Update kubernetes packages #186
Conversation
|
A little more detail on the advisories: these are all vulnerabilities from govulncheck. One is rated High, one Low. The CVE descriptions are a little misleading. Both CVEs talk about |
|
The severity ratings for the advisories came from NVD (the high-severity CVE) and GitHub (the low-severity CVE). NVD hasn't analyzed the low-severity CVE yet. High severity: container can open arbitrary things on the host. Low severity: container can create new empty files and directories on the host (but can't overwrite existing files). |
packages/kubernetes-1.27/0003-EKS-PATCH-add-Authentication-tracking-request-error-.patch
Outdated
Show resolved
Hide resolved
larvacea
force-pushed
the
update-k8s
branch
2 times, most recently
from
b6f4f51 to
2a090a5
Compare
|
Updated to address Ben's comments. |
| sha512 = "fba641f745b5eef6f17e16501025959e570ae88912d79e2e08b4c79d18475430b879f98947d516871407feb297d5dac9b2fbc4ca565d3770c600d9550f3cffac" | ||
|
|
||
| [[package.metadata.build-package.external-files]] | ||
| url = "https://raw.githubusercontent.com/aws/eks-distro/refs/heads/main/projects/kubernetes/kubernetes/1-27/patches/0001-EKS-PATCH-admission-webhook-exclusion-from-file.patch" |
There was a problem hiding this comment.
Please add a .gitignore to k8s 1.27 through 1.31 to ignore these patches, like the ones in 1.24 - 1.26.
|
Your commit for 1.29 has a comma instead of a period. If you could fix that, that would be great! |
Update to v1-31-eks-4.
Update to upstream v1-30-eks-15
Upstream v1-29-eks-22 k
Update to upstream v1-28-eks-33
Update to 1.27.16, add .gitignore for patches
Add upstream patch 0016.
Add patch 0025
Add upstream patch 0037
Six advisories: two vulnerabilites each in three kubernetes packages, kubernetes-1.27, kubernetes-1.28, and kubernetes-1.29.
Add .gitignore for upstream patches to kubernetes 1.28 and later, in anticipation of patch files during extended support.
Description of changes:
Updates kubernetes-1.24 through 1.31 to the latest upstream versions. Moves kubernetes-1.27 from standard support to extended.
Testing done:
Built AMIs, created nodegroups with eksctl, verified that they would each join the cluster and run busybox. Accidentally verified that an aws-k8s-1.31 node will not join a v1.30 cluster, but will join a v1.31 cluster.
Terms of contribution:
By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.