
FIX: patch CVE-2025-68121 #2021

Merged
moshemorad merged 3 commits into master from ROB-3294-fix-vulnerabilities
Mar 11, 2026

Conversation

@moshemorad (Contributor)

No description provided.

@moshemorad moshemorad requested a review from arikalon1 March 2, 2026 15:16
@github-actions

github-actions bot commented Mar 2, 2026

Docker image ready for e8fc3e3 (built in 3m 4s)

⚠️ Warning: does not support ARM (ARM images are built on release only - not on every PR)

Use this tag to pull the image for testing.


⚠️ Temporary images are deleted after 30 days. Copy to a permanent registry before using them:

gcloud auth configure-docker us-central1-docker.pkg.dev
docker pull us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:e8fc3e3
docker tag us-central1-docker.pkg.dev/robusta-development/temporary-builds/robusta-runner:e8fc3e3 me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:e8fc3e3
docker push me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:e8fc3e3

Patch Helm values in one line:

helm upgrade --install robusta robusta/robusta \
  --reuse-values \
  --set runner.image=me-west1-docker.pkg.dev/robusta-development/development/robusta-runner-dev:e8fc3e3

@coderabbitai

coderabbitai bot commented Mar 2, 2026

Walkthrough

The Dockerfile is updated to use Kubernetes v1.35 release key and repository, replacing v1.33 references. Changes include updating the curl download URL for the Release.key and the deb source line for kubectl installation.

Changes

Cohort / File(s): Kubernetes Version Update (Dockerfile)
Summary: Updated Kubernetes apt source and key references from v1.33 to v1.35 in both the Release.key curl download and the deb source repository line.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Title check (⚠️ Warning)
  Explanation: The title claims to patch CVE-2025-68121, but the changeset only updates the Kubernetes apt source from v1.33 to v1.35 with no mention of addressing that specific CVE.
  Resolution: Update the title to accurately reflect the change, such as 'Update Kubernetes apt source to v1.35', or clarify if the CVE patch is elsewhere in the PR.

Description check (❓ Inconclusive)
  Explanation: No pull request description was provided by the author, making it impossible to assess relevance to the changeset.
  Resolution: Add a description explaining the purpose of updating to Kubernetes v1.35 and how it relates to CVE-2025-68121 or any other security concerns.

✅ Passed checks (1 passed)

Docstring Coverage (✅ Passed)
  Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Line 14: Centralize the Kubernetes channel/version by defining a single build ARG (e.g., K8S_CHANNEL or KUBECTL_VERSION) and replace the hardcoded "v1.35" in the RUN curl that fetches Release.key and any other references with that ARG; also pin the kubectl package by installing a specific version (use the same KUBECTL_VERSION ARG) instead of an unpinned apt install, updating the apt repository entry and the installation command (refer to the RUN that fetches Release.key and the RUN/apt-get step that installs kubectl) so builds are deterministic and the channel/version is maintained in one place.
- Around lines 94-96: Install kubectl with an explicit package version instead of unpinned apt-get install -y kubectl to ensure reproducible builds; change the apt install invocation that references kubectl in the Dockerfile to install a specific package version (for example, use a version string like 1.35.2-1.1) and update any related apt key/source logic accordingly. After building, verify the kubectl binary was built with a Go runtime patched for the TLS CVE by running kubectl version --client -o yaml and confirming the Go version is >=1.24.13 or >=1.25.7 (or consult the kubectl release notes), and record the pinned kubectl version in build metadata for audits.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between eae833b and 4a4c3f9.

📒 Files selected for processing (1)
  • Dockerfile
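The second inline comment above asks that, after the image is built, the kubectl binary be checked for a Go toolchain at or above 1.24.13 (1.24 line) or 1.25.7 (1.25 line). The script below is an added example, not code from this PR or from the Robusta project: it parses the `goVersion` field of `kubectl version --client -o yaml` output with a plain line scan and applies exactly those two thresholds. The two sample outputs are constructed (field names follow kubectl's real output, the values are made up), and treating Go minor lines newer than 1.25 as patched is an assumption of the example, not something the review states.

```python
import re
import sys

# Constructed sample output of `kubectl version --client -o yaml`.
# Field names follow kubectl's real output; the values are made up for this example.
SAMPLE_PATCHED = """\
clientVersion:
  buildDate: "2026-02-11T00:00:00Z"
  compiler: gc
  gitCommit: 0000000000000000000000000000000000000000
  gitTreeState: clean
  gitVersion: v1.35.2
  goVersion: go1.25.7
  major: "1"
  minor: "35"
  platform: linux/amd64
kustomizeVersion: v5.7.1
"""

# Same constructed output, but built with a Go release below the stated floor.
SAMPLE_UNPATCHED = SAMPLE_PATCHED.replace("go1.25.7", "go1.24.10")

# Minimum Go patch release per minor line, as stated in the review comment on this PR.
PATCHED_GO_MINIMUMS = {24: (1, 24, 13), 25: (1, 25, 7)}


def parse_go_version(text: str) -> tuple[int, int, int]:
    """Turn 'go1.25.7' (or 'go1.26', 'go1.26rc1') into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"go(\d+)\.(\d+)(?:\.(\d+))?(?:(?:rc|beta)\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Go version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def extract_go_version(yaml_text: str) -> str:
    """Pull the goVersion value out of the kubectl YAML with a line scan (no YAML library needed)."""
    for line in yaml_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "goVersion":
            return value.strip().strip('"')
    raise ValueError("goVersion field not found in kubectl output")


def is_patched_go(version: str) -> bool:
    """True when the Go toolchain meets the per-minor-line floor from the review comment."""
    major, minor, patch = parse_go_version(version)
    floor = PATCHED_GO_MINIMUMS.get(minor) if major == 1 else None
    if floor is None:
        # Assumption of this example: minor lines newer than the ones the review names
        # carry the fix; older lines (1.23 and below) are treated as unpatched.
        return (major, minor) > (1, 25)
    return (major, minor, patch) >= floor


def check_kubectl_output(yaml_text: str) -> tuple[bool, str]:
    """Return (ok, go_version) for one captured `kubectl version --client -o yaml` output."""
    go_version = extract_go_version(yaml_text)
    return is_patched_go(go_version), go_version


if __name__ == "__main__":
    # Usage in a build step:  kubectl version --client -o yaml | python3 check_kubectl_go.py
    # Without piped input, the constructed samples are checked instead.
    piped = sys.stdin.read() if not sys.stdin.isatty() else ""
    if piped:
        ok, gv = check_kubectl_output(piped)
        print(f"goVersion={gv} -> {'OK' if ok else 'UNPATCHED'}")
        sys.exit(0 if ok else 1)
    for name, sample in (("patched", SAMPLE_PATCHED), ("unpatched", SAMPLE_UNPATCHED)):
        ok, gv = check_kubectl_output(sample)
        print(f"{name} sample: goVersion={gv} -> {'OK' if ok else 'UNPATCHED'}")
```

Piping real kubectl output into the script makes it exit non-zero on an unpatched toolchain, so it can gate a CI job on the built image; the version string it reports is also the value the review suggests recording in build metadata.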

@moshemorad moshemorad merged commit fbdee55 into master Mar 11, 2026
5 checks passed
@moshemorad moshemorad deleted the ROB-3294-fix-vulnerabilities branch March 11, 2026 15:13