
Upgrade Kustomize to >= 4.5.6 to mitigate CVE-2021-29923 and fix bugs #10533

Closed
Daemonslayer2048 opened this issue Sep 6, 2022 · 8 comments
Labels
enhancement New feature or request security Security related

Comments

@Daemonslayer2048

Summary

The argocd:v2.4.11 container ships with kustomize v4.4.1, which is vulnerable to CVE-2021-29923 as it is compiled with golang 1.16; there has been a similar chore task here to build argo with a more up to date compiler. In short, simply bumping the kustomize version would help resolve multiple security issues that are related to an EOL golang version.

I have read the security policy and believe this would be acceptable to make public as per:

If there is a CVE assigned to the issue, please do open an issue on our GitHub tracker instead of writing to the security contact e-mail, since things reported by scanners are public already and the discussion that might emerge is of benefit to the general community.

Motivation

At Platform One we use continuous scanning with tools like Twistlock and Anchore to scan our hardened images. We are encountering a number of CVEs regarding go1.16, which is EOL.

Proposal

Upgrade from kustomize v4.4.1 to kustomize 4.5.6
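A small check of the kind a scanner-driven team might run against the bundled binary, added here as an example (not code from Argo CD or the issue): it parses the output of `kustomize version` (the `{Version:kustomize/vX.Y.Z ...}` format printed by 4.x) and of `go version -m <binary>` (whose first line is `<path>: goX.Y.Z`), then reports whether the Kustomize version meets the 4.5.6 floor proposed above and whether the Go toolchain is on the EOL 1.16 line. Both sample outputs are constructed in that format; the threshold values come from the issue text.

```python
import re

# Thresholds taken from the issue: the proposed Kustomize floor and the
# Go release line the reporter flags as EOL.
MIN_KUSTOMIZE = (4, 5, 6)
EOL_GO_MINOR = (1, 16)

# `kustomize version` (4.x) prints e.g. {Version:kustomize/v4.4.1 GitCommit:... GoOs:linux GoArch:amd64}
VERSION_RE = re.compile(r"Version:kustomize/v(\d+)\.(\d+)\.(\d+)")
# `go version -m <binary>` starts with "<binary path>: go1.16.15"
GO_RE = re.compile(r"^\S+:\s+go(\d+)\.(\d+)", re.M)


def parse_kustomize_version(output: str) -> tuple:
    """Return (major, minor, patch) from `kustomize version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("could not find a kustomize version string")
    return tuple(int(x) for x in m.groups())


def parse_go_toolchain(output: str) -> tuple:
    """Return (major, minor) of the Go toolchain from `go version -m` output."""
    m = GO_RE.search(output)
    if not m:
        raise ValueError("could not find a Go toolchain version")
    return tuple(int(x) for x in m.groups())


def assess(version_output: str, go_output: str) -> dict:
    """Combine both parses into a findings dict a scan job could act on."""
    kv = parse_kustomize_version(version_output)
    gv = parse_go_toolchain(go_output)
    return {
        "kustomize": kv,
        "go": gv,
        "kustomize_ok": kv >= MIN_KUSTOMIZE,   # meets the floor proposed in the issue
        "go_eol": gv <= EOL_GO_MINOR,          # built with an EOL Go release line
    }


# Constructed sample outputs (not captured from a real image); the commit and
# date fields are placeholders, only the version fields are parsed.
SAMPLE_VERSION = (
    "{Version:kustomize/v4.4.1 GitCommit:unknown "
    "BuildDate:1970-01-01T00:00:00Z GoOs:linux GoArch:amd64}"
)
SAMPLE_GO = "kustomize: go1.16.15\n\tpath\tsigs.k8s.io/kustomize/kustomize/v4\n"

if __name__ == "__main__":
    # In a real job, feed in the captured output of the two commands run inside the image.
    print(assess(SAMPLE_VERSION, SAMPLE_GO))
```

The `go version -m` check matters independently of the Kustomize version: it is the toolchain that carries CVE-2021-29923, so a rebuilt 4.4.x binary on a current Go would clear the scanner finding just as an upgrade would.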

@Daemonslayer2048 Daemonslayer2048 added the enhancement New feature or request label Sep 6, 2022
@crenshaw-dev
Collaborator

@Daemonslayer2048 that's a pretty big hop in versions for a patch release of Argo CD.

If we had a really compelling description of how this vulnerability severely impacts Argo CD, I'd be okay with adding it to the 2.4.x series with clear release notes warning of any surprise issues.

Alternatively, we could write some docs encouraging folks to install and use a new version of Kustomize for themselves.

But we should definitely make sure we're not using a vulnerable version in 2.5.

@crenshaw-dev crenshaw-dev added security Security related cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch labels Sep 6, 2022
@Daemonslayer2048
Author

I won't say this issue severely impacts argo, so rushing to get the updated binary in is probably not necessary. So I think waiting for the 2.5 release is reasonable; I consider this more of a "chore" task that lacks urgency.

Is there a release date scheduled for 2.5? If the release date is particularly far out I wouldn't mind helping write some docs for updating kustomize.

@crenshaw-dev crenshaw-dev removed the cherry-pick/2.4 Candidate for cherry picking into the 2.4 release branch label Sep 6, 2022
@crenshaw-dev
Collaborator

@Daemonslayer2048 I'd put the first 2.5 release candidate about two weeks out. I know @34fathombelow has been keeping an eye on the Kustomize releases and plans to put up a PR to get a recent version bundled before we ship 2.5.

It might still be worth writing the docs for the 2.4 branch. Folks don't always upgrade quickly. 😬

@crenshaw-dev crenshaw-dev changed the title Upgrade Kustomize to >= 4.5.6 to mitigate CVE-2021-29923 Upgrade Kustomize to >= 4.5.6 to mitigate CVE-2021-29923 and fix bugs Sep 7, 2022
@crenshaw-dev
Collaborator

#10533 suggests we should upgrade due to kustomize bugs. I still think sticking to the 4.4.x series in 2.4.x is the right approach, but docs about upgrading would help.

@vhsantos

vhsantos commented Sep 7, 2022

Hi,

One workaround for the bug fixed in kustomize 4.5.3 is to duplicate the kustomize images from the kustomization.yaml in the argo application, like this:

```yaml
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: ingress-nginx
spec:
  generators:
    - clusters: {}
  template:
    metadata:
      name: "ingress-nginx-{{name}}"
    spec:
      project: sysadmin
      source:
        repoURL: https://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.git
        targetRevision: master
        path: ingress-nginx
        kustomize:
          images:
            - registry.k8s.io/ingress-nginx/controller:v1.3.0=docker.internal/ingress-nginx/controller-chroot:v1.3.0
            - registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.3.0=docker.internal/ingress-nginx/kube-webhook-certgen:v1.3.0
```

But it is complicated when you have a lot of applications to maintain, and I'm not sure if it will work well with argo-image-updater.
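Since the pain point with this workaround is repeating the `images:` list by hand across many Applications, here is an added example (not Argo CD's or the commenter's code) that renders the `spec.source.kustomize.images` entries from the `images:` entries of a kustomization.yaml. It emits kustomize's `edit set image` syntax (`name=newName:newTag`, `name=newName@digest`, or `name:newTag` when only the tag changes), which is the form Argo CD's `kustomize.images` list accepts; the tag-on-the-left form in the comment above is not generated. The sample entries are constructed and only reuse the image names from the thread; loading the real kustomization.yaml (e.g. with a YAML library) is left to the caller.

```python
from typing import Iterable, List, Mapping


def image_override(entry: Mapping[str, str]) -> str:
    """Convert one kustomization.yaml `images:` entry (name/newName/newTag/digest)
    into kustomize `edit set image` syntax for Argo CD's kustomize.images list."""
    name = entry.get("name")
    if not name:
        raise ValueError("images entry needs a name")
    new_name = entry.get("newName")
    new_tag = entry.get("newTag")
    digest = entry.get("digest")
    if new_tag and digest:
        # kustomize treats these as alternatives; refuse rather than guess
        raise ValueError(f"{name}: newTag and digest are mutually exclusive")
    suffix = f"@{digest}" if digest else (f":{new_tag}" if new_tag else "")
    if new_name:
        return f"{name}={new_name}{suffix}"
    if not suffix:
        raise ValueError(f"{name}: entry changes neither name, tag nor digest")
    return f"{name}{suffix}"


def render_overrides(entries: Iterable[Mapping[str, str]], indent: int = 10) -> str:
    """Render the `images:` block as it would sit under spec.source.kustomize
    in an Application or ApplicationSet template (indent = column of `images:`)."""
    pad = " " * indent
    lines: List[str] = [f"{pad}images:"]
    for entry in entries:
        lines.append(f"{pad}  - {image_override(entry)}")
    return "\n".join(lines)


# Constructed sample shaped like a kustomization.yaml `images:` list; the
# `docker.internal` mirror and the names follow the ingress-nginx example above.
SAMPLE_IMAGES = [
    {"name": "registry.k8s.io/ingress-nginx/controller",
     "newName": "docker.internal/ingress-nginx/controller-chroot", "newTag": "v1.3.0"},
    {"name": "registry.k8s.io/ingress-nginx/kube-webhook-certgen",
     "newName": "docker.internal/ingress-nginx/kube-webhook-certgen", "newTag": "v1.3.0"},
    {"name": "busybox", "newTag": "1.36"},
]

if __name__ == "__main__":
    print(render_overrides(SAMPLE_IMAGES))
```

Generating the list from the same kustomization.yaml the Application points at keeps the two in step; once the bundled Kustomize carries the 4.5.3 fix the override block can simply be dropped.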

@vhsantos

Hello @crenshaw-dev, did you forget to update the kustomize in version 2.5?
I can't find any reference on the documentation.

@34fathombelow
Member

@vhsantos Kustomize was upgraded to 4.5.7 https://argo-cd.readthedocs.io/en/stable/operator-manual/upgrading/2.4-2.5/#upgraded-kustomize-version

@vhsantos

I just found the info here:

> Upgraded Kustomize Version
> The bundled Kustomize version has been upgraded from 4.4.1 to 4.5.7.

Thanks


4 participants