
Bump Go version for cluster-autoscaler to 1.21.5 or higher #6521

Closed
YamsThePotato opened this issue Feb 8, 2024 · 7 comments
Assignees
Labels
area/cluster-autoscaler kind/bug Categorizes issue or PR as related to a bug.

Comments

@YamsThePotato

Happy Thursday!
I'm having trouble following the Go version and strategy used for cluster-autoscaler. On cluster-autoscaler-1.29.0, Twistlock (Prisma Cloud) detects Go version 1.21.4 with a High severity CVE. This matches the Dockerfile.

High severity CVE-2023-45285 shows as vulnerable in this version. Safe version is 1.21.5 or higher. Latest Go is 1.21.7 released two days ago.

The README mentions that the Go version used in CA will attempt to match the Kubernetes version used. Using CA-1.29.0 as an example, which appears to use Go 1.21.4, Kubernetes-1.29.0 appears to use Go version 1.21.6. link.

Is it possible to bump Go to address this high CVE in CA please or have I misinterpreted the Go versions in use?
Thanks!

@YamsThePotato YamsThePotato added the kind/bug Categorizes issue or PR as related to a bug. label Feb 8, 2024
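The comparison the scanner makes in the report above (a Go toolchain version found in the image against the first version that carries the fix, 1.21.5) is easy to reproduce locally before opening an issue. The program below is an added example written for this page, not code from the autoscaler repository: the Dockerfile text and the `go version` line it scans are constructed samples, and the function names (`ParseVersion`, `FindVersions`, `UnfixedVersions`) and the `FixedVersion` constant are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is a parsed Go toolchain version (major.minor.patch).
type Version struct{ Major, Minor, Patch int }

// FixedVersion is the first Go release the issue names as safe for
// CVE-2023-45285 (1.21.5); anything below it is flagged.
var FixedVersion = Version{1, 21, 5}

// versionRe finds Go versions as they appear in a Dockerfile ("golang:1.21.4"),
// in go.mod ("go 1.21.4") and in `go version` output ("go1.21.4").
var versionRe = regexp.MustCompile(`\bgo(?:lang:)?\s*(\d+)\.(\d+)(?:\.(\d+))?\b`)

// ParseVersion parses "1.21.4" or "go1.21.4"; a missing patch level is 0.
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimPrefix(strings.TrimSpace(s), "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, fmt.Errorf("unrecognised Go version %q", s)
	}
	var nums [3]int
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return Version{}, fmt.Errorf("unrecognised Go version %q: %w", s, err)
		}
		nums[i] = n
	}
	return Version{nums[0], nums[1], nums[2]}, nil
}

func (v Version) String() string { return fmt.Sprintf("%d.%d.%d", v.Major, v.Minor, v.Patch) }

// Compare returns -1, 0 or 1 as v is below, equal to or above o.
func (v Version) Compare(o Version) int {
	for _, d := range []int{v.Major - o.Major, v.Minor - o.Minor, v.Patch - o.Patch} {
		if d < 0 {
			return -1
		}
		if d > 0 {
			return 1
		}
	}
	return 0
}

// atoi converts a regex digit group; the empty (absent patch) group becomes 0.
func atoi(s string) int {
	n, _ := strconv.Atoi(s)
	return n
}

// FindVersions returns every Go toolchain version mentioned in text, in order.
func FindVersions(text string) []Version {
	var out []Version
	for _, m := range versionRe.FindAllStringSubmatch(text, -1) {
		out = append(out, Version{Major: atoi(m[1]), Minor: atoi(m[2]), Patch: atoi(m[3])})
	}
	return out
}

// UnfixedVersions returns the versions in text that are older than fixed,
// i.e. the ones a scanner would report for this CVE.
func UnfixedVersions(text string, fixed Version) []Version {
	var bad []Version
	for _, v := range FindVersions(text) {
		if v.Compare(fixed) < 0 {
			bad = append(bad, v)
		}
	}
	return bad
}

// SampleDockerfile is a constructed stand-in for a builder-image Dockerfile,
// not the cluster-autoscaler project's own file.
const SampleDockerfile = `FROM golang:1.21.4 AS builder
WORKDIR /src
COPY . .
RUN go build -o /out/cluster-autoscaler .
FROM gcr.io/distroless/static
COPY --from=builder /out/cluster-autoscaler /cluster-autoscaler
`

// SampleGoVersionOutput is a constructed `go version` line from a patched toolchain.
const SampleGoVersionOutput = "go version go1.21.6 linux/amd64"

func main() {
	for _, v := range UnfixedVersions(SampleDockerfile, FixedVersion) {
		fmt.Printf("builder image uses Go %s, below fixed version %s\n", v, FixedVersion)
	}
	if len(UnfixedVersions(SampleGoVersionOutput, FixedVersion)) == 0 {
		fmt.Println("go version output is at or above", FixedVersion)
	}
}
```

Pointing `UnfixedVersions` at the real Dockerfile, go.mod, or the output of `go version` run against the shipped binary gives the same answer the scanner gave: 1.21.4 is one patch release short of the fix, which is why the report fires even though the minor version (1.21) is current.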
@Shubham82
Contributor

@YamsThePotato Thanks for reporting this. The Go version for the k8s release and its corresponding CA release should be the same.
I will open a PR for it in the master branch and then in cluster-autoscaler-release-1.29 branch.

@Shubham82
Contributor

/assign
/area cluster-autoscaler

@Shubham82
Contributor

Shubham82 commented Feb 9, 2024

I have raised PR #6522 to fix it.
It is for the master branch; once it is merged I will open a PR for the cluster-autoscaler-release-1.29 branch.

@Shubham82
Contributor

I have raised PR #6526 to fix it for CA 1.29.

@Shubham82
Contributor

Closing this issue, as the corresponding PRs are merged.

@Shubham82
Contributor

/close

@k8s-ci-robot
Contributor

@Shubham82: Closing this issue.

In response to this:

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
