
Upgrade to distroless envoy #1271

Conversation

jmcgrath207

Changes

Upgrade envoy to distroless-v1.27 for fewer vulnerabilities.

$ grype docker.io/envoyproxy/envoy:distroless-v1.27-latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    index.docker.io/envoyproxy/envoy:distroless-v1.27-latest
 ✔ Parsed image                    sha256:f41d403a28eef76aea46c78f4445851a097483bc0a87d1e21ff4bf339494b5dc
 ✔ Cataloged contents              ee5d42d10f744ff27bdc90decf1c21cc195f467815f71bbc8f0a5b271aef25b0
   ├── ✔ Packages                        [4 packages]
   ├── ✔ File digests                    [1,219 files]
   ├── ✔ File metadata                   [1,219 locations]
   └── ✔ Executables                     [274 executables]
 ✔ Scanned for vulnerabilities     [7 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 7 negligible
   └── by status:   0 fixed, 7 not-fixed, 0 ignored
NAME   INSTALLED       FIXED-IN  TYPE  VULNERABILITY     SEVERITY   
libc6  2.36-9+deb12u7            deb   CVE-2019-9192     Negligible  
libc6  2.36-9+deb12u7            deb   CVE-2019-1010025  Negligible  
libc6  2.36-9+deb12u7            deb   CVE-2019-1010024  Negligible  
libc6  2.36-9+deb12u7            deb   CVE-2019-1010023  Negligible  
libc6  2.36-9+deb12u7            deb   CVE-2019-1010022  Negligible  
libc6  2.36-9+deb12u7            deb   CVE-2018-20796    Negligible  
libc6  2.36-9+deb12u7            deb   CVE-2010-4756     Negligible

Old envoy container.

$ grype docker.io/envoyproxy/envoy:v1.26-latest
 ✔ Vulnerability DB                [no update available]
 ✔ Loaded image                    index.docker.io/envoyproxy/envoy:v1.26-latest
 ✔ Parsed image                    sha256:f63d21feeb3ca857a72182892c6c14fd8ed75dc3871c57f4578b342e1409b64d
 ✔ Cataloged contents              264d816f68880c01a3daf9ec3b56e15723ddc0e952e8c623f42a2149ddae9c3f
   ├── ✔ Packages                        [95 packages]
   ├── ✔ File digests                    [2,127 files]
   ├── ✔ File metadata                   [2,127 locations]
   └── ✔ Executables                     [734 executables]
 ✔ Scanned for vulnerabilities     [47 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 16 medium, 28 low, 3 negligible
   └── by status:   11 fixed, 36 not-fixed, 0 ignored
NAME          INSTALLED                 FIXED-IN            TYPE  VULNERABILITY   SEVERITY   
coreutils     8.30-3ubuntu2                                 deb   CVE-2016-2781   Low         
gcc-10-base   10.5.0-1ubuntu1~20.04                         deb   CVE-2023-4039   Medium      
gpgv          2.2.19-3ubuntu2.2                             deb   CVE-2022-3219   Low         
libc-bin      2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33602  Medium      
libc-bin      2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33601  Medium      
libc-bin      2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33600  Medium      
libc-bin      2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33599  Medium      
libc-bin      2.31-0ubuntu9.14          2.31-0ubuntu9.15    deb   CVE-2024-2961   Medium      
libc-bin      2.31-0ubuntu9.14                              deb   CVE-2016-20013  Negligible  
libc6         2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33602  Medium      
libc6         2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33601  Medium      
libc6         2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33600  Medium      
libc6         2.31-0ubuntu9.14          2.31-0ubuntu9.16    deb   CVE-2024-33599  Medium      
libc6         2.31-0ubuntu9.14          2.31-0ubuntu9.15    deb   CVE-2024-2961   Medium      
libc6         2.31-0ubuntu9.14                              deb   CVE-2016-20013  Negligible  
libgcc-s1     10.5.0-1ubuntu1~20.04                         deb   CVE-2023-4039   Medium      
libgcrypt20   1.8.5-5ubuntu1.1                              deb   CVE-2024-2236   Medium      
libgnutls30   3.6.13-2ubuntu1.10        3.6.13-2ubuntu1.11  deb   CVE-2024-28834  Medium      
liblzma5      5.2.4-1ubuntu1.1                              deb   CVE-2020-22916  Medium      
libncurses6   6.2-0ubuntu2.1                                deb   CVE-2023-50495  Low         
libncurses6   6.2-0ubuntu2.1                                deb   CVE-2023-45918  Low         
libncursesw6  6.2-0ubuntu2.1                                deb   CVE-2023-50495  Low         
libncursesw6  6.2-0ubuntu2.1                                deb   CVE-2023-45918  Low         
libpcre2-8-0  10.34-7ubuntu0.1                              deb   CVE-2022-41409  Low         
libpcre3      2:8.39-12ubuntu0.1                            deb   CVE-2017-11164  Negligible  
libssl1.1     1.1.1f-1ubuntu2.22                            deb   CVE-2024-5535   Low         
libssl1.1     1.1.1f-1ubuntu2.22                            deb   CVE-2024-4741   Low         
libssl1.1     1.1.1f-1ubuntu2.22                            deb   CVE-2024-2511   Low         
libstdc++6    10.5.0-1ubuntu1~20.04                         deb   CVE-2023-4039   Medium      
libsystemd0   245.4-4ubuntu3.23                             deb   CVE-2023-7008   Low         
libsystemd0   245.4-4ubuntu3.23                             deb   CVE-2023-26604  Low         
libtasn1-6    4.16.0-2                                      deb   CVE-2021-46848  Low         
libtinfo6     6.2-0ubuntu2.1                                deb   CVE-2023-50495  Low         
libtinfo6     6.2-0ubuntu2.1                                deb   CVE-2023-45918  Low         
libudev1      245.4-4ubuntu3.23                             deb   CVE-2023-7008   Low         
libudev1      245.4-4ubuntu3.23                             deb   CVE-2023-26604  Low         
login         1:4.8.1-1ubuntu5.20.04.5                      deb   CVE-2023-29383  Low         
login         1:4.8.1-1ubuntu5.20.04.5                      deb   CVE-2013-4235   Low         
ncurses-base  6.2-0ubuntu2.1                                deb   CVE-2023-50495  Low         
ncurses-base  6.2-0ubuntu2.1                                deb   CVE-2023-45918  Low         
ncurses-bin   6.2-0ubuntu2.1                                deb   CVE-2023-50495  Low         
ncurses-bin   6.2-0ubuntu2.1                                deb   CVE-2023-45918  Low         
openssl       1.1.1f-1ubuntu2.22                            deb   CVE-2024-5535   Low         
openssl       1.1.1f-1ubuntu2.22                            deb   CVE-2024-4741   Low         
openssl       1.1.1f-1ubuntu2.22                            deb   CVE-2024-2511   Low         
passwd        1:4.8.1-1ubuntu5.20.04.5                      deb   CVE-2023-29383  Low         
passwd        1:4.8.1-1ubuntu5.20.04.5                      deb   CVE-2013-4235   Low

/kind enhancement
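The two scans above differ in more than the match count: the "by status" line shows that 11 of the v1.26 findings already have a fix published by the distro (libc 2.31-0ubuntu9.16, gnutls 3.6.13-2ubuntu1.11), which means that image is stale rather than inherently exposed, while the 7 distroless findings are all not-fixed glibc issues that Debian rates negligible. Gating a CI job on that distinction, not on the raw count, is the check a practitioner would want. The Go program below is an added example for this page, not net-kourier or envoy code: it reads a grype JSON report (grype <image> -o json), summarises matches by severity, lists findings whose fix is already published, and returns the reasons a build should fail. The JSON field names are the subset of grype's report schema relied on here (an assumption about the tool's output), and the embedded report is constructed from rows of the scans above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Subset of grype's JSON report (grype <image> -o json). Assumption of this
// added example: field names follow grype's report schema.
type grypeReport struct {
	Matches []grypeMatch `json:"matches"`
}

type grypeMatch struct {
	Vulnerability struct {
		ID       string `json:"id"`
		Severity string `json:"severity"`
		Fix      struct {
			Versions []string `json:"versions"`
			State    string   `json:"state"` // fixed | not-fixed | wont-fix | unknown
		} `json:"fix"`
	} `json:"vulnerability"`
	Artifact struct {
		Name    string `json:"name"`
		Version string `json:"version"`
	} `json:"artifact"`
}

// severityRank orders grype's severity labels. Anything unrecognised ranks
// highest so a mislabelled finding is never silently waved through.
func severityRank(s string) int {
	switch strings.ToLower(s) {
	case "negligible":
		return 0
	case "low":
		return 1
	case "medium":
		return 2
	case "high":
		return 3
	case "critical":
		return 4
	}
	return 5
}

// Summary is what the gate decides on: counts per severity plus the findings
// the distro has already fixed, which only a rebuild on a newer base removes.
type Summary struct {
	BySeverity map[string]int
	Stale      []string
}

// Summarize parses a grype JSON report into a Summary.
func Summarize(raw []byte) (Summary, error) {
	var r grypeReport
	if err := json.Unmarshal(raw, &r); err != nil {
		return Summary{}, fmt.Errorf("parse grype json: %w", err)
	}
	s := Summary{BySeverity: map[string]int{}}
	for _, m := range r.Matches {
		s.BySeverity[strings.ToLower(m.Vulnerability.Severity)]++
		if m.Vulnerability.Fix.State == "fixed" {
			s.Stale = append(s.Stale, fmt.Sprintf("%s %s -> %s (%s)",
				m.Artifact.Name, m.Artifact.Version,
				strings.Join(m.Vulnerability.Fix.Versions, ","), m.Vulnerability.ID))
		}
	}
	return s, nil
}

// Violations returns why a CI gate should fail: any finding at or above
// failAt, and any finding whose fix is already published upstream.
func Violations(s Summary, failAt string) []string {
	var out []string
	for sev, n := range s.BySeverity {
		if n > 0 && severityRank(sev) >= severityRank(failAt) {
			out = append(out, fmt.Sprintf("%d %s finding(s) at or above %s", n, sev, failAt))
		}
	}
	for _, st := range s.Stale {
		out = append(out, "fix available, rebuild image: "+st)
	}
	return out
}

// Constructed sample built from rows of the v1.26 and distroless-v1.27 scans.
const sampleReport = `{"matches":[
 {"vulnerability":{"id":"CVE-2024-33599","severity":"Medium","fix":{"versions":["2.31-0ubuntu9.16"],"state":"fixed"}},
  "artifact":{"name":"libc6","version":"2.31-0ubuntu9.14"}},
 {"vulnerability":{"id":"CVE-2023-4039","severity":"Medium","fix":{"versions":[],"state":"not-fixed"}},
  "artifact":{"name":"gcc-10-base","version":"10.5.0-1ubuntu1~20.04"}},
 {"vulnerability":{"id":"CVE-2019-9192","severity":"Negligible","fix":{"versions":[],"state":"not-fixed"}},
  "artifact":{"name":"libc6","version":"2.36-9+deb12u7"}}
]}`

func main() {
	s, err := Summarize([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	for _, v := range Violations(s, "high") {
		fmt.Println("FAIL:", v)
	}
}
```

Run against the sample with a "high" threshold the only violation is the stale libc6 entry; with "medium" the two medium findings are reported as well. Feeding it a real report is a matter of replacing sampleReport with the bytes of grype -o json.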


knative-prow bot commented Jul 17, 2024

Welcome @jmcgrath207! It looks like this is your first PR to knative-extensions/net-kourier 🎉


knative-prow bot commented Jul 17, 2024

Hi @jmcgrath207. Thanks for your PR.

I'm waiting for a knative-extensions member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@knative-prow knative-prow bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 17, 2024
@knative-prow knative-prow bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Jul 17, 2024
@@ -25,8 +25,8 @@ jobs:

gateway:
- quay.io/maistra-dev/proxyv2-ubi8:2.4-latest
- docker.io/envoyproxy/envoy:v1.26-latest
Contributor

In the tests I think we still want to verify 1.26.

- docker.io/envoyproxy/envoy:v1.27-latest
- docker.io/envoyproxy/envoy:distroless-v1.27-latest
- docker.io/envoyproxy/envoy:v1.28-latest
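Review bot: every gateway entry in this hunk is a floating tag (v1.27-latest, distroless-v1.27-latest, v1.28-latest), so the image CI exercises changes silently whenever upstream republishes the tag, and the grype results quoted in the description, which name a specific sha256 digest, cannot be tied back to a given test run. Pin each entry by digest (docker.io/envoyproxy/envoy@sha256:...) and bump it deliberately, or at least have the job log the resolved digest. Note also that the header is -25,8 +25,8, so the new tags replace lines rather than extend the list, which is why the 1.26 image the comment above asks to keep verifying drops out of the matrix.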
Contributor

Envoy is at 1.31 should we update and see what works?

@skonto
Contributor

skonto commented Sep 5, 2024

/ok-to-test

@knative-prow knative-prow bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 5, 2024

knative-prow bot commented Sep 6, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: jmcgrath207
Once this PR has been reviewed and has the lgtm label, please assign retocode for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Sep 6, 2024
@jmcgrath207
Author

/test integration-tests_net-kourier_main

@jmcgrath207
Author

Thanks for reviewing @skonto.

I've added 1.31 and the other versions between 1.26 for test coverage.

If it looks good, I am ready for integration test approval.

- docker.io/envoyproxy/envoy:v1.28-latest
- docker.io/envoyproxy/envoy:distroless-v1.26-latest
- docker.io/envoyproxy/envoy:distroless-v1.27-latest
- docker.io/envoyproxy/envoy:distroless-v1.28-latest
@skonto skonto Sep 16, 2024

It seems that < 1.28 are EOL see https://github.com/envoyproxy/envoy/blob/main/RELEASES.md#major-release-schedule. Probably better to start with 1.28?

Author

Fixed

@skonto
Copy link
Contributor

skonto commented Sep 16, 2024

I tried grype against 1.31.

distroless:

 ✔ Vulnerability DB                [updated]
 ✔ Pulled image
 ✔ Loaded image                    index.docker.io/envoyproxy/envoy:distroless-v1.31-latest
 ✔ Parsed image                    sha256:835f1baadd55fe5c2e7536a5eea3702fe2977e5e5bcac8c85728e39e9a2e4f38
 ✔ Cataloged contents              8e828580ecb084dcedbd6cb73c09d015092d8ef1f6993bd6f699e95ea81ebade
   ├── ✔ Packages                        [4 packages]
   ├── ✔ File digests                    [1,219 files]
   ├── ✔ File metadata                   [1,219 locations]
   └── ✔ Executables                     [274 executables]
 ✔ Scanned for vulnerabilities     [7 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 7 negligible
   └── by status:   0 fixed, 7 not-fixed, 0 ignored
NAME   INSTALLED       FIXED-IN  TYPE  VULNERABILITY     SEVERITY   
libc6  2.36-9+deb12u8            deb   CVE-2019-9192     Negligible  
libc6  2.36-9+deb12u8            deb   CVE-2019-1010025  Negligible  
libc6  2.36-9+deb12u8            deb   CVE-2019-1010024  Negligible  
libc6  2.36-9+deb12u8            deb   CVE-2019-1010023  Negligible  
libc6  2.36-9+deb12u8            deb   CVE-2019-1010022  Negligible  
libc6  2.36-9+deb12u8            deb   CVE-2018-20796    Negligible  
libc6  2.36-9+deb12u8            deb   CVE-2010-4756     Negligible

non-distroless:

 ✔ Vulnerability DB                [no update available]
 ✔ Pulled image
 ✔ Loaded image                    index.docker.io/envoyproxy/envoy:v1.31-latest
 ✔ Parsed image                    sha256:7cb90f99adada4b9ab870c3ac4eb9c87c6eef27ea40d0580d4f5680c9cef9fb0
 ✔ Cataloged contents              d1c7351c8f626f44a459f066ac739359777221db2d75d508cc1a72b133317e92
   ├── ✔ Packages                        [103 packages]
   ├── ✔ File digests                    [2,195 files]
   ├── ✔ File metadata                   [2,195 locations]
   └── ✔ Executables                     [736 executables]
 ✔ Scanned for vulnerabilities     [43 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 10 medium, 26 low, 7 negligible
   └── by status:   0 fixed, 43 not-fixed, 0 ignored
NAME              INSTALLED                 FIXED-IN  TYPE  VULNERABILITY   SEVERITY   
coreutils         8.32-4.1ubuntu1.2                   deb   CVE-2016-2781   Low         
gcc-12-base       12.3.0-1ubuntu1~22.04               deb   CVE-2023-4039   Medium      
gcc-12-base       12.3.0-1ubuntu1~22.04               deb   CVE-2022-27943  Low         
gpgv              2.2.27-3ubuntu2.1                   deb   CVE-2022-3219   Low         
libc-bin          2.35-0ubuntu3.8                     deb   CVE-2016-20013  Negligible  
libc6             2.35-0ubuntu3.8                     deb   CVE-2016-20013  Negligible  
libgcc-s1         12.3.0-1ubuntu1~22.04               deb   CVE-2023-4039   Medium      
libgcc-s1         12.3.0-1ubuntu1~22.04               deb   CVE-2022-27943  Low         
libgcrypt20       1.9.4-3ubuntu3                      deb   CVE-2024-2236   Medium      
libgssapi-krb5-2  1.19.2-2ubuntu0.4                   deb   CVE-2024-26462  Medium      
libgssapi-krb5-2  1.19.2-2ubuntu0.4                   deb   CVE-2024-26461  Low         
libgssapi-krb5-2  1.19.2-2ubuntu0.4                   deb   CVE-2024-26458  Negligible  
libk5crypto3      1.19.2-2ubuntu0.4                   deb   CVE-2024-26462  Medium      
libk5crypto3      1.19.2-2ubuntu0.4                   deb   CVE-2024-26461  Low         
libk5crypto3      1.19.2-2ubuntu0.4                   deb   CVE-2024-26458  Negligible  
libkrb5-3         1.19.2-2ubuntu0.4                   deb   CVE-2024-26462  Medium      
libkrb5-3         1.19.2-2ubuntu0.4                   deb   CVE-2024-26461  Low         
libkrb5-3         1.19.2-2ubuntu0.4                   deb   CVE-2024-26458  Negligible  
libkrb5support0   1.19.2-2ubuntu0.4                   deb   CVE-2024-26462  Medium      
libkrb5support0   1.19.2-2ubuntu0.4                   deb   CVE-2024-26461  Low         
libkrb5support0   1.19.2-2ubuntu0.4                   deb   CVE-2024-26458  Negligible  
libncurses6       6.3-2ubuntu0.1                      deb   CVE-2023-50495  Low         
libncurses6       6.3-2ubuntu0.1                      deb   CVE-2023-45918  Low         
libncursesw6      6.3-2ubuntu0.1                      deb   CVE-2023-50495  Low         
libncursesw6      6.3-2ubuntu0.1                      deb   CVE-2023-45918  Low         
libpcre2-8-0      10.39-3ubuntu0.1                    deb   CVE-2022-41409  Low         
libpcre3          2:8.39-13ubuntu0.22.04.1            deb   CVE-2017-11164  Negligible  
libssl3           3.0.2-0ubuntu1.18                   deb   CVE-2024-41996  Medium      
libstdc++6        12.3.0-1ubuntu1~22.04               deb   CVE-2023-4039   Medium      
libstdc++6        12.3.0-1ubuntu1~22.04               deb   CVE-2022-27943  Low         
libsystemd0       249.11-0ubuntu3.12                  deb   CVE-2023-7008   Low         
libtasn1-6        4.18.0-4build1                      deb   CVE-2021-46848  Low         
libtinfo6         6.3-2ubuntu0.1                      deb   CVE-2023-50495  Low         
libtinfo6         6.3-2ubuntu0.1                      deb   CVE-2023-45918  Low         
libudev1          249.11-0ubuntu3.12                  deb   CVE-2023-7008   Low         
libzstd1          1.4.8+dfsg-3build1                  deb   CVE-2022-4899   Low         
login             1:4.8.1-2ubuntu2.2                  deb   CVE-2023-29383  Low         
ncurses-base      6.3-2ubuntu0.1                      deb   CVE-2023-50495  Low         
ncurses-base      6.3-2ubuntu0.1                      deb   CVE-2023-45918  Low         
ncurses-bin       6.3-2ubuntu0.1                      deb   CVE-2023-50495  Low         
ncurses-bin       6.3-2ubuntu0.1                      deb   CVE-2023-45918  Low         
openssl           3.0.2-0ubuntu1.18                   deb   CVE-2024-41996  Medium      
passwd            1:4.8.1-2ubuntu2.2                  deb   CVE-2023-29383  Low

@skonto
Contributor

skonto commented Sep 16, 2024

cc @ReToCode if he has any additional comments.

@knative-prow knative-prow bot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Sep 16, 2024

codecov bot commented Sep 17, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.31%. Comparing base (6f0b49f) to head (cfa3b0c).
Report is 3 commits behind head on main.

@@           Coverage Diff           @@
##             main    #1271   +/-   ##
=======================================
  Coverage   62.31%   62.31%           
=======================================
  Files          24       24           
  Lines        1632     1632           
=======================================
  Hits         1017     1017           
  Misses        553      553           
  Partials       62       62           


@skonto
Contributor

skonto commented Sep 17, 2024

Shutdown checks fail, we don't have curl or sleep in distroless. We either build our own shutdown command that runs command: ["/bin/sh","-c","curl -X POST http://localhost:9901/drain_listeners?graceful; sleep $DRAIN_TIME_SECONDS"] and add it to the image, or fall back to the non-distroless versions.
In the meantime, I think we should update versions of the current images anyway and then discuss further if we should support distroless directly or just add instructions for the user.
cc @ReToCode
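The drain step in the preStop hook quoted above is the only part of shutdown that needs a shell, curl and sleep; a static Go binary can do the same work and ship in a distroless image without adding packages to it. The program below is an added example for this page, not net-kourier code: it POSTs to envoy's admin drain endpoint and then waits DRAIN_TIME_SECONDS, mirroring the one-liner in the comment. The admin address localhost:9901 and the drain path come from that comment; the ENVOY_ADMIN_URL override, the 5-second request timeout and building with CGO_ENABLED=0 are assumptions of this example.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"os"
	"strconv"
	"time"
)

// Added example, not net-kourier code: a preStop helper for a distroless
// envoy image that replaces the curl + sleep shell one-liner. Assumed: the
// admin listener is on localhost:9901 (as in the comment above) and the
// binary is built with CGO_ENABLED=0 so it needs nothing from the base image.
const defaultAdmin = "http://localhost:9901"

// DrainListeners asks envoy to gracefully drain its listeners via the admin
// API. A transport failure or a non-2xx status is returned as an error.
func DrainListeners(ctx context.Context, client *http.Client, admin string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, admin+"/drain_listeners?graceful", nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("drain request: %w", err)
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("drain_listeners returned HTTP %d", resp.StatusCode)
	}
	return nil
}

// DrainDuration parses DRAIN_TIME_SECONDS. Empty means no wait; anything that
// is not a non-negative integer is an error rather than a silent zero, so a
// misconfigured hook fails loudly instead of skipping the drain window.
func DrainDuration(value string) (time.Duration, error) {
	if value == "" {
		return 0, nil
	}
	secs, err := strconv.Atoi(value)
	if err != nil || secs < 0 {
		return 0, fmt.Errorf("DRAIN_TIME_SECONDS=%q is not a non-negative integer", value)
	}
	return time.Duration(secs) * time.Second, nil
}

func main() {
	wait, err := DrainDuration(os.Getenv("DRAIN_TIME_SECONDS"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	admin := os.Getenv("ENVOY_ADMIN_URL") // assumed override; defaults to the admin port above
	if admin == "" {
		admin = defaultAdmin
	}
	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancel()
	if err := DrainListeners(ctx, &http.Client{}, admin); err != nil {
		// Report but keep waiting: the sh one-liner also slept regardless of
		// curl's result, so in-flight requests still get the drain window.
		fmt.Fprintln(os.Stderr, "drain failed:", err)
	}
	time.Sleep(wait)
}
```

Build it with CGO_ENABLED=0 go build -o drain ., COPY it into the image and point the hook at it with exec: command: ["/drain"] (assumed wiring). The binary has no dependence on the base image's libc, so the same file works in the glibc-based and distroless envoy images, and the upstream image itself is left unmodified.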

@ReToCode
Member

Hm, building our own command seems a lot of work for this, also adding curl would mean we have to rebuild every new version of envoy docker images (we can’t do that for patches and such). Not sure if having distroless is worth all that effort.

+1 for the version bump without it, I’ll do a PR for that.

@jmcgrath207
Author

Thanks y'all. I am happy with the updated envoy version to the latest and understand the curl entrypoint issue.

I am closing this issue.

Labels
kind/enhancement ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
3 participants