kubernetes / cloud-provider-aws

Cloud provider for AWS
https://cloud-provider-aws.sigs.k8s.io/
Apache License 2.0

/etc/eks/image-credential-provider/ecr-credential-provider #820

Closed Daniyar7785 closed 7 months ago

Daniyar7785 commented 7 months ago

Hello there. I have an EKS cluster running in AWS with 15 nodes. I use the Wiz tool to scan our servers on a daily basis. A new vulnerability popped up: CVE-2023-39325, with high severity. The thing is, Go is not installed on those 15 servers; they are Amazon Linux 2 EC2 machines (Red Hat). I know the Go binaries are part of kubelet and needed for it to function, so removing the files is not an option. The Wiz report says: "The library golang.org/x/net version 0.0.0-20220127200216-cd36cc0744dd was detected in Golang binary located at /etc/eks/ecr-credential-provider/ecr-credential-provider and is vulnerable to CVE-2023-39325, which exists in versions < 0.17.0." But when I go to that location there is no such file. My location is the following: /etc/eks/image-credential-provider/ecr-credential-provider, and there are two files, config.json and ecr-credentials-provider.

```json
{
  "apiVersion": "kubelet.config.k8s.io/v1alpha1",
  "kind": "CredentialProviderConfig",
  "providers": [
    {
      "name": "ecr-credential-provider",
      "matchImages": [
        ".dkr.ecr..amazonaws.com",
        ".dkr.ecr..amazonaws.com.cn",
        ".dkr.ecr-fips..amazonaws.com",
        ".dkr.ecr..c2s.ic.gov",
        ".dkr.ecr..sc2s.sgov.gov"
      ],
      "defaultCacheDuration": "12h",
      "apiVersion": "credentialprovider.kubelet.k8s.io/v1alpha1"
    }
  ]
}
```

I installed golang with yum; the version is `go version go1.20.10 linux/amd64`. I tried to run `go get -u golang.org/x/net`:

```
go: go.mod file not found in current directory or any parent directory.
	'go get' is no longer supported outside a module.
	To build and install a command, use 'go install' with a version,
	like 'go install example.com/cmd@latest'
	For more information, see https://golang.org/doc/go-get-install-deprecation
	or run 'go help get' or 'go help install'.
```

This is the output I'm getting. And with `go install`:

```
flag provided but not defined: -u
usage: go install [build flags] [packages]
Run 'go help install' for details.
```

Any tips and help appreciated.
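An added check, not part of this issue or of cloud-provider-aws: the x/net dependency the scanner flags is compiled into the ecr-credential-provider binary, so running `go get` on the node cannot change it; what matters is the module list Go embeds in the binary, which `go version -m <binary>` prints. The script below parses that output and flags a golang.org/x/net older than the v0.17.0 fix the report cites (pseudo-versions such as v0.0.0-2022... are treated as older than their base version); the sample output, hashes and builder Go version are constructed placeholders.

```python
"""Parse `go version -m <binary>` output and flag a golang.org/x/net that
predates the CVE-2023-39325 fix (golang.org/x/net v0.17.0, per the scan report).

On a node you would capture the real output with:
    go version -m /etc/eks/image-credential-provider/ecr-credential-provider
"""
import re

# Fix version for CVE-2023-39325 as stated in the Wiz report quoted in the issue.
FIXED_XNET = (0, 17, 0, 1)  # (major, minor, patch, is_release)

# Constructed sample resembling `go version -m` output; hashes and the
# "go1.20.4" build toolchain are placeholders, not values from the real binary.
SAMPLE_GO_VERSION_M = (
    "/etc/eks/image-credential-provider/ecr-credential-provider: go1.20.4\n"
    "\tpath\tk8s.io/cloud-provider-aws/cmd/ecr-credential-provider\n"
    "\tmod\tk8s.io/cloud-provider-aws\t(devel)\n"
    "\tdep\tgithub.com/aws/aws-sdk-go\tv1.44.0\th1:CONSTRUCTEDHASH0000000000000000000000=\n"
    "\tdep\tgolang.org/x/net\tv0.0.0-20220127200216-cd36cc0744dd\th1:CONSTRUCTEDHASH1111111=\n"
)


def parse_deps(text):
    """Return {module_path: version} from the `dep` and `mod` lines of `go version -m`."""
    deps = {}
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) >= 3 and parts[0] in ("dep", "mod"):
            deps[parts[1]] = parts[2]
    return deps


def version_tuple(version):
    """Map a Go module version to (major, minor, patch, is_release).

    Pseudo-versions and pre-releases ("v0.17.0-0.2023...") sort below the
    release with the same base, so they get is_release == 0. Returns None for
    non-semver entries such as "(devel)".
    """
    m = re.match(r"v(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return None
    is_release = 0 if version[m.end():].startswith("-") else 1
    return tuple(int(x) for x in m.groups()) + (is_release,)


def xnet_vulnerable(text):
    """Return (x/net version found or None, True if it predates the fix)."""
    version = parse_deps(text).get("golang.org/x/net")
    if version is None:
        return None, False
    vt = version_tuple(version)
    return version, vt is not None and vt < FIXED_XNET
```

If the binary reports an old x/net, the remediation is a rebuilt provider binary (for EKS, an updated node AMI), not a Go toolchain change on the node.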

k8s-ci-robot commented 7 months ago

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.