Verify sha256sum for kubelet, vagrant zip and go binary#13889

Merged
manuelbuil merged 1 commit into k3s-io:main from manuelbuil:improvesecurityinitsh
Apr 1, 2026

Conversation

@manuelbuil (Contributor) commented Mar 31, 2026

Proposed Changes

Verify the sha256sum for the kubelet, vagrant zip and go binary.

It also updates the Go version.

Types of Changes

Security improvement

Verification

Testing

Linked Issues

#13886

User-Facing Change


Further Comments

@manuelbuil manuelbuil requested a review from a team as a code owner March 31, 2026 16:19
@manuelbuil manuelbuil force-pushed the improvesecurityinitsh branch from e177b09 to fff439a on March 31, 2026 16:22
@manuelbuil manuelbuil changed the title Verify sha256sum for kubelet and vagrant zip Verify sha256sum for kubelet, vagrant zip and go binary Mar 31, 2026
@cwayne18 (Member)

I think we're meant to pin the sha directly in-file, pulling it along with the artifacts wouldn't stop a trivy-esque attack

cc @macedogm

That said, if kubectl is compromised it's basically game over, isn't it

@codecov bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 22.32%. Comparing base (f1deb4e) to head (921ed20).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #13889      +/-   ##
==========================================
- Coverage   22.38%   22.32%   -0.06%     
==========================================
  Files         193      193              
  Lines       15631    15631              
==========================================
- Hits         3499     3490       -9     
- Misses      11650    11661      +11     
+ Partials      482      480       -2     
Flag Coverage Δ
unittests 22.32% <ø> (-0.06%) ⬇️


@manuelbuil (Contributor, Author)

> I think we're meant to pin the sha directly in-file, pulling it along with the artifacts wouldn't stop a trivy-esque attack
>
> cc @macedogm
>
> That said, if kubectl is compromised it's basically game over, isn't it

Do you have an example of how it should look? I have used this approach in many other PRs

@cwayne18 (Member)

Something along these lines:

k3s-io/klipper-helm#121
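The in-file pinning cwayne18 is pointing at (the pattern used in k3s-io/klipper-helm#121), written out here as an added example that is not k3s's init script or the linked PR's code. The first function reproduces the weaker pattern the review objects to, fetching the artifact and its `.sha256` sidecar from the same origin; the second verifies the download against a digest that lives in the script itself, so a swapped artifact fails the check and is discarded. The version, URL and digest values are placeholders, and the demo at the end runs on a constructed local file, so no network is needed.

```shell
#!/usr/bin/env sh
# Added example, not k3s code: verify a downloaded artifact against a
# sha256 digest pinned in this file, rather than against a checksum file
# fetched from the same place as the artifact.

# Pinned digests. PLACEHOLDER values: a real script records the known-good
# digest for the exact version it installs (kubelet, the vagrant zip, the
# Go tarball) and updates it together with the version bump.
KUBELET_VERSION="vX.Y.Z"                                                             # placeholder
KUBELET_SHA256="0000000000000000000000000000000000000000000000000000000000000000"  # placeholder

# sha256_of FILE: print the hex digest (GNU coreutils or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha256 FILE EXPECTED: succeed only if EXPECTED is non-empty and
# equals the file's digest exactly (an empty expected value must never pass).
verify_sha256() {
    _actual=$(sha256_of "$1") || return 1
    [ -n "$2" ] && [ "$_actual" = "$2" ]
}

# Weak pattern: the checksum is downloaded next to the artifact. Whoever can
# replace the artifact at that origin can replace the .sha256 file too, so
# this only catches corrupt or truncated downloads, not substitution.
fetch_with_sidecar_checksum() {
    url=$1; out=$2
    curl -fsSL "$url" -o "$out" || return 1
    expected=$(curl -fsSL "$url.sha256" | awk '{ print $1 }') || return 1
    verify_sha256 "$out" "$expected"
}

# Hardened pattern: the expected digest is passed in from this file, so a
# substituted artifact fails the comparison and is removed.
fetch_pinned() {
    url=$1; out=$2; expected=$3
    curl -fsSL "$url" -o "$out" || return 1
    if ! verify_sha256 "$out" "$expected"; then
        echo "sha256 mismatch for $out (expected $expected)" >&2
        rm -f "$out"
        return 1
    fi
}

# Offline demonstration on a constructed artifact.
demo() {
    tmp=$(mktemp) || return 1
    printf 'hello' > "$tmp"                     # constructed artifact
    good=$(sha256_of "$tmp")                    # the value a script would pin
    verify_sha256 "$tmp" "$good" && echo "pinned digest matches"
    printf 'hellp' > "$tmp"                     # simulate a substituted file
    if verify_sha256 "$tmp" "$good"; then
        echo "unexpected: tampered file passed"
    else
        echo "tampered file rejected"
    fi
    rm -f "$tmp"
}

# Real usage would be along the lines of:
#   fetch_pinned "https://example.invalid/kubelet-${KUBELET_VERSION}" ./kubelet "$KUBELET_SHA256"
demo
```

The point of the split is where the expected value comes from: in `fetch_pinned` it is part of the reviewed, version-controlled script, so changing it requires a commit, while the sidecar pattern trusts whatever the download origin serves at that moment.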

@farazkh-srti

@cwayne18 can the sha also be compromised for these upstream binaries? Is that the reason behind pinning in-file?

Signed-off-by: Manuel Buil <mbuil@suse.com>
@manuelbuil manuelbuil force-pushed the improvesecurityinitsh branch from fff439a to 921ed20 on April 1, 2026 10:41
@manuelbuil manuelbuil merged commit 5e57872 into k3s-io:main Apr 1, 2026
57 checks passed
@manuelbuil manuelbuil deleted the improvesecurityinitsh branch April 1, 2026 17:08
5 participants