IK.AM

@making's tech note

Memo on Updating Specific Buildpacks in Tanzu Application Platform

🗃 {Dev/CaaS/Kubernetes/TAP}
🏷 Kubernetes 🏷 Tanzu Build Service 🏷 Tanzu 🏷 TAP 🏷 kpack 
🗓 Updated at 2023-12-02T17:02:31Z  🗓 Created at 2023-12-02T16:26:09Z   🇯🇵 Original entry

⚠️ The content of this article is not supported by VMware. Any issues arising from the content of this article are your responsibility and please do not contact VMware Support.

From Tanzu Application Platform 1.6, the ClusterBuildpack CR has been added. Before that, ClusterBuilder was composed of ClusterStore (OS base image) and ClusterStack (Buildpack set). From 1.6, ClusterBuilder is composed of ClusterStore (OS base image) and multiple ClusterBuildpacks. This makes it easier to update individual Buildpacks.

The update method is described here.

Let's give an example. In TAP 1.7.0, the tanzu nodejs buildpack 2.3.1 is installed as a Node.js Buildpack. However, this Buildpack includes Node.js with CVE-2023-39332 (Critical).

In fact, when you build a Node.js Workload in TAP 1.7.0 with the source-test-scan-to-url Supply Chain, vulnerabilities are detected as follows.

image

With TAP 1.7.0, you have no choice but to ignore CVE-2023-39332 or stop the Supply Chain until a new version of TAP containing a fixed buildpack is released. However, with the introduction of ClusterBuildpack, you can update the ClusterBuilder without waiting for the release of TAP, as long as a new buildpack is released.

In fact, CVE-2023-39332 was fixed in tanzu nodejs buildpack 2.3.2.

image

Without waiting for the release of TAP, let's apply this tanzu nodejs buildpack 2.3.2.

ℹ️ As of the time of writing this article, tanzu nodejs buildpack 2.3.2 is included in the latest version of TAP, 1.7.1.

First, relocate the Docker image of the buildpack with the imgpkg command. The original image name can be confirmed from Tanzu Net. If you are using lite dependencies, use the one with -lite at the end, and if you are using full dependencies, use the one without -lite.

image

Here, we will relocate under ghcr.io/making.

imgpkg copy -i registry.tanzu.vmware.com/tanzu-nodejs-buildpack/nodejs:2.3.2 --to-repo ghcr.io/making/tanzu-nodejs-buildpack/nodejs

Specify the relocated image in .spec.image of ClusterBuildpack. The Service Account specified in .spec.serviceAccountRef must have imagePullSecrets set to pull the relocated image. If you don't know, you can check the Service Account used by the existing ClusterBuildpack with kubectl get clusterbuildpack -ojsonpath='{.items[0].spec.serviceAccountRef}'.

The following is an example of updating the tanzu nodejs buildpack to 2.3.2 when using full dependencies. It is better to use a name format that does not overlap with those bundled with TAP. Here, we use out-of-band- as a prefix, as in the documentation.

kubectl apply -f - << 'EOF'
---
apiVersion: kpack.io/v1alpha2
kind: ClusterBuildpack
metadata:
  name: out-of-band-nodejs-2.3.2
spec:
  image: ghcr.io/making/tanzu-nodejs-buildpack/nodejs:2.3.2
  serviceAccountRef:
    name: dependencies-pull-serviceaccount
    namespace: tbs-full-deps
---
EOF

If there are multiple buildpacks with the same ID, ClusterBuilder will choose the newer one. As a result, the ClusterBuilder is updated using 2.3.2 instead of the tanzu nodejs buildpack 2.3.1 included in TAP 1.7.0.

When the ClusterBuilder is updated, the images of the Workloads using it are automatically rebuilt. This allows you to pass the vulnerability check of the Supply Chain.

image

With this method, we were able to update the Buildpack without updating TAP, but please note that there may be errors depending on the version of TAP due to dependencies on the Buildpack API version and SBoM version.

✒️️ Edit  ⏰ History  🗑 Delete