Update conformance image to use debian-base:buster-v1.9.0 #104696
/release-note-none
/retest-required
Not sure, how can these images be promoted to k8s.gcr.io, but I am assuming it will happen as part of next release build getting published. If not, happy to submit a PR to promote these images
the conformance image would be automatically built / published as part of the release process, but the base image should be promoted manually AFAIK.
here is an example PR:
kubernetes/k8s.io#2546
the docs are here:
https://github.com/kubernetes/k8s.io/blob/5f267ada6aeca5d271416a3490bc6ba7023b6839/k8s.gcr.io/README.md
/triage accepted
/milestone v1.23
Thank you @neolit123 for the pointers. AFAIK, the base image does not need promotion as we have been pulling Long term it seems the idea is to use
Thanks for filing this, @PushkarJ!
A few changes/notes:
- We need to add entries for this file in dependencies.yaml to ensure the bump doesn't get missed in future
- I'm still working on the bullseye images in "images: Build bullseye variants (part two)" release#2210, so we should use buster here to be consistent
- I might suggest parameterizing the image versions or tags to minimize the places we have to update versions.
  Examples:
  DEBIAN_BASE_VERSION: https://github.com/kubernetes/release/blob/3224e8eb0316fc4c198f12e81aa6209ccfd1ca06/images/build/debian-iptables/Makefile#L23
  DISTROLESS_IMAGE: https://github.com/kubernetes/release/blob/3224e8eb0316fc4c198f12e81aa6209ccfd1ca06/images/build/go-runner/Makefile#L26
/hold
d2289ca to 543f259
543f259 to 59f482f
59f482f to c5eca76
/hold cancel
/area dependency security
Is there some way we could get kubernetes/test/conformance/image/Dockerfile Lines 22 to 23 in 5be7bb4
Only prior art I found was for etcd image, that does something similar for bash-static i.e. Copy bash-static from debian to distroless. Link: https://github.com/kubernetes/kubernetes/blob/master/cluster/images/etcd/Dockerfile#L20-L27
- Debian base used was older (v2.1.3) missing multiple fixed CVEs
- Minor update to distroless debian image name to explicitly point to debian 10
- Debian base image now points to buster-1.9.0
c5eca76 to 8ed3151
cc @johnSchnake
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: justaugustus, PushkarJ, spiffxp
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Sorry for taking a while; I know it merged but fwiw I also built it and ran sonobuoy using that image without an issue. LGTM
What type of PR is this?
/kind cleanup
What this PR does / why we need it:
Special notes for your reviewer:
Not sure, how can these images be promoted to k8s.gcr.io, but I am assuming it will happen as part of next release build getting published. If not, happy to submit a PR to promote these images
/area conformance
/sig release testing architecture security