diff --git a/aznfs-mount.yaml b/aznfs-mount.yaml
index b82b255e7ab..988245942eb 100644
--- a/aznfs-mount.yaml
+++ b/aznfs-mount.yaml
@@ -1,7 +1,7 @@ package: name: aznfs-mount version: "2.0.12" - epoch: 4 + epoch: 5 description: AZNFS Mount Helper copyright: - license: Apache-2.0
@@ -12,7 +12,7 @@ package: - coreutils - findmnt - flock - - iptables + - iptables-wrappers - procps - util-linux
diff --git a/blob-csi-1.27.yaml b/blob-csi-1.27.yaml
index eb18ad26267..b5b7270b2a3 100644
--- a/blob-csi-1.27.yaml
+++ b/blob-csi-1.27.yaml
@@ -1,7 +1,7 @@ package: name: blob-csi-1.27 version: "1.27.0" - epoch: 2 # GHSA-j5w8-q4qc-rx2x + epoch: 3 description: Azure Blob Storage CSI driver copyright: - license: Apache-2.0
@@ -23,7 +23,7 @@ environment: - curl - fuse3 - iproute2 - - iptables + - iptables-wrappers - kmod - procps - util-linux
@@ -96,7 +96,7 @@ subpackages: - dash-binsh - e2fsprogs - iproute2 - - iptables + - iptables-wrappers - kmod - mount - netcat-openbsd
diff --git a/calico-3.31.yaml b/calico-3.31.yaml
index ff1aeb19240..cb1d7dad863 100644
--- a/calico-3.31.yaml
+++ b/calico-3.31.yaml
@@ -1,7 +1,7 @@ package: name: calico-3.31 version: "3.31.2" - epoch: 1 # GHSA-j5w8-q4qc-rx2x + epoch: 2 description: "Cloud native networking and network security" copyright: - license: Apache-2.0
@@ -157,10 +157,9 @@ subpackages: - bash # required for logging functionality to work since `start_runit` logging script uses #!/bin/bash - conntrack-tools - glibc - - ip6tables - iproute2 - ipset - - iptables + - iptables-wrappers - libbpf # listed in Dockerfile, but not sure if they're build dependencies (for iptables) or runtime - libelf
diff --git a/docker.yaml b/docker.yaml
index dc562f45553..a4b7c465117 100644
--- a/docker.yaml
+++ b/docker.yaml
@@ -1,7 +1,7 @@ package: name: docker version: "28.5.2" - epoch: 5 # GHSA-j5w8-q4qc-rx2x + epoch: 6 description: A meta package for Docker Engine and Docker CLI copyright: - license: Apache-2.0
@@ -110,9 +110,8 @@ subpackages: - e2fsprogs-extra - fuse-overlayfs - git - - ip6tables - iproute2 - - iptables + - iptables-wrappers - openssl - pigz - procps
diff --git a/flannel.yaml b/flannel.yaml
index 304fd439baa..85ce8141812 100644
--- a/flannel.yaml
+++ b/flannel.yaml
@@ -1,7 +1,7 @@ package: name: flannel version: "0.27.4" - epoch: 3 # GHSA-j5w8-q4qc-rx2x + epoch: 4 description: flannel is a network fabric for containers, designed for Kubernetes copyright: - license: Apache-2.0
@@ -9,9 +9,8 @@ package: runtime: - ca-certificates - coreutils - - ip6tables - iproute2 - - iptables + - iptables-wrappers - nftables - strongswan - wireguard-tools
@@ -36,8 +35,7 @@ pipeline: deps: |- golang.org/x/crypto@v0.45.0 - - if: ${{build.arch}} == 'aarch64' - uses: patch + - uses: patch with: patches: disableBrNetfilterCheck.patch
@@ -74,6 +72,7 @@ test: - etcd - jq - iproute2 + - iptables-wrappers pipeline: - name: "Check flanneld version" runs: |
@@ -122,13 +121,8 @@ test: sleep 3 # Run flanneld in background - if [ "${{build.arch}}" = "aarch64" ]; then - flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false --disable-br-netfilter-check > /tmp/flannel.log 2>&1 & - FLANNEL_PID=$! - else - flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false > /tmp/flannel.log 2>&1 & - FLANNEL_PID=$! - fi + flanneld --etcd-endpoints=$ETCD_ENDPOINTS --iface=$IFACE --iptables-forward-rules=false --disable-br-netfilter-check > /tmp/flannel.log 2>&1 & + FLANNEL_PID=$! # Save PID to environment file echo "export FLANNEL_PID=$FLANNEL_PID" >> /tmp/env.sh
diff --git a/jupyterhub-k8s-hub.yaml b/jupyterhub-k8s-hub.yaml
index 4e5a93bb4d5..af362b445c6 100644
--- a/jupyterhub-k8s-hub.yaml
+++ b/jupyterhub-k8s-hub.yaml
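Review bot: Dropping the `if: ${{build.arch}} == 'aarch64'` gate in the flannel.yaml `@@ -36,8 +35,7 @@` hunk applies disableBrNetfilterCheck.patch to every architecture's flanneld, and the `@@ -122,13 +121,8 @@` test hunk now always starts flanneld with `--disable-br-netfilter-check`, so the shipped x86_64 binary changes as well, not only the CI path. If the patch merely adds an opt-in flag the default br_netfilter check still runs, but nothing in the diff shows that, and that check is what warns an operator that bridged pod traffic is bypassing iptables. I would record the intent on the step, e.g. `- uses: patch # all arches: adds the --disable-br-netfilter-check flag the test relies on; default check unchanged`, after confirming the patch leaves the default check enabled. The enclosing `pipeline:` list begins outside the hunk.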
@@ -1,14 +1,14 @@ package: name: jupyterhub-k8s-hub version: "4.3.1" - epoch: 0 + epoch: 1 description: Zero to JupyterHub with Kubernetes copyright: - license: BSD-3-Clause dependencies: runtime: - configurable-http-proxy - - iptables + - iptables-wrappers - py3-jupyterhub - py3-jupyterhub-firstuseauthenticator - py3-jupyterhub-hmacauthenticator
diff --git a/jupyterhub-k8s-network-tools.yaml b/jupyterhub-k8s-network-tools.yaml
index 87221cb8a8d..77bc83596f9 100644
--- a/jupyterhub-k8s-network-tools.yaml
+++ b/jupyterhub-k8s-network-tools.yaml
@@ -2,13 +2,13 @@ package: name: jupyterhub-k8s-network-tools version: "4.3.1" - epoch: 0 + epoch: 1 description: Network diagnostic tools for use within a JupyterHub Kubernetes cluster copyright: - license: BSD-3-Clause dependencies: runtime: - - iptables + - iptables-wrappers environment: contents:
diff --git a/k3s-1.32.yaml b/k3s-1.32.yaml
index 53ba6d94646..a42d693941d 100644
--- a/k3s-1.32.yaml
+++ b/k3s-1.32.yaml
@@ -1,7 +1,7 @@ package: name: k3s-1.32 version: "1.32.10.1" - epoch: 0 + epoch: 1 description: copyright: - license: Apache-2.0
@@ -10,8 +10,8 @@ package: - busybox - conntrack-tools - containerd-shim-runc-v2 - - ip6tables # this pulls in iptables as well - ipset # required for network policy controller + - iptables-wrappers - kmod - libseccomp - merged-bin
@@ -120,8 +120,8 @@ subpackages: - busybox - conntrack-tools - containerd-shim-runc-v2 - - ip6tables - ipset + - iptables-wrappers - kmod - libseccomp - merged-bin
@@ -165,8 +165,8 @@ subpackages: runtime: - busybox - conntrack-tools - - ip6tables - ipset + - iptables-wrappers - kmod - merged-bin - mount
diff --git a/k3s-1.33.yaml b/k3s-1.33.yaml
index 9cbd5df4b9b..4c2883a9ed6 100644
--- a/k3s-1.33.yaml
+++ b/k3s-1.33.yaml
@@ -1,7 +1,7 @@ package: name: k3s-1.33 version: "1.33.6.1" - epoch: 0 + epoch: 1 description: copyright: - license: Apache-2.0
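Review bot: In the k3s-1.32.yaml `@@ -10,8 +10,8 @@` hunk the removed line carried `# this pulls in iptables as well`, while the new `- iptables-wrappers` entry carries no comment, so a reader can no longer see that both iptables and ip6tables are expected to arrive through the wrapper package; the `@@ -120` and `@@ -165` hunks in this file and the matching hunks in k3s-1.33.yaml and k3s.yaml have the same gap. Whether iptables-wrappers actually depends on ip6tables is not visible in this diff, and since ip6tables is the only entry being dropped, a missing transitive dependency would presumably only surface at runtime on IPv6 or dual-stack nodes. I would keep the rationale on the new line, e.g. `- iptables-wrappers # provides iptables and ip6tables (legacy/nft mode chosen at runtime)`, once that dependency is confirmed.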
@@ -10,8 +10,8 @@ package: - busybox - conntrack-tools - containerd-shim-runc-v2 - - ip6tables # this pulls in iptables as well - ipset # required for network policy controller + - iptables-wrappers - kmod - libseccomp - merged-bin
@@ -116,8 +116,8 @@ subpackages: - busybox - conntrack-tools - containerd-shim-runc-v2 - - ip6tables - ipset + - iptables-wrappers - kmod - libseccomp - merged-bin
@@ -161,8 +161,8 @@ subpackages: runtime: - busybox - conntrack-tools - - ip6tables - ipset + - iptables-wrappers - kmod - merged-bin - mount
diff --git a/k3s.yaml b/k3s.yaml
index 29c7eae5306..8f4673c4fb1 100644
--- a/k3s.yaml
+++ b/k3s.yaml
@@ -1,7 +1,7 @@ package: name: k3s version: "1.34.2.1" - epoch: 0 # GHSA-j5w8-q4qc-rx2x + epoch: 1 description: copyright: - license: Apache-2.0
@@ -10,8 +10,8 @@ package: - busybox - conntrack-tools - containerd-shim-runc-v2 - - ip6tables # this pulls in iptables as well - ipset # required for network policy controller + - iptables-wrappers - kmod - libseccomp - merged-bin
@@ -116,8 +116,8 @@ subpackages: - busybox - conntrack-tools - containerd-shim-runc-v2 - - ip6tables - ipset + - iptables-wrappers - kmod - libseccomp - merged-bin
@@ -161,8 +161,8 @@ subpackages: runtime: - busybox - conntrack-tools - - ip6tables - ipset + - iptables-wrappers - kmod - merged-bin - mount
diff --git a/kubernetes-1.34.yaml b/kubernetes-1.34.yaml
index 0afb1b5e339..e4761b22458 100644
--- a/kubernetes-1.34.yaml
+++ b/kubernetes-1.34.yaml
@@ -1,7 +1,7 @@ package: name: kubernetes-1.34 version: "1.34.2" - epoch: 1 # GHSA-j5w8-q4qc-rx2x + epoch: 2 description: Production-Grade Container Scheduling and Management copyright: - license: Apache-2.0
@@ -162,7 +162,7 @@ subpackages: description: An agent that runs on each node in a Kubernetes cluster making sure that containers are running in a Pod dependencies: runtime: - - ip6tables + - iptables-wrappers pipeline: - runs: | mkdir -p ${{targets.subpkgdir}}/usr/bin
@@ -201,8 +201,7 @@ subpackages: description: Kubernetes network proxy that runs on each node dependencies: runtime: - - iptables - - ip6tables + - iptables-wrappers - nftables - kmod - conntrack-tools
@@ -386,7 +385,7 @@ test: - iproute2 - socat - conntrack-tools - - iptables + - iptables-wrappers - crictl pipeline: - uses: test/kwok/cluster
diff --git a/linkerd2-proxy-init.yaml b/linkerd2-proxy-init.yaml
index 321543faecd..c2cf69683fc 100644
--- a/linkerd2-proxy-init.yaml
+++ b/linkerd2-proxy-init.yaml
@@ -1,13 +1,12 @@ package: name: linkerd2-proxy-init version: "2.4.3" - epoch: 4 # CVE-2025-47906 + epoch: 5 description: "Init container that sets up the iptables rules to forward traffic into the Linkerd2 sidecar proxy" copyright: - license: Apache-2.0 dependencies: runtime: - - ip6tables - iptables-xtables-privileged - libcap - libcap-utils
diff --git a/linkerd2.yaml b/linkerd2.yaml
index 2580e84f791..1ab11030676 100644
--- a/linkerd2.yaml
+++ b/linkerd2.yaml
@@ -1,7 +1,7 @@ package: name: linkerd2 version: "25.11.3" - epoch: 0 # GHSA-xwfj-jgwm-7wp5 + epoch: 1 description: "meta linkerd package" copyright: - license: Apache-2.0
@@ -217,7 +217,6 @@ subpackages: - findutils - grep - iproute2 - - iptables - iptables-xtables-privileged - jq - libcap
diff --git a/nerdctl.yaml b/nerdctl.yaml
index 3c2e0df2c0f..5255ac4900d 100644
--- a/nerdctl.yaml
+++ b/nerdctl.yaml
@@ -1,7 +1,7 @@ package: name: nerdctl version: "2.2.0" - epoch: 2 # GHSA-j5w8-q4qc-rx2x + epoch: 3 description: Docker-compatible CLI for containerd, with support for Compose, Rootless, eStargz, OCIcrypt, IPFS, ... copyright: - license: Apache-2.0
@@ -44,7 +44,7 @@ test: contents: packages: - containerd - - iptables + - iptables-wrappers - curl - coreutils pipeline:
diff --git a/podman.yaml b/podman.yaml
index 34adfc715b1..9ce8710e4b4 100644
--- a/podman.yaml
+++ b/podman.yaml
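Review bot: In the linkerd2-proxy-init.yaml `@@ -1,13 +1,12 @@` hunk `ip6tables` is removed from the runtime dependencies without `iptables-wrappers` being added, unlike every other package in this commit, leaving `iptables-xtables-privileged` as the only iptables-related dependency; the linkerd2.yaml `@@ -217,7 +217,6 @@` hunk drops `iptables` the same way. The package description says it sets up iptables rules for traffic redirection, and for IPv6 pods that presumably needs the ip6tables binary, so the change relies on iptables-xtables-privileged providing the v6 tools transitively — plausible, but not visible in this diff. I would confirm that and record it on the remaining line, e.g. `- iptables-xtables-privileged # provides iptables and ip6tables`, so the next reader does not re-add ip6tables or wonder whether v6 redirection silently broke.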
@@ -1,7 +1,7 @@ package: name: podman version: "5.7.0" - epoch: 1 # GHSA-j5w8-q4qc-rx2x + epoch: 2 description: "A tool for managing OCI containers and pods" copyright: - license: Apache-2.0
@@ -28,8 +28,8 @@ environment: - gpgme - gpgme-dev - grep - - iptables - iptables-dev + - iptables-wrappers - libassuan-dev - libgpg-error-dev - libseccomp-dev
diff --git a/rancher-2.12.yaml b/rancher-2.12.yaml
index 1ae06a229d2..bb3d2cbb832 100644
--- a/rancher-2.12.yaml
+++ b/rancher-2.12.yaml
@@ -1,7 +1,7 @@ package: name: rancher-2.12 version: "2.12.4" - epoch: 0 # GHSA-pwhc-rpq9-4c8w + epoch: 1 description: Complete container management platform copyright: - license: Apache-2.0
@@ -305,20 +305,6 @@ test: mkdir -p /tmp/k3s-airgap-images tar -xf /var/lib/rancher/k3s/agent/images/k3s-airgap-images.tar -C /tmp/k3s-airgap-images stat /tmp/k3s-airgap-images/repositories /tmp/k3s-airgap-images/manifest.json - - if: ${{build.arch}} == 'x86_64' # skip the test for aarch64 as it fails onn CI as in Docker runner k3s cant be run. and our current arm ci uses docker instead - name: "start daemon on localhost" - uses: test/daemon-check-output - with: - start: "rancher --trace --debug" # We can't use `entrypoint.sh` here since it needs `/run/secrets/kubernetes.io/serviceaccount` and `/dev/kmsg` to be mounted - timeout: 60 - # This is a negative-test to ensure that the Rancher prepares itself to run in a single server mode. - # After that it exits immediately due to the `:6443` is not available in this environment. - # We can't use the `test/kwok/cluster` here as it conflicts with the Rancher package and it manages - # its own k3s cluster inside. - expected_output: | Running in single server mode - setupRancherService refreshing service - setupRancherService refreshing endpoint update: enabled: true
diff --git a/spegel.yaml b/spegel.yaml
index c51f4af4c1d..435a4ffafb8 100644
--- a/spegel.yaml
+++ b/spegel.yaml
@@ -1,7 +1,7 @@ package: name: spegel version: "0.5.1" - epoch: 2 # GHSA-j5w8-q4qc-rx2x + epoch: 3 description: Stateless cluster local OCI registry mirror. copyright: - license: MIT
@@ -49,7 +49,7 @@ test: contents: packages: - containerd - - iptables + - iptables-wrappers - curl - coreutils - distribution
diff --git a/ztunnel-1.28.yaml b/ztunnel-1.28.yaml
index b5075d7cfaf..2579abcec52 100644
--- a/ztunnel-1.28.yaml
+++ b/ztunnel-1.28.yaml
@@ -1,7 +1,7 @@ package: name: ztunnel-1.28 version: "1.28.0" - epoch: 0 # GHSA-xwfj-jgwm-7wp5 + epoch: 1 description: The `ztunnel` component of istio ambient mesh. copyright: - license: Apache-2.0
@@ -10,8 +10,7 @@ package: - ztunnel=${{package.full-version}} runtime: - ca-certificates-bundle - - ip6tables - - iptables + - iptables-wrappers - libmnl - libnetfilter_conntrack - libnfnetlink