Conversation

@alexliu541 alexliu541 commented Jan 9, 2026

Description

Context

Testing steps

 for image in access-logger certgen discovery gloo gloo-envoy-wrapper ingress kubectl sds; do trivy image --severity HIGH,CRITICAL quay.io/solo-io/${image}:1.0.1-dev; done

2026-01-09T01:41:02-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:02-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:02-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:02-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:02-08:00       INFO    Detected OS     family="alpine" version="3.21.5"
2026-01-09T01:41:02-08:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=16
2026-01-09T01:41:02-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:02-08:00       INFO    [gobinary] Detecting vulnerabilities...
2026-01-09T01:41:02-08:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌─────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                         Target                          │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/access-logger:1.0.1-dev (alpine 3.21.5) │  alpine  │        0        │    -    │
├─────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/access-logger                             │ gobinary │        0        │    -    │
└─────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:02-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:02-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:02-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:02-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:02-08:00       INFO    Detected OS     family="alpine" version="3.21.5"
2026-01-09T01:41:02-08:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=16
2026-01-09T01:41:02-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:02-08:00       INFO    [gobinary] Detecting vulnerabilities...

Report Summary

┌───────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                      Target                       │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/certgen:1.0.1-dev (alpine 3.21.5) │  alpine  │        0        │    -    │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/certgen                             │ gobinary │        0        │    -    │
└───────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:02-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:02-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:02-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:02-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:03-08:00       INFO    Detected OS     family="alpine" version="3.21.5"
2026-01-09T01:41:03-08:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=16
2026-01-09T01:41:03-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:03-08:00       INFO    [gobinary] Detecting vulnerabilities...
2026-01-09T01:41:03-08:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌─────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                       Target                        │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/discovery:1.0.1-dev (alpine 3.21.5) │  alpine  │        0        │    -    │
├─────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/discovery                             │ gobinary │        0        │    -    │
└─────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:03-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:03-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:03-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:03-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:05-08:00       INFO    Detected OS     family="ubuntu" version="20.04"
2026-01-09T01:41:05-08:00       INFO    [ubuntu] Detecting vulnerabilities...   os_version="20.04" pkg_num=98
2026-01-09T01:41:05-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:05-08:00       INFO    [gobinary] Detecting vulnerabilities...
2026-01-09T01:41:05-08:00       WARN    This OS version is no longer supported by the distribution      family="ubuntu" version="20.04"
2026-01-09T01:41:05-08:00       WARN    The vulnerability detection may be insufficient because security updates are not provided
2026-01-09T01:41:05-08:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌───────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                    Target                     │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/gloo:1.0.1-dev (ubuntu 20.04) │  ubuntu  │        0        │    -    │
├───────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/gloo                            │ gobinary │        0        │    -    │
└───────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:05-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:05-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:05-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:05-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:05-08:00       INFO    Detected OS     family="ubuntu" version="20.04"
2026-01-09T01:41:05-08:00       INFO    [ubuntu] Detecting vulnerabilities...   os_version="20.04" pkg_num=98
2026-01-09T01:41:05-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:05-08:00       INFO    [gobinary] Detecting vulnerabilities...
2026-01-09T01:41:05-08:00       WARN    This OS version is no longer supported by the distribution      family="ubuntu" version="20.04"
2026-01-09T01:41:05-08:00       WARN    The vulnerability detection may be insufficient because security updates are not provided

Report Summary

┌─────────────────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                           Target                            │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/gloo-envoy-wrapper:1.0.1-dev (ubuntu 20.04) │  ubuntu  │        0        │    -    │
├─────────────────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/envoyinit                                     │ gobinary │        0        │    -    │
└─────────────────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:05-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:05-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:05-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:05-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:06-08:00       INFO    Detected OS     family="alpine" version="3.21.5"
2026-01-09T01:41:06-08:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=15
2026-01-09T01:41:06-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:06-08:00       INFO    [gobinary] Detecting vulnerabilities...
2026-01-09T01:41:06-08:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌───────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                      Target                       │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/ingress:1.0.1-dev (alpine 3.21.5) │  alpine  │        0        │    -    │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/ingress                             │ gobinary │        0        │    -    │
└───────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:06-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:06-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:06-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:06-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:06-08:00       INFO    Detected OS     family="alpine" version="3.21.5"
2026-01-09T01:41:06-08:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=15
2026-01-09T01:41:06-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:06-08:00       INFO    [gobinary] Detecting vulnerabilities...

Report Summary

┌───────────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                      Target                       │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/kubectl:1.0.1-dev (alpine 3.21.5) │  alpine  │        0        │    -    │
├───────────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/kubectl                             │ gobinary │        0        │    -    │
└───────────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

2026-01-09T01:41:06-08:00       INFO    [vuln] Vulnerability scanning is enabled
2026-01-09T01:41:06-08:00       INFO    [secret] Secret scanning is enabled
2026-01-09T01:41:06-08:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2026-01-09T01:41:06-08:00       INFO    [secret] Please see https://trivy.dev/docs/v0.68/guide/scanner/secret#recommendation for faster secret detection
2026-01-09T01:41:06-08:00       INFO    Detected OS     family="alpine" version="3.21.5"
2026-01-09T01:41:06-08:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.21" repository="3.21" pkg_num=15
2026-01-09T01:41:06-08:00       INFO    Number of language-specific files       num=1
2026-01-09T01:41:06-08:00       INFO    [gobinary] Detecting vulnerabilities...
2026-01-09T01:41:06-08:00       INFO    Some vulnerabilities have been ignored/suppressed. Use the "--show-suppressed" flag to display them.

Report Summary

┌───────────────────────────────────────────────┬──────────┬─────────────────┬─────────┐
│                    Target                     │   Type   │ Vulnerabilities │ Secrets │
├───────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ quay.io/solo-io/sds:1.0.1-dev (alpine 3.21.5) │  alpine  │        0        │    -    │
├───────────────────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ usr/local/bin/sds                             │ gobinary │        0        │    -    │
└───────────────────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Notes for reviewers

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works

@alexliu541 alexliu541 requested a review from sheidkamp January 9, 2026 11:53
@alexliu541 alexliu541 self-assigned this Jan 9, 2026
@solo-changelog-bot
Issues linked to changelog:
#11089


@sheidkamp sheidkamp left a comment

We should bump the kubectl dependency versions in the max_versions/pr_versions files in CI (and check if we should bump the node version to match); otherwise, this should be all we need.
