Jaydeep Karia created FLINK-38383:
-------------------------------------

             Summary: Automatically republish Flink Kubernetes Operator image when base image receives security patches
                 Key: FLINK-38383
                 URL: https://issues.apache.org/jira/browse/FLINK-38383
             Project: Flink
          Issue Type: Improvement
          Components: Kubernetes Operator
    Affects Versions: 1.12.1
            Reporter: Jaydeep Karia


Currently, the published {{apache/flink-kubernetes-operator}} images are built on top of [eclipse-temurin-11-jre-jammy|https://github.com/apache/flink-kubernetes-operator/blob/release-1.12.1/Dockerfile#L38C6-L38C47].

For example, the {{1.12.1}} operator image (released July 2025) was built against Temurin 11.0.27 (packaged April 15, 2025):
{code}
$ java --version
openjdk 11.0.27 2025-04-15
OpenJDK Runtime Environment Temurin-11.0.27+6 (build 11.0.27+6)
OpenJDK 64-Bit Server VM Temurin-11.0.27+6 (build 11.0.27+6, mixed mode, sharing)
{code}
Since then, the Temurin project has published *11.0.28*, which addresses multiple high-severity CVEs (e.g., CVE-2025-30749, CVE-2025-50106). Whether a given CVE is reachable in the Operator context (server-side, trusted code) has to be judged per CVE, but the compliance requirement does not depend on that judgement: many downstream users are required to consume images without known CVEs for compliance and audit reasons.
----
h3. Motivation
 * Security scanners flag the current Operator image due to the outdated JRE 
version.

 * Teams deploying Flink in production often must rebuild the Operator image 
themselves just to update the Java base layer.

 * Automating republishing when the base image is updated reduces friction, 
improves supply chain hygiene, and helps downstream users meet security 
requirements without custom builds.

----
h3. Proposed Improvement

Introduce a process to *rebuild and republish the Operator image automatically* whenever the base image ({{eclipse-temurin-11-jre-jammy}}) is updated with a patched JDK/JRE version. Only the base layer changes; the Operator artifact itself stays the same. If the base image is referenced by a floating tag, the rebuild must pull afresh ({{docker build --pull --no-cache}}) so that the new Temurin release is actually picked up; if it is pinned by digest, the digest has to be bumped as part of the same change. Possible approaches:
 * Add a scheduled GitHub Action / CI job that periodically checks for updated Temurin tags, compares them with the JRE in the currently published image, and rebuilds the Operator image when the published one is behind.

 * Or, at a minimum, document and commit to publishing patched "-rX" images (e.g., {{1.12.1-r1}}) shortly after Temurin ships a release for an upstream Critical Patch Update (CPU).
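The freshness check such a scheduled job would run before deciding to rebuild, as an added example that is not code from the Flink project: it extracts the Temurin build from a {{java --version}} banner (the constructed sample below is the 1.12.1 banner quoted above) and compares it field by field with the newest upstream release. The upstream version {{11.0.28}} and the banner are hard-coded as assumptions so the script runs offline; a real job would read the version from the eclipse-temurin tag list and capture the banner with {{docker run --rm apache/flink-kubernetes-operator:1.12.1 java --version}}.

```shell
#!/bin/sh
# Added example, not part of apache/flink-kubernetes-operator: the freshness
# check a scheduled CI job would run before deciding to rebuild the image.

# Constructed sample input: the `java --version` banner of the 1.12.1 image,
# as quoted in the issue. A real job would capture it with
#   docker run --rm apache/flink-kubernetes-operator:1.12.1 java --version 2>&1
SAMPLE_BANNER='openjdk 11.0.27 2025-04-15
OpenJDK Runtime Environment Temurin-11.0.27+6 (build 11.0.27+6)
OpenJDK 64-Bit Server VM Temurin-11.0.27+6 (build 11.0.27+6, mixed mode, sharing)'

# Assumption: the newest upstream Temurin 11 release. A real job would read
# this from the eclipse-temurin tag list instead of hard-coding it.
LATEST_TEMURIN='11.0.28'

# Print the Temurin version string (e.g. 11.0.27+6) found in a banner, or
# nothing if the banner does not come from a Temurin build.
temurin_version() {
    printf '%s\n' "$1" | sed -n 's/.*Temurin-\([0-9][0-9.+]*\).*/\1/p' | head -n 1
}

# Compare two versions of the form major.minor.patch[+build] numerically,
# field by field; missing fields count as 0. Prints older, same or newer
# for the first argument relative to the second.
compare_versions() {
    left=$(printf '%s' "$1" | tr '.+' '  ')
    right=$(printf '%s' "$2" | tr '.+' '  ')
    set -- $left 0 0 0 0
    l1=$1; l2=$2; l3=$3; l4=$4
    set -- $right 0 0 0 0
    r1=$1; r2=$2; r3=$3; r4=$4
    for pair in "$l1 $r1" "$l2 $r2" "$l3 $r3" "$l4 $r4"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then echo older; return 0; fi
        if [ "$1" -gt "$2" ]; then echo newer; return 0; fi
    done
    echo same
}

# Exit 0 when the image's JRE is older than the upstream release (rebuild
# needed), 1 when it is current, and 2 when no Temurin version could be
# parsed: an unparseable banner must fail loudly rather than pass as current.
needs_rebuild() {
    current=$(temurin_version "$1")
    if [ -z "$current" ]; then
        echo "could not find a Temurin version in the banner" >&2
        return 2
    fi
    [ "$(compare_versions "$current" "$2")" = older ]
}

current=$(temurin_version "$SAMPLE_BANNER")
echo "image JRE: $current  upstream: $LATEST_TEMURIN  ($(compare_versions "$current" "$LATEST_TEMURIN"))"
if needs_rebuild "$SAMPLE_BANNER" "$LATEST_TEMURIN"; then
    echo "rebuild and republish required"
fi
```

In a scheduled workflow the script's exit status is the decision: 0 triggers the rebuild and republish job, 1 skips it, and 2 fails the run so a broken banner (a base image that is no longer Temurin, or a changed banner format) is noticed instead of being silently treated as up to date.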

----
h3. References
 * Eclipse Temurin 11.0.28 release notes

 * [Oracle Critical Patch Update – July 2025|https://www.oracle.com/security-alerts/cpujul2025.html]

 * CVEs addressed: [CVE-2025-30749|https://nvd.nist.gov/vuln/detail/CVE-2025-30749], [CVE-2025-50106|https://nvd.nist.gov/vuln/detail/CVE-2025-50106]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
