openfga / helm-charts

Official Helm charts for the OpenFGA project.
https://openfga.dev
Apache License 2.0

`k8s-wait-for` image is inactively maintained and contains many vulnerabilities #132

Open rorynickolls-skyral opened 1 month ago

rorynickolls-skyral commented 1 month ago

The k8s-wait-for image has had no merged PRs for 2 years and contains many unaddressed vulnerabilities in its latest v2.0 release: https://github.com/groundnuty/k8s-wait-for/issues/71.

A previous PR to address this received no attention and was closed: https://github.com/groundnuty/k8s-wait-for/pull/65

Is this image strictly necessary or are there alternatives that could be used?

jon-whit commented 1 month ago

@rorynickolls-skyral without introducing anything more than an image or standard Helm or Kubernetes tooling, are you aware of other mechanisms to wait for a Kubernetes job to complete? That's the only reason we have k8s-wait-for. If we can achieve that same objective in other ways then we can drop it.

```bash
kubectl wait --for=condition=complete job/myjob
```

☝️ May be a good alternative. We could use the bitnami/kubectl image.
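The `kubectl wait` approach suggested above, written out as the manifests a chart would need: a least-privilege ServiceAccount, a Role and RoleBinding that only allow reading and watching Jobs, and a Deployment whose init container blocks until the migration Job reports `Complete`. This is an added example, not code from the openfga/helm-charts repository; the names (`openfga-migrate`, `openfga-wait`, the `openfga` namespace) and the image tags are assumptions, and it is plain YAML rather than a Helm template.

```yaml
# Added example (not from openfga/helm-charts): replace the k8s-wait-for init
# container with `kubectl wait` from the bitnami/kubectl image.
# Assumed names: namespace "openfga", migration Job "openfga-migrate",
# ServiceAccount "openfga-wait". Image tags are placeholders; pin real ones.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openfga-wait
  namespace: openfga
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: openfga-wait
  namespace: openfga
rules:
  # kubectl wait only needs to read and watch the Job; grant nothing else.
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: openfga-wait
  namespace: openfga
subjects:
  - kind: ServiceAccount
    name: openfga-wait
    namespace: openfga
roleRef:
  kind: Role
  name: openfga-wait
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: openfga
  namespace: openfga
spec:
  selector:
    matchLabels:
      app: openfga
  template:
    metadata:
      labels:
        app: openfga
    spec:
      # The pod's in-cluster credentials are the ServiceAccount token, so kubectl
      # needs no kubeconfig; the Role above is the only permission it holds.
      serviceAccountName: openfga-wait
      initContainers:
        - name: wait-for-migration
          image: bitnami/kubectl:1.29   # placeholder tag; pin by digest in production
          command:
            - kubectl
            - wait
            - --namespace=openfga
            - --for=condition=complete
            - --timeout=600s            # exits non-zero if the Job has not completed in time
            - job/openfga-migrate
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
      containers:
        - name: openfga
          image: openfga/openfga:latest   # placeholder tag; pin a release
          args: ["run"]
```

Two behaviours worth knowing before relying on this: `kubectl wait` returns non-zero when the timeout elapses, so a migration Job that fails leaves the init container restarting until the Job is fixed, which is the visible signal you want rather than a silently started server on an old schema; and because the Role is namespaced and limited to `get`/`list`/`watch` on `jobs`, a compromised OpenFGA pod gains no ability to create or delete workloads through this ServiceAccount.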

rorynickolls-skyral commented 1 month ago

I can see you have chart hooks already. I'm guessing the difficulty here is that the job always needs to come after OpenFGA spins up to put it on the latest schema? So a pre-upgrade hook won't work.

I think your suggestion would work nicely -- the image still has quite a few vulns but is better maintained so no doubt they will be fixed.

You may even get away with hitting the k8s REST API with curl and your service account credentials. A less maintainable and more complex option than your suggestion though.