
Upgrade sigs.k8s.io/controller-runtime to 0.15.x version

Open spolti opened this issue 1 year ago • 8 comments

We came across a vulnerability where the controller-runtime pulls, as part of the [email protected], a dependency that has the following high vulnerability:

  • https://www.cve.org/CVERecord?id=CVE-2023-37788

As we can see in the dependency graph, apimachinery brings this vulnerable version of go proxy:

$ go mod graph  |grep github.com/elazarl/goproxy
k8s.io/[email protected] github.com/elazarl/[email protected]

To address this, we have 2 options, first and easier:

  • Updating go.mod by including the goproxy there:
    require (
       k8s.io/apimachinery v0.26.0
       github.com/elazarl/goproxy v<new-version>
    )
    
  • Updating the controller-runtime to 0.15.0.
    • The big point of this update is that, the goproxy dependency was removed from [email protected]:
      • https://github.com/kubernetes-sigs/controller-runtime/blob/v0.15.0/go.mod#L22C5-L22C29
      • 0.27.0: https://github.com/kubernetes/apimachinery/blob/v0.27.0/go.mod
      • 0.26.10: https://github.com/kubernetes/apimachinery/blob/v0.26.10/go.mod#L10

However, this is a very large upgrade and has a lot of breaking changes that can be found here: https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0

Update.

The update to address the described vulnerability is done, however we will keep this issue open to track the controller-runtime update, as it is a large one and will require more tests.

I'm opening this issue to start a discussion around this and how we can proceed with this CVE fix at this moment.

spolti avatar Nov 16 '23 15:11 spolti
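The quick path above relies on how Go resolves module versions: when a direct `require` line names a newer version of a transitive module, minimal version selection picks the highest version that any module in the graph requires, so the vulnerable version stops being selected. The following Go program is an added example (not code from this issue or from the modelmesh-serving project) that parses `go mod graph` output, answers the "who pulls in goproxy?" question, reproduces the version selection, and checks whether the selected version is at or above a fixed version. The sample graph and the goproxy pseudo-versions in it are constructed placeholders, as is the `fixedGoproxy` value; the real patched commit must be taken from the goproxy repository.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Edge is one line of `go mod graph`: the From node requires the To node.
type Edge struct{ From, To string }

// ParseGraph parses `go mod graph` text, one "from to" pair per line.
func ParseGraph(text string) []Edge {
	var edges []Edge
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		edges = append(edges, Edge{f[0], f[1]})
	}
	return edges
}

// splitNode splits "path@version" into path and version; the main module has no version.
func splitNode(n string) (string, string) {
	if i := strings.LastIndex(n, "@"); i >= 0 {
		return n[:i], n[i+1:]
	}
	return n, ""
}

// splitPre returns the numeric vMAJOR.MINOR.PATCH part and the pre-release suffix.
func splitPre(v string) ([3]int, string) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 {
		v = v[:i] // build metadata never affects ordering
	}
	pre := ""
	if i := strings.Index(v, "-"); i >= 0 {
		v, pre = v[:i], v[i+1:]
	}
	var nums [3]int
	for i, p := range strings.SplitN(v, ".", 3) {
		n, _ := strconv.Atoi(p)
		nums[i] = n
	}
	return nums, pre
}

// CompareVersions orders two module versions. It is a simplified semver compare:
// numeric on MAJOR.MINOR.PATCH, then a release beats a pre-release of the same base,
// then lexical on the pre-release part. Pseudo-versions (v0.0.0-<timestamp>-<hash>)
// share a base and carry the commit timestamp first, so this orders them by commit time.
func CompareVersions(a, b string) int {
	na, pa := splitPre(a)
	nb, pb := splitPre(b)
	for i := 0; i < 3; i++ {
		if na[i] != nb[i] {
			if na[i] < nb[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case pa == pb:
		return 0
	case pa == "":
		return 1
	case pb == "":
		return -1
	}
	return strings.Compare(pa, pb)
}

// SelectedVersions reproduces minimal version selection: the build list uses the
// highest version of each module required by any node in the graph.
func SelectedVersions(edges []Edge) map[string]string {
	sel := map[string]string{}
	for _, e := range edges {
		path, ver := splitNode(e.To)
		if cur, ok := sel[path]; !ok || CompareVersions(ver, cur) > 0 {
			sel[path] = ver
		}
	}
	return sel
}

// Requirers lists the nodes that require modPath, the same answer as
// `go mod graph | grep <module>` in the issue.
func Requirers(edges []Edge, modPath string) []string {
	var out []string
	for _, e := range edges {
		if p, _ := splitNode(e.To); p == modPath {
			out = append(out, e.From)
		}
	}
	sort.Strings(out)
	return out
}

// IsFixed reports whether the selected version of modPath is at or above fixedVersion.
func IsFixed(edges []Edge, modPath, fixedVersion string) bool {
	sel, ok := SelectedVersions(edges)[modPath]
	return ok && CompareVersions(sel, fixedVersion) >= 0
}

// Constructed sample in the shape of the issue's `go mod graph` output; the goproxy
// pseudo-versions are placeholders, not the real vulnerable or patched commits.
const beforeGraph = `github.com/kserve/modelmesh-serving sigs.k8s.io/controller-runtime@v0.14.6
github.com/kserve/modelmesh-serving k8s.io/apimachinery@v0.26.0
sigs.k8s.io/controller-runtime@v0.14.6 k8s.io/apimachinery@v0.26.0
k8s.io/apimachinery@v0.26.0 github.com/elazarl/goproxy@v0.0.0-20180000000000-aaaaaaaaaaaa
`

// The same graph after the quick path: a direct require line for goproxy in go.mod.
const afterGraph = beforeGraph + "github.com/kserve/modelmesh-serving github.com/elazarl/goproxy@v0.0.0-20230000000000-bbbbbbbbbbbb\n"

const goproxy = "github.com/elazarl/goproxy"

// Placeholder for the patched pseudo-version; look it up in the goproxy repository.
const fixedGoproxy = "v0.0.0-20230000000000-bbbbbbbbbbbb"

func main() {
	for name, g := range map[string]string{"before": beforeGraph, "after": afterGraph} {
		edges := ParseGraph(g)
		fmt.Printf("%s: required by %v, selected %s, fixed=%v\n", name,
			Requirers(edges, goproxy), SelectedVersions(edges)[goproxy], IsFixed(edges, goproxy, fixedGoproxy))
	}
}
```

Run it against real output with `go mod graph > graph.txt` and feed the file to `ParseGraph`; the `IsFixed` check is what a CI job would assert after the `require` line is added, and `Requirers` explains why a module is still present after the pin, which is the question the controller-runtime upgrade ultimately answers by dropping the dependency.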

fyi @ckadner @rafvasq.

spolti avatar Nov 16 '23 15:11 spolti

I would go the quick and easy path right away to give us more time to work on the bigger upgrade.

i.e. add a required block for "indirect" dependencies that we forcefully upgrade to fix CVEs

// pull some of the indirect dependencies directly to get newer versions with fixed CVEs
require (
	k8s.io/apimachinery v0.27.0 // indirect
)

ckadner avatar Nov 16 '23 20:11 ckadner

The dependency update will be addressed by https://github.com/kserve/rest-proxy/pull/30.

@ckadner what do you think to keep this issue open to track the major controller-runtime update?

spolti avatar Nov 17 '23 18:11 spolti

> The dependency update will be addressed by kserve/rest-proxy#30.
>
> @ckadner what do you think to keep this issue open to track the major controller-runtime update?

Sounds good 👍🏻

ckadner avatar Nov 21 '23 16:11 ckadner

Affected repositories:

  • ~~KServe~~
  • modelmesh-serving
  • modelmesh-runtime-adapter
  • rest-proxy

spolti avatar Jan 25 '24 19:01 spolti

This will be done when we / along with the update to KServe v0.12.0 and Go 1.21

ckadner avatar Jan 26 '24 21:01 ckadner

modelmesh-serving is ready to go.

spolti avatar Feb 01 '24 02:02 spolti

For tracking, #497 includes an upgrade of controller-runtime from v0.14.6 to v0.16.3 for modelmesh-serving.

rafvasq avatar Apr 16 '24 16:04 rafvasq