[release-1.31] Backports for 2024-09

.github/workflows/trivy.yaml

@@ -0,0 +1,49 @@
+name: PR Comment Triggered Trivy Scan
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ trivy_scan:
+ if: github.event.issue.pull_request && github.event.comment.body == '/trivy'
+ runs-on: ubuntu-latest
+ permissions:
+ pull-requests: write
+ env:
+ GH_TOKEN: ${{ github.token }}
+ steps:
+ - name: Checkout PR code
+ uses: actions/checkout@v4
+ with:
+ ref: refs/pull/${{ github.event.issue.number }}/head
+
+ - name: Comment Status on PR
+ run: |
+ gh repo set-default ${{ github.repository }}
+ gh pr comment ${{ github.event.issue.number }} -b ":construction: Running Trivy scan on PR :construction: "
+
+ - name: Build K3s Image
+ run: |
+ make local
+ make package-image
+ make tag-image-latest
+
+ - name: Run Trivy vulnerability scanner
+ uses: aquasecurity/[email protected]
+ with:
+ image-ref: 'rancher/k3s:latest'
+ format: 'table'
+ severity: "HIGH,CRITICAL"
+ output: "trivy-report.txt"
+
+ - name: Add Trivy Report to PR
+ run: |
+ echo '```' | cat - trivy-report.txt > temp && mv temp trivy-report.txt
+ echo '```' >> trivy-report.txt
+ gh issue comment ${{ github.event.issue.number }} --edit-last -F trivy-report.txt
+
+ - name: Report Failure
+ if: ${{ failure() }}
+ run: |
+ gh issue comment ${{ github.event.issue.number }} --edit-last -b ":x: Trivy scan action failed, check logs :x:"

go.mod

@@ -3,18 +3,20 @@ module github.com/k3s-io/k3s
 go 1.22.5
 
 replace (
- github.com/Microsoft/hcsshim => github.com/Microsoft/hcsshim v0.8.26
+ github.com/Microsoft/hcsshim => github.com/Microsoft/hcsshim v0.11.7
  github.com/Mirantis/cri-dockerd => github.com/k3s-io/cri-dockerd v0.3.15-k3s1.31-3 //v1.31
  github.com/cloudnativelabs/kube-router/v2 => github.com/k3s-io/kube-router/v2 v2.2.1
- github.com/containerd/containerd => github.com/k3s-io/containerd v1.7.20-k3s1
+ github.com/containerd/containerd => github.com/k3s-io/containerd v1.7.21-k3s2
+ github.com/containerd/imgcrypt => github.com/containerd/imgcrypt v1.1.11
  github.com/distribution/reference => github.com/distribution/reference v0.5.0
+ github.com/docker/cli => github.com/docker/cli v27.1.2+incompatible
  github.com/docker/distribution => github.com/docker/distribution v2.8.3+incompatible
  github.com/docker/docker => github.com/docker/docker v25.0.6+incompatible
  github.com/emicklei/go-restful/v3 => github.com/emicklei/go-restful/v3 v3.11.0
  github.com/golang/protobuf => github.com/golang/protobuf v1.5.4
  github.com/googleapis/gax-go/v2 => github.com/googleapis/gax-go/v2 v2.12.0
  github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v0.59.0 // github.com/Microsoft/hcsshim using bad version v0.42.2
- github.com/opencontainers/runc => github.com/k3s-io/runc v1.1.12-k3s1
+ github.com/opencontainers/runc => github.com/k3s-io/runc v1.1.14-k3s1
  github.com/opencontainers/selinux => github.com/opencontainers/selinux v1.11.0
  github.com/prometheus/client_golang => github.com/prometheus/client_golang v1.19.1
  github.com/prometheus/common => github.com/prometheus/common v0.55.0
@@ -74,12 +76,12 @@ replace (
 )
 
 require (
- github.com/Microsoft/hcsshim v0.12.3
+ github.com/Microsoft/hcsshim v0.12.6
  github.com/Mirantis/cri-dockerd v0.0.0-00010101000000-000000000000
  github.com/blang/semver/v4 v4.0.0
  github.com/cloudnativelabs/kube-router/v2 v2.0.0-00010101000000-000000000000
  github.com/containerd/aufs v1.0.0
- github.com/containerd/cgroups/v3 v3.0.2
+ github.com/containerd/cgroups/v3 v3.0.3
  github.com/containerd/containerd v1.7.16
  github.com/containerd/fuse-overlayfs-snapshotter v1.0.8
  github.com/containerd/stargz-snapshotter v0.15.1
@@ -103,9 +105,9 @@ require (
  github.com/ipfs/go-log/v2 v2.5.1
  github.com/joho/godotenv v1.5.1
  github.com/json-iterator/go v1.1.12
- github.com/k3s-io/helm-controller v0.16.3
+ github.com/k3s-io/helm-controller v0.16.4
  github.com/k3s-io/kine v0.12.0
- github.com/klauspost/compress v1.17.7
+ github.com/klauspost/compress v1.17.9
  github.com/lib/pq v1.10.2
  github.com/libp2p/go-libp2p v0.33.2
  github.com/mattn/go-sqlite3 v1.14.19
@@ -118,7 +120,7 @@ require (
  github.com/opencontainers/selinux v1.11.0
  github.com/otiai10/copy v1.7.0
  github.com/pkg/errors v0.9.1
- github.com/prometheus/client_golang v1.19.1
+ github.com/prometheus/client_golang v1.20.1
  github.com/prometheus/common v0.55.0
  github.com/rancher/dynamiclistener v0.6.0-rc1
  github.com/rancher/lasso v0.0.0-20240724174736-24ab3dbf26f0
@@ -132,7 +134,7 @@ require (
  github.com/spegel-org/spegel v1.0.18
  github.com/spf13/pflag v1.0.5
  github.com/stretchr/testify v1.9.0
- github.com/urfave/cli v1.22.14
+ github.com/urfave/cli v1.22.15
  github.com/vishvananda/netlink v1.2.1-beta.2
  github.com/yl2chen/cidranger v1.0.2
  go.etcd.io/etcd/api/v3 v3.5.15
@@ -142,8 +144,8 @@ require (
  golang.org/x/crypto v0.25.0
  golang.org/x/net v0.28.0
  golang.org/x/sync v0.8.0
- golang.org/x/sys v0.23.0
- google.golang.org/grpc v1.65.0
+ golang.org/x/sys v0.24.0
+ google.golang.org/grpc v1.66.0
  gopkg.in/yaml.v2 v2.4.0
  inet.af/tcpproxy v0.0.0-20200125044825-b6bb9b5b8252
  k8s.io/api v0.31.0
@@ -155,7 +157,7 @@ require (
  k8s.io/cluster-bootstrap v0.0.0
  k8s.io/component-base v0.31.0
  k8s.io/component-helpers v0.31.0
- k8s.io/cri-api v0.31.0
+ k8s.io/cri-api v0.32.0-alpha.0
  k8s.io/cri-client v0.31.0
  k8s.io/klog/v2 v2.130.1
  k8s.io/kube-proxy v0.0.0
@@ -180,7 +182,7 @@ require (
 )
 
 require (
- dario.cat/mergo v1.0.0 // indirect
+ dario.cat/mergo v1.0.1 // indirect
  github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
  github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
  github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1 // indirect
@@ -201,38 +203,38 @@ require (
  github.com/cespare/xxhash/v2 v2.3.0 // indirect
  github.com/chai2010/gettext-go v1.0.2 // indirect
  github.com/checkpoint-restore/go-criu/v5 v5.3.0 // indirect
- github.com/cilium/ebpf v0.9.1 // indirect
+ github.com/cilium/ebpf v0.11.0 // indirect
  github.com/container-storage-interface/spec v1.9.0 // indirect
  github.com/containerd/btrfs/v2 v2.0.0 // indirect
  github.com/containerd/cgroups v1.1.0 // indirect
- github.com/containerd/console v1.0.3 // indirect
- github.com/containerd/containerd/api v1.7.19 // indirect
+ github.com/containerd/console v1.0.4 // indirect
+ github.com/containerd/containerd/api v1.8.0-rc.3 // indirect
  github.com/containerd/continuity v0.4.3 // indirect
  github.com/containerd/errdefs v0.1.0 // indirect
  github.com/containerd/fifo v1.1.0 // indirect
- github.com/containerd/go-cni v1.1.9 // indirect
- github.com/containerd/go-runc v1.0.0 // indirect
- github.com/containerd/imgcrypt v1.1.8 // indirect
+ github.com/containerd/go-cni v1.1.10 // indirect
+ github.com/containerd/go-runc v1.1.0 // indirect
+ github.com/containerd/imgcrypt v1.2.0-rc1 // indirect
  github.com/containerd/log v0.1.0 // indirect
  github.com/containerd/nri v0.6.1 // indirect
  github.com/containerd/platforms v0.2.1 // indirect
  github.com/containerd/stargz-snapshotter/estargz v0.15.1 // indirect
  github.com/containerd/ttrpc v1.2.5 // indirect
  github.com/containerd/typeurl v1.0.2 // indirect
- github.com/containerd/typeurl/v2 v2.1.1 // indirect
- github.com/containernetworking/cni v1.1.2 // indirect
+ github.com/containerd/typeurl/v2 v2.2.0 // indirect
+ github.com/containernetworking/cni v1.2.3 // indirect
  github.com/containernetworking/plugins v1.5.1 // indirect
- github.com/containers/ocicrypt v1.1.10 // indirect
+ github.com/containers/ocicrypt v1.2.0 // indirect
  github.com/coreos/go-oidc v2.2.1+incompatible // indirect
  github.com/coreos/go-semver v0.3.1 // indirect
  github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
- github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+ github.com/cyphar/filepath-securejoin v0.2.5 // indirect
  github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
  github.com/daviddengcn/go-colortext v1.0.0 // indirect
  github.com/davidlazar/go-crypto v0.0.0-20200604182044-b73af7476f6c // indirect
  github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
  github.com/distribution/reference v0.6.0 // indirect
- github.com/docker/cli v24.0.7+incompatible // indirect
+ github.com/docker/cli v27.1.2+incompatible // indirect
  github.com/docker/distribution v2.8.3+incompatible // indirect
  github.com/docker/docker-credential-helpers v0.7.0 // indirect
  github.com/docker/go-connections v0.5.0 // indirect
@@ -253,7 +255,7 @@ require (
  github.com/fsnotify/fsnotify v1.7.0 // indirect
  github.com/ghodss/yaml v1.0.0 // indirect
  github.com/go-errors/errors v1.4.2 // indirect
- github.com/go-jose/go-jose/v3 v3.0.3 // indirect
+ github.com/go-jose/go-jose/v4 v4.0.2 // indirect
  github.com/go-openapi/jsonpointer v0.21.0 // indirect
  github.com/go-openapi/jsonreference v0.21.0 // indirect
  github.com/go-openapi/swag v0.23.0 // indirect
@@ -279,7 +281,7 @@ require (
  github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
  github.com/grpc-ecosystem/grpc-gateway v1.16.0 // indirect
  github.com/grpc-ecosystem/grpc-gateway/v2 v2.20.0 // indirect
- github.com/hanwen/go-fuse/v2 v2.4.0 // indirect
+ github.com/hanwen/go-fuse/v2 v2.5.1 // indirect
  github.com/hashicorp/errwrap v1.1.0 // indirect
  github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
  github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -291,7 +293,7 @@ require (
  github.com/huin/goupnp v1.3.0 // indirect
  github.com/imdario/mergo v0.3.16 // indirect
  github.com/inconshreveable/mousetrap v1.1.0 // indirect
- github.com/intel/goresctrl v0.3.0 // indirect
+ github.com/intel/goresctrl v0.7.0 // indirect
  github.com/ipfs/boxo v0.10.0 // indirect
  github.com/ipfs/go-cid v0.4.1 // indirect
  github.com/ipfs/go-datastore v0.6.0 // indirect
@@ -348,11 +350,12 @@ require (
  github.com/moby/ipvs v1.1.0 // indirect
  github.com/moby/locker v1.0.1 // indirect
  github.com/moby/spdystream v0.4.0 // indirect
- github.com/moby/sys/mountinfo v0.7.1 // indirect
- github.com/moby/sys/sequential v0.5.0 // indirect
- github.com/moby/sys/signal v0.7.0 // indirect
- github.com/moby/sys/symlink v0.2.0 // indirect
- github.com/moby/sys/user v0.1.0 // indirect
+ github.com/moby/sys/mountinfo v0.7.2 // indirect
+ github.com/moby/sys/sequential v0.6.0 // indirect
+ github.com/moby/sys/signal v0.7.1 // indirect
+ github.com/moby/sys/symlink v0.3.0 // indirect
+ github.com/moby/sys/user v0.3.0 // indirect
+ github.com/moby/sys/userns v0.1.0 // indirect
  github.com/moby/term v0.5.0 // indirect
  github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
  github.com/modern-go/reflect2 v1.0.2 // indirect
@@ -386,7 +389,7 @@ require (
  github.com/opentracing/opentracing-go v1.2.0 // indirect
  github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
  github.com/pelletier/go-toml v1.9.5 // indirect
- github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+ github.com/pelletier/go-toml/v2 v2.2.3 // indirect
  github.com/peterbourgon/diskv v2.0.1+incompatible // indirect
  github.com/pierrec/lz4 v2.6.0+incompatible // indirect
  github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -407,20 +410,20 @@ require (
  github.com/spf13/afero v1.11.0 // indirect
  github.com/spf13/cobra v1.8.1 // indirect
  github.com/stefanberger/go-pkcs11uri v0.0.0-20230803200340-78284954bff6 // indirect
- github.com/stoewer/go-strcase v1.2.0 // indirect
+ github.com/stoewer/go-strcase v1.3.0 // indirect
  github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
  github.com/syndtr/goleveldb v1.0.0 // indirect
  github.com/tchap/go-patricia/v2 v2.3.1 // indirect
  github.com/tidwall/btree v1.6.0 // indirect
  github.com/tmc/grpc-websocket-proxy v0.0.0-20220101234140-673ab2c3ae75 // indirect
- github.com/urfave/cli/v2 v2.27.3 // indirect
+ github.com/urfave/cli/v2 v2.27.4 // indirect
  github.com/vbatts/tar-split v0.11.5 // indirect
  github.com/vishvananda/netns v0.0.4 // indirect
  github.com/whyrusleeping/go-keyspace v0.0.0-20160322163242-5b898ac5add1 // indirect
  github.com/xiang90/probing v0.0.0-20221125231312-a49e3df8f510 // indirect
  github.com/xlab/treeprint v1.2.0 // indirect
  github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
- go.etcd.io/bbolt v1.3.10 // indirect
+ go.etcd.io/bbolt v1.3.11 // indirect
  go.etcd.io/etcd/client/pkg/v3 v3.5.14 // indirect
  go.etcd.io/etcd/client/v2 v2.305.13 // indirect
  go.etcd.io/etcd/pkg/v3 v3.5.13 // indirect
@@ -433,6 +436,7 @@ require (
  go.opentelemetry.io/otel v1.28.0 // indirect
  go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.28.0 // indirect
  go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.28.0 // indirect
+ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 // indirect
  go.opentelemetry.io/otel/metric v1.28.0 // indirect
  go.opentelemetry.io/otel/sdk v1.28.0 // indirect
  go.opentelemetry.io/otel/trace v1.28.0 // indirect
@@ -487,6 +491,6 @@ require (
  sigs.k8s.io/kustomize/kustomize/v5 v5.4.2 // indirect
  sigs.k8s.io/kustomize/kyaml v0.17.1 // indirect
  sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
- tags.cncf.io/container-device-interface v0.7.2 // indirect
- tags.cncf.io/container-device-interface/specs-go v0.7.0 // indirect
+ tags.cncf.io/container-device-interface v0.8.0 // indirect
+ tags.cncf.io/container-device-interface/specs-go v0.8.0 // indirect
 )