IBM-Cloud/ibm-cloud-developer-tools

Installer should use native package management for kubectl/helm install (allowing automatic security updates)


Summary
On Ubuntu the installer will install kubectl by copying a pre-built binary to the system outside the normal distro package management mechanisms. There is no mechanism for security updates with this method. The official installation instructions point to installation of the kubectl snap, which will receive regular security updates.

Additionally, the installer will initially install a particular version of kubectl based on interrogating the cloud. However, if a kubectl binary is already present on the system, it does not check the preferred version against the installed version and make the user aware of the difference. Also, if it does install a particular version for the user, it does not appear there is a mechanism to keep this in sync with the random binary placed on the system.

Steps to reproduce
(include tooling version, platform, etc)

  1. Run the installer without kubelet installed
  2. Observe that kubelet is not managed by any package management and is not updated for security issues

Operating System
Specify: (MacOS, Linux, Windows)
Ubuntu 19.04

Supporting details
(Logs, stack traces, images, etc. Wrap in <detail> ... </detail> tags as appropriate)


Development "done" checklist

  • Test case to verify
  • Public Documentation updated
  • Change added to "release notes" as appropriate
  • Notification to stakeholders (OM, other squads, etc)

The same is true for Helm, and the docs for Helm also provide instructions for installation of a managed snap, which will address the issue of security and bugfix updates.
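The two checks the issue says are missing (is the kubectl or helm binary owned by a package manager, and does the installed version differ from the preferred one) can be sketched as below. This is an added example, not code from the installer; the function names are hypothetical, the versions are supplied by the caller, and it assumes Ubuntu with GNU coreutils.

```shell
#!/bin/sh
# Added example (not from ibm-cloud-developer-tools). Assumes Ubuntu, GNU coreutils.

# Print "snap", "deb:<package>" or "unmanaged" for the executable at path $1.
binary_origin() {
    bin_path=$1
    # /snap/bin/<app> is a symlink to /usr/bin/snap, so test raw and resolved paths.
    resolved=$(readlink -f -- "$bin_path" 2>/dev/null) || resolved=$bin_path
    case $bin_path in /snap/*) echo snap; return 0 ;; esac
    case $resolved in /snap/*|/usr/bin/snap) echo snap; return 0 ;; esac
    if command -v dpkg-query >/dev/null 2>&1; then
        # Output looks like "package: /path" (or "package:arch: /path").
        owner=$(dpkg-query -S "$resolved" 2>/dev/null | head -n 1)
        if [ -n "$owner" ]; then echo "deb:${owner%%: *}"; return 0; fi
    fi
    echo unmanaged
}

# Print "match", "older" or "newer" for installed version $1 against preferred $2.
version_drift() {
    have=${1#v}; want=${2#v}
    if [ "$have" = "$want" ]; then echo match; return 0; fi
    # sort -V (GNU) orders 1.9.0 before 1.14.1, unlike a plain string sort.
    lowest=$(printf '%s\n%s\n' "$have" "$want" | sort -V | head -n 1)
    if [ "$lowest" = "$have" ]; then echo older; else echo newer; fi
}

# report NAME INSTALLED PREFERRED: print one line of findings; exit status is
# non-zero when the binary is missing, unmanaged, or older than preferred.
report() {
    found=$(command -v "$1" 2>/dev/null) || { echo "$1: not on PATH"; return 2; }
    origin=$(binary_origin "$found")
    drift=$(version_drift "$2" "$3")
    echo "$1: path=$found origin=$origin installed=$2 preferred=$3 drift=$drift"
    [ "$origin" != unmanaged ] && [ "$drift" != older ]
}

# Usage (constructed versions): sh audit.sh kubectl v1.13.0 v1.14.1
if [ "$#" -eq 3 ]; then report "$@"; fi
```

A binary copied into place by hand reports `origin=unmanaged`, which is the case that receives no automatic security updates.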