Hey team,
In our setup, we use k8s versions 1.28 to 1.32. Our internal security scan reports vulnerabilities in the Cluster Autoscaler image's dependencies. Here are the CVEs reported.
| CA Release | CVEs | Remediation Suggested |
|---|---|---|
| 1.28.7, 1.29.5, 1.30.4, 1.31.2 | CVE-2024-35255 | Upgrade github.com/Azure/azure-sdk-for-go/sdk/azidentity to >= 1.6.0 |
| 1.28.7 | CVE-2024-6104 | Upgrade github.com/hashicorp/go-retryablehttp to >= 0.7.7 |
| 1.28.7, 1.29.5 | CVE-2024-9042 | Upgrade k8s.io/kubernetes to >= 1.29.13, 1.30.9, 1.31.5, 1.32.1 |
| 1.28.7, 1.29.5 | CVE-2025-0426 | Upgrade k8s.io/kubernetes to >= 1.29.14, 1.30.10, 1.31.6, 1.32.2 |
| 1.28.7, 1.29.5, 1.30.4, 1.31.2 | CVE-2025-22868 | Upgrade golang.org/x/oauth2/jws to >= 0.27.0 |
| 1.28.7, 1.30.4, 1.31.2, 1.32.1 | CVE-2025-30204 | Upgrade github.com/golang-jwt/jwt/v4 to >= 4.5.2 |
| 1.29.5, 1.30.4, 1.31.2, 1.32.1 | CVE-2025-22872 | Upgrade golang.org/x/net/html to >= 0.38.0 |
| 1.31.2 | CVE-2024-45310 | Upgrade github.com/opencontainers/runc to >= 1.1.14, 1.2.0-rc.3 |
| 1.32.1 | CVE-2025-4563 | Upgrade k8s.io/kubernetes to >= 1.32.6, 1.33.2 |
I have a few questions regarding this:
- What criteria does the team follow to decide which CVE is going to be resolved?
- Can the above CVEs be fixed in upcoming patch releases?
- How many versions does CA support at one point in time? Is it in line with k8s, i.e. n-2?
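A way to check a running Cluster Autoscaler image against the remediation table above, as an added example that is not code from the issue or from the autoscaler project: feed it the module list of the binary (for a Go binary, `go version -m <binary>` prints it) and it reports which listed dependencies are still below their fixed version. It assumes the module path for the oauth2/jws package is golang.org/x/oauth2, and the sample input is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Fixed versions from the issue's remediation column, keyed by module path (oauth2/jws is assumed to live in module golang.org/x/oauth2).
var minFixed = map[string]string{
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity": "v1.6.0",
	"github.com/hashicorp/go-retryablehttp":            "v0.7.7",
	"golang.org/x/oauth2":                              "v0.27.0",
}

// parseVersion splits "vMAJOR.MINOR.PATCH[-pre]" into numeric parts and a pre-release tag.
func parseVersion(v string) (n [3]int, tag string) {
	core, tag, _ := strings.Cut(strings.TrimPrefix(v, "v"), "-")
	for i, p := range strings.SplitN(core, ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, tag
}

// Less reports whether a is older than b; a pre-release such as 1.2.0-rc.3 sorts below its release.
func Less(a, b string) bool {
	na, pa := parseVersion(a)
	nb, pb := parseVersion(b)
	for i := range na {
		if na[i] != nb[i] {
			return na[i] < nb[i]
		}
	}
	return pa != "" && (pb == "" || pa < pb)
}

// Unfixed maps each dependency (module path -> version) still below its fix to the version it needs.
func Unfixed(deps map[string]string) map[string]string {
	out := map[string]string{}
	for mod, have := range deps {
		if want, ok := minFixed[mod]; ok && Less(have, want) {
			out[mod] = want
		}
	}
	return out
}

func main() { // constructed sample input, not the real dependency set of any CA release
	fmt.Println(Unfixed(map[string]string{"golang.org/x/oauth2": "v0.26.0", "github.com/hashicorp/go-retryablehttp": "v0.7.7"}))
}
```

Modules not in the table are ignored, so a version that satisfies the table here can still be flagged by a scanner for a CVE the table does not list.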