Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: None
Affects Version/s: 4.20.z
Component/s: Release
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.20.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
Before this update, the binary version data for Kubernetes binaries was incorrectly set to `v0.0.0` which caused problems with vulnerability scanning tools. With this release, the build issue is fixed. As a result, the most recent upstream `kube` version is shown, for example, `v1.33.5`.

Show
Before this update, the binary version data for Kubernetes binaries was incorrectly set to `v0.0.0` which caused problems with vulnerability scanning tools. With this release, the build issue is fixed. As a result, the most recent upstream `kube` version is shown, for example, `v1.33.5`.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

For reasons unknown the module version of binaries built from openshift/kubernetes via the hyperkube build have changed from `(devel)` to `v0.0.0` this appears to have happened along the demarcation line of builds that are produced using Go 1.24, however building the binaries locally via `make WHAT=cmd/kube-apiserver` produces yet different results using either Go 1.24 or 1.25. So the suspicion is that this may be something introduced by the build pipeline.

Here's the Go version and module version of the kube-apiserver binary across 4.19.15, 4.19.16, 4.20.0, 4.20.1, and 4.21.0-ec.2.

~ for v in 4.19.15 4.19.16 4.20.0 4.20.1 4.21.0-ec.2; do podman rm container && podman run --replace --name container -it --entrypoint /bin/sleep `oc adm release info ${v} --image-for hyperkube` 5 &sleep 3 && podman cp container:/usr/bin/kube-apiserver . && echo ${v} && go version -m ./kube-apiserver | grep -e k8s.io/kubernetes -e go1.2 && fg; done


# output trimmed just a bit for clarity

4.19.15
./kube-apiserver: go1.23.9 (Red Hat 1.23.9-1.el9_6) X:strictfipsruntime
        path	k8s.io/kubernetes/cmd/kube-apiserver
        mod	k8s.io/kubernetes	(devel)

4.19.16./kube-apiserver: go1.23.9 (Red Hat 1.23.9-1.el9_6) X:strictfipsruntime
	path	k8s.io/kubernetes/cmd/kube-apiserver
	mod	k8s.io/kubernetes	(devel)

4.20.0./kube-apiserver: go1.24.4 (Red Hat 1.24.4-2.el9) X:strictfipsruntime
	path	k8s.io/kubernetes/cmd/kube-apiserver
	mod	k8s.io/kubernetes	v0.0.0-20250925192037-d61639ac10e9+dirty

4.20.1./kube-apiserver: go1.24.4 (Red Hat 1.24.4-2.el9) X:strictfipsruntime
	path	k8s.io/kubernetes/cmd/kube-apiserver
	mod	k8s.io/kubernetes	v0.0.0-20251021111528-46835c79ded0+dirty

4.21.0-ec.2./kube-apiserver: go1.24.6 (Red Hat 1.24.6-1.el9_6) X:strictfipsruntime
	path	k8s.io/kubernetes/cmd/kube-apiserver
	mod	k8s.io/kubernetes	v0.0.0-20251017171021-7884145a7524+dirty

Finally, here's the output from a local build built using `make WHAT=cmd/kube-apiserver` this would be the ideal output format as it ensures that security scanners accurately represent at least the upstream version from which we're built on top of. We're aware that many of those tags are missing and I can add them to currently supported versions as soon as we understand why this is happening and know that it won't cause further issues.

go version -m _output/bin/kube-apiserver | grep -e k8s.io/kubernetes -e go1.2

_output/bin/kube-apiserver: go1.24.9
	path	k8s.io/kubernetes/cmd/kube-apiserver
	mod	k8s.io/kubernetes	v1.33.6-0.20251028225526-debdebd535dc

The reason we're asking about this is that the v0.0 is causing security scanner tools to flag these binaries as being vulnerable to items long since fixed in kube 1.21 for instance.

links to

openshift-eng/art-tools#2172: OCPBUGS-63749: Ensure semantic version exists for kube-apiserver build

Assignee:: Joep van Delft

Reporter:: Scott Dodson

Need Info From:: Joep van Delft

Contributors:: None

QA Contact:: Joep van Delft

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/10/31 4:12 PM

Updated:: 2025/11/18 4:15 AM

Resolved:: 2025/11/18 4:15 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates