Recategorization of CVE for Network Exposure
#9
Labels:
area/compliance: Compliance related
area/security: Security related
kind/task: General task
lifecycle/rotten: Nobody worked on this for 12 months (final aging stage)
What would you like to be added:
Recategorization of CVE for Network Exposure.
Why is this needed:
Currently CVE network_exposure is set to private since the etcd-wrapper container does not interact with any endpoints outside of the cluster, and does not expose any external services either. It is only contacted by etcd-backup-restore, kube-apiserver and prometheus. There is ongoing discussion to move etcd initialization from backup-restore container to etcd container, since initialization is a DB-specific operation, and finds a better place within etcd container. Once this is done, the CVE label network_exposure needs to be re-looked at, since DB validation also checks the backup bucket for revision sanity check against the DB revision. Since this involves the etcd container contacting the object storage on a public hyperscaler, the value for label network_exposure will have to be changed to protected.