…ication & also update kube-scheduler and model-proxy
…duler and watchdog
…in in dockerfile for k8s host device plugin
Pull request overview
This pull request implements a comprehensive security update across all container images in the repository, including Ubuntu updates, Go version updates, Node.js package updates (lodash, qs, diff), and Python package updates. The changes involve updating base images, upgrading dependencies, and adding proper image pull policies to Kubernetes deployment configurations.
Changes:
- Updated Go versions across multiple Dockerfiles (targeting 1.24.x)
- Updated Node.js dependencies (lodash to 4.17.23, qs to 6.14.1, diff to 8.0.3)
- Replaced custom nginx builds with official nginx:1.29.4 base image
- Added imagePullPolicy: Always to Kubernetes deployments
- Replaced patch files with inline go mod edits for better maintainability
- Updated various tools (nerdctl, docker, frp) to newer versions
- Added proper apt cache cleanup in several Dockerfiles
Reviewed changes
Copilot reviewed 27 out of 31 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| src/webportal-dind/build/webportal-dind.common.dockerfile | Added multi-stage build for runc, updated Docker version, improved cleanup |
| src/webportal-dind/build/install.sh | Updated Docker version to 29.2.0, removed buildx/compose, improved cleanup |
| src/watchdog/build/watchdog.common.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/rest-server/yarn.lock, package.json | Updated lodash, qs, and diff dependencies |
| src/pylon/build/reverseproxy.common.dockerfile | Replaced binary download with building frp from source |
| src/pylon/build/pylon.common.dockerfile | Replaced custom nginx build with official nginx:1.29.4 image |
| src/postgresql/build/postgresql.k8s.dockerfile | Added multi-stage build for gosu binary |
| src/model-proxy/build/model-proxy.common.dockerfile | Updated Go version to 1.25.7 |
| src/job-exporter/build/job-exporter.common.dockerfile | Updated nerdctl to 2.2.1 |
| src/hivedscheduler/deploy/hivedscheduler.yaml.template | Added imagePullPolicy: Always |
| src/hivedscheduler/build/kube-scheduler.k8s.dockerfile | Updated kube-scheduler to v1.35.0 |
| src/hivedscheduler/build/hivedscheduler.k8s.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/frameworkcontroller/build/frameworkcontroller.common.dockerfile | Updated Go to 1.24.13-alpine3.22 and Alpine to 3.22 |
| src/frameworkcontroller/build/frameworkbarrier.common.dockerfile | Updated Go to 1.24.11-alpine3.21 (inconsistent with other files) |
| src/device-plugin/deploy/start.sh.template | Added imagePullPolicy modifications |
| src/device-plugin/deploy/device-plugin.yaml.template | Added imagePullPolicy: Always |
| src/device-plugin/build/k8s-rocm-device-plugin.k8s.dockerfile | Updated Go to 1.24.12-alpine, replaced patch with inline mod edits |
| src/device-plugin/build/k8s-rocm-device-plugin-patches/0001-*.patch | Removed patch file (replaced with inline edits) |
| src/device-plugin/build/k8s-rdma-shared-dev-plugin.k8s.dockerfile | Updated Go to 1.24.13-alpine, added inline mod edits |
| src/device-plugin/build/k8s-nvidia-device-plugin.k8s.dockerfile | Replaced base image with multi-stage build using golang:1.25.6 |
| src/device-plugin/build/k8s-host-device-plugin.k8s.dockerfile | Updated Go to 1.24.13, replaced patch with inline mod edits |
| src/device-plugin/build/k8s-host-device-plugin-patches/0001-*.patch | Removed patch file (replaced with inline edits) |
| src/database-controller/src/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/copilot-chat/build/copilot-chat.common.dockerfile | Added pip upgrade command |
| src/alert-manager/src/job-status-change-notification/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/alert-manager/src/alert-handler/yarn.lock, package.json | Updated lodash and qs dependencies |
| src/alert-manager/build/redis-monitoring.common.dockerfile | Added multi-stage build for gosu binary |
Comments suppressed due to low confidence (1)
src/frameworkcontroller/build/frameworkbarrier.common.dockerfile:36
- Inconsistent Alpine base image version. The builder stage uses alpine3.21 but other similar files use alpine3.22. The runtime stage (line 36) also uses alpine:3.21. Both should be updated to alpine:3.22 for consistency with the frameworkcontroller.common.dockerfile and to ensure the latest security updates.
FROM golang:1.24.11-alpine3.21 as builder
ENV GOPATH=/go
ENV PROJECT_DIR=/src
ENV INSTALL_DIR=/opt/frameworkcontroller/frameworkbarrier
RUN apk update && apk add --no-cache bash && \
mkdir -p ${PROJECT_DIR} ${INSTALL_DIR}
COPY src ${PROJECT_DIR}
RUN ${PROJECT_DIR}/build/frameworkbarrier/go-build.sh && \
mv ${PROJECT_DIR}/dist/frameworkbarrier/* ${INSTALL_DIR}
FROM alpine:3.21
| @@ -11,10 +11,17 @@ ARG GOARCH=${TARGETARCH} | |||
|
|
|||
| RUN git clone --branch 1.31.4-0.1.0 --single-branch https://github.com/everpeace/k8s-host-device-plugin.git /go/src/k8s-host-device-plugin | |||
|
|
|||
| COPY ./build/k8s-host-device-plugin-patches/0001-update-Golang-toolchain-to-1.24.patch /go/src/k8s-host-device-plugin/ | |||
| WORKDIR /go/src/k8s-host-device-plugin | |||
| RUN git apply ./0001-update-Golang-toolchain-to-1.24.patch | |||
| RUN go mod download | |||
|
|
|||
| RUN go mod edit -go=1.24 -toolchain=go1.24.12 | |||
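Review bot: with the patch file gone, the only thing pinning the upstream source is the mutable ref in `RUN git clone --branch 1.31.4-0.1.0 --single-branch https://github.com/everpeace/k8s-host-device-plugin.git /go/src/k8s-host-device-plugin`, and nothing after the clone verifies what was checked out. For a security update that is a weak supply-chain anchor: tags can be moved or re-pushed. Record the expected commit in the Dockerfile and fail the build if it does not match, for example a `git checkout <expected-commit-sha>` after the clone, or a `git rev-parse HEAD` compared against the recorded SHA (the SHA itself is not in this diff and has to come from the repository being cloned). The `-toolchain=go1.24.12` in `RUN go mod edit -go=1.24 -toolchain=go1.24.12` is only a minimum under GOTOOLCHAIN=auto, so the 1.24.13 image will still build it, but it should be aligned with the base image so the file does not misstate the intended toolchain.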
Inconsistent Go toolchain version. Line 4 uses golang:1.24.13 as the base image but line 16 sets the toolchain to go1.24.12. These should be consistent - either both should be 1.24.12 or both should be 1.24.13. Recommend using 1.24.13 for both to ensure consistency and latest security patches.
| -require=github.com/opencontainers/runc@v1.2.8 \ | ||
| -require=golang.org/x/net@v0.38.0 \ | ||
| -require=github.com/opencontainers/runtime-spec@v1.2.0 && \ | ||
| go mod tidy -go=1.24.12 |
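Review bot: the `-require=github.com/opencontainers/runc@v1.2.8`, `-require=golang.org/x/net@v0.38.0` and `-require=github.com/opencontainers/runtime-spec@v1.2.0` edits only add lower bounds; under minimal version selection `go mod tidy -go=1.24.12` is free to resolve a different version if another module in the graph requires a newer one, and this hunk records nothing about what was actually selected, whereas the deleted patch file at least left a reviewable go.mod diff in the repo. Add a `go list -m github.com/opencontainers/runc golang.org/x/net github.com/opencontainers/runtime-spec` (or `go mod verify`) after the tidy so the selected versions appear in the build log, and consider committing the resulting go.mod and go.sum in place of the removed patch so the dependency set can be audited without rebuilding the image.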
Inconsistent go mod tidy toolchain version. Line 4 uses golang:1.24.13-alpine as the base image, but line 27 runs go mod tidy -go=1.24.12. The toolchain version should match the base image version. Change line 27 to use -go=1.24.13 instead of -go=1.24.12.
| go mod tidy -go=1.24.12 | |
| go mod tidy -go=1.24.13 |
| -require=google.golang.org/grpc@v1.72.1 \ | ||
| -require=k8s.io/kubelet@v0.33.1 | ||
|
|
||
| RUN go mod tidy -go=1.24.12 |
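Review bot: `-require=k8s.io/kubelet@v0.33.1` moves a single Kubernetes staging module to the 0.33 line while the hunk does not touch any other k8s.io/* module the plugin depends on. The staging modules (k8s.io/api, k8s.io/apimachinery, k8s.io/client-go, k8s.io/kubelet, ...) are cut together per Kubernetes release, so a 0.33.x kubelet next to older siblings is a common source of build failures or subtle API mismatches that `go mod tidy -go=1.24.12` will not flag. After the tidy, check `go list -m all | grep k8s.io/` and bump the remaining k8s.io/* modules to the same 0.33.x minor, and confirm that `google.golang.org/grpc@v1.72.1` is the version actually selected rather than just the floor.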
Inconsistent go mod tidy toolchain version. Line 4 uses golang:1.24.13 as the base image, but line 24 runs go mod tidy -go=1.24.12. The toolchain version should match the base image version. Change line 24 to use -go=1.24.13 instead of -go=1.24.12.
| RUN go mod tidy -go=1.24.12 | |
| RUN go mod tidy -go=1.24.13 |
Security update for all the container images, including the Ubuntu update and other package updates for Node.js and Python