Move away from deprecated gcr.io/kubebuilder/kube-rbac-proxy image used by keda-add-ons-http component to retain support and address CVE's

[toffiebotha]

Proposal

Version 0.8.0 of the keda-add-ons-http helm chart makes use of the v.016.0 tag of the gcr.io/kubebuilder/kube-rbac-proxy image.
This image contains the following vulnerabilities:

CVE ID	SEVERITY	VULNERABLE PACKAGE NAME	INSTALLED VERSION	FIXED IN VERSION
CVE-2024-24786	High	google.golang.org/protobuf	1.31.0.0	1.33.0
CVE-2023-47108	High	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	0.42.0.0	0.46.0
CVE-2023-45288	High	golang.org/x/net	0.21.0.0	0.23.0
CVE-2024-28180	Medium	gopkg.in/square/go-jose.v2	2.6.0.0

The image maintainers has put up a notice stating that this image must no longer be used as it will no longer be maintained.
kubernetes-sigs/kubebuilder#3907

This feature request is to either make use of the suggested alternative project's image, where v0.18.1 of the image has updated all the vulnerable packages, or if at all possible, remove the dependency on this image completely and make use of the built in protection mechanism as the discussion mentions.

Use-Case

Retain supportability, longevity and security compliance when using keda http-add-on component in combination with keda as a whole.

Is this a feature you are interested in implementing yourself?

No

Anything else?

No response

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed due to inactivity.