gcr.io/kubebuilder/kube-rbac-proxy is deprecated, is going to be deleted from the registry early 2025 and contains many critical vulnerabilities

[pearj]

According to this kubebuilder discussion gcr.io/kubebuilder/kube-rbac-proxy is deprecated and is going to be deleted from the registry early 2025 (Probably May 20 2025 as part of the GCR shutdown).

Additionally when doing a scan of the gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0 image using AWS Inspector, it contained 6 critical vulnerabilities

1. https://nvd.nist.gov/vuln/detail/CVE-2024-24790
2. https://nvd.nist.gov/vuln/detail/CVE-2023-24540
3. https://nvd.nist.gov/vuln/detail/CVE-2023-24538
4. https://nvd.nist.gov/vuln/detail/CVE-2024-45337
5. https://nvd.nist.gov/vuln/detail/CVE-2022-23806
6. A Generic Debian 9 is end of life vulnerability that AWS add. The RBAC Proxy is built on a Debian 9 container.

In the kubebuilder discussion, it looks like the easiest solution is probably option 3, which probably to switch to the brancz/kube-rbac-proxy fork of kube-rbac-proxy.

Have ForgeRock/Ping tried brancz/kube-rbac-proxy? Or are there plans to upgrade secret-agent so that it no longer depends on kube-rbac-proxy?

[pearj]

@lee-baines thoughts?

[lee-baines]

Hi @pearj . We are discussing how to address this later today. I can't remember if I discussed this with you previously but we are deprecating the secret-agent anyway for our next forgeops release next month for 3rd party alternatives. But in the meantime, we will fix this probably by copying the current image an pushing it locally or using an alternative source for the proxy

[pearj]

Thanks @lee-baines. I raised a ticket with support, and they pointed me to the dev branch of forgeops and I did manage to find some references to the new secret generator

Which I realised is a reference to: https://github.com/mittwald/kubernetes-secret-generator

The thing that wasn't clear is how Java keystores will be handled, support told me keystores would be "handled outside of secret-generator".

I guess I'll have to wait until next month to find out what that Java keystore approach will be? I'm in the middle of refactoring how we handle our secrets, so I'd be keen to know you guys will be doing keystore generation.

[lee-baines]

Yes, we were looking to generate keystores with cert-manager as they have support for this now, but we found after a PoC that it was quite limited. So we may just create them as part of an init-container for now. But still in progress