snyk / kubernetes-monitor

Use Snyk to find and fix vulnerabilities in your Kubernetes workloads
https://docs.snyk.io/products/snyk-container/image-scanning-library/kubernetes-workload-and-image-scanning/kubernetes-integration-overview

Ensure that snyk/kubernetes-monitor ships without major vulnerabilities [🙏] #1030

Closed chrisnruud closed 2 years ago

chrisnruud commented 2 years ago

Describe the user need Using kubernetes-monitor in our setup introduces vulnerabilities in the kubernetes clusters which we cannot remediate, or know whether they affect the health of the cluster

Describe expected behaviour

Snyk should "eat their own dog food", i.e. not ship products with known critical/high vulnerabilities :)

Additional context

Add any other context or screenshots about the feature request here.

ivanstanev commented 2 years ago

Hey @christophernruud! We're aware of the vulnerabilities and we definitely use our own product already to monitor for vulnerabilities.

Unfortunately, there are currently no fixes to any of these high severity vulnerabilities. We have been in touch with the Red Hat team to try and understand how to remediate them, since the vulnerabilities come from the base image. From what I understand there are simply no fixes at the moment.

We are considering releasing the snyk-monitor with alternative base images (e.g. alpine). Is this something that would help?

chrisnruud commented 2 years ago

@ivanstanev alpine seems to have a better track record for security updates in my experience, that could work. Until a remediation path is found, we are forced to just ignore the issues to keep the pipeline from getting spammed by un-fixable issues :)
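The triage described in the comment above, gating a pipeline on fixable findings while deferring the un-fixable base-image ones, as an added example that is not part of the snyk/kubernetes-monitor project or this thread. It assumes the JSON shape of `snyk container test --json` output (a top-level `vulnerabilities` list whose entries carry `id`, `severity`, `isUpgradable`, `isPatchable` and `nearestFixedInVersion`); the embedded report is constructed and its issue ids are placeholders, not real Snyk ids.

```python
"""Gate a CI run on Snyk container findings that actually have a fix.

Added example, not the snyk/kubernetes-monitor project's own code. It assumes
the field names used by `snyk container test --json`; the sample report below
is constructed and its ids are placeholders.
"""
import json
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of `snyk container test --json` output (placeholder ids).
SAMPLE_SNYK_JSON = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-PLACEHOLDER-0001", "title": "Example base-image issue",
         "packageName": "example-libc", "version": "1.0",
         "severity": "high", "isUpgradable": False, "isPatchable": False,
         "nearestFixedInVersion": ""},
        {"id": "SNYK-PLACEHOLDER-0002", "title": "Example fixable issue",
         "packageName": "example-tool", "version": "2.1",
         "severity": "critical", "isUpgradable": True, "isPatchable": False,
         "nearestFixedInVersion": "2.2"},
        {"id": "SNYK-PLACEHOLDER-0003", "title": "Example low issue",
         "packageName": "example-lib", "version": "0.9",
         "severity": "low", "isUpgradable": True, "isPatchable": False,
         "nearestFixedInVersion": "1.0"},
    ],
})


def is_fixable(vuln):
    """A finding is actionable if Snyk reports an upgrade, a patch, or a fixed version."""
    return bool(vuln.get("isUpgradable") or vuln.get("isPatchable")
                or vuln.get("nearestFixedInVersion"))


def triage(report_json, threshold="high"):
    """Split findings into blocking (fixable, at/above threshold), deferred
    (at/above threshold but with no fix yet) and below-threshold ids."""
    report = json.loads(report_json)
    min_rank = SEVERITY_RANK[threshold]
    blocking, deferred, below = [], [], []
    for vuln in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(vuln.get("severity", "low"), 0)
        if rank < min_rank:
            below.append(vuln["id"])
        elif is_fixable(vuln):
            blocking.append(vuln["id"])
        else:
            deferred.append(vuln["id"])
    return {"blocking": blocking, "deferred": deferred, "below_threshold": below}


def pipeline_exit_code(report_json, threshold="high"):
    """Non-zero only when a fixable issue at or above the threshold exists,
    so un-fixable base-image findings are reported but do not fail the build."""
    return 1 if triage(report_json, threshold)["blocking"] else 0


if __name__ == "__main__":
    # Pipe real `snyk container test --json` output in, or run with no input
    # to use the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SNYK_JSON
    result = triage(data)
    print(json.dumps(result, indent=2))
    sys.exit(pipeline_exit_code(data))
```

The deferred list is the set you would track for re-checking (for instance with a time-boxed ignore) rather than silencing permanently, so the findings resurface once the base image ships a fix.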

ivanstanev commented 2 years ago

Yeah, unfortunately we do the same: we manually have to review and ignore the issues until a fix is available... We will discuss this with the team and see if we can prioritize releasing alternative base images. This alternative image would likely become the default image in the Helm chart so you don't have to switch to a different tag (e.g. 1.85.2-alpine vs 1.85.2-ubi8). Our OpenShift Operator will still have to use ubi8.

snyksec commented 2 years ago

:tada: This issue has been resolved in version 1.87.0 :tada:

The release is available on GitHub release

Your semantic-release bot :package::rocket:

ivanstanev commented 2 years ago

Hey @christophernruud, the change is merged but not yet released in the Helm chart. Just need to iron out the OpenShift Operator releases and we will then have the default Helm release vuln-free 😄

ivanstanev commented 2 years ago

@christophernruud this should now be resolved, the new Helm chart version is available 🙂

$ snyk container test --app-vulns snyk/kubernetes-monitor:1.87.0

...
✔ Tested 44 dependencies for known issues, no vulnerable paths found.

...
✔ Tested 357 dependencies for known issues, no vulnerable paths found.