Skip to content

Security: migrating to oss/v2 for the pause image, aligning version to 3.6 for linux and 3.10.1 for windows #7083

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 30, 2025
Merged

Security: migrating to oss/v2 for the pause image, aligning version to 3.6 for linux and 3.10.1 for windows #7083

merged 2 commits into from
Oct 30, 2025

Conversation

@djsly
Copy link
Collaborator

@djsly djsly commented Sep 25, 2025

What this PR does / why we need it:
Migrating pause image to come from oss/v2 (Dalec build) which are version of the image built using msft-go for better fips compliance.

Requirements:

  • uses conventional commit messages
  • includes documentation
  • adds unit tests
  • tested upgrade from previous version
  • commits are GPG signed and Github marks them as verified

Special notes for your reviewer:

Release note:

none

@github-actions github-actions bot added the components This pull request updates cached components on Linux or Windows VHDs label Sep 25, 2025
@djsly djsly requested a review from Copilot September 29, 2025 23:41
Copilot AI reviewed Sep 29, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR migrates the pause image from the oss/kubernetes/pause registry to oss/v2/kubernetes/pause for better FIPS compliance using msft-go builds. The change updates the pause image version to 3.6 for Linux and 3.10.1 for Windows across all relevant configuration files.

Key changes:

  • Updated image registry path from oss/kubernetes/pause to oss/v2/kubernetes/pause
  • Aligned Linux pause image version to 3.6
  • Updated Windows pause image version to 3.10.1

Reviewed Changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated no comments.

Show a summary per file
File Description
vhdbuilder/packer/windows/components_json_helpers.tests.ps1 Updated test data to reflect new oss/v2 registry path
vhdbuilder/packer/windows/components-test.json Updated test configuration with new registry path
staging/cse/windows/kubernetesfunc.ps1 Updated comment example to show new registry path and version
staging/cse/windows/containerdfunc.tests.suites/config.toml Updated containerd config test with new Windows pause image version 3.10.1
staging/cse/windows/containerdfunc.tests.ps1 Updated test variables with new registry path
pkg/agent/datamodel/types.go Updated documentation comment example
pkg/agent/datamodel/mocks.go Updated mock Windows pause image URL
pkg/agent/baker_test.go Updated test data with new pause image configurations
parts/common/components.json Updated component definitions with new registry paths and versions
e2e/node_config.go Updated end-to-end test configurations
.github/renovate.json Updated renovate configuration to track new registry path

@fseldow
Copy link
Contributor

fseldow commented Oct 9, 2025
edited
Loading

Test_Ubuntu2204Gen2_ContainerdAirgappedNonAnonymousK8sNotCached need to add one mutate to pass the case
This test case is using one old vhd, so v2 will not be cached

nbc.KubeletConfig["--pod-infra-container-image"] = "mcr.microsoft.com/oss/kubernetes/pause:3.6"

AgentBaker/e2e/scenario_test.go

Line 843 in b43d573

nbc.KubeletConfig["--image-credential-provider-config"] = "/var/lib/kubelet/credential-provider-config.yaml"

cameronmeissner
cameronmeissner reviewed Oct 9, 2025
View reviewed changes
Devinwong
Devinwong reviewed Oct 9, 2025
View reviewed changes
Devinwong
Devinwong reviewed Oct 9, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Oct 29, 2025

Changes cached containers or packages on windows VHDs

Please get a Windows SIG member to approve.

The following dif file shows any additions or deletions from what will be cached on windows VHDs organised by VHD type.

  • Additions are new things cached.
  • Deletions are things no longer cached.
diff --git a/vhd_files/2019-containerd.txt b/vhd_files/2019-containerd.txt
index d5e85af..5751c26 100644
--- a/vhd_files/2019-containerd.txt
+++ b/vhd_files/2019-containerd.txt
@@ -78,0 +79 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1
diff --git a/vhd_files/2022-containerd-gen2.txt b/vhd_files/2022-containerd-gen2.txt
index 7b04075..358d2f3 100644
--- a/vhd_files/2022-containerd-gen2.txt
+++ b/vhd_files/2022-containerd-gen2.txt
@@ -125,0 +126 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1
diff --git a/vhd_files/2022-containerd.txt b/vhd_files/2022-containerd.txt
index e57d735..a2df2fc 100644
--- a/vhd_files/2022-containerd.txt
+++ b/vhd_files/2022-containerd.txt
@@ -125,0 +126 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1
diff --git a/vhd_files/2025-gen2.txt b/vhd_files/2025-gen2.txt
index dc9be44..2a48caf 100644
--- a/vhd_files/2025-gen2.txt
+++ b/vhd_files/2025-gen2.txt
@@ -58,0 +59 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1
diff --git a/vhd_files/2025.txt b/vhd_files/2025.txt
index 1de8a18..1b48d8b 100644
--- a/vhd_files/2025.txt
+++ b/vhd_files/2025.txt
@@ -58,0 +59 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1
diff --git a/vhd_files/23H2-gen2.txt b/vhd_files/23H2-gen2.txt
index 911d246..eb728f8 100644
--- a/vhd_files/23H2-gen2.txt
+++ b/vhd_files/23H2-gen2.txt
@@ -74,0 +75 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1
diff --git a/vhd_files/23H2.txt b/vhd_files/23H2.txt
index c3c6952..43b8724 100644
--- a/vhd_files/23H2.txt
+++ b/vhd_files/23H2.txt
@@ -74,0 +75 @@ mcr.microsoft.com/oss/v2/kubernetes-csi/secrets-store/driver:v1.5.4
+mcr.microsoft.com/oss/v2/kubernetes/pause:3.10.1

@djsly djsly merged commit fec2cbf into master Oct 30, 2025
40 of 42 checks passed
@djsly djsly deleted the djsly/34975870 branch October 30, 2025 12:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@awesomenix awesomenix awesomenix approved these changes

@Devinwong Devinwong Devinwong approved these changes

@cameronmeissner cameronmeissner cameronmeissner approved these changes

@juan-lee juan-lee Awaiting requested review from juan-lee juan-lee is a code owner

@UtheMan UtheMan Awaiting requested review from UtheMan

@ganeshkumarashok ganeshkumarashok Awaiting requested review from ganeshkumarashok ganeshkumarashok is a code owner

@anujmaheshwari1 anujmaheshwari1 Awaiting requested review from anujmaheshwari1

@lilypan26 lilypan26 Awaiting requested review from lilypan26 lilypan26 is a code owner

@AbelHu AbelHu Awaiting requested review from AbelHu AbelHu is a code owner

@junjiezhang1997 junjiezhang1997 Awaiting requested review from junjiezhang1997 junjiezhang1997 is a code owner

@phealy phealy Awaiting requested review from phealy phealy is a code owner

@r2k1 r2k1 Awaiting requested review from r2k1 r2k1 is a code owner

@timmy-wright timmy-wright Awaiting requested review from timmy-wright timmy-wright is a code owner

@zachary-bailey zachary-bailey Awaiting requested review from zachary-bailey zachary-bailey is a code owner

@bravebeaver bravebeaver Awaiting requested review from bravebeaver bravebeaver is a code owner

Assignees

No one assigned

Labels

components This pull request updates cached components on Linux or Windows VHDs

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@djsly @fseldow @awesomenix @Devinwong @cameronmeissner