@Ken501 Ken501 commented Oct 29, 2025

This PR bumps the Go toolchain and updates dependencies to address CVEs.

  • Update go version
  • Update packages
  • Update Dockerfile

Tested by building Go binary, docker image and running on kind cluster.

Note

Go build succeeds locally.

Test results:


steps:

Build docker image

docker build -t nodetaint:local .

Create Kind cluster from custom config

config:

kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      taints:
      - key: "node.kubernetes.io/not-ready"
        value: ""
        effect: "NoSchedule"
      - key: "test/not-ready"
        value: ""
        effect: "NoSchedule"
- role: worker
  kubeadmConfigPatches:
  - |
    kind: JoinConfiguration
    nodeRegistration:
      taints:
      - key: "node.kubernetes.io/not-ready"
        value: ""
        effect: "NoSchedule"

kind create cluster --name nodetaint-test --config kind-config.yaml

Load docker image to local kind cluster

kind load docker-image nodetaint:local --name nodetaint-test

Deploy local version of nodetaint with custom manifest

apiVersion: v1
kind: ServiceAccount
metadata:
  name: nodetaint
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: nodetaint
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch", "patch", "update"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nodetaint
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nodetaint
subjects:
- kind: ServiceAccount
  name: nodetaint
  namespace: kube-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nodetaint
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nodetaint
  template:
    metadata:
      labels:
        app: nodetaint
    spec:
      tolerations:
      - key: "node-role.kubernetes.io/control-plane"
        operator: "Exists"
        effect: "NoSchedule"
      serviceAccountName: nodetaint
      containers:
      - name: nodetaint
        image: nodetaint:local
        imagePullPolicy: Never
        args:
          - --log-level=debug
          - --node-taint=test/not-ready
          - --bind-addr=:8080
          - --daemonset-annotation=nodetaint.wish.com/watch
        ports:
        - containerPort: 8080

kubectl apply -f deploy.yaml

Pods status/logs

NAME                         READY   STATUS    RESTARTS   AGE
nodetaint-648776c467-5mg7h   1/1     Running   0          46s
time="2025-10-29T22:21:10Z" level=info msg="Waiting for initial cache sync"
time="2025-10-29T22:21:10Z" level=info msg="cache synced"
time="2025-10-29T22:21:10Z" level=info msg="Number of required daemonsets is 0"

Trivy results:

❯ trivy image nodetaint:local
2025-10-29T18:12:48-04:00       INFO    [vuln] Vulnerability scanning is enabled
2025-10-29T18:12:48-04:00       INFO    [secret] Secret scanning is enabled
2025-10-29T18:12:48-04:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-10-29T18:12:48-04:00       INFO    [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-10-29T18:12:50-04:00       INFO    Detected OS     family="alpine" version="3.22.2"
2025-10-29T18:12:50-04:00       INFO    [alpine] Detecting vulnerabilities...   os_version="3.22" repository="3.22" pkg_num=17
2025-10-29T18:12:50-04:00       INFO    Number of language-specific files       num=1
2025-10-29T18:12:50-04:00       INFO    [gobinary] Detecting vulnerabilities...

Report Summary

┌─────────────────────────────────┬──────────┬─────────────────┬─────────┐
│             Target              │   Type   │ Vulnerabilities │ Secrets │
├─────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ nodetaint:local (alpine 3.22.2) │  alpine  │        0        │    -    │
├─────────────────────────────────┼──────────┼─────────────────┼─────────┤
│ root/nodetaint                  │ gobinary │        0        │    -    │
└─────────────────────────────────┴──────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)
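As an added example, not code from this PR or from the nodetaint project, here is a small Python gate that turns the Trivy check above into a pass/fail CI step: it reads the JSON form of the same scan (`trivy image --format json nodetaint:local`) and fails when any finding at or above a chosen severity, or any secret, is present. The `Results`, `Target`, `Type`, `Vulnerabilities`, `Secrets`, `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity` keys are Trivy's JSON report field names as I know them; the two sample reports, the CVE id and the module path inside them are constructed placeholders, not real scan output.

```python
"""Fail a CI job on Trivy findings above a severity threshold.

Added example (not nodetaint project code). It consumes the JSON form of the
scan the PR runs as a table, i.e. `trivy image --format json nodetaint:local`,
using the top-level "Results" list and the per-result "Target", "Type",
"Vulnerabilities" and "Secrets" keys Trivy emits. The sample reports below are
constructed and their CVE id / module path are placeholders.
"""
import json
import sys
from typing import Dict, List, Tuple

# Trivy severity labels, ranked so a threshold can be compared numerically.
SEVERITY_RANK: Dict[str, int] = {
    "UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4,
}


def load_report(report_text: str) -> dict:
    """Parse the JSON document Trivy writes with --format json."""
    return json.loads(report_text)


def findings_at_or_above(report: dict, min_severity: str = "HIGH") -> List[dict]:
    """Collect vulnerabilities whose severity meets the threshold.

    Trivy omits "Vulnerabilities" (or sets it to null) for a clean target, so
    every lookup tolerates a missing or null list.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    hits: List[dict] = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if SEVERITY_RANK.get(severity, 0) < threshold:
                continue
            hits.append({
                "target": result.get("Target", ""),
                "type": result.get("Type", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion") or "",  # empty when no fix exists yet
                "severity": severity,
            })
    return hits


def secret_count(report: dict) -> int:
    """Number of secret findings across all targets (the 'Secrets' column of the table)."""
    return sum(len(r.get("Secrets") or []) for r in report.get("Results") or [])


def summary(report: dict) -> List[Tuple[str, str, int, int]]:
    """(target, type, vulnerability count, secret count) per result, like Trivy's summary table."""
    return [
        (r.get("Target", ""), r.get("Type", ""),
         len(r.get("Vulnerabilities") or []), len(r.get("Secrets") or []))
        for r in report.get("Results") or []
    ]


def gate(report_text: str, min_severity: str = "HIGH") -> Tuple[bool, List[str]]:
    """Return (passed, messages); passes only with no secrets and nothing at/above min_severity."""
    report = load_report(report_text)
    messages: List[str] = []
    for target, typ, nvuln, nsec in summary(report):
        messages.append(f"{target} ({typ}): {nvuln} vulnerabilities, {nsec} secrets")
    hits = findings_at_or_above(report, min_severity)
    for h in hits:
        fix = f"fixed in {h['fixed']}" if h["fixed"] else "no fix available"
        messages.append(f"  {h['severity']} {h['id']} {h['pkg']} {h['installed']} ({fix})")
    passed = not hits and secret_count(report) == 0
    messages.append("PASS" if passed else "FAIL")
    return passed, messages


# Constructed sample: the clean state the PR reports (alpine 3.22.2 base and the Go binary).
CLEAN_REPORT = json.dumps({
    "Results": [
        {"Target": "nodetaint:local (alpine 3.22.2)", "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "root/nodetaint", "Class": "lang-pkgs", "Type": "gobinary"},
    ]
})

# Constructed sample of a pre-bump state: one HIGH finding in a placeholder Go module.
DIRTY_REPORT = json.dumps({
    "Results": [
        {"Target": "nodetaint:local (alpine 3.22.2)", "Class": "os-pkgs", "Type": "alpine"},
        {"Target": "root/nodetaint", "Class": "lang-pkgs", "Type": "gobinary",
         "Vulnerabilities": [{
             "VulnerabilityID": "CVE-PLACEHOLDER-0001",    # placeholder, not a real CVE id
             "PkgName": "example.com/placeholder-module",  # placeholder module path
             "InstalledVersion": "v1.0.0", "FixedVersion": "v1.0.1", "Severity": "HIGH",
         }]},
    ]
})


if __name__ == "__main__":
    # Usage: trivy image --format json nodetaint:local | python trivy_gate.py [MIN_SEVERITY]
    text = sys.stdin.read() if not sys.stdin.isatty() else CLEAN_REPORT
    ok, lines = gate(text, sys.argv[1] if len(sys.argv) > 1 else "HIGH")
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```

Run with the scan piped in; a non-zero exit on FAIL stops the CI job, and `CLEAN_REPORT` mirrors the two zero-finding rows the PR's table shows. Bumping the threshold (for example `CRITICAL`) relaxes the gate for fix-less findings while still recording them in the messages, which is the usual compromise when a base image carries an unfixed low-severity advisory.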

@Ken501 Ken501 marked this pull request as ready for review October 29, 2025 22:30
