kubeflow / spark-operator

Kubernetes operator for managing the lifecycle of Apache Spark applications on Kubernetes.
Apache License 2.0
2.79k stars 1.37k forks

CVE-2021-25741 and others in k8s.io/kubernetes #1688

Open degant opened 1 year ago

degant commented 1 year ago

There's an older vulnerability from 2021 that gets flagged when we're trying to use the spark-operator: https://github.com/advisories/GHSA-f5f7-6478-qm6p

I haven't looked into the details of the vulnerability on whether it impacts the spark operator. But any chance we can update the k8s.io/kubernetes to a more recent 1.19.15+?

In addition, we're also seeing the following issues:

julienlau commented 1 year ago

I would say, more broadly speaking, that spark operator should follow basic containerization best practices:

degant commented 1 year ago

Spark images are the easy part, because users of the spark operator can use the latest image to avoid CVEs. But in this issue I was referring to 6 vulnerabilities in the spark operator codebase, and some of those have not been patched since 2020. 5 out of the 6 are because the kubernetes golang library is running a version of 1.19.x that has vulnerabilities, and then there's one from x/net. They should all be easy package upgrades most likely, so I was wondering if the maintainers or anyone else could consider fixing those?

Here's the full list:
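The comment above boils down to a dependency-floor check: is the operator's go.mod pulling k8s.io/kubernetes below the 1.19.15 line that the advisory is fixed in? The Go program below is an added example, not code from the spark-operator project or from the commenters. It parses the `require` directives of a go.mod file (single-line and block form), compares the pinned versions against a policy map of minimum fixed versions, and reports everything below the floor. The only policy entry is k8s.io/kubernetes >= v1.19.15, taken from the issue text; the x/net floor is not given on this page, so it is left for the reader to add from their scanner's report. The go.mod content is constructed for the example, and the module versions in it are placeholders, not the operator's real pins.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// MinimumFixed maps module path -> lowest version considered fixed.
// k8s.io/kubernetes v1.19.15 is the floor named in the issue; add further
// entries (for example golang.org/x/net) from your vulnerability scanner.
var MinimumFixed = map[string]string{
	"k8s.io/kubernetes": "v1.19.15",
}

// SampleGoMod is a constructed go.mod used to exercise the checker.
// The versions are placeholders, not the operator's actual pins.
const SampleGoMod = `module example.com/operator

go 1.15

require golang.org/x/text v0.3.0

require (
	golang.org/x/net v0.0.0-20200101000000-abcdefabcdef // indirect
	k8s.io/kubernetes v1.19.6
)
`

// Finding is one require entry that is below the policy minimum.
type Finding struct {
	Module, Have, Want string
}

// ParseRequires returns module -> version for every require directive,
// stripping trailing comments such as "// indirect".
func ParseRequires(gomod string) map[string]string {
	out := map[string]string{}
	inBlock := false
	sc := bufio.NewScanner(strings.NewReader(gomod))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if i := strings.Index(line, "//"); i >= 0 {
			line = strings.TrimSpace(line[:i])
		}
		f := strings.Fields(line)
		switch {
		case line == "":
		case strings.HasPrefix(line, "require ("):
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock && len(f) == 2:
			out[f[0]] = f[1]
		case strings.HasPrefix(line, "require ") && len(f) == 3:
			out[f[1]] = f[2]
		}
	}
	return out
}

// parseSemver turns "v1.19.15-rc.0+meta" into [1 19 15], plus whether a
// pre-release suffix was present. Pseudo-versions (v0.0.0-<date>-<hash>)
// parse as 0.0.0 pre-release, which correctly sorts them below any tag.
func parseSemver(v string) (nums [3]int, pre, ok bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		pre = true
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, false
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nums, pre, false
		}
		nums[i] = n
	}
	return nums, pre, true
}

// CompareVersions returns -1, 0 or 1; a pre-release orders before its release.
func CompareVersions(a, b string) int {
	an, apre, _ := parseSemver(a)
	bn, bpre, _ := parseSemver(b)
	for i := 0; i < 3; i++ {
		if an[i] < bn[i] {
			return -1
		}
		if an[i] > bn[i] {
			return 1
		}
	}
	if apre && !bpre {
		return -1
	}
	if !apre && bpre {
		return 1
	}
	return 0
}

// CheckPolicy reports every required module pinned below its policy floor.
// An unparsable version is reported too (fail closed) so a human reviews it.
func CheckPolicy(requires, policy map[string]string) []Finding {
	var out []Finding
	for mod, want := range policy {
		have, present := requires[mod]
		if !present {
			continue
		}
		if _, _, ok := parseSemver(have); !ok || CompareVersions(have, want) < 0 {
			out = append(out, Finding{mod, have, want})
		}
	}
	return out
}

func main() {
	for _, f := range CheckPolicy(ParseRequires(SampleGoMod), MinimumFixed) {
		fmt.Printf("%s: have %s, need >= %s\n", f.Module, f.Have, f.Want)
	}
}
```

Once a finding is confirmed the fix is the upgrade the commenter asks for: `go get k8s.io/kubernetes@v1.19.15` followed by `go mod tidy`, then re-run `govulncheck ./...` (from golang.org/x/vuln) to confirm the advisory no longer matches reachable code. Note that k8s.io/kubernetes has `replace` directives for its staging modules (k8s.io/api, k8s.io/client-go and friends), so those usually need to move in lockstep; the checker above only reads `require` lines and will not flag a stale `replace`.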

github-actions[bot] commented 3 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

julienlau commented 3 months ago

up

github-actions[bot] commented 2 days ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.