Closed CatherineF-dev closed 10 months ago
This issue is currently awaiting triage.
If kube-state-metrics contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.
The triage/accepted label can be added by org members by writing /triage accepted in a comment.
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: CatherineF-dev. Once this PR has been reviewed and has the lgtm label, please assign mrueg for approval. For more information see the Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Let's not bump it to 3.10.0 due to https://github.com/kubernetes/kubernetes/issues/118133 and please have that discussion in the right upstream repository.
Ok! Thanks! I didn't notice this issue.
I think we should bump to v3.11.0 https://github.com/kubernetes/kubernetes/pull/119865#issuecomment-1739082300, which OSS Kubernetes has already done. cc @mrueg
We need to bump the k8s dependency instead of this library directly. https://github.com/kubernetes/kube-state-metrics/commit/89403d239a47b75625d5939c8f26c73f4dc34245
I also don't know if this is necessary at all and we shouldn't consider this a false positive that is safe to ignore.
See: https://github.com/kubernetes/kubernetes/pull/119865#issuecomment-1739082300
To be crystal clear, Kubernetes is not affected at all by the go-restful security issue because we apply authentication / authorization directly to the incoming http.Request object / URL, not using go-restful filters.
The primary motivation for picking up this version update is to silence security scanners incorrectly flagging Kubernetes as impacted by the go-restful vulnerability. If PRISMA-2022-0227 decides to re-mark 3.11.0+ as vulnerable because the default behavior triggers the go-restful bug, picking up this update will not do anything to silence those scanners.
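The distinction drawn in the comment above (authentication applied to the raw http.Request before routing, versus authentication attached as a per-route filter inside the router) is the whole reason a filter-level bug in a routing library does not translate into an authentication bypass. The following Go program is an added illustration of that distinction and is not code from Kubernetes, kube-state-metrics or go-restful; it uses only the standard library, a constructed token check, and a hypothetical route deliberately registered without its filter to stand in for any filter-level gap.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed credential for the example; a real server would verify a
// bearer token, client certificate, etc.
const validToken = "Bearer example-token"

func authenticated(r *http.Request) bool {
	return r.Header.Get("Authorization") == validToken
}

// perRouteFilters mimics a router where the auth decision lives in a filter
// attached to each route. Anything that causes a route to run without its
// filter (here: a hypothetical route that simply forgot it) exposes the
// handler to unauthenticated callers.
func perRouteFilters() http.Handler {
	mux := http.NewServeMux()
	withFilter := func(h http.HandlerFunc) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			if !authenticated(r) {
				http.Error(w, "unauthorized", http.StatusUnauthorized)
				return
			}
			h(w, r)
		}
	}
	mux.HandleFunc("/api/pods", withFilter(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "pods")
	}))
	// Hypothetical gap: route registered without the filter.
	mux.HandleFunc("/api/secrets", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "secrets")
	})
	return mux
}

// outerMiddleware applies the check to the incoming *http.Request before
// any routing or route-level filters run, so a routing or filter bug below
// it cannot skip the check. This is the layout the comment above describes.
func outerMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !authenticated(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends a GET for path to h, optionally with an Authorization header,
// and returns the resulting HTTP status code.
func status(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	inner := perRouteFilters()
	outer := outerMiddleware(inner)
	fmt.Println("per-route filters, /api/secrets, no token:", status(inner, "/api/secrets", ""))
	fmt.Println("outer middleware,  /api/secrets, no token:", status(outer, "/api/secrets", ""))
	fmt.Println("outer middleware,  /api/pods, valid token:", status(outer, "/api/pods", validToken))
}
```

With per-route filters the unprotected route answers 200 to an anonymous request; wrapped in the outer middleware the same request gets 401 regardless of what the router does, while an authenticated request still reaches the handler.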
What this PR does / why we need it: #2253
How does this change affect the cardinality of KSM: (increases, decreases or does not change cardinality)
Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged): Fixes #2253