
bug: Security: CVEs in suggested (EOL) image for fluentd

Open max-allan opened this issue 1 year ago • 3 comments

Describe the issue

From the helm values file:

  • https://github.com/fluent/fluent-operator/blob/19bd5936733015516768e344b367414a83d08581/charts/fluent-operator/values.yaml#L374
    repository: "kubesphere/fluentd"
    tag: "v1.15.3"

That image has (according to Grype) a lot of vulnerabilities:

 3 critical, 5 high, 22 medium, 1 low, 0 negligible

Also, fluentd 1.15.3 is EOL.

  • https://github.com/fluent/fluentd/blob/master/SECURITY.md

Can we update the image to 1.16 or 1.17? Will the operator work with newer versions?

Anywhere that image is referenced will need updating, not just that location in the chart.

In addition, fluent-bit 2.2.2 is EOL in a few weeks' time.

To Reproduce

See the values file

Expected behavior

Current/supported versions of fluentd and fluent-bit are used by default.

Your Environment

- Fluent Operator version: 2.8.0
- Container Runtime: any
- Operating system: any
- Kernel version: any

How did you install fluent operator?

Helm

Additional context

No response

max-allan avatar May 14 '24 15:05 max-allan
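The report notes that the image is referenced in more than one place in the chart, so every reference has to be found and checked, not just the one line linked above. The following script is an added example, not code from the fluent-operator project or from the reporter: it walks a values tree, collects every image reference (both `repository`/`tag` pairs and single `image: repo:tag` strings), and flags tags that fall below a per-repository minimum supported version. The sample values tree and the version floors in `MIN_SUPPORTED` are constructed for the demonstration and are not the chart's real values or an official support policy.

```python
"""Flag container image references in a Helm values tree whose tags fall
below a minimum supported version.

Added example for this issue. SAMPLE_VALUES and MIN_SUPPORTED are
constructed stand-ins, not the fluent-operator chart's real values.yaml
or an official EOL policy; feed it the output of a YAML loader in practice.
"""
import re
from typing import Iterator

# Constructed sample shaped like a chart's values tree (not the real file).
SAMPLE_VALUES = {
    "operator": {"container": {"repository": "kubesphere/fluent-operator", "tag": "v2.8.0"}},
    "fluentbit": {"image": {"repository": "kubesphere/fluent-bit", "tag": "v2.2.2"}},
    "fluentd": {"image": {"repository": "kubesphere/fluentd", "tag": "v1.15.3"}},
    "initContainer": {"image": "docker:19.03"},
}

# Constructed policy: the oldest tag still treated as supported, per repository.
MIN_SUPPORTED = {
    "kubesphere/fluentd": "v1.16.0",
    "kubesphere/fluent-bit": "v3.0.0",
}


def parse_version(tag: str) -> tuple[int, ...]:
    """Turn 'v1.15.3' or '1.17' into a comparable tuple.

    Non-numeric parts are ignored and short versions are padded with zeros
    so that '1.16' compares equal to 'v1.16.0' rather than below it.
    """
    nums = [int(n) for n in re.findall(r"\d+", tag)]
    if not nums:
        raise ValueError(f"no numeric component in tag {tag!r}")
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def find_images(node, path: str = "") -> Iterator[tuple[str, str, str]]:
    """Yield (path, repository, tag) for every image reference in the tree."""
    if isinstance(node, dict):
        # A repository/tag pair at this level is one image reference.
        if "repository" in node and "tag" in node:
            yield path, str(node["repository"]), str(node["tag"])
            return
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            # Single-string form: image: "repo:tag"
            if key == "image" and isinstance(value, str) and ":" in value:
                repo, tag = value.rsplit(":", 1)
                yield child, repo, tag
            else:
                yield from find_images(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_images(item, f"{path}[{i}]")


def outdated_images(values, policy) -> list[tuple[str, str, str, str]]:
    """Return (path, repository, tag, minimum) for every reference below its floor.

    Repositories absent from the policy are not judged; they are simply skipped.
    """
    findings = []
    for path, repo, tag in find_images(values):
        floor = policy.get(repo)
        if floor is not None and parse_version(tag) < parse_version(floor):
            findings.append((path, repo, tag, floor))
    return findings


if __name__ == "__main__":
    for path, repo, tag, floor in outdated_images(SAMPLE_VALUES, MIN_SUPPORTED):
        print(f"{path}: {repo}:{tag} is below the supported minimum {floor}")
```

Pointing this at a loaded values.yaml (or at the `image:` fields of rendered manifests) turns "update every reference" into a repeatable check that can run in CI whenever the chart or the support policy changes.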

@max-allan Good point, we do need hands to upgrade and test new versions of fluentd and fluentbit

benjaminhuo avatar May 15 '24 01:05 benjaminhuo

@max-allan can you confirm that this issue is closed with #1199? Can this issue be closed?

SvenThies avatar Jul 01 '24 10:07 SvenThies

@max-allan can you confirm that this issue is closed with #1199? Can this issue be closed?

Yes, fluentd was upgraded to 1.17 in https://github.com/fluent/fluent-operator/blob/master/charts/fluent-operator/values.yaml#L383

benjaminhuo avatar Jul 02 '24 06:07 benjaminhuo