kairos-io / kairos

:penguin: The immutable Linux meta-distribution for edge Kubernetes.
https://kairos.io
Apache License 2.0

feat: support for managing critical/high severity CVEs #2696

Open jbalonso opened 2 weeks ago

jbalonso commented 2 weeks ago

Is your feature request related to a problem? Please describe.

At times, critical or high severity vulnerabilities are discovered in the distro base images that kairos uses. There are two problems:

  1. Identifying risks on older releases of kairos standard images is a manual process for kairos devs (yes?) and for kairos users.

  2. Because kairos is architecturally immutable, the kairos release cycle is generally the "rate-limiting step" for rolling out fixes.

Describe the solution you'd like

  1. The kairos CLI should be able to report the known CVEs for the running image if it comes from the quay.io registry (this could be compiled into a json/yaml file by a periodic github action that consults the quay.io scans)

  2. A github action that triggers hotfix releases when they are available.
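As an added example (not code from the Kairos project or from this issue's participants), the Go program below sketches the consumer side of point 1: a CLI-style check that reads the compiled JSON report the periodic action would publish, refuses to answer for images that do not come from quay.io (no scan data would exist for them), filters findings to critical/high, and separates findings that already have an upstream fix (a rebuild would help) from those that do not. The report layout, the image references, the package names and the CVE identifiers are all constructed placeholders, not real scan output or real Kairos image names.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// severityRank orders severities so a threshold such as "High" can be applied.
// Severity strings absent from this map rank as 0 and are treated as Unknown.
var severityRank = map[string]int{
	"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Negligible": 0, "Unknown": 0,
}

// Finding is one CVE hit on one package of one image.
type Finding struct {
	CVE      string `json:"cve"`
	Severity string `json:"severity"`
	Package  string `json:"package"`
	Version  string `json:"version"`
	FixedBy  string `json:"fixed_by,omitempty"` // empty when upstream has no fixed version yet
}

// Report is the file the proposed periodic action would publish: one entry per image reference.
// This layout is an assumption for the example, not a format the project defines.
type Report struct {
	GeneratedAt string               `json:"generated_at"`
	Images      map[string][]Finding `json:"images"`
}

// sampleReport is constructed sample data; the image tags, packages and CVE ids are placeholders.
const sampleReport = `{
  "generated_at": "2000-01-01T00:00:00Z",
  "images": {
    "quay.io/kairos/example-flavor:vX.Y.Z-placeholder": [
      {"cve": "CVE-0000-0001", "severity": "Critical", "package": "example-tls", "version": "1.0.0", "fixed_by": "1.0.1"},
      {"cve": "CVE-0000-0002", "severity": "High", "package": "example-http", "version": "2.3.0"},
      {"cve": "CVE-0000-0003", "severity": "Medium", "package": "example-xml", "version": "0.9.0", "fixed_by": "0.9.1"},
      {"cve": "CVE-0000-0004", "severity": "Low", "package": "example-zip", "version": "4.0.0"}
    ]
  }
}`

// ParseReport decodes the compiled report.
func ParseReport(data []byte) (*Report, error) {
	var r Report
	if err := json.Unmarshal(data, &r); err != nil {
		return nil, fmt.Errorf("decode report: %w", err)
	}
	return &r, nil
}

// FindingsFor returns the findings for imageRef at or above minSeverity, most severe first.
// Only quay.io references are consulted, since that is the registry the report is compiled from.
func FindingsFor(r *Report, imageRef, minSeverity string) ([]Finding, error) {
	if !strings.HasPrefix(imageRef, "quay.io/") {
		return nil, fmt.Errorf("image %q is not from quay.io; no scan data is compiled for it", imageRef)
	}
	min, ok := severityRank[minSeverity]
	if !ok {
		return nil, fmt.Errorf("unknown severity threshold %q", minSeverity)
	}
	all, ok := r.Images[imageRef]
	if !ok {
		return nil, fmt.Errorf("no scan entry for %q in report generated at %s", imageRef, r.GeneratedAt)
	}
	var out []Finding
	for _, f := range all {
		if severityRank[f.Severity] >= min {
			out = append(out, f)
		}
	}
	sort.SliceStable(out, func(i, j int) bool {
		return severityRank[out[i].Severity] > severityRank[out[j].Severity]
	})
	return out, nil
}

// SplitByFix separates findings a base-image rebuild could address (a fixed version exists)
// from those where no fix is published yet, which a rebuild alone would not resolve.
func SplitByFix(fs []Finding) (fixable, unfixed []Finding) {
	for _, f := range fs {
		if f.FixedBy != "" {
			fixable = append(fixable, f)
		} else {
			unfixed = append(unfixed, f)
		}
	}
	return fixable, unfixed
}

func main() {
	r, err := ParseReport([]byte(sampleReport))
	if err != nil {
		fmt.Println(err)
		return
	}
	running := "quay.io/kairos/example-flavor:vX.Y.Z-placeholder" // hypothetical running-image reference
	fs, err := FindingsFor(r, running, "High")
	if err != nil {
		fmt.Println(err)
		return
	}
	fixable, unfixed := SplitByFix(fs)
	fmt.Printf("%d critical/high findings for %s (%d fixable upstream, %d without a fix yet)\n",
		len(fs), running, len(fixable), len(unfixed))
	for _, f := range fs {
		fmt.Printf("  %-8s %s in %s %s (fixed by: %q)\n", f.Severity, f.CVE, f.Package, f.Version, f.FixedBy)
	}
}
```

In a real CLI the running-image reference would be read from the booted system rather than hard-coded, and the report would be fetched from wherever the action publishes it; the threshold is a parameter so the same check can be reused for a stricter or looser policy.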

mudler commented 1 week ago

If we complete the work on #1914, we can just expose a very simple way to rebuild images to fix CVEs at OS base image level.

However, this won't cover CVEs that might affect Kairos components versions; however, we can have a github action that triggers hotfixes to our framework images, which is considerably easier than having a full kairos release.