[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ivans3
Once this PR has been reviewed and has the lgtm label, please assign spowelljr for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Hi @ivans3. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Can one of the admins verify this patch?

Hi @medyagh Sure sounds good. I changed the tag name to v1 and will use v2,v3,etc... for any subsequent updates

Hi @ivans3, the new image has two critical CVEs, do you think you could resolve those?

 1C 6H 1M 0L 5? stdlib 1.21.6
pkg:golang/stdlib@1.21.6
 ✗ CRITICAL CVE-2024-24790
 https://scout.docker.com/v/CVE-2024-24790
 Affected range : <1.21.11 
 Fixed version : 1.21.11
 
 1C 4H 18M 0L 3? openssl 3.0.7-r2
pkg:apk/alpine/openssl@3.0.7-r2?os_name=alpine&os_version=3.17
 ✗ CRITICAL CVE-2024-5535
 https://scout.docker.com/v/CVE-2024-5535
 Affected range : <3.0.14-r0 
 Fixed version : 3.0.14-r0 

Hi @spowelljr okay i updated the packages as requested to address the CVEs. Can you give it another scan and let me know?

Thanks!

The critical ones are gone now, I still see some high for Go, would you be able to bump go to +1.22.7?

 0C 4H 0M 0L 1? stdlib 1.21.11
pkg:golang/stdlib@1.21.11
 ✗ HIGH CVE-2024-34158
 https://scout.docker.com/v/CVE-2024-34158
 Affected range : <1.22.7 
 Fixed version : 1.22.7 
 
 ✗ HIGH CVE-2024-34156
 https://scout.docker.com/v/CVE-2024-34156
 Affected range : <1.22.7 
 Fixed version : 1.22.7 
 
 ✗ HIGH CVE-2024-24791
 https://scout.docker.com/v/CVE-2024-24791
 Affected range : <1.21.12 
 Fixed version : 1.21.12 
 
 ✗ HIGH CVE-2022-30635
 https://scout.docker.com/v/CVE-2022-30635
 Affected range : <1.22.7 
 Fixed version : 1.22.7 
 
 ✗ UNSPECIFIED CVE-2024-34155
 https://scout.docker.com/v/CVE-2024-34155
 Affected range : <1.22.7 
 Fixed version : 1.22.7 

Hi @spowelljr okay i rebuilt using golang 1.22.8 and it showing now with 0 vulnerabilites for me. Can you please take a look?

Security wise it looks good @ivans3, two more things if you could:

1. Could you add a small integration test for the addon, just to ensure the pods come up healthy, for reference:
   

   minikube/test/integration/addons_test.go

   Lines 753 to 761 in 9d3094c

   // validateInspektorGadgetAddon tests the inspektor-gadget addon by ensuring the pod has come up and addon disables

   func validateInspektorGadgetAddon(ctx context.Context, t *testing.T, profile string) {

   defer disableAddon(t, "inspektor-gadget", profile)

   defer PostMortemLogs(t, profile)

   if _, err := PodWait(ctx, t, profile, "gadget", "k8s-app=gadget", Minutes(8)); err != nil {

   t.Fatalf("failed waiting for inspektor-gadget pod: %v", err)

   }

   }
2. Would you be able to build the image for more machine architectures? arm64 would be the most important (~25% of users use arm64), less important, but if possible s390x, arm, and ppc64le would be great as well. Feel free to copy what I do for another one of the images to easily build multi-arch.
   https://github.com/spowelljr/kube-registry-proxy/blob/main/Makefile