FAQs
KubeOps COMPLIANCE Security Hotfix
What is the issue?
Critical security vulnerabilities in NGINX (Rift and PoolSlip) affect the version used in KubeOps COMPLIANCE. These vulnerabilities may allow remote code execution or denial-of-service attacks.
Who is affected?
KubeOps COMPLIANCE users running affected NGINX versions, including:
- KubeOps 2.1.0
- KubeOps 2.0.3–2.0.6
- KubeOps 1.7.6–1.7.8
What action is required?
Install the provided hotfix as soon as possible.
Script Details for KubeOps V2.x.x
- Step 1: Load the shell environment and define the KOSI package.
Load the shell environment from the current user's bashrc file:
source ~/.bashrc
Set the package name for the Nginx hotfix:
kosinginx="kubeops/ingress-nginx:2.1.0_Beta1"
• For KubeOps 2.1.0 the package name is:
kubeops/ingress-nginx:2.1.0_Beta1
• For KubeOps 2.0.3 to 2.0.6 the package name is:
kubeops/ingress-nginx:2.0.6
Create the filename that will be used when the package is pulled:
kosinginxfile="ingress-nginx-$(echo $kosinginx | awk -F: '{print $NF}').tgz"
This derives the file name from the package version; in this example, for KubeOps 2.1.0, it is:
ingress-nginx-2.1.0_Beta1.tgz
- Step 2: Prepare the KOSI Directory
Temporarily enable housekeeping in the KOSI configuration, run kosi version, and then disable housekeeping again:
sed -i "s/ housekeeping: false/ housekeeping: true/g" $KUBEOPSROOT/kosi/config.yaml
kosi version
sed -i "s/ housekeeping: true/ housekeeping: false/g" $KUBEOPSROOT/kosi/config.yaml
This prepares the KOSI directory before the package update.
- Step 3: Log In to KOSI
Log in to KOSI with a valid user account. The following loop prompts for a username and retries until the login is successful:
while true; do
  read -rp "$(printf "Username for kosi login: ")" KOSI_USER
  echo "Please enter the password for user '$KOSI_USER'"
  if kosi login -u "$KOSI_USER"; then
    echo "Login successful"
    break
  else
    echo "Login failed. Please try again."
    sleep 1
  fi
done
- Step 4: Determine the Harbor Configuration
Retrieve the Harbor namespace, endpoint, port, and password from the KubeOps configuration.
harborns=$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml | grep -A50 "^- name: harbor" | grep -B50 "^- name:" | grep -m 1 "namespace:" | awk '{print $2}')
harborep=$(kubectl get cm -n"$harborns" harbor-core -oyaml | grep "EXT_ENDPOINT" | awk '{print $2}')
harborepohnehttp=$(echo "$harborep" | awk -F"//" '{print $2}')
harborport=$(echo "$harborepohnehttp" | awk -F: '{print $NF}')
harborpw=$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml | grep -A50 "^- name: harbor" | grep -B50 "^- name:" | grep "harborpass" | awk '{print $NF}' | sed 's/"//g')
Display the Harbor URL and port:
echo "Harbor URL : $harborepohnehttp"
echo "Harbor PORT: $harborport"
- Step 5: Log In to Harbor with Podman
Log in to Harbor as the admin user by using the password retrieved in the previous step. The password is passed on stdin so that it does not appear in the process list, the failure message does not echo it, and --tls-verify=false disables verification of the registry's TLS certificate:
if printf '%s' "$harborpw" | podman login "$harborepohnehttp" -u admin --password-stdin --tls-verify=false; then
  echo "Podman login successful"
else
  echo "Podman login to $harborepohnehttp as admin was not successful"
  exit 1
fi
- Step 6: Pull the Nginx Hotfix Package
Pull the ingress-nginx package from the KOSI hub and save it as the local package archive:
kosi pull --hub kubeops "$kosinginx" -o "$kosinginxfile" -r "$harborepohnehttp/kubeops" -t "localhost:$harborport/kubeops"
- Step 7: Determine the Deployment Name for ingress-nginx
Retrieve the deployment name for the existing ingress-nginx package:
dname=$(kosi list | grep ingress-nginx | awk '{print $2}')
- Step 8: Update ingress-nginx
Run the KOSI update command by using the deployment name, the pulled package file, and the KubeOps values file:
kosi update --dname="$dname" -p "$kosinginxfile" -f $KUBEOPSROOT/kubeopsctl/tools-values.yaml
This applies the hotfix package to the existing ingress-nginx deployment.
- Step 9: Remove Local Podman Images
After the update completes, remove the local Podman images related to ingress-nginx and defaultbackend:
for i in $(podman images | grep "ingress-nginx\|defaultbackend" | awk '{print $3}'); do
  podman rmi -f "$i"
done
This cleans up the local images from the administration host.
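Step 4 derives the Harbor namespace, password, endpoint and port with a chain of grep and awk calls, and the port extraction (awk -F: '{print $NF}') silently returns the host name when EXT_ENDPOINT carries no explicit port. The script below is an added example, not part of the KubeOps hotfix script: it runs the same extraction pipeline against a constructed tools-values.yaml fragment and a constructed harbor-core ConfigMap (both sample inputs are made up, including the password value), so the parsing can be checked offline before it is run against a live cluster, and it adds a host/port splitter that falls back to the scheme's default port.

```shell
#!/bin/bash
# Added example (not part of the KubeOps hotfix script): reproduce the
# Step 4 extraction of the Harbor namespace, password, endpoint host and
# port against constructed sample input, so the grep/awk pipeline can be
# checked offline.

# Constructed fragment of tools-values.yaml (key names follow the hotfix
# script; the password value is made up for this example).
SAMPLE_TOOLS_VALUES='- name: cert-manager
  namespace: cert-manager
- name: harbor
  namespace: harbor
  values:
    harborpass: "example-only-password"
- name: ingress-nginx
  namespace: ingress-nginx
'

# Constructed harbor-core ConfigMap as "kubectl get cm harbor-core -oyaml"
# would print it (only the keys this example needs).
SAMPLE_HARBOR_CORE_CM='apiVersion: v1
kind: ConfigMap
data:
  CORE_URL: http://harbor-core:80
  EXT_ENDPOINT: https://harbor.example.internal:30003
'

# Namespace of the "- name: harbor" entry: same pipeline as Step 4, reading
# the YAML text from $1 instead of the file.
harbor_namespace() {
  printf '%s' "$1" | grep -A50 "^- name: harbor" | grep -B50 "^- name:" \
    | grep -m 1 "namespace:" | awk '{print $2}'
}

# harborpass value of the harbor entry, with surrounding quotes removed.
harbor_password() {
  printf '%s' "$1" | grep -A50 "^- name: harbor" | grep -B50 "^- name:" \
    | grep "harborpass" | awk '{print $NF}' | sed 's/"//g'
}

# EXT_ENDPOINT value from the ConfigMap YAML text in $1.
harbor_endpoint() {
  printf '%s' "$1" | grep "EXT_ENDPOINT" | awk '{print $2}'
}

# Split an endpoint URL into "host port". The hotfix script derives the port
# with awk -F: '{print $NF}', which yields the host name when the URL has no
# explicit port; this version falls back to the scheme's default port instead.
harbor_host_port() {
  url="$1"
  scheme="${url%%://*}"
  hostport="${url#*://}"
  hostport="${hostport%%/*}"        # drop any path component
  host="${hostport%%:*}"
  if [ "$hostport" != "$host" ]; then
    port="${hostport##*:}"
  elif [ "$scheme" = "https" ]; then
    port=443
  else
    port=80
  fi
  printf '%s %s\n' "$host" "$port"
}

# Demonstration on the constructed input (same labels as the hotfix script).
ns=$(harbor_namespace "$SAMPLE_TOOLS_VALUES")
ep=$(harbor_endpoint "$SAMPLE_HARBOR_CORE_CM")
hp=$(harbor_host_port "$ep")
echo "Harbor namespace: $ns"
echo "Harbor host/port: $hp"
```

Replacing the constructed strings with "$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml)" and "$(kubectl get cm -n"$ns" harbor-core -oyaml)" turns the functions into drop-in equivalents of the Step 4 assignments; the password is never printed, which is the behaviour the hotfix script should keep for its own error paths.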
Complete Script for 2.1.0
#!/bin/bash
source ~/.bashrc
# kosi package
kosinginx="kubeops/ingress-nginx:2.1.0_Beta1"
# Filename for kosi pull
kosinginxfile="ingress-nginx-$(echo $kosinginx | awk -F: '{print $NF}').tgz"
# Clean up kosi directory
sed -i "s/ housekeeping: false/ housekeeping: true/g" $KUBEOPSROOT/kosi/config.yaml
kosi version
sed -i "s/ housekeeping: true/ housekeeping: false/g" $KUBEOPSROOT/kosi/config.yaml
# kosi login
while true; do
  read -rp "$(printf "Username for kosi login: ")" KOSI_USER
  echo "Please enter the password for user '$KOSI_USER'"
  if kosi login -u "$KOSI_USER"; then
    echo "Login successful"
    break
  else
    echo "Login failed. Please try again."
    sleep 1
  fi
done
# Determine Harbor values
harborns=$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml | grep -A50 "^- name: harbor" | grep -B50 "^- name:" | grep -m 1 "namespace:" | awk '{print $2}')
harborep=$(kubectl get cm -n"$harborns" harbor-core -oyaml | grep "EXT_ENDPOINT" | awk '{print $2}')
harborepohnehttp=$(echo "$harborep" | awk -F"//" '{print $2}')
harborport=$(echo "$harborepohnehttp" | awk -F: '{print $NF}')
harborpw=$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml | grep -A50 "^- name: harbor" | grep -B50 "^- name:" | grep "harborpass" | awk '{print $NF}' | sed 's/"//g')
echo "Harbor URL : $harborepohnehttp"
echo "Harbor PORT: $harborport"
# Podman login: the password is passed on stdin so it does not appear in the
# process list; --tls-verify=false disables verification of the registry's
# TLS certificate
if printf '%s' "$harborpw" | podman login "$harborepohnehttp" -u admin --password-stdin --tls-verify=false; then
  echo "Podman login successful"
else
  # The failure message deliberately does not echo the password
  echo "Podman login to $harborepohnehttp as admin was not successful"
  exit 1
fi
# kosi pull
kosi pull --hub kubeops "$kosinginx" -o "$kosinginxfile" -r "$harborepohnehttp/kubeops" -t "localhost:$harborport/kubeops"
# Determine dname for ingress-nginx
dname=$(kosi list | grep ingress-nginx | awk '{print $2}')
# kosi update
kosi update --dname="$dname" -p "$kosinginxfile" -f $KUBEOPSROOT/kubeopsctl/tools-values.yaml
# Clean up admin Podman images
for i in $(podman images | grep "ingress-nginx\|defaultbackend" | awk '{print $3}'); do
  podman rmi -f "$i"
done
Complete Script for 2.0.3–2.0.6
#!/bin/bash
source ~/.bashrc
# kosi package
kosinginx="kubeops/ingress-nginx:2.0.6"
# Filename for kosi pull
kosinginxfile="ingress-nginx-$(echo $kosinginx | awk -F: '{print $NF}').tgz"
# Clean up kosi directory
sed -i "s/ housekeeping: false/ housekeeping: true/g" $KUBEOPSROOT/kosi/config.yaml
kosi version
sed -i "s/ housekeeping: true/ housekeeping: false/g" $KUBEOPSROOT/kosi/config.yaml
# kosi login
while true; do
  read -rp "$(printf "Username for kosi login: ")" KOSI_USER
  echo "Please enter the password for user '$KOSI_USER'"
  if kosi login -u "$KOSI_USER"; then
    echo "Login successful"
    break
  else
    echo "Login failed. Please try again."
    sleep 1
  fi
done
# Determine Harbor values
harborns=$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml | grep -A50 "^- name: harbor" | grep -B50 "^- name:" | grep -m 1 "namespace:" | awk '{print $2}')
harborep=$(kubectl get cm -n"$harborns" harbor-core -oyaml | grep "EXT_ENDPOINT" | awk '{print $2}')
harborepohnehttp=$(echo "$harborep" | awk -F"//" '{print $2}')
harborport=$(echo "$harborepohnehttp" | awk -F: '{print $NF}')
harborpw=$(cat $KUBEOPSROOT/kubeopsctl/tools-values.yaml | grep -A50 "^- name: harbor" | grep -B50 "^- name:" | grep "harborpass" | awk '{print $NF}' | sed 's/"//g')
echo "Harbor URL : $harborepohnehttp"
echo "Harbor PORT: $harborport"
# Podman login: the password is passed on stdin so it does not appear in the
# process list; --tls-verify=false disables verification of the registry's
# TLS certificate
if printf '%s' "$harborpw" | podman login "$harborepohnehttp" -u admin --password-stdin --tls-verify=false; then
  echo "Podman login successful"
else
  # The failure message deliberately does not echo the password
  echo "Podman login to $harborepohnehttp as admin was not successful"
  exit 1
fi
# kosi pull
kosi pull --hub kubeops "$kosinginx" -o "$kosinginxfile" -r "$harborepohnehttp/kubeops" -t "localhost:$harborport/kubeops"
# Determine dname for ingress-nginx
dname=$(kosi list | grep ingress-nginx | awk '{print $2}')
# kosi update
kosi update --dname="$dname" -p "$kosinginxfile" -f $KUBEOPSROOT/kubeopsctl/tools-values.yaml
# Clean up admin Podman images
for i in $(podman images | grep "ingress-nginx\|defaultbackend" | awk '{print $3}'); do
  podman rmi -f "$i"
done