loft-sh / vcluster

vCluster - Create fully functional virtual Kubernetes clusters - Each vcluster runs inside a namespace of the underlying k8s cluster. It's cheaper than creating separate full-blown clusters and it offers better multi-tenancy and isolation than regular namespaces.
https://www.vcluster.com
Apache License 2.0

vcluster referencing images with vulnerabilities (library/alpine:3.13.1, coredns/coredns:1.10.0) #1764

Open joaocc opened 2 months ago

joaocc commented 2 months ago

What happened?

Trivy operator reports the use of images with vulnerabilities. In this case library/alpine:3.13.1 and coredns/coredns:1.11.0

What did you expect to happen?

Depending on the need to specify an older version, one of these would be better:

CoreDNS doesn't provide a Major+Minor version, so in this case a simple upgrade might do the trick:

How can we reproduce it (as minimally and precisely as possible)?

run trivy-operator on any vcluster deployment

Anything else we need to know?

No response

Host cluster Kubernetes version

N/A

Host cluster Kubernetes distribution

N/A

vcluster version

v0.20.x

vcluster Kubernetes distribution (k3s (default), k8s, k0s)

N/A

OS and Arch

N/A
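The report above names images in Trivy's normalised form (`library/alpine:3.13.1`), while pod manifests usually carry the short form (`alpine:3.13.1`), so matching a scanner finding back to the pod that uses it needs the same normalisation. The script below is an added example, not code from this issue or from the vcluster project: it takes the JSON shape of `kubectl get pods -A -o json`, normalises every container image reference (Docker Hub defaults, `library/` namespace, `latest` tag, digest pins), builds a deduplicated inventory of where each image runs, and emits one `trivy image` command per unique reference. The pod list, namespaces, pod names and the `example.registry/tenant/syncer` image are constructed sample data; the `FLAGGED` set holds the two references quoted in this issue.

```python
"""Image inventory for vulnerability scanning (added example, not project code).

Reads the JSON shape of `kubectl get pods -A -o json`, normalises each image
reference, and reports which pods use a reference flagged by a scanner.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample input shaped like `kubectl get pods -A -o json`, trimmed to
# the fields read here. Names, namespaces and the syncer image are invented;
# the alpine and coredns tags are the ones reported in the issue.
SAMPLE_POD_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": "vcluster-demo", "name": "vcluster-demo-0"},
         "spec": {"initContainers": [{"name": "init", "image": "alpine:3.13.1"}],
                  "containers": [{"name": "syncer",
                                  "image": "example.registry/tenant/syncer:v0.20.0"}]}},
        {"metadata": {"namespace": "vcluster-demo",
                      "name": "coredns-x-kube-system-x-vcluster-demo"},
         "spec": {"containers": [{"name": "coredns", "image": "coredns/coredns:1.11.0"}]}},
        {"metadata": {"namespace": "vcluster-demo", "name": "pinned"},
         "spec": {"containers": [{"name": "app",
                                  "image": "docker.io/library/alpine@sha256:" + "0" * 64}]}},
        {"metadata": {"namespace": "other", "name": "dup"},
         "spec": {"containers": [{"name": "again", "image": "library/alpine:3.13.1"}]}},
    ]
})

# References quoted in the Trivy report on this issue (already in normalised form).
FLAGGED: Set[str] = {
    "docker.io/library/alpine:3.13.1",
    "docker.io/coredns/coredns:1.11.0",
}


def normalize_ref(ref: str) -> Tuple[str, str, str]:
    """Split an image reference into (registry, repository, tag-or-digest).

    Applies the Docker Hub conventions a scanner also applies: no registry means
    docker.io, a single-segment repository on docker.io means library/<name>,
    no tag means :latest, and a digest pin is kept instead of a tag.
    """
    digest = ""
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    # The first segment is a registry only if it looks like a host (has '.' or ':')
    # or is 'localhost'; otherwise the whole reference is a Docker Hub repository.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, remainder = parts[0], "/".join(parts[1:])
    else:
        registry, remainder = "docker.io", ref
    # A tag is the text after the last ':' that comes after the last '/'
    # (so a registry port such as localhost:5000 is never mistaken for a tag).
    tag = ""
    colon = remainder.rfind(":")
    if colon > remainder.rfind("/"):
        remainder, tag = remainder[:colon], remainder[colon + 1:]
    if registry == "docker.io" and "/" not in remainder:
        remainder = "library/" + remainder
    if digest:
        return registry, remainder, "@" + digest
    return registry, remainder, ":" + (tag or "latest")


def image_inventory(pod_list_json: str) -> Dict[str, List[str]]:
    """Map each normalised image reference to the sorted namespace/pod/container
    locations that run it, covering init, regular and ephemeral containers."""
    inventory: Dict[str, List[str]] = {}
    for pod in json.loads(pod_list_json)["items"]:
        meta, spec = pod["metadata"], pod["spec"]
        for kind in ("initContainers", "containers", "ephemeralContainers"):
            for container in spec.get(kind, []):
                registry, repo, suffix = normalize_ref(container["image"])
                key = f"{registry}/{repo}{suffix}"
                loc = f"{meta['namespace']}/{meta['name']}/{container['name']}"
                inventory.setdefault(key, []).append(loc)
    return {k: sorted(v) for k, v in sorted(inventory.items())}


def flagged_locations(inventory: Dict[str, List[str]], flagged: Set[str]) -> Dict[str, List[str]]:
    """Return only the inventory entries whose reference a scanner flagged."""
    return {ref: locs for ref, locs in inventory.items() if ref in flagged}


def scan_commands(inventory: Dict[str, List[str]]) -> List[str]:
    """One `trivy image` invocation per unique reference; --severity is a real
    trivy flag, the severity list here is a chosen policy, not a project default."""
    return [f"trivy image --severity HIGH,CRITICAL {ref}" for ref in inventory]


if __name__ == "__main__":
    inv = image_inventory(SAMPLE_POD_LIST)
    for ref, locs in flagged_locations(inv, FLAGGED).items():
        print(f"{ref} used by: {', '.join(locs)}")
    print("\n".join(scan_commands(inv)))
```

To run this against a real cluster, feed it `kubectl get pods -A -o json` instead of `SAMPLE_POD_LIST`; the inventory is computed on the host cluster, so pods synced out of a vcluster appear under the namespace that hosts that vcluster.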

heiko-braun commented 1 month ago

Quick update: The latest images have a fresh alpine base which removes the vulnerabilities there.

With CoreDNS it's a bit more complicated. It seems the CoreDNS community struggles to release an updated version: https://github.com/coredns/coredns/issues/6661

We will come back to this once there is a new CoreDNS release.