applies to <= 1.22.0. We're currently on 1.24.2.

@fengshunli (Member, Author)

Whether to consider not introducing kubernetes's own dependencies, and complete the requirements by referencing other components

@jessesuen (Member)

> Whether to consider not introducing kubernetes's own dependencies, and complete the requirements by referencing other components

Sorry, could you rephrase your question?

@jessesuen jessesuen added the more-information-needed label (Further information is requested) Feb 9, 2023
@fengshunli fengshunli changed the title from "Upgrade k8s version to 1.26.x" to "Remove the kubernetes version dependency to reduce the risk of vulnerabilities" Feb 9, 2023
@fengshunli (Member, Author)

> > Whether to consider not introducing kubernetes's own dependencies, and complete the requirements by referencing other components
>
> Sorry, could you rephrase your question?

updated @jessesuen

@fengshunli (Member, Author)

Remove the kubernetes scheme module. Do you have any good ideas to discuss? I have researched for several days, but I can't find a better solution @crenshaw-dev @jessesuen

@pgr-mattgartman

Security scanners also report ArgoCD containing CVE-2022-3294, which is a k8s package vulnerability in v1.24.2, fixed in 1.24.8 or 1.25.4. Bumping to 1.24.8 would at least check the security scanner's box.
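The two comments above reduce to a version-range question: which `k8s.io/*` modules does a `go.mod` pull in, and do those versions fall inside the ranges the thread states (CVE-2020-8554 applies to 1.22.0 and earlier; CVE-2022-3294 affects 1.24.2 and is fixed in 1.24.8 or 1.25.4). The script below is an added example and not Argo CD's or gitops-engine's code. It assumes a constructed `go.mod` (not the project's real one), encodes only the ranges stated in this thread, and relies on the published convention that `k8s.io/api`, `k8s.io/apimachinery` and `k8s.io/client-go` tag `v0.X.Y` alongside Kubernetes `1.X.Y`. Where the thread gives no information about a minor line (for example 1.23.x for CVE-2022-3294) it reports `None` rather than guessing.

```python
"""Check k8s.io module versions in a go.mod against the version ranges stated in the thread.

Added example (hypothetical checker), not Argo CD code. The affected ranges below are
only what the issue comments state; for a real audit run govulncheck against the module.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed go.mod for demonstration; not Argo CD's real dependency list.
GO_MOD = """\
module example.com/constructed-app

go 1.19

require (
    github.com/spf13/cobra v1.6.1
    k8s.io/api v0.24.2
    k8s.io/apimachinery v0.24.2
    k8s.io/client-go v0.24.2 // indirect
)
"""

# Ranges as stated in the thread. "max_affected": every version <= max is affected.
# "fixed_per_minor": per 1.X line, patch >= fixed[X] is clean; minors >= fixed_from_minor
# are treated as clean; minors the thread does not mention yield None (unknown).
ADVISORIES = {
    "CVE-2020-8554": {"kind": "max_affected", "max": (1, 22, 0)},
    "CVE-2022-3294": {"kind": "fixed_per_minor", "fixed": {24: 8, 25: 4}, "fixed_from_minor": 26},
}

# Matches "<module> v<major>.<minor>.<patch>" with or without a leading "require".
REQ_RE = re.compile(r"^(?:require\s+)?([\w./\-]+)\s+v(\d+)\.(\d+)\.(\d+)")


def parse_go_mod(text: str) -> Dict[str, Version]:
    """Return {module path: (major, minor, patch)} for every require directive."""
    deps: Dict[str, Version] = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as "// indirect"
        if not line:
            continue
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if in_block or line.startswith("require "):
            m = REQ_RE.match(line)
            if m:
                deps[m.group(1)] = (int(m.group(2)), int(m.group(3)), int(m.group(4)))
    return deps


def kubernetes_version(module: str, v: Version) -> Optional[Version]:
    """Map a k8s.io module version to the Kubernetes release it tracks (v0.24.2 -> 1.24.2)."""
    if not module.startswith("k8s.io/"):
        return None
    major, minor, patch = v
    return (1, minor, patch) if major == 0 else v


def is_affected(kv: Version, adv: dict) -> Optional[bool]:
    """True if affected, False if fixed, None if the thread gives no information."""
    if adv["kind"] == "max_affected":
        return kv <= adv["max"]
    major, minor, patch = kv
    if major != 1:
        return None
    if minor in adv["fixed"]:
        return patch < adv["fixed"][minor]
    if minor >= adv["fixed_from_minor"]:
        return False
    return None


def scan(go_mod_text: str) -> Dict[str, Dict[str, Optional[bool]]]:
    """Status of every k8s.io module against every advisory: {module: {cve: status}}."""
    result: Dict[str, Dict[str, Optional[bool]]] = {}
    for module, v in parse_go_mod(go_mod_text).items():
        kv = kubernetes_version(module, v)
        if kv is None:
            continue
        result[module] = {cve: is_affected(kv, adv) for cve, adv in ADVISORIES.items()}
    return result


def affected_modules(go_mod_text: str) -> List[Tuple[str, str]]:
    """Flat list of (module, cve) pairs whose version is inside a stated affected range."""
    return [(m, cve) for m, st in scan(go_mod_text).items() for cve, hit in st.items() if hit is True]


if __name__ == "__main__":
    for module, statuses in scan(GO_MOD).items():
        print(module, statuses)
    print("affected:", affected_modules(GO_MOD))
```

Running it against the constructed `go.mod` flags the three `k8s.io` modules for CVE-2022-3294 and clears them for CVE-2020-8554, which is the same conclusion the two comments reach; changing the pinned versions to `v0.24.8` clears both.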

@blakepettersson (Member)

If I understand correctly this is something which is a duplicate of #5173 and #4055, feel free to reopen if that's not the case.

@blakepettersson blakepettersson closed this as not planned (won't fix, can't repro, duplicate, stale) Jan 27, 2024
5 participants