Upgrade sigs.k8s.io/controller-runtime to 0.15.x version

[spolti]

We came across a vulnerability where the controller-runtime pulls, as part of the [email protected], a dependency that has the following high vulnerability:

• https://www.cve.org/CVERecord?id=CVE-2023-37788

As we can see in the dependency graph, apimachinery brings this vulnerable version of go proxy:

$ go mod graph  |grep github.com/elazarl/goproxy
k8s.io/[email protected] github.com/elazarl/[email protected]

To address this, we have 2 options, first and easier:

• Updating go.mod by including the goproxy there:

  require (
     k8s.io/apimachinery v0.26.0
     github.com/elazarl/goproxy v<new-version>
  )

• Updating the controller-runtime to 0.15.0.
  • The big point of this update is that, the goproxy� dependency was removed from [email protected]:
    • https://github.com/kubernetes-sigs/controller-runtime/blob/v0.15.0/go.mod#L22C5-L22C29
    • 0.27.0: https://github.com/kubernetes/apimachinery/blob/v0.27.0/go.mod
    • 0.26.10: https://github.com/kubernetes/apimachinery/blob/v0.26.10/go.mod#L10

However, this is a very large upgrade and have a lot of breaking changes that can be found here: https://github.com/kubernetes-sigs/controller-runtime/releases/tag/v0.15.0

Update.

The update to address the described vulnerability is done, however we will keep this issue open to track the controller-runtime update, as it is a large one and will require more tests.

I'm opening this issue to start a discussion around this and how can we proceed with this CVE fix at this moment.

[spolti]

fyi @ckadner @rafvasq.

[ckadner]

I would go the quick and easy path right away to give us more time to work on the bigger upgrade.

i.e. add a required block for "indirect" dependencies that we forcefully upgrade to fix CVEs

// pull some of the indeirect dependency directly to get newer versions with fixed CVEs
require (
	k8s.io/apimachinery v0.27.0 //indirect
)

[spolti]

The dependency updated will be addressed by kserve/rest-proxy#30.

@ckadner what do you think to keep this issue open to track the major controller-runtime update?

[ckadner]

The dependency updated will be addressed by kserve/rest-proxy#30.

@ckadner what do you think to keep this issue open to track the major controller-runtime update?

Sounds good 👍🏻

[spolti]

Affected repositories:

• KServe
• modelmesh-serving
• modelmesh-runtime-adapter
• rest-proxy

[ckadner]

This will be done when we / along with the update to KServe v0.12.0 and Go 1.21

[spolti]

modelmesh-serving is ready to go.

[rafvasq]

For tracking, #497 includes an upgrade of controller-runtime from v0.14.6 to v0.16.3 for modelmesh-serving.