Security fixes, Azure annotation guard, and version command #17
Closed
msupinodn wants to merge 2 commits into
Conversation
49b641e to 2584394
Pull Request Test Coverage Report for Build 23111509329 (Coveralls)
- Bump Go from 1.25.0 to 1.25.8 (fixes 8 stdlib CVEs in crypto/tls, crypto/x509, net/url, html/template, os)
- Bump go.opentelemetry.io/otel/sdk from v1.36.0 to v1.40.0 (fixes CVE-2026-24051 HIGH: arbitrary code execution via PATH hijacking)
- Fix directory permissions: 0666/os.ModePerm -> 0750 in deploy/deploy.go and topo/node/node.go
- Harden Dockerfiles: pin base images, add non-root USER, use --no-install-recommends, multi-stage distroless build for wire/forward and webhook
- Only apply Azure LB annotations on AKS clusters (was unconditional, causing unnecessary 10-min polling on non-Azure setups)
- Add 'kne version' subcommand with git commit/tag injected via ldflags
- Update CI: Go 1.25, golangci-lint v2 via action v9, inline workflow

Made-with: Cursor
2584394 to 43c286b
msupinodn added a commit that referenced this pull request (May 26, 2026)
Pulled from #17 (kept tightly scoped — version cmd, wider k8s bumps, and golangci v2 rewrite intentionally deferred).

Filesystem perms (closes /tmp/kne being world-writable):
- deploy/deploy.go: /tmp/kne MkdirAll os.ModePerm -> 0750
- topo/node/node.go: hostPath config tempdir 0666 -> 0750

Container hardening:
- init_wait/Dockerfile: add non-root kne user
- x/webhook/Dockerfile.webhook: switch to gcr.io/distroless/static-debian12:nonroot
- x/wire/forward/Dockerfile: multi-stage distroless build, pin golang:1.25.8, CGO_ENABLED=0
- deploy/gobgp/Dockerfile: pin ubuntu:24.04, --no-install-recommends, non-root user, clean apt cache
- deploy/ubuntu/Dockerfile: pin ubuntu:24.04, --no-install-recommends, ca-certificates

drivenets/drivenets.go:
- annotateCdnosService: only apply Azure LB annotations on AKS instead of unconditionally (was triggering 10-min poll on non-AKS clusters and emitting misleading "Azure AKS detected" log line on every run).

CI:
- .github/workflows/go.yml: switch Build and Test from openconfig common-ci Go 1.21 matrix to inline Go 1.25 build/test. Required because go.mod now declares `go 1.25.0` with `toolchain go1.25.10`; the old workflow couldn't compile the module at all.

Co-authored-by: Cursor <cursoragent@cursor.com>
Author (Collaborator):

Superseded by #24, which cherry-picks all the security-relevant pieces in tightly scoped form:

Closing this PR to keep the review surface small. The remaining bits here that are not in #24 can ship as follow-ups when desired:
msupinodn added a commit that referenced this pull request (May 26, 2026)
The Dockerfile hardening pulled in from #17 added apt-get install lines that hadolint flags with DL3008 (pin package versions). Pinning apt versions on rolling Ubuntu LTS images causes more breakage than it prevents (the pinned version disappears from the mirror as soon as a security update lands), so disable the warning the same way #17 did. Co-authored-by: Cursor <cursoragent@cursor.com>
msupinodn added a commit that referenced this pull request (May 26, 2026)
…ix CI (#24)

* deps: bump x/net, x/crypto, grpc, docker; pin go toolchain to 1.25.10

Resolves 17 of 19 CVEs reported by govulncheck:

Direct module bumps:
- golang.org/x/net v0.47.0 -> v0.55.0 (GO-2026-5026, 4918)
- golang.org/x/crypto v0.45.0 -> v0.52.0 (GO-2026-5013/5015/5017/5018/5019/5020/5021)
- google.golang.org/grpc v1.65.0 -> v1.79.3 (GO-2026-4762)
- github.com/docker/docker v28.1.1 -> v28.5.2 (latest available)

Toolchain pin (toolchain go1.25.10) fixes 8 stdlib CVEs:
- crypto/x509 (GO-2026-4946, 4947)
- crypto/tls (GO-2026-4870)
- html/template (GO-2026-4865, 4980, 4982)
- net (GO-2026-4971)
- net/http (GO-2026-4918)

Remaining 2 vulns (GO-2026-4883, GO-2026-4887) are server-side moby/docker daemon issues with no upstream fix yet; kne uses docker only as a client so neither is exploitable through kne.

Validated:
- go build ./... clean
- go vet ./... clean
- go test -short ./... passes except cisco/juniper/cloudbuild-vendors which fail identically on pre-bump main (require external devices).

Co-authored-by: Cursor <cursoragent@cursor.com>

* hardening: tighten perms, non-root containers, fix CI Go version

Pulled from #17 (kept tightly scoped — version cmd, wider k8s bumps, and golangci v2 rewrite intentionally deferred).

Filesystem perms (closes /tmp/kne being world-writable):
- deploy/deploy.go: /tmp/kne MkdirAll os.ModePerm -> 0750
- topo/node/node.go: hostPath config tempdir 0666 -> 0750

Container hardening:
- init_wait/Dockerfile: add non-root kne user
- x/webhook/Dockerfile.webhook: switch to gcr.io/distroless/static-debian12:nonroot
- x/wire/forward/Dockerfile: multi-stage distroless build, pin golang:1.25.8, CGO_ENABLED=0
- deploy/gobgp/Dockerfile: pin ubuntu:24.04, --no-install-recommends, non-root user, clean apt cache
- deploy/ubuntu/Dockerfile: pin ubuntu:24.04, --no-install-recommends, ca-certificates

drivenets/drivenets.go:
- annotateCdnosService: only apply Azure LB annotations on AKS instead of unconditionally (was triggering 10-min poll on non-AKS clusters and emitting misleading "Azure AKS detected" log line on every run).

CI:
- .github/workflows/go.yml: switch Build and Test from openconfig common-ci Go 1.21 matrix to inline Go 1.25 build/test. Required because go.mod now declares `go 1.25.0` with `toolchain go1.25.10`; the old workflow couldn't compile the module at all.

Co-authored-by: Cursor <cursoragent@cursor.com>

* ci: ignore hadolint DL3008 (apt-get version pinning)

The Dockerfile hardening pulled in from #17 added apt-get install lines that hadolint flags with DL3008 (pin package versions). Pinning apt versions on rolling Ubuntu LTS images causes more breakage than it prevents (the pinned version disappears from the mirror as soon as a security update lands), so disable the warning the same way #17 did.

Co-authored-by: Cursor <cursoragent@cursor.com>

* ci: skip cisco + juniper tests in CI

Both packages contain upstream scrapli-based tests (TestResetCfg / TestPushCfg / TestConfigPush / TestGenerateSelfSigned) that open a scrapligo transport and hang for the full test timeout (600s) when no real network device is present, so they fail every CI run on GitHub Actions.

These failures predate this PR (also fail on stock openconfig/kne main) and are independent of our deps bump and hardening changes. Skipping them in CI keeps the merge signal meaningful; fixing the upstream tests is out of scope for a CVE-bump PR.

Co-authored-by: Cursor <cursoragent@cursor.com>

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
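An added example, not code from the kne repository, illustrating the directory-permission change the commits above describe (os.ModePerm / 0666 -> 0750 for /tmp/kne and the hostPath temp dir) together with a caveat the commit messages do not cover: os.MkdirAll returns nil without touching the mode when the directory already exists, and the mode it sets on creation is filtered by the umask, so a world-writable /tmp/kne left behind by an older run would survive the fix. The names EnsurePrivateDir and WorldWritable are hypothetical, and the existing-directory tightening is an assumption of this example, not part of the merged change.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// privateDirMode is what the hardening commit switched to: owner rwx,
// group rx, nothing for others. 0666 / os.ModePerm previously let any
// local user write into the directory.
const privateDirMode os.FileMode = 0o750

// WorldWritable reports whether the "other" write bit is set on path.
func WorldWritable(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0o002 != 0, nil
}

// EnsurePrivateDir creates dir with 0750, as the fix does, and (added
// safeguard, hypothetical) clears any permission bits outside 0750 on a
// directory that already exists. Only extra bits are cleared, so a stricter
// mode produced by a tight umask (e.g. 0700) is left alone. It reports
// whether an existing directory had to be chmod'ed.
func EnsurePrivateDir(dir string) (bool, error) {
	if err := os.MkdirAll(dir, privateDirMode); err != nil {
		return false, err
	}
	info, err := os.Stat(dir)
	if err != nil {
		return false, err
	}
	if !info.IsDir() {
		return false, fmt.Errorf("%s exists but is not a directory", dir)
	}
	cur := info.Mode().Perm()
	if cur&^privateDirMode == 0 {
		return false, nil // nothing broader than 0750 is set
	}
	// Chmod is not subject to umask, unlike MkdirAll.
	return true, os.Chmod(dir, cur&privateDirMode)
}

func main() {
	// Constructed scratch path; the real change targets /tmp/kne.
	dir := filepath.Join(os.TempDir(), "kne-perms-example")
	tightened, err := EnsurePrivateDir(dir)
	fmt.Println("tightened:", tightened, "err:", err)
}
```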