Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Monitor CVE reports as provided by KF/manifest team #327

Open
Tracked by #175
tarilabs opened this issue Sep 2, 2024 · 3 comments
Open
Tracked by #175

Monitor CVE reports as provided by KF/manifest team #327

tarilabs opened this issue Sep 2, 2024 · 3 comments

Comments

@tarilabs
Copy link
Member

tarilabs commented Sep 2, 2024

With KF 1.9, the Platform (KF/Manifest) team is introducing CVE reporting.
ref: https://blog.kubeflow.org/kubeflow-1.9-release/#cve-scanning

Since kubeflow/manifests#2860 it is possible to access the reports for the whole KF platform by accessing the zip archive in any of the run from: https://github.com/kubeflow/manifests/actions/workflows/trivy.yaml

With kubeflow/manifests#2856 we avoid a double-counting in the final report for image which are shared across WGs/Components (ie: we share Mysql and gcr.io/tfx-oss-public/ml_metadata_store_server)

Baseline

From the KF 1.9 release, this numbers where reported:

Screenshot 2024-09-02 at 10 26 40

September 2nd

Source images

Scanning  kubeflow/model-registry:latest
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    0     |  0   |   11   |  68 |
+----------+------+--------+-----+

Shared images

Scanning  gcr.io/tfx-oss-public/ml_metadata_store_server:1.14.0
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    0     |  0   |   35   |  41 |
+----------+------+--------+-----+

Scanning  mysql:8.0.3
+----------+------+--------+-----+
| Critical | High | Medium | Low |
+----------+------+--------+-----+
|    17    |  71  |   55   |  42 |
+----------+------+--------+-----+
@tarilabs tarilabs changed the title monitor CVE reports as provided by KF/manifest team Monitor CVE reports as provided by KF/manifest team Sep 2, 2024
@tarilabs
Copy link
Member Author

tarilabs commented Sep 2, 2024

It looks to me to get better numbers we need to have coordination with KFP WG for which we copy the MLMD setup.

I notice mysql:8.0.39 as also suggested in #267 would improve some of this numbers, although same considerations as above, since it seems to be also failing the bare minimal K8s test we have on this repo.

@tarilabs tarilabs added this to the Kubeflow 1.10 roadmap milestone Sep 10, 2024
@tarilabs
Copy link
Member Author

On suggestion received during the MR biweekly meeting 2024-09-16, I've raised the question about the shared DB image in the Discussion forum for the KFP WG: kubeflow/pipelines#11224

Copy link

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant