CoreDNS Patch Compliance

Ryan Graham
Jul 17, 2024


A quick fix

WARNING: Chainguard announced they were discontinuing the free tier for this image shortly after I wrote this. Consider using the Bitnami image instead.

Problem

Wiz has been repeatedly flagging CoreDNS for CVEs in my EKS clusters. The most common are issues in the underlying OS or language toolchain, both of which can be fixed by a simple rebuild.

Official builds and Amazon EKS builds of CoreDNS are both infrequent, on the scale of months or quarters, whereas most patching SLAs for critical vulnerabilities are much tighter.

Solution

Update your deployment to run a Chainguard image.

In the past I might have ripped out the EKS add-on for CoreDNS and managed my own Helm release. But updating the existing deployment seems like the fastest and lowest-risk way to bring a running cluster up to date.

kubectl set image deployment.apps/coredns -n kube-system coredns=chainguard/coredns:latest

Chainguard offers contracts for access to secure builds of many popular open source projects. But they also provide a latest tag of some projects for free on Docker Hub. Build cadence seems close to once a day, or at least a few times a week. Logs indicate they’re building the same git SHA as my old Amazon build; they’re just rebuilding with an updated base image and language toolchain.

Rollback

My experience with this method was smooth and zero-downtime. But should you run into issues with future versions, this is a quick way to revert.

kubectl set image deployment.apps/coredns -n kube-system coredns=602401143452.dkr.ecr.us-east-1.amazonaws.com/eks/coredns:v1.11.1-eksbuild.9

My example is for EKS 1.30 in us-east-1, so be sure to replace the region with your own and the Docker tag with the version that matches your EKS control plane.
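The swap and rollback steps above as one small shell wrapper (an added example, not code from the original post): it records the image currently configured on the deployment before swapping, so the revert does not depend on remembering the right EKS build tag for your region and control plane version. It assumes kubectl is already pointed at the cluster, that the CoreDNS deployment has a single container (as the EKS add-on does), and the file name coredns-previous-image.txt is my choice.

```shell
#!/usr/bin/env sh
# Swap the CoreDNS image in place and keep a one-command rollback.
# Assumes kubectl is configured for the target cluster (assumption).

NAMESPACE="${NAMESPACE:-kube-system}"
DEPLOY="${DEPLOY:-deployment.apps/coredns}"
CONTAINER="${CONTAINER:-coredns}"
# Where the previous image reference is stored for rollback (my choice of name).
ROLLBACK_FILE="${ROLLBACK_FILE:-coredns-previous-image.txt}"

# Print the image currently configured on the deployment.
# Assumes a single container, which is the case for the EKS CoreDNS add-on.
current_image() {
  kubectl get "$DEPLOY" -n "$NAMESPACE" \
    -o jsonpath='{.spec.template.spec.containers[0].image}'
}

# Record the current image, switch to $1, and wait for the rollout to finish.
swap_image() {
  new="$1"
  old="$(current_image)"
  [ -n "$old" ] || { echo "could not read current image" >&2; return 1; }
  printf '%s\n' "$old" > "$ROLLBACK_FILE"
  kubectl set image "$DEPLOY" -n "$NAMESPACE" "$CONTAINER=$new" || return 1
  kubectl rollout status "$DEPLOY" -n "$NAMESPACE" --timeout=120s
}

# Revert to the image recorded by swap_image.
rollback_image() {
  old="$(cat "$ROLLBACK_FILE")" || return 1
  [ -n "$old" ] || { echo "no recorded image in $ROLLBACK_FILE" >&2; return 1; }
  kubectl set image "$DEPLOY" -n "$NAMESPACE" "$CONTAINER=$old" || return 1
  kubectl rollout status "$DEPLOY" -n "$NAMESPACE" --timeout=120s
}

# Usage: sh coredns-swap.sh swap chainguard/coredns:latest
#        sh coredns-swap.sh rollback
case "$1" in
  swap) swap_image "$2" ;;
  rollback) rollback_image ;;
esac
```

If the rollout stalls, rollout status exits non-zero after the timeout, so a wrapping pipeline can run rollback_image straight away.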
