Upgrade to etcd v3.4.26 to fix vulnerabilities from go runtime
lizzzcai opened this issue
What would you like to be added:
Hi colleagues, the current etcd image (eu.gcr.io/gardener-project/gardener/etcd:v3.4.13-bootstrap-10) maintained by gardener has around 140+ vulnerabilities (mainly from the Go runtime).
I checked, and the official etcd v3.4.26 is using the latest Go runtime to fix all these vulnerabilities. Is it possible to upgrade to this version?
BTW I also saw this issue, which slowly upgrades to v3.6.x to avoid vulnerabilities from the base image. Is there any timeline?
Why is this needed:
Fix vulnerabilities from the Go runtime for security compliance.
This repository will soon be replaced by https://github.com/gardener/etcd-wrapper (PR is under review). At the moment we have preserved the same etcd version (3.14.3), but we already have a backlog item to move to the latest version of etcd (gardener/etcd-druid#445). Since there are a lot of breaking changes between 3.14.3 and the latest version of etcd, we will need some time to test and identify + make changes due to API changes.
etcd-wrapper has now been released. It currently uses the v3.4.26 version of etcd. It will soon be integrated with etcd-druid as a de facto etcd container.
This issue can now be closed since druid release v0.19.0 will use etcd-wrapper, running etcd v3.4.26. @lizzzcai please watch etcd-druid for the v0.19.0 release.
/close