Revert "Build non-static binaries with PIE buildmode" #105352
@saschagrunert @kubernetes/sig-release fyi |
/triage accepted |
/approve
/lgtm
/retest
/hold want to ensure tagged folks have a chance to review |
Ah, @saschagrunert is OOO for another week, looks like we got an ack from @justaugustus so I will remove the hold. /hold cancel |
/test pull-kubernetes-node-e2e-containerd |
The Kubernetes project has merge-blocking tests that are currently too flaky to consistently pass. This bot retests PRs for certain kubernetes repos according to the following rules:
You can:
/retest |
I wasn't particularly keen on that change 🙃 #102323 (comment) Regarding wider discussion: I don't think we have a good pattern for this more generally yet, (see previously: bazel, hyperkube, ...), it's hard to bring in everyone on anything and not clear what the right set is. I at least blocked this on SIG security input and we have build + SIG release OWNERS (incl myself). Clearly this change needs wider discussion though. /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: BenTheElder, ehashman, spiffxp The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
err, and this part seems like a major oversight 😞
|
This PR should be backported to 1.22 if someone can get to it. |
pick open at #105452 |
…352-upstream-release-1.22 Automated cherry pick of #105352: Revert "Build non-static binaries with PIE buildmode"
Reverts #102323
In #105294 we identified that this change has caused a ~30% memory utilization increase for the Kubelet in 1.22.
As far as I'm aware, there were no comms from SIG Release on making this change on k-dev or in the release note regarding what the possible impact would be; we found the memory increase while investigating regressions and had to perform a full git tree bisect to pinpoint it.
I see there is discussion in #102323 around the individual binary sizes, but not on ASLR's impact on memory utilization. If this impacted Kubelet, it likely impacted other components as well.
I'd like to have a wider discussion on the impact of turning this feature on. Have we seen any evidence of attacks against Golang binaries that exploit this? +30% is a significant memory regression, especially in resource-constrained environments, and I want to make sure that we understand the tradeoffs.
/sig node release security
/kind regression
/priority important-soon
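
An added example, not code from this PR or from the Kubernetes build scripts: to audit which binaries the PIE buildmode change discussed above actually affected, the ELF header and program headers show how each one was linked. It assumes ELF64 little-endian input; `classify` and `sampleELF` are hypothetical names, and the sample images are constructed test input rather than loadable binaries.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const etExec, etDyn, ptInterp = 2, 3, 3 // ET_EXEC, ET_DYN, PT_INTERP

// classify reports "non-pie" (ET_EXEC, fixed load address), "pie" (ET_DYN
// with a PT_INTERP segment) or "dyn-no-interp" (shared object or static-pie,
// which these fields alone cannot tell apart).
func classify(img []byte) (string, error) {
	if len(img) < 64 || !bytes.Equal(img[:6], []byte("\x7fELF\x02\x01")) {
		return "", errors.New("not an ELF64 little-endian image")
	}
	le := binary.LittleEndian
	etype, phoff := le.Uint16(img[16:]), le.Uint64(img[32:])
	entsize, phnum := uint64(le.Uint16(img[54:])), uint64(le.Uint16(img[56:]))
	if etype == etExec {
		return "non-pie", nil
	}
	if etype != etDyn || phoff > uint64(len(img)) {
		return "", errors.New("unsupported e_type or bad e_phoff")
	}
	for i := uint64(0); i < phnum; i++ {
		off := phoff + i*entsize
		if off+4 > uint64(len(img)) { // table runs past the end of the file
			return "", errors.New("program header table truncated")
		}
		if le.Uint32(img[off:]) == ptInterp {
			return "pie", nil
		}
	}
	return "dyn-no-interp", nil
}

// sampleELF builds a constructed ELF64 header plus one program header.
func sampleELF(etype uint16, ptype uint32) []byte {
	img := make([]byte, 64+56)
	copy(img, "\x7fELF\x02\x01\x01")
	le := binary.LittleEndian
	le.PutUint16(img[16:], etype)
	le.PutUint64(img[32:], 64) // e_phoff: table follows the header
	le.PutUint16(img[54:], 56) // e_phentsize
	le.PutUint16(img[56:], 1)  // e_phnum
	le.PutUint32(img[64:], ptype)
	return img
}

func main() { fmt.Println(classify(sampleELF(etDyn, ptInterp))) }
```
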