Update kube and alpine images version to fix vulnerability#77

Open
ashutoshrathore wants to merge 2 commits into groundnuty:master from ashutoshrathore:patch-1

Conversation

@ashutoshrathore

No description provided.

@ashutoshrathore ashutoshrathore marked this pull request as draft October 15, 2024 19:13
@ashutoshrathore ashutoshrathore marked this pull request as ready for review October 15, 2024 19:15
@ashutoshrathore
Author

@ArnobKumarSaha @groundnuty can you please review and merge it?

@spideyfusion

@groundnuty Mind merging this in to address security vulnerabilities?

@groundnuty
Owner

@spideyfusion k8s-wait-for will be updated in December and after that, I plan to do a release every ~6 months.

@groundnuty
Owner

@spideyfusion @ashutoshrathore I'm updating the dependencies and releasing the new version this week, but this constant race against vulnerabilities is too rapid for a biannual release cycle.

I researched using https://www.chainguard.dev images as they seem to be popular nowadays in devops circles.
My intention was to use their kubectl and rebuild the k8s-wait-for image with GitHub workflows, e.g. weekly with a pinned kubectl version and updated dependencies, but last year they disabled pulling images with any version but latest...

Do you have any recommendations/know the best practices on how to tackle the problem of vulnerability fixes in an automatic manner, but still maintaining stability of the tool?
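One concrete shape for the "rebuild weekly with a pinned kubectl, but keep the tool stable" idea raised above is a scheduled GitHub Actions workflow that re-resolves the base image, builds with a pinned kubectl version, scans the candidate image, smoke-tests it, and only then pushes it. The workflow below is an added example written for this thread, not part of the k8s-wait-for repository or this PR. It assumes a Dockerfile in the repository root that accepts a `KUBECTL_VERSION` build argument, a registry path `ghcr.io/example-org/k8s-wait-for` (placeholder), and illustrative action and kubectl versions that a maintainer would pin to whatever they have actually verified.

```yaml
# Added example (not the project's own workflow). Assumptions: the Dockerfile
# reads ARG KUBECTL_VERSION, the registry path is a placeholder, and the
# action/kubectl versions shown are illustrative pins.
name: weekly-rebuild

on:
  schedule:
    - cron: "0 6 * * 1"      # every Monday 06:00 UTC
  workflow_dispatch:          # allow an out-of-band rebuild after an advisory

permissions:
  contents: read
  packages: write

env:
  KUBECTL_VERSION: "v1.31.2"                       # assumed pin; bump via a reviewed PR
  IMAGE: ghcr.io/example-org/k8s-wait-for          # placeholder registry path

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-buildx-action@v3

      - name: Build candidate image
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          pull: true                                # re-resolve the base tag so OS package fixes land
          build-args: |
            KUBECTL_VERSION=${{ env.KUBECTL_VERSION }}
          tags: ${{ env.IMAGE }}:candidate

      - name: Scan candidate before publishing
        uses: aquasecurity/trivy-action@0.28.0      # illustrative pin
        with:
          image-ref: ${{ env.IMAGE }}:candidate
          severity: HIGH,CRITICAL
          ignore-unfixed: true                      # only block on findings that have a fix
          exit-code: "1"                            # a finding fails the job, so nothing is pushed

      - name: Smoke test the pinned kubectl
        run: |
          docker run --rm --entrypoint kubectl "${IMAGE}:candidate" version --client \
            | grep -q "${KUBECTL_VERSION}"

      - name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish immutable and moving tags
        run: |
          DATE_TAG="${KUBECTL_VERSION}-$(date -u +%Y%m%d)"
          docker tag "${IMAGE}:candidate" "${IMAGE}:${DATE_TAG}"
          docker tag "${IMAGE}:candidate" "${IMAGE}:${KUBECTL_VERSION}"
          docker push "${IMAGE}:${DATE_TAG}"
          docker push "${IMAGE}:${KUBECTL_VERSION}"
```

The stability/patching split lives in the tags: the `KUBECTL_VERSION` pin changes only through a reviewed pull request, while the weekly run just re-pulls the base image to pick up Alpine package fixes. Consumers who want reproducibility pin the dated tag; consumers who want fixes without behaviour changes follow the version tag. Because the scan and smoke test run before the login step, a failed run leaves the previously published tags untouched rather than replacing them with a broken image.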

@ashutoshrathore
Author

ashutoshrathore commented Feb 11, 2025

@spideyfusion @ashutoshrathore I'm updating the dependencies and releasing the new version this week, but this constant race against vulnerabilities is too rapid for a biannual release cycle.

I researched using https://www.chainguard.dev images as they seem to be popular nowadays in devops circles. My intention was to use their kubectl and rebuild the k8s-wait-for image with GitHub workflows, e.g. weekly with a pinned kubectl version and updated dependencies, but last year they disabled pulling images with any version but latest...

Do you have any recommendations/know the best practices on how to tackle the problem of vulnerability fixes in an automatic manner, but still maintaining stability of the tool?

I am not sure if there are any best practices or automated methods to keep this image up to date. However, if I have permission to maintain this repository, I can ensure the images are regularly updated. We pull this image into our Azure Container Registry and also scan it regularly using Defender. Also, this k8s-wait image is used in our organization by many applications. Therefore, it would be easier for me to address vulnerabilities here, as I already need to fix them in my container as well.

PS: Sorry for late reply, I was on paternity leave :)

@zlemisie

Hi, when can we expect the update?

4 participants