#221 fix CVE-2024-45337

cloudogu · Dec 19, 2024 · 7913a4a · 7913a4a
1 parent d320bab
commit 7913a4a
Show file tree

Hide file tree

Showing 4 changed files with 2 additions and 35 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+### Fixed 
+- [#223] remove rbac proxy to fix CVE-2024-45337
 
 ## [v3.1.0] - 2024-12-16
 ### Added

diff --git a/k8s/helm/component-patch-tpl.yaml b/k8s/helm/component-patch-tpl.yaml
@@ -2,17 +2,11 @@ apiVersion: v1
 values:
   images:
     doguOperator: cloudogu/k8s-dogu-operator:3.1.0
-    kubeRbacProxy: gcr.io/kubebuilder/kube-rbac-proxy:v0.14.1
     chownInitImage: busybox:1.36
 patches:
   values.yaml:
     additionalImages:
       chownInitImage: "{{ .images.chownInitImage }}"
-    kubeRbacProxy:
-      image:
-        registry: "{{ registryFrom .images.kubeRbacProxy }}"
-        repository: "{{ repositoryFrom .images.kubeRbacProxy }}"
-        tag: "{{ tagFrom .images.kubeRbacProxy }}"
     controllerManager:
       image:
         registry: "{{ registryFrom .images.doguOperator }}"

diff --git a/k8s/helm/templates/deployment.yaml b/k8s/helm/templates/deployment.yaml
@@ -26,24 +26,6 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
       containers:
-        - args:
-            - --secure-listen-address=0.0.0.0:8443
-            - --upstream=http://127.0.0.1:8080/
-            - --v=0
-          image: "{{ .Values.kubeRbacProxy.image.registry }}/{{ .Values.kubeRbacProxy.image.repository }}:{{ .Values.kubeRbacProxy.image.tag }}"
-          name: kube-rbac-proxy
-          ports:
-            - containerPort: 8443
-              name: https
-              protocol: TCP
-          resources:
-            limits: {{- toYaml .Values.kubeRbacProxy.resourceLimits | nindent 12 }}
-            requests: {{- toYaml .Values.kubeRbacProxy.resourceRequests | nindent 12 }}
-          securityContext:
-            allowPrivilegeEscalation: false
-            capabilities:
-              drop:
-                - ALL
         - args:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=127.0.0.1:8080

diff --git a/k8s/helm/values.yaml b/k8s/helm/values.yaml
@@ -29,14 +29,3 @@ controllerManager:
   resourceRequests:
     cpu: 10m
     memory: 64Mi
-kubeRbacProxy:
-  image:
-    registry: gcr.io
-    repository: kubebuilder/kube-rbac-proxy
-    tag: v0.14.1
-  resourceLimits:
-    cpu: 500m
-    memory: 128Mi
-  resourceRequests:
-    cpu: 5m
-    memory: 64Mi