kserve/modelmesh-serving

Upgrade sigs.k8s.io/controller-runtime to 0.15.x version

spolti opened this issue · 8 comments

spolti commented

We came across a vulnerability where the controller-runtime pulls, as part of apimachinery@v0.26.0, a dependency that has the following high vulnerability:

As we can see in the dependency graph, apimachinery brings in this vulnerable version of goproxy:

$ go mod graph  |grep github.com/elazarl/goproxy
k8s.io/apimachinery@v0.26.0 github.com/elazarl/goproxy@v0.0.0-20180725130230-947c36da3153

To address this, we have 2 options, first and easier:

However, this is a very large upgrade and has a lot of breaking changes that can be found here: https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0

Update.

The update to address the described vulnerability is done, however we will keep this issue open to track the controller-runtime update, as it is a large one and will require more tests.

I'm opening this issue to start a discussion around this and how we can proceed with this CVE fix at this moment.

I would go the quick and easy path right away to give us more time to work on the bigger upgrade.

i.e. add a require block for "indirect" dependencies that we forcefully upgrade to fix CVEs

// pull some of the indirect dependencies directly to get newer versions with fixed CVEs
require (
	k8s.io/apimachinery v0.27.0 // indirect
)
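As an added illustration of the `go mod graph | grep` step above (this is example code, not part of the issue or the modelmesh-serving project), the program below parses `go mod graph` output and reports every dependency chain from the root module to a flagged module, plus the modules that require it directly, which are the candidates for the forced-upgrade require block. The graph excerpt, the root module name `example.com/modelmesh-serving` and the `github.com/google/go-cmp` line are constructed; only the apimachinery and goproxy versions come from the issue.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// sampleGraph is a constructed excerpt in the format printed by `go mod graph`
// (one "parent child" pair per line). It is not the real modelmesh-serving graph;
// the root module name and the go-cmp line are invented for the example.
const sampleGraph = `example.com/modelmesh-serving k8s.io/apimachinery@v0.26.0
example.com/modelmesh-serving sigs.k8s.io/controller-runtime@v0.14.6
sigs.k8s.io/controller-runtime@v0.14.6 k8s.io/apimachinery@v0.26.0
k8s.io/apimachinery@v0.26.0 github.com/elazarl/goproxy@v0.0.0-20180725130230-947c36da3153
k8s.io/apimachinery@v0.26.0 github.com/google/go-cmp@v0.5.9
`

// ParseGraph turns `go mod graph` output into an adjacency list, keeping the
// child order exactly as printed so that results are deterministic.
func ParseGraph(out string) map[string][]string {
	graph := make(map[string][]string)
	for _, line := range strings.Split(out, "\n") {
		fields := strings.Fields(line)
		if len(fields) != 2 {
			continue // blank or malformed line
		}
		graph[fields[0]] = append(graph[fields[0]], fields[1])
	}
	return graph
}

// ModulePath strips the "@version" suffix from a graph node.
func ModulePath(node string) string {
	if i := strings.IndexByte(node, '@'); i >= 0 {
		return node[:i]
	}
	return node
}

// PathsTo returns every dependency chain from root to a node whose module path
// equals target. Nodes already on the current chain are skipped, so cycles in
// the module graph cannot cause infinite recursion.
func PathsTo(graph map[string][]string, root, target string) [][]string {
	var found [][]string
	onPath := map[string]bool{}
	var walk func(node string, chain []string)
	walk = func(node string, chain []string) {
		if onPath[node] {
			return
		}
		chain = append(chain, node)
		if ModulePath(node) == target {
			found = append(found, append([]string(nil), chain...)) // copy the chain
			return
		}
		onPath[node] = true
		for _, child := range graph[node] {
			walk(child, chain)
		}
		onPath[node] = false
	}
	walk(root, nil)
	return found
}

// DirectParents lists, sorted, the distinct nodes that require target directly.
// Bumping one of these in a require block is what pulls in a fixed version.
func DirectParents(graph map[string][]string, target string) []string {
	seen := map[string]bool{}
	for parent, children := range graph {
		for _, child := range children {
			if ModulePath(child) == target {
				seen[parent] = true
			}
		}
	}
	parents := make([]string, 0, len(seen))
	for p := range seen {
		parents = append(parents, p)
	}
	sort.Strings(parents)
	return parents
}

func main() {
	g := ParseGraph(sampleGraph)
	const vuln = "github.com/elazarl/goproxy"
	for _, p := range PathsTo(g, "example.com/modelmesh-serving", vuln) {
		fmt.Println(strings.Join(p, " -> "))
	}
	for _, parent := range DirectParents(g, vuln) {
		fmt.Printf("candidate to bump in the require block: %s\n", parent)
	}
}
```

Run it against real output with `go mod graph > graph.txt` and feed the file contents in place of `sampleGraph`; the chains show whether the vulnerable module arrives only through apimachinery or also through controller-runtime, which is what decides whether the quick require-block pin is enough or the larger controller-runtime upgrade is needed.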
spolti commented

The dependency updated will be addressed by kserve/rest-proxy#30.

@ckadner what do you think to keep this issue open to track the major controller-runtime update?

Sounds good 👍🏻

spolti commented

Affected repositories:

  • KServe
  • modelmesh-serving
  • modelmesh-runtime-adapter
  • rest-proxy

This will be done along with the update to KServe v0.12.0 and Go 1.21.

spolti commented

modelmesh-serving is ready to go.

For tracking, #497 includes an upgrade of controller-runtime from v0.14.6 to v0.16.3 for modelmesh-serving.