Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add kube-fluentd-operator #1086

Merged
merged 2 commits into from
Jul 10, 2023

Conversation

rawlingsj
Copy link
Member

@rawlingsj rawlingsj commented Jul 9, 2023

Quality Requirements for Images PRs

The items in this checklist should all be checked in the PR with exceptions clearly documented.
The general idea is that to the extent possible, the image should be a drop-in replacement to its public counterpart.

  • Image is a smaller size than its common public counterpart, or if not, the reason why should be explained
  • Image should be scanned for CVEs and should return 0 or near-0 results. Exceptions should be explained.
  • The software in the image should be able to be installed and work as expected
    • The image should start in a cluster
    • The application should be accessible to the user/cluster/etc. as expected
  • If there is an open source helm chart provided, the image should be able to be used with the chart. If needed, please add a -compat package to close any gaps with the public helm chart.
  • build for x86_64 and aarch64 if possible, document exceptions

For new image PRs only

If you have an apko.yaml file in this PR you need to follow this checklist, otherwise feel free to remove.

  • Include tests, sufficient enough that you would trust this image running in production.

  • Perform manual tests as needed and document your testing results

    • For services images (rabbit, databases, webservers) test basic functionality, upstream install/getting started, port availability, admin access. Document differences from public image.
  • The version included is the latest GA version of the software

  • The latest tag points to the newest stable version

  • There is a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base')

  • The image runs as nonroot and GID/UID are set to 65532 or upstream default

    • Alternatively the username and GID/UID may be a commonly used one from the ecosystem e.g: postgres
  • The image contains the ca-certs bundle if needed

  • ENTRYPOINT

    • For applications/servers/utilities call main program with no arguments e.g. [redis-server]
    • For base images leave empty
    • For dev variants set to entrypoint script that falls back to system
  • CMD:

    • For server applications give arguments to start in daemon mode (may be empty)
    • For utilities/tooling bring up help e.g. –help
    • For base images with a shell, call it e.g. [/bin/sh]
  • Add annotations e.g:

annotations:
  "org.opencontainers.image.url": https://edu.chainguard.dev/chainguard/chainguard-images/reference/busybox/ # use the academy site here
  "org.opencontainers.image.source": https://github.com/chainguard-images/images/tree/main/images/bazel # use github here
  • Check if environment variables are needed e.g. to set data locations
  • Ensure the image responds to SIGTERM
    • docker kill $(docker run -d --rm cgr.dev/chainguard/nginx)
  • Error logs write to stderr and normal logs to stdout. DO NOT write to file.

Documentation Requirements

  • Provide a README file, follow the README template to include variants, tags, and usage examples
  • Document your testing and results in the PR
  • Document any exceptions to the testing and config requirements outlined in this template
  • Document where and how the image deviates from popular alternatives (ports, packages, user, entrypoint, versions, etc). Explain why there's a difference and if the user needs to do anything differently when using the image

@rawlingsj rawlingsj force-pushed the kube-fluentd-operator2 branch 8 times, most recently from 23d3b9a to b4df38a Compare July 10, 2023 09:50
@rawlingsj
Copy link
Member Author

current CVE count

2 critical, 7 high, 12 medium, 1 low, 0 negligible

@rawlingsj rawlingsj marked this pull request as ready for review July 10, 2023 10:03
@rawlingsj rawlingsj requested a review from a team as a code owner July 10, 2023 10:03
@rawlingsj rawlingsj requested a review from kaniini July 10, 2023 10:03
@rawlingsj
Copy link
Member Author

rawlingsj commented Jul 10, 2023

CVE analysis:

 ✔ Scanning image...       [22 vulnerabilities]
   ├── 2 critical, 7 high, 12 medium, 1 low, 0 negligible
   └── 3 fixed

NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
grpc     1.52.0               gem   CVE-2023-1428        High
grpc     1.52.0               gem   CVE-2023-32732       Medium
grpc     1.52.0     1.53.0    gem   GHSA-6628-q6j9-w8vg  High
grpc     1.52.0     1.53.0    gem   GHSA-9hxf-ppjv-w6rq  Medium
grpc     1.52.0     1.53.0    gem   GHSA-cfgp-2977-2fmm  High
openssl  3.1.0                gem   CVE-2023-0464        High
openssl  3.1.0                gem   CVE-2023-0465        Medium
openssl  3.1.0                gem   CVE-2023-0466        Medium
openssl  3.1.0                gem   CVE-2023-1255        Medium
openssl  3.1.0                gem   CVE-2023-2650        High
redis    3.3.5                gem   CVE-2021-32626       High
redis    3.3.5                gem   CVE-2021-32672       Medium
redis    3.3.5                gem   CVE-2022-0543        Critical
redis    3.3.5                gem   CVE-2022-24735       High
redis    3.3.5                gem   CVE-2022-24736       Medium
redis    3.3.5                gem   CVE-2022-36021       Medium
redis    3.3.5                gem   CVE-2022-3647        Low
redis    3.3.5                gem   CVE-2022-3734        Critical
redis    3.3.5                gem   CVE-2023-25155       Medium
redis    3.3.5                gem   CVE-2023-28856       Medium
uri      0.12.1               gem   CVE-2023-36617       Medium
webrick  1.8.1                gem   CVE-2008-1145        Medium

The grpc and redis CVEs are false positives and @luhring has had a fix merged in Syft to remove these anchore/syft#1926

OpenSSL related ones are also false positives and will not appear once another @luhring PR is released anchore/syft#1897

That leaves uri and that is owned by the redis-3.2 apk, we already have an advisory for this https://github.com/wolfi-dev/advisories/blob/426ae55685353a13ee17335ad6ffdadcbf656d66/ruby-3.2.advisories.yaml#L40

Last one webrick and we now have an advisory for this https://github.com/wolfi-dev/advisories/blob/426ae55685353a13ee17335ad6ffdadcbf656d66/kube-fluentd-operator.advisories.yaml#L5

Result will be near zero CVEs once the PRs above are released and advisory data to cover remaining ones.

Signed-off-by: James Rawlings <jrawlings@chainguard.dev>
@rawlingsj rawlingsj force-pushed the kube-fluentd-operator2 branch from b4df38a to 8fb93d7 Compare July 10, 2023 14:35
images/kube-fluentd-operator/tests/main.tf Outdated Show resolved Hide resolved
images/kube-fluentd-operator/tests/main.tf Outdated Show resolved Hide resolved
images/kube-fluentd-operator/tests/smoke-test.sh Outdated Show resolved Hide resolved
Signed-off-by: James Rawlings <jrawlings@chainguard.dev>
@rawlingsj rawlingsj force-pushed the kube-fluentd-operator2 branch from 01bf6be to 87c72f7 Compare July 10, 2023 15:52
@rawlingsj
Copy link
Member Author

OK think this is ready now @imjasonh

@rawlingsj rawlingsj enabled auto-merge (squash) July 10, 2023 17:22
@rawlingsj rawlingsj merged commit 497acd6 into chainguard-images:main Jul 10, 2023
developer-guy pushed a commit to Dentrax/images that referenced this pull request Feb 12, 2024
… / flux-source-controller-0 / istio-pilot-discovery-fips-1.19 / spire-server-fips / vault-fips-1.14 (chainguard-images#1086)

* mitigate GHSA-2c7c-3mj9-8fqh for cert-manager-fips-1.13

* mitigate GHSA-2c7c-3mj9-8fqh for cilium-fips

* mitigate GHSA-2c7c-3mj9-8fqh for flux-source-controller-0

* mitigate GHSA-2c7c-3mj9-8fqh for istio-pilot-discovery-fips-1.19

* mitigate GHSA-2c7c-3mj9-8fqh for spire-server-fips

* mitigate GHSA-2c7c-3mj9-8fqh for vault-fips-1.14

* spire-server-fips package bumpt to 1.8.5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants