Upgrade sigs.k8s.io/controller-runtime to 0.15.x version #481

Open
spolti opened this issue Nov 16, 2023 · 8 comments
Comments

@spolti
Contributor

spolti commented Nov 16, 2023

We came across a vulnerability where the controller-runtime pulls, as part of the [email protected], a dependency that has the following high vulnerability:

As we can see in the dependency graph, apimachinery brings this vulnerable version of goproxy:

$ go mod graph | grep github.com/elazarl/goproxy
k8s.io/[email protected] github.com/elazarl/[email protected]

To address this, we have 2 options, first and easier:

However, this is a very large upgrade and has a lot of breaking changes, which can be found here: https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0

Update.

The update to address the described vulnerability is done; however, we will keep this issue open to track the controller-runtime update, as it is a large one and will require more tests.

I'm opening this issue to start a discussion around this and how we can proceed with this CVE fix at this moment.

@spolti
Contributor Author

spolti commented Nov 16, 2023

fyi @ckadner @rafvasq.

@ckadner
Member

ckadner commented Nov 16, 2023

I would go the quick and easy path right away to give us more time to work on the bigger upgrade.

i.e. add a require block for "indirect" dependencies that we forcefully upgrade to fix CVEs

// pull some of the indirect dependencies directly to get newer versions with fixed CVEs
require (
	k8s.io/apimachinery v0.27.0 // indirect
)
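The two technical points in this thread, spolti's `go mod graph | grep` check and ckadner's direct require of a newer indirect dependency, can be exercised offline with the Go program below. It is an added example written for this page, not code from modelmesh-serving or any other KServe repository. It assumes a hypothetical main module example.com/operator, a constructed `go mod graph` listing, and placeholder goproxy tags v0.1.0 (treated as vulnerable) and v0.2.0 (treated as fixed); the function names (ParseGraph, Less, Selected, PathTo, WithRequire) are the example's own, and strings.Cut needs Go 1.18 or newer.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed `go mod graph` output for a hypothetical operator module. The
// controller-runtime -> apimachinery -> goproxy chain follows the thread;
// goproxy v0.1.0 (assumed vulnerable) and v0.2.0 (assumed fixed) are placeholders.
const graphBefore = `example.com/operator sigs.k8s.io/controller-runtime@v0.14.6
sigs.k8s.io/controller-runtime@v0.14.6 k8s.io/apimachinery@v0.26.1
k8s.io/apimachinery@v0.26.1 github.com/elazarl/goproxy@v0.1.0`

// Requirement line that joins the graph once apimachinery v0.27.0 is required (constructed).
const apimachinery027 = "k8s.io/apimachinery@v0.27.0 github.com/elazarl/goproxy@v0.2.0"

// Edge is one "requirer requirement" line of `go mod graph`.
type Edge struct{ From, To string }

// ParseGraph turns graph text into edges; malformed lines are skipped.
func ParseGraph(text string) (edges []Edge) {
	for _, line := range strings.Split(text, "\n") {
		if f := strings.Fields(line); len(f) == 2 {
			edges = append(edges, Edge{f[0], f[1]})
		}
	}
	return edges
}

// parseVersion reads vMAJOR.MINOR.PATCH[-prerelease][+build]; pseudo-versions
// land in the pre-release part and build metadata is ignored.
func parseVersion(v string) (nums [3]int, pre string) {
	v, _, _ = strings.Cut(strings.TrimPrefix(v, "v"), "+")
	v, pre, _ = strings.Cut(v, "-")
	for i, part := range strings.SplitN(v, ".", 3) {
		nums[i], _ = strconv.Atoi(part)
	}
	return nums, pre
}

// Less reports whether a sorts before b: numeric triple first, then a release
// outranks any pre-release of the same triple, then pre-release strings.
func Less(a, b string) bool {
	na, pa := parseVersion(a)
	nb, pb := parseVersion(b)
	if na != nb {
		return na[0] < nb[0] || (na[0] == nb[0] && (na[1] < nb[1] || (na[1] == nb[1] && na[2] < nb[2])))
	}
	return pa != pb && (pb == "" || (pa != "" && pa < pb))
}

// Selected is what minimal version selection picks for modPath: the highest
// version of that module required anywhere in the graph ("" if absent).
func Selected(edges []Edge, modPath string) (best string) {
	for _, e := range edges {
		if v := strings.TrimPrefix(e.To, modPath+"@"); v != e.To && (best == "" || Less(best, v)) {
			best = v
		}
	}
	return best
}

// PathTo returns the shortest requirement chain from root to the node
// "path@version", or nil if that exact node is absent from the graph.
func PathTo(edges []Edge, root, node string) []string {
	adj, prev := map[string][]string{}, map[string]string{root: ""}
	for _, e := range edges {
		adj[e.From] = append(adj[e.From], e.To)
	}
	for queue := []string{root}; len(queue) > 0; queue = queue[1:] {
		n := queue[0]
		if n == node {
			var chain []string
			for ; n != ""; n = prev[n] { // walk predecessors back to root
				chain = append([]string{n}, chain...)
			}
			return chain
		}
		for _, next := range adj[n] {
			if _, seen := prev[next]; !seen {
				prev[next] = n
				queue = append(queue, next)
			}
		}
	}
	return nil
}

// WithRequire models the thread's quick fix: a direct `require` of a newer
// indirect dependency adds an edge from the main module, and that version's
// own requirements join the graph.
func WithRequire(edges []Edge, root, node string, nodeReqs []Edge) []Edge {
	return append(append([]Edge{{root, node}}, edges...), nodeReqs...)
}

func main() {
	const root, vuln = "example.com/operator", "github.com/elazarl/goproxy"
	before := ParseGraph(graphBefore)
	fmt.Println("before:", Selected(before, vuln), "via", strings.Join(PathTo(before, root, vuln+"@v0.1.0"), " -> "))
	after := WithRequire(before, root, "k8s.io/apimachinery@v0.27.0", ParseGraph(apimachinery027))
	fmt.Println("after:", Selected(after, vuln), "| v0.1.0 still a graph node:", PathTo(after, root, vuln+"@v0.1.0") != nil)
}
```

Selected applies the rule minimal version selection uses: the build takes the highest version of a module that any requirement in the loaded graph asks for, which is why one extra require line from the main module is enough to displace the version controller-runtime pulls in. The old version remains a node in the graph afterwards, so `go mod graph | grep` keeps matching it; in a real module, confirm the fix with `go list -m github.com/elazarl/goproxy` (prints the selected version), trace the requirer with `go mod why -m github.com/elazarl/goproxy`, and run `govulncheck ./...` to see whether the vulnerable code is actually reachable from your binary.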

@spolti
Contributor Author

spolti commented Nov 17, 2023

The dependency update will be addressed by kserve/rest-proxy#30.

@ckadner what do you think about keeping this issue open to track the major controller-runtime update?

@ckadner
Member

ckadner commented Nov 21, 2023

> The dependency update will be addressed by kserve/rest-proxy#30.
>
> @ckadner what do you think about keeping this issue open to track the major controller-runtime update?

Sounds good 👍🏻

@spolti spolti self-assigned this Nov 23, 2023
@ckadner ckadner transferred this issue from kserve/rest-proxy Jan 23, 2024
@spolti
Contributor Author

spolti commented Jan 25, 2024

Affected repositories:

  • KServe
  • modelmesh-serving
  • modelmesh-runtime-adapter
  • rest-proxy

@ckadner
Member

ckadner commented Jan 26, 2024

This will be done along with the update to KServe v0.12.0 and Go 1.21.

@spolti
Contributor Author

spolti commented Feb 1, 2024

modelmesh-serving is ready to go.

@rafvasq
Member

rafvasq commented Apr 16, 2024

For tracking, #497 includes an upgrade of controller-runtime from v0.14.6 to v0.16.3 for modelmesh-serving.

@rafvasq rafvasq changed the title Evaluate upgrading sigs.k8s.io/controller-runtime to 0.15.x version Upgrade sigs.k8s.io/controller-runtime to 0.15.x version Apr 16, 2024