Remove ksonnet (solves #5256) #5271

Closed
Contributor

@jkleinlercher jkleinlercher commented Jan 18, 2021

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.

@CLAassistant

CLAassistant commented Jan 18, 2021

CLA assistant check
All committers have signed the CLA.

@sbose78
Contributor

sbose78 commented Jan 19, 2021

Hi @jkleinlercher, thank you for kicking off this conversation. Do you mind adding a section on the rationale in the PR description?

@sbose78
Contributor

sbose78 commented Jan 19, 2021

associated with #5256

@jkleinlercher
Contributor Author

> Hi @jkleinlercher, thank you for kicking off this conversation. Do you mind adding a section on the rationale in the PR description?

I tried to argue this in the referenced issue:

ksonnet is not actively maintained anymore and security vulnerability scans find CVEs in ksonnet binaries, since it is built with an old golang version. Also argocd doesn't support ksonnet anymore: https://argoproj.github.io/argo-cd/user-guide/ksonnet/
I think it is time to remove ksonnet.

@sbose78
Contributor

sbose78 commented Jan 19, 2021

Thank you, would you be willing to remove code references too?

We'll need to mark this with the appropriate milestone since this is a breaking change.

@jkleinlercher
Contributor Author

Of course, I will try my best. When I am not sure, I would be happy if you or one of the other maintainers can help :)

@jessesuen
Member

@jkleinlercher we actually still use ksonnet internally and so we would still need first-class support for this. We're still trying to move people off the tool but in the meantime, I think you can remove the ksonnet binary to address the vulnerability.

@jkleinlercher
Contributor Author

@jessesuen thanks for this information! That is of course something we need to consider - sorry that I didn't ask earlier! ;)
Should I close this PR or is it okay to leave it open? Maybe the project needs to deprecate ksonnet support first and have a roadmap where ksonnet is not shipped anymore (version 1.10? I don't know ...).
Anyway - I think at the moment I am fine with building a custom image without ksonnet if I really need to.

@TrueBrain
Contributor

You can no longer build ksonnet manually out of the box, as one of the dependencies, `validate`, points to a GitHub repository that no longer exists.

https://github.com/ksonnet/ksonnet/blob/master/Gopkg.toml#L135
github.com/heptio/validate

This is a problem for ARM / ARM64 builds, as there is not a ksonnet binary available for them.

Just as a heads-up. There might be ways around this issue of course, I haven't really investigated that part.

@DWSR

DWSR commented Apr 26, 2021

Posting on this issue for visibility:

Those of us running ARM-only or mixed-arch clusters (think Raspberry Pis or AWS Graviton instances) would really love ARM builds and this is holding it up. Is there any way to push this forward or at least make ARM builds work?

@pasha-codefresh pasha-codefresh added the lifecycle/rotten Issue/PR had no activity for a long time and should be closed soon label Feb 18, 2022
@alexmt alexmt closed this Mar 7, 2022