As new releases come out, the base OS packages in the released images are updated to pick up the latest security issues.
Can you verify that the https://github.com/tektoncd/pipeline/blob/master/images/Dockerfile is used for each new release image (git-init and creds-init)? It seems to be trying to update the base packages, so I am trying to understand why this has not been getting fixed with new releases, like 0.14.x.
Both of those images have some rather "old" CVEs in them for the 0.14 release.
/area release
/kind bug
Took a quick...the base image in .ko.yaml is using the latest image from tekton-nightly: https://github.com/tektoncd/pipeline/blob/master/.ko.yaml
.ko.yaml.release is using an image from gcr.io/tekton-release/. I don't seem to have access to that... however, gcr.io/tekton-releases (extra s - releases vs release) has an updated base image that has been built recently.
Questions:
Perhaps someone who has done a release recently has an idea? (@afrittoli @sbwsg ?)
So a few things:
.ko.yaml.release is not used at all (I've opened a PR to remove it). Instead, we create one "from scratch" during the release process (which is not the best, but… .ko.yaml), see https://github.com/tektoncd/pipeline/blob/master/tekton/publish.yaml#L51
@vdemeester we are building the images, but are they picking up the latest OS base package updates? From what I'm seeing in the release images, they are back level.
Is this still the case? :thinking:
Appears to be better now.