[SDO-3026] Update Collector Image for Security Vulnerabilities (#124)

* Update Collector Image for Security Vulnerabilties * Clarify Deprecated Version * Fix yaml syntax that has been bothering me for a while * Some minor changes to NOTES * Change Docker Image version * Change date to day of release
CloudHealth · Jul 19, 2024 · a856d8c · a856d8c
1 parent b2499a2
commit a856d8c
Show file tree

Hide file tree

Showing 4 changed files with 52 additions and 21 deletions.
diff --git a/charts/cloudhealth-collector/Chart.yaml b/charts/cloudhealth-collector/Chart.yaml
@@ -5,8 +5,8 @@ apiVersion: v2
 name: cloudhealth-collector
 description: A Helm chart for CloudHealth's Kubernetes Collector Agent
 type: application
-version: 4.6.3
-appVersion: "7.0.0"
+version: 4.6.4
+appVersion: "7.1.0"
 home: https://cloudhealth.vmware.com/
 icon: https://d1fto35gcfffzn.cloudfront.net/images/Tanzu-Logomark.svg
 sources:

diff --git a/charts/cloudhealth-collector/NOTES.txt b/charts/cloudhealth-collector/NOTES.txt
@@ -10,24 +10,24 @@ helm install cloudhealth-collector --debug --dry-run --set apiToken=$CHT_API_TOK
 
 To install helm for local collection dev testing:
 
-helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
+helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
 
-helm upgrade cloudhealth-collector -n dmz --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\]" cloudhealth/cloudhealth-collector
+helm upgrade cloudhealth-collector -n dmz --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\]" cloudhealth/cloudhealth-collector
 
 helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=cloudhealth/container-collector-dev cloudhealth/cloudhealth-collector
 
 
-helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
+helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
 
-helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=metrics-collector-1,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
-helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs-1,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
+helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=metrics-collector-1,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
+helm install cloudhealth-collector --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs-1,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" cloudhealth/cloudhealth-collector
 
 
 --set "customEnvVars[0].name=ENV4" --set "customEnvVars[0].value=VALUE4"
 
-upload_k8s_state_v2 --verbose --endpoint http://<your_ip_address>:9292
+upload_k8s_state_v4 --verbose --endpoint http://<your_ip_address>:9292
 
 
-helm install cloudhealth-collector --debug --dry-run --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs-06-13-3,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]",podSecurityContext.fsGroup=2000,containerSecurityContext.readOnlyRootFilesystem=true,containerSecurityContext.runAsNonRoot=true,containerSecurityContext.runAsUser=1000,containerSecurityContext.capabilities.drop={ALL} ./cloudhealth-collector-1.1.3.tgz
+helm install cloudhealth-collector --debug --dry-run --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs-06-13-3,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]",podSecurityContext.fsGroup=2000,containerSecurityContext.readOnlyRootFilesystem=true,containerSecurityContext.runAsNonRoot=true,containerSecurityContext.runAsUser=1000,containerSecurityContext.capabilities.drop={ALL} ./cloudhealth-collector-1.1.3.tgz
 
-helm install cloudhealth-collector --debug --dry-run --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs-06-13-3,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v2'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" --set "customEnvVars[0].name=ENV4" --set "customEnvVars[0].value=VALUE4" --set serviceAccount.name=sample_service_account ./cloudhealth-collector-1.1.2.tgz
+helm install cloudhealth-collector --debug --dry-run --set apiToken=$CHT_API_TOKEN,clusterName=$CHT_CLUSTER_NAME,chtEndpointPrefix=$CHT_ENDPOINT_PREFIX,image.repository=latest-libs-06-13-3,image.pullPolicy=Never --set devArgs="\['upload_k8s_state_v4'\,'--verbose'\,'--endpoint'\,'http://<your_ip_address>:9292'\]" --set "customEnvVars[0].name=ENV4" --set "customEnvVars[0].value=VALUE4" --set serviceAccount.name=sample_service_account ./cloudhealth-collector-1.1.2.tgz
diff --git a/charts/cloudhealth-collector/values.yaml b/charts/cloudhealth-collector/values.yaml
@@ -27,7 +27,7 @@ jvmMemory: "-Xmx891M"
 
 image:
   repository: cloudhealth/container-collector
-  tag: "1458"
+  tag: "1481"
 
 imagePullSecrets: []
 nameOverride: ""
@@ -54,16 +54,15 @@ deployAnnotations: {}
 
 podAnnotations: {}
 
-podSecurityContext: {
+podSecurityContext:
   runAsNonRoot: true
-}
-
-containerSecurityContext: {
-  allowPrivilegeEscalation: false,
-  readOnlyRootFilesystem: true,
-  runAsNonRoot: true,
-  capabilities: {drop: [all]}
-}
+
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  capabilities: 
+    drop: [all]
 
 # -- Run the collector on the host network
 hostNetwork: false

diff --git a/cloudhealth-collector-image-docs/CHANGELOG.md b/cloudhealth-collector-image-docs/CHANGELOG.md
@@ -8,7 +8,39 @@ The agent has been verified against:
 [Kubernetes Versions ≤ 1.29](https://kubernetes.io/releases/)</br>
 [OC Version ≥ 4.1](https://docs.openshift.com/container-platform)
 
-All versions before June 20, 2022 have been deprecated.
+All versions before June 20, 2022 (Version: 1191) have been deprecated.
+
+## [1481] - 2024-07-19
+
+### Security
+
+* Vulnerabilities patched:
+  * [CVE-2023-5388](https://avd.aquasec.com/nvd/cve-2023-5388)
+  * [CVE-2023-46218](https://avd.aquasec.com/nvd/cve-2023-46218)
+  * [CVE-2023-46219](https://avd.aquasec.com/nvd/cve-2023-46219)
+  * [CVE-2024-2004](https://avd.aquasec.com/nvd/cve-2024-2004)
+  * [CVE-2024-2398](https://avd.aquasec.com/nvd/cve-2024-2398)
+  * [CVE-2024-2511](https://avd.aquasec.com/nvd/cve-2024-2511)
+  * [CVE-2024-2961](https://avd.aquasec.com/nvd/cve-2024-2961)
+  * [CVE-2024-4741](https://avd.aquasec.com/nvd/cve-2024-4741)
+  * [CVE-2024-5535](https://avd.aquasec.com/nvd/cve-2024-5535)
+  * [CVE-2024-26256](https://avd.aquasec.com/nvd/cve-2024-26256)
+  * [CVE-2024-26458](https://avd.aquasec.com/nvd/cve-2024-26458)
+  * [CVE-2024-26461](https://avd.aquasec.com/nvd/cve-2024-26461)
+  * [CVE-2024-26462](https://avd.aquasec.com/nvd/cve-2024-26462)
+  * [CVE-2024-28085](https://avd.aquasec.com/nvd/cve-2024-28085)
+  * [CVE-2024-28757](https://avd.aquasec.com/nvd/cve-2024-28757)
+  * [CVE-2024-28834](https://avd.aquasec.com/nvd/cve-2024-28834)
+  * [CVE-2024-28835](https://avd.aquasec.com/nvd/cve-2024-28835)
+  * [CVE-2024-29857](https://avd.aquasec.com/nvd/cve-2024-29857)
+  * [CVE-2024-30171](https://avd.aquasec.com/nvd/cve-2024-30171)
+  * [CVE-2024-30172](https://avd.aquasec.com/nvd/cve-2024-30172)
+  * [CVE-2024-33599](https://avd.aquasec.com/nvd/cve-2024-33599)
+  * [CVE-2024-33600](https://avd.aquasec.com/nvd/cve-2024-33600)
+  * [CVE-2024-33601](https://avd.aquasec.com/nvd/cve-2024-33601)
+  * [CVE-2024-33602](https://avd.aquasec.com/nvd/cve-2024-33602)
+  * [CVE-2024-34397](https://avd.aquasec.com/nvd/cve-2024-34397)
+  * [CVE-2024-34447](https://avd.aquasec.com/nvd/cve-2024-34447)
 
 ## [1458] - 2024-03-11