Skip to content

Update base images and dependencies to address vulnerabilities #35968

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
k8s-ci-robot merged 4 commits into from
Dec 5, 2025
Merged

Update base images and dependencies to address vulnerabilities #35968

k8s-ci-robot merged 4 commits into from
Dec 5, 2025
+3 −3

Conversation

@prad9192
Copy link
Contributor

@prad9192 prad9192 commented Nov 26, 2025

What

Updates Alpine base images and related dependencies

Why

To fix multiple security vulnerabilities

Release Notes

Update Prow base images to Alpine 20250108 and latest cloud auth tools to address security vulnerabilities

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 26, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 26, 2025

Welcome @prad9192!

It looks like this is your first PR to kubernetes/test-infra 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/test-infra has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Nov 26, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 26, 2025

Hi @prad9192. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added area/images sig/testing Categorizes an issue or PR as relevant to SIG Testing. labels Nov 26, 2025
@prad9192
Copy link
Contributor Author

prad9192 commented Nov 26, 2025

/ok-to-test

@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Nov 26, 2025

@prad9192: Cannot trigger testing until a trusted user reviews the PR and leaves an /ok-to-test message.

In response to this:

/ok-to-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@BenTheElder
Copy link
Member

BenTheElder commented Nov 26, 2025

Prow isn't built here anymore, I'm not sure if we should just be deleting these images now.

If your goal is to patch prow, this may not be the solution. see sigs.k8s.io/prow

cc @petr-muller

@prad9192
Copy link
Contributor Author

prad9192 commented Nov 26, 2025
edited
Loading

Hi @BenTheElder

Thanks for your review, I see that Prow depends on base images which are sourced from this repo.

PR updates the source Dockerfiles that build k8s-staging-test-infra/* images, which are still built and pushed through the post submit jobs here - https://github.com/kubernetes/test-infra/blob/master/config/jobs/image-pushing/k8s-staging-test-infra.yaml

And having these updated images would allow me to open a follow up PR to make updates to base images referenced in prow

@upodroid
Copy link
Member

upodroid commented Nov 26, 2025

/hold

We should merge #35799 and create an autobumper config in the prow repo to pick up the new images automaticall.y

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 26, 2025
@prad9192 prad9192 mentioned this pull request Nov 26, 2025
Merged
@petr-muller petr-muller mentioned this pull request Dec 2, 2025
Open
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Dec 5, 2025
upodroid
upodroid reviewed Dec 5, 2025
View reviewed changes
images/git-custom-k8s-auth/cloudbuild.yaml
# Prefer 0.5.x series (not 0.6.x) for now.
_AWS_IAM_AUTHENTICATOR_VERSION: "0.5.21"
_AZURE_KUBELOGIN_VERSION: "0.1.4"
_AWS_IAM_AUTHENTICATOR_VERSION: "0.7.9"
Copy link
Member

@upodroid upodroid Dec 5, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please drop all the changes except this file and I'll approve this PR and delete the comment below _GIT_TAG:

Copy link
Contributor Author

@prad9192 prad9192 Dec 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done, could you please re-review?

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Dec 5, 2025
upodroid
upodroid approved these changes Dec 5, 2025
View reviewed changes
Copy link
Member

@upodroid upodroid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Dec 5, 2025
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Dec 5, 2025
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Dec 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: prad9192, upodroid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Dec 5, 2025
@k8s-ci-robot k8s-ci-robot merged commit 8481528 into kubernetes:master Dec 5, 2025
4 checks passed
@BenTheElder
Copy link
Member

BenTheElder commented Dec 6, 2025

Thanks for your review, I see that Prow depends on base images which are sourced from this repo.

ACK ... that's been messy since prow was split out of this repo :-)

In most cases prow does not depend on this repo anymore, and shouldn't

For the images only used by prow, we should probably move them for clarity, but it's not important. This directory is highly overloaded and the other images have other considerations ...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@upodroid upodroid upodroid approved these changes

@aojea aojea Awaiting requested review from aojea

@stevekuznetsov stevekuznetsov Awaiting requested review from stevekuznetsov

Assignees

@upodroid upodroid

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/images cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@prad9192 @k8s-ci-robot @BenTheElder @upodroid