feat(k8s): rancher rke2 version support #5988
Conversation
463c2af to 91b3964
Not an expert with Rancher, but from what I understand Rancher deploys the entire control plane as a single binary/container, and this PR won't provide a real KBOM, but just the version of the container, correct? For example, RKE v1.28.5+rke2r1 includes etcd v3.5.9-k3s1, but the KBOM won't tell me this info.
Why are we dropping the rke2 namespace? Do we want to use upstream advisories?
Yes, the rke2 namespace is not needed; Rancher is using pure upstream k8s versions.
They build a single image.
Interesting. I thought all k8s distributions had their own builds. If RKE2 is just consuming upstream, there is nothing to discuss.
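The point of the exchange above is that an RKE2 cluster reports an upstream Kubernetes release with only semver build metadata appended, so advisories can be matched on the upstream part while the cluster purl keeps the full string. The following is an added Go example illustrating that split; it is not code from this PR or from Trivy. The `ParseClusterVersion`, `ClusterPurl` and `ComponentPurl` names, the `rke2r<N>` pattern, and the choice to reject pre-release versions and unrecognised build metadata instead of guessing a distribution are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// ClusterVersion is what a KBOM needs from a node's reported Kubernetes
// version: the upstream release used for advisory matching and the
// distribution build metadata kept in the cluster purl.
type ClusterVersion struct {
	Upstream string // e.g. "1.26.12": the version upstream advisories are keyed on
	Build    string // e.g. "rke2r1": RKE2 release metadata, "" for vanilla k8s
	Distro   string // "rke2" when the build tag is an RKE2 one, else "upstream"
}

// Build metadata after '+' as RKE2 emits it: rke2r<N>. Hypothetical pattern
// written for this example, derived from the "1.26.12+rke2r1" string in the PR.
var rke2Build = regexp.MustCompile(`^rke2r\d+$`)

// An upstream release: MAJOR.MINOR.PATCH with no pre-release suffix.
var upstreamRelease = regexp.MustCompile(`^\d+\.\d+\.\d+$`)

// ParseClusterVersion splits a kubelet/server version such as
// "v1.26.12+rke2r1" into its upstream release and its build metadata.
// Pre-releases ("v1.30.0-alpha.1") and unknown build tags are errors, so
// they are never silently matched against stable-release advisories.
func ParseClusterVersion(raw string) (ClusterVersion, error) {
	v := strings.TrimPrefix(strings.TrimSpace(raw), "v")
	upstream, build, _ := strings.Cut(v, "+")
	if !upstreamRelease.MatchString(upstream) {
		return ClusterVersion{}, fmt.Errorf("unsupported kubernetes version %q", raw)
	}
	cv := ClusterVersion{Upstream: upstream, Build: build, Distro: "upstream"}
	switch {
	case build == "":
	case rke2Build.MatchString(build):
		cv.Distro = "rke2"
	default:
		return ClusterVersion{}, fmt.Errorf("unknown build metadata %q in %q", build, raw)
	}
	return cv, nil
}

// ClusterPurl builds the root-component purl, keeping the full
// "+rke2r1" version so the document records which RKE2 build was scanned.
func (cv ClusterVersion) ClusterPurl() string {
	full := cv.Upstream
	if cv.Build != "" {
		full += "+" + cv.Build
	}
	return "pkg:k8s/" + purlEscape("k8s.io/kubernetes") + "@" + purlEscape(full)
}

// ComponentPurl builds the purl for a control-plane or node component
// (apiserver, kubelet, ...) from the upstream version only, since RKE2
// ships upstream builds of these binaries.
func (cv ClusterVersion) ComponentPurl(name string) string {
	return "pkg:k8s/" + purlEscape("k8s.io/"+name) + "@" + purlEscape(cv.Upstream)
}

// purlEscape percent-encodes every byte outside the unreserved set, so
// '/' becomes %2F and '+' becomes %2B, matching the purls in the KBOM.
func purlEscape(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9',
			c == '-', c == '.', c == '_', c == '~':
			b.WriteByte(c)
		default:
			fmt.Fprintf(&b, "%%%02X", c)
		}
	}
	return b.String()
}

func main() {
	for _, raw := range []string{"v1.26.12+rke2r1", "v1.26.12", "v1.30.0-alpha.1"} {
		cv, err := ParseClusterVersion(raw)
		if err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		fmt.Printf("%s -> distro=%s upstream=%s\n  %s\n  %s\n",
			raw, cv.Distro, cv.Upstream, cv.ClusterPurl(), cv.ComponentPurl("apiserver"))
	}
}
```

For "v1.26.12+rke2r1" this yields the same root purl and apiserver purl that appear in the KBOM posted later in this thread; the build tag is carried only on the cluster component, never on the components whose advisories come from upstream.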
LGTM.
@chen-keinan can you share an example of the resulting KBOM?
Also, as discussed, please see if there's a docs change needed.
@itaysk here is an example:
{
"$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
"bomFormat": "CycloneDX",
"specVersion": "1.5",
"serialNumber": "urn:uuid:951ccd51-fb81-4c28-b967-df7c6c4a2dc2",
"version": 1,
"metadata": {
"timestamp": "2024-01-30T12:03:17+00:00",
"tools": {
"components": [
{
"type": "application",
"group": "aquasecurity",
"name": "trivy",
"version": "dev"
}
]
},
"component": {
"bom-ref": "pkg:k8s/k8s.io%2Fkubernetes@1.26.12%2Brke2r1",
"type": "platform",
"name": "k8s.io/kubernetes",
"version": "1.26.12+rke2r1",
"purl": "pkg:k8s/k8s.io%2Fkubernetes@1.26.12%2Brke2r1",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "default"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "cluster"
}
]
}
},
"components": [
{
"bom-ref": "154845e7-1780-428f-827e-6d0fda4642cd",
"type": "platform",
"name": "ip-10-0-6-83",
"properties": [
{
"name": "aquasecurity:trivy:Architecture",
"value": "amd64"
},
{
"name": "aquasecurity:trivy:HostName",
"value": "ip-10-0-6-83"
},
{
"name": "aquasecurity:trivy:KernelVersion",
"value": "6.2.0-1017-aws"
},
{
"name": "aquasecurity:trivy:NodeRole",
"value": "worker"
},
{
"name": "aquasecurity:trivy:OperatingSystem",
"value": "linux"
},
{
"name": "aquasecurity:trivy:resource:Name",
"value": "ip-10-0-6-83"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "15652f19-6634-411e-bfd3-8b63fdeb39af",
"type": "application",
"name": "node-core-components",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "golang"
}
]
},
{
"bom-ref": "1aa16a9f-9848-4f60-ad8c-52c0702f81fc",
"type": "platform",
"name": "ip-10-0-6-143",
"properties": [
{
"name": "aquasecurity:trivy:Architecture",
"value": "amd64"
},
{
"name": "aquasecurity:trivy:HostName",
"value": "ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:KernelVersion",
"value": "6.2.0-1017-aws"
},
{
"name": "aquasecurity:trivy:NodeRole",
"value": "master"
},
{
"name": "aquasecurity:trivy:OperatingSystem",
"value": "linux"
},
{
"name": "aquasecurity:trivy:resource:Name",
"value": "ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "3d55f5a8-53ef-4df3-aaaf-16fe1842ac29",
"type": "operating-system",
"name": "ubuntu",
"version": "22.04.3",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "os-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "ubuntu"
}
]
},
{
"bom-ref": "b1300394-2087-49fe-a950-c826d8e0a5ea",
"type": "application",
"name": "node-core-components",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "lang-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "golang"
}
]
},
{
"bom-ref": "b63a99f6-67e9-493a-88fe-2bf9066f8c3a",
"type": "operating-system",
"name": "ubuntu",
"version": "22.04.3",
"properties": [
{
"name": "aquasecurity:trivy:Class",
"value": "os-pkgs"
},
{
"name": "aquasecurity:trivy:Type",
"value": "ubuntu"
}
]
},
{
"bom-ref": "pkg:golang/github.com%2Fcontainerd%2Fcontainerd@1.7.11-k3s2",
"type": "application",
"name": "github.com/containerd/containerd",
"version": "1.7.11-k3s2",
"purl": "pkg:golang/github.com%2Fcontainerd%2Fcontainerd@1.7.11-k3s2",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "github.com/containerd/containerd"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "pkg:k8s/canal",
"type": "application",
"name": "canal",
"purl": "pkg:k8s/canal",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "rke2-canal-lrnwp"
}
]
},
{
"bom-ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@3.5.9",
"type": "application",
"name": "go.etcd.io/etcd/v3",
"version": "3.5.9",
"purl": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@3.5.9",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "etcd-ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fapiserver@1.26.12",
"type": "application",
"name": "k8s.io/apiserver",
"version": "1.26.12",
"purl": "pkg:k8s/k8s.io%2Fapiserver@1.26.12",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-apiserver-ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fcontroller-manager@1.26.12",
"type": "application",
"name": "k8s.io/controller-manager",
"version": "1.26.12",
"purl": "pkg:k8s/k8s.io%2Fcontroller-manager@1.26.12",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-controller-manager-ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fkube-proxy@1.26.12",
"type": "application",
"name": "k8s.io/kube-proxy",
"version": "1.26.12",
"purl": "pkg:k8s/k8s.io%2Fkube-proxy@1.26.12",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-proxy-ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fkube-scheduler@1.26.12",
"type": "application",
"name": "k8s.io/kube-scheduler",
"version": "1.26.12",
"purl": "pkg:k8s/k8s.io%2Fkube-scheduler@1.26.12",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "kube-scheduler-ip-10-0-6-143"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "controlPlane"
}
]
},
{
"bom-ref": "pkg:k8s/k8s.io%2Fkubelet@1.26.12",
"type": "application",
"name": "k8s.io/kubelet",
"version": "1.26.12",
"purl": "pkg:k8s/k8s.io%2Fkubelet@1.26.12",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "k8s.io/kubelet"
},
{
"name": "aquasecurity:trivy:resource:Type",
"value": "node"
}
]
},
{
"bom-ref": "pkg:k8s/kube-dns",
"type": "application",
"name": "kube-dns",
"purl": "pkg:k8s/kube-dns",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "rke2-coredns-rke2-coredns-565dfc7d75-hdzgf"
}
]
},
{
"bom-ref": "pkg:k8s/kube-dns-autoscaler",
"type": "application",
"name": "kube-dns-autoscaler",
"purl": "pkg:k8s/kube-dns-autoscaler",
"properties": [
{
"name": "aquasecurity:trivy:resource:Name",
"value": "rke2-coredns-rke2-coredns-autoscaler-6c48c95bf9-z5xkj"
}
]
},
{
"bom-ref": "pkg:oci/hardened-calico@sha256%3A25609c27281c8993db2606ecb644823788bc2ac007221857384bd1c66e218313?repository_url=index.docker.io%2Francher%2Fhardened-calico",
"type": "container",
"name": "index.docker.io/rancher/hardened-calico",
"version": "sha256:25609c27281c8993db2606ecb644823788bc2ac007221857384bd1c66e218313",
"purl": "pkg:oci/hardened-calico@sha256%3A25609c27281c8993db2606ecb644823788bc2ac007221857384bd1c66e218313?repository_url=index.docker.io%2Francher%2Fhardened-calico",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "index.docker.io/rancher/hardened-calico:3.26.3-build20231109"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/hardened-cluster-autoscaler@sha256%3A462d646604da3600521bff37608e1c03af322c30983c97c039fdc4afb7b69836?repository_url=index.docker.io%2Francher%2Fhardened-cluster-autoscaler",
"type": "container",
"name": "index.docker.io/rancher/hardened-cluster-autoscaler",
"version": "sha256:462d646604da3600521bff37608e1c03af322c30983c97c039fdc4afb7b69836",
"purl": "pkg:oci/hardened-cluster-autoscaler@sha256%3A462d646604da3600521bff37608e1c03af322c30983c97c039fdc4afb7b69836?repository_url=index.docker.io%2Francher%2Fhardened-cluster-autoscaler",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "index.docker.io/rancher/hardened-cluster-autoscaler:1.8.6-build20230609"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/hardened-coredns@sha256%3A3bbaf490bb8cd2d5582f6873e223bb2acec83cbcef88b398871f27a88ee1f820?repository_url=index.docker.io%2Francher%2Fhardened-coredns",
"type": "container",
"name": "index.docker.io/rancher/hardened-coredns",
"version": "sha256:3bbaf490bb8cd2d5582f6873e223bb2acec83cbcef88b398871f27a88ee1f820",
"purl": "pkg:oci/hardened-coredns@sha256%3A3bbaf490bb8cd2d5582f6873e223bb2acec83cbcef88b398871f27a88ee1f820?repository_url=index.docker.io%2Francher%2Fhardened-coredns",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "index.docker.io/rancher/hardened-coredns:1.10.1-build20230607"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/hardened-etcd@sha256%3Ac4d25c075d5d61b1860ae5496d1acc8f88dd3a8be6024b37207901da744efa08?repository_url=index.docker.io%2Francher%2Fhardened-etcd",
"type": "container",
"name": "index.docker.io/rancher/hardened-etcd",
"version": "sha256:c4d25c075d5d61b1860ae5496d1acc8f88dd3a8be6024b37207901da744efa08",
"purl": "pkg:oci/hardened-etcd@sha256%3Ac4d25c075d5d61b1860ae5496d1acc8f88dd3a8be6024b37207901da744efa08?repository_url=index.docker.io%2Francher%2Fhardened-etcd",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "index.docker.io/rancher/hardened-etcd:3.5.9-k3s1-build20230802"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/hardened-flannel@sha256%3A8f1482e37dbca001daf9f694c7b1484e6a05d0959caf95ed3f64619bf18ee0a0?repository_url=index.docker.io%2Francher%2Fhardened-flannel",
"type": "container",
"name": "index.docker.io/rancher/hardened-flannel",
"version": "sha256:8f1482e37dbca001daf9f694c7b1484e6a05d0959caf95ed3f64619bf18ee0a0",
"purl": "pkg:oci/hardened-flannel@sha256%3A8f1482e37dbca001daf9f694c7b1484e6a05d0959caf95ed3f64619bf18ee0a0?repository_url=index.docker.io%2Francher%2Fhardened-flannel",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "index.docker.io/rancher/hardened-flannel:0.23.0-build20231109"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
},
{
"bom-ref": "pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes",
"type": "container",
"name": "index.docker.io/rancher/hardened-kubernetes",
"version": "sha256:c07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49",
"purl": "pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes",
"properties": [
{
"name": "aquasecurity:trivy:PkgID",
"value": "index.docker.io/rancher/hardened-kubernetes:1.26.12-rke2r1-build20231220"
},
{
"name": "aquasecurity:trivy:PkgType",
"value": "oci"
}
]
}
],
"dependencies": [
{
"ref": "154845e7-1780-428f-827e-6d0fda4642cd",
"dependsOn": [
"15652f19-6634-411e-bfd3-8b63fdeb39af",
"b63a99f6-67e9-493a-88fe-2bf9066f8c3a"
]
},
{
"ref": "15652f19-6634-411e-bfd3-8b63fdeb39af",
"dependsOn": [
"pkg:golang/github.com%2Fcontainerd%2Fcontainerd@1.7.11-k3s2",
"pkg:k8s/k8s.io%2Fkubelet@1.26.12"
]
},
{
"ref": "1aa16a9f-9848-4f60-ad8c-52c0702f81fc",
"dependsOn": [
"3d55f5a8-53ef-4df3-aaaf-16fe1842ac29",
"b1300394-2087-49fe-a950-c826d8e0a5ea"
]
},
{
"ref": "3d55f5a8-53ef-4df3-aaaf-16fe1842ac29",
"dependsOn": []
},
{
"ref": "b1300394-2087-49fe-a950-c826d8e0a5ea",
"dependsOn": [
"pkg:golang/github.com%2Fcontainerd%2Fcontainerd@1.7.11-k3s2",
"pkg:k8s/k8s.io%2Fkubelet@1.26.12"
]
},
{
"ref": "b63a99f6-67e9-493a-88fe-2bf9066f8c3a",
"dependsOn": []
},
{
"ref": "pkg:golang/github.com%2Fcontainerd%2Fcontainerd@1.7.11-k3s2",
"dependsOn": []
},
{
"ref": "pkg:k8s/canal",
"dependsOn": [
"pkg:oci/hardened-calico@sha256%3A25609c27281c8993db2606ecb644823788bc2ac007221857384bd1c66e218313?repository_url=index.docker.io%2Francher%2Fhardened-calico",
"pkg:oci/hardened-flannel@sha256%3A8f1482e37dbca001daf9f694c7b1484e6a05d0959caf95ed3f64619bf18ee0a0?repository_url=index.docker.io%2Francher%2Fhardened-flannel"
]
},
{
"ref": "pkg:k8s/go.etcd.io%2Fetcd%2Fv3@3.5.9",
"dependsOn": [
"pkg:oci/hardened-etcd@sha256%3Ac4d25c075d5d61b1860ae5496d1acc8f88dd3a8be6024b37207901da744efa08?repository_url=index.docker.io%2Francher%2Fhardened-etcd"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fapiserver@1.26.12",
"dependsOn": [
"pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fcloud-provider",
"dependsOn": [
"pkg:oci/rke2-cloud-provider@sha256%3Ae2d98791f28b7aed3ab99afb99b52310eb1a36844b9bc9c497ebce327e4c68d5?repository_url=index.docker.io%2Francher%2Frke2-cloud-provider"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fcontroller-manager@1.26.12",
"dependsOn": [
"pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fkube-proxy@1.26.12",
"dependsOn": [
"pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fkube-scheduler@1.26.12",
"dependsOn": [
"pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes"
]
},
{
"ref": "pkg:k8s/k8s.io%2Fkubelet@1.26.12",
"dependsOn": []
},
{
"ref": "pkg:k8s/k8s.io%2Fkubernetes@1.26.12%2Brke2r1",
"dependsOn": [
"154845e7-1780-428f-827e-6d0fda4642cd",
"1aa16a9f-9848-4f60-ad8c-52c0702f81fc",
"pkg:k8s/canal",
"pkg:k8s/canal",
"pkg:k8s/go.etcd.io%2Fetcd%2Fv3@3.5.9",
"pkg:k8s/k8s.io%2Fapiserver@1.26.12",
"pkg:k8s/k8s.io%2Fcloud-provider",
"pkg:k8s/k8s.io%2Fcontroller-manager@1.26.12",
"pkg:k8s/k8s.io%2Fkube-proxy@1.26.12",
"pkg:k8s/k8s.io%2Fkube-proxy@1.26.12",
"pkg:k8s/k8s.io%2Fkube-scheduler@1.26.12",
"pkg:k8s/kube-dns",
"pkg:k8s/kube-dns",
"pkg:k8s/kube-dns-autoscaler"
]
},
{
"ref": "pkg:k8s/kube-dns",
"dependsOn": [
"pkg:oci/hardened-coredns@sha256%3A3bbaf490bb8cd2d5582f6873e223bb2acec83cbcef88b398871f27a88ee1f820?repository_url=index.docker.io%2Francher%2Fhardened-coredns"
]
},
{
"ref": "pkg:k8s/kube-dns-autoscaler",
"dependsOn": [
"pkg:oci/hardened-cluster-autoscaler@sha256%3A462d646604da3600521bff37608e1c03af322c30983c97c039fdc4afb7b69836?repository_url=index.docker.io%2Francher%2Fhardened-cluster-autoscaler"
]
},
{
"ref": "pkg:oci/hardened-calico@sha256%3A25609c27281c8993db2606ecb644823788bc2ac007221857384bd1c66e218313?repository_url=index.docker.io%2Francher%2Fhardened-calico",
"dependsOn": []
},
{
"ref": "pkg:oci/hardened-cluster-autoscaler@sha256%3A462d646604da3600521bff37608e1c03af322c30983c97c039fdc4afb7b69836?repository_url=index.docker.io%2Francher%2Fhardened-cluster-autoscaler",
"dependsOn": []
},
{
"ref": "pkg:oci/hardened-coredns@sha256%3A3bbaf490bb8cd2d5582f6873e223bb2acec83cbcef88b398871f27a88ee1f820?repository_url=index.docker.io%2Francher%2Fhardened-coredns",
"dependsOn": []
},
{
"ref": "pkg:oci/hardened-etcd@sha256%3Ac4d25c075d5d61b1860ae5496d1acc8f88dd3a8be6024b37207901da744efa08?repository_url=index.docker.io%2Francher%2Fhardened-etcd",
"dependsOn": []
},
{
"ref": "pkg:oci/hardened-flannel@sha256%3A8f1482e37dbca001daf9f694c7b1484e6a05d0959caf95ed3f64619bf18ee0a0?repository_url=index.docker.io%2Francher%2Fhardened-flannel",
"dependsOn": []
},
{
"ref": "pkg:oci/hardened-kubernetes@sha256%3Ac07c20c4501dd1c77cf0012f7cc2bf1148d1cfa1cc4ec0c92abe7561f4f0cb49?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes",
"dependsOn": []
},
{
"ref": "pkg:oci/rke2-cloud-provider@sha256%3Ae2d98791f28b7aed3ab99afb99b52310eb1a36844b9bc9c497ebce327e4c68d5?repository_url=index.docker.io%2Francher%2Frke2-cloud-provider",
"dependsOn": []
}
],
"vulnerabilities": []
}
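A KBOM is only usable for vulnerability matching if its dependency graph resolves: every ref in "dependencies" should name a declared component (or the metadata component), and a dependsOn list should not repeat entries. In the example above, "pkg:k8s/k8s.io%2Fcloud-provider" and the "pkg:oci/rke2-cloud-provider@..." ref appear in "dependencies" but have no entry under "components", and the root's dependsOn lists canal, kube-proxy and kube-dns twice each. The following added Go check, not code from this PR or from Trivy, detects both problems; the struct shapes cover only the CycloneDX fields it reads, the `CheckKBOM` and `Findings` names are assumptions, and `sampleKBOM` is a constructed, trimmed document modelled on the posted one (with a placeholder digest), not the real output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Only the parts of a CycloneDX 1.5 document the check needs.
type bom struct {
	Metadata struct {
		Component *component `json:"component"`
	} `json:"metadata"`
	Components   []component  `json:"components"`
	Dependencies []dependency `json:"dependencies"`
}

type component struct {
	BomRef string `json:"bom-ref"`
	Name   string `json:"name"`
}

type dependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

// Findings lists dependency-graph problems that make a KBOM unreliable:
// a ref that names no component (an edge to something the scanner never
// described) and a dependsOn list that repeats an entry (usually two
// cluster resources collapsed onto one purl).
type Findings struct {
	Dangling   []string // refs used in "dependencies" with no component
	Duplicates []string // "ref -> dep" pairs listed more than once
}

// CheckKBOM parses a CycloneDX JSON document and validates its
// dependency graph against the declared components.
func CheckKBOM(data []byte) (Findings, error) {
	var doc bom
	if err := json.Unmarshal(data, &doc); err != nil {
		return Findings{}, fmt.Errorf("invalid CycloneDX JSON: %w", err)
	}
	known := map[string]bool{}
	if doc.Metadata.Component != nil && doc.Metadata.Component.BomRef != "" {
		known[doc.Metadata.Component.BomRef] = true // the root is a valid ref
	}
	for _, c := range doc.Components {
		known[c.BomRef] = true
	}
	var f Findings
	dangling := map[string]bool{}
	for _, d := range doc.Dependencies {
		if !known[d.Ref] {
			dangling[d.Ref] = true
		}
		seen := map[string]bool{}
		for _, dep := range d.DependsOn {
			if !known[dep] {
				dangling[dep] = true
			}
			if seen[dep] {
				f.Duplicates = append(f.Duplicates, d.Ref+" -> "+dep)
			}
			seen[dep] = true
		}
	}
	for ref := range dangling {
		f.Dangling = append(f.Dangling, ref)
	}
	sort.Strings(f.Dangling)
	sort.Strings(f.Duplicates)
	return f, nil
}

// sampleKBOM is a constructed, trimmed-down document modelled on the RKE2
// KBOM above: a root cluster component, three components, one edge to a
// component that is never declared and one repeated dependsOn entry.
const sampleKBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {"bom-ref": "pkg:k8s/k8s.io%2Fkubernetes@1.26.12%2Brke2r1", "type": "platform", "name": "k8s.io/kubernetes"}
  },
  "components": [
    {"bom-ref": "pkg:k8s/canal", "type": "application", "name": "canal"},
    {"bom-ref": "pkg:k8s/k8s.io%2Fapiserver@1.26.12", "type": "application", "name": "k8s.io/apiserver"},
    {"bom-ref": "pkg:oci/hardened-kubernetes@sha256%3A0000?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes", "type": "container", "name": "index.docker.io/rancher/hardened-kubernetes"}
  ],
  "dependencies": [
    {"ref": "pkg:k8s/k8s.io%2Fkubernetes@1.26.12%2Brke2r1",
     "dependsOn": ["pkg:k8s/canal", "pkg:k8s/canal", "pkg:k8s/k8s.io%2Fapiserver@1.26.12", "pkg:k8s/k8s.io%2Fcloud-provider"]},
    {"ref": "pkg:k8s/k8s.io%2Fapiserver@1.26.12",
     "dependsOn": ["pkg:oci/hardened-kubernetes@sha256%3A0000?repository_url=index.docker.io%2Francher%2Fhardened-kubernetes"]},
    {"ref": "pkg:k8s/k8s.io%2Fcloud-provider", "dependsOn": []}
  ]
}`

func main() {
	f, err := CheckKBOM([]byte(sampleKBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println("dangling refs:", f.Dangling)
	fmt.Println("duplicate edges:", f.Duplicates)
}
```

Run against the full document above, the same check reports the two cloud-provider refs as dangling and the three repeated root edges; a consumer that walks the graph to decide which OCI image backs which control-plane component would otherwise silently skip the cloud-provider image.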
Sure, I'll take a look and make a separate PR #6019 for it.
Signed-off-by: chenk <hen.keinan@gmail.com>
91b3964 to ab83864
Description
k8s scan rancher rke2 version support