Per CVE-2021-25737, upgrade to at least 1.18.19 is recommended.
Moderate severity issue
A security issue was discovered in Kubernetes where a user may be able to redirect pod traffic to private networks on a Node. Kubernetes already prevents creation of Endpoint IPs in the localhost or link-local range, but the same validation was not performed on EndpointSlice IPs.
**Fix:**
Upgrading to 1.18.19
┆Issue is synchronized with this Jira Task by Unito
┆Issue Number: K8SSAND-941
┆Priority: Medium
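An added example, not code from this issue or from Kubernetes: a Go audit that flags EndpointSlice addresses in the loopback or link-local ranges named in the description above, reading JSON shaped like `kubectl get endpointslices -A -o json`. The type and function names and the sample data are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
)

// Subset of the EndpointSlice list schema (encoding/json matches keys case-insensitively).
type sliceList struct {
	Items []struct {
		Metadata  struct{ Namespace, Name string }
		Endpoints []struct{ Addresses []string }
	}
}
// specialRange names the disallowed range an address falls in, or "" if none.
func specialRange(addr string) string {
	switch ip := net.ParseIP(addr); { // nil for non-IP input: every case is then false
	case ip.IsLoopback(): // also true for IPv4-mapped forms such as ::ffff:127.0.0.1
		return "loopback"
	case ip.IsLinkLocalUnicast(), ip.IsLinkLocalMulticast():
		return "link-local"
	}
	return ""
}

// auditSlices returns one "namespace/name: address (range)" finding per flagged address.
func auditSlices(raw []byte) ([]string, error) {
	var list sliceList
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, s := range list.Items {
		for _, ep := range s.Endpoints {
			for _, a := range ep.Addresses {
				if r := specialRange(a); r != "" {
					findings = append(findings, fmt.Sprintf("%s/%s: %s (%s)", s.Metadata.Namespace, s.Metadata.Name, a, r))
				}
			}
		}
	}
	return findings, nil
}
// Constructed sample shaped like `kubectl get endpointslices -A -o json` output.
const sample = `{"items":[
 {"metadata":{"namespace":"demo","name":"v4"},"endpoints":[{"addresses":["10.1.2.3","127.0.0.1","169.254.10.20"]}]},
 {"metadata":{"namespace":"demo","name":"v6"},"endpoints":[{"addresses":["::ffff:127.0.0.1","fe80::1","fd00::5"]}]}]}`
func main() { fmt.Println(auditSlices([]byte(sample))) }
```

An empty result means no listed address falls in either range; it says nothing about whether the control plane itself has the fix.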
I still don't have Zenhub access here so I'll add an estimate here @bradfordcp. I assume that this ticket relates to upgrading the k8s version beyond 1.18.19 for the reaper-operator tests only. My understanding is that the vuln is in Kubernetes itself, not the k8s libraries we import into reaper-operator.
On those assumptions, I question whether we should do this piece of work, because users are in control of the k8s version installed and reaper-operator is in maintenance mode.
If we do choose to do the work, I recommend a proper upgrade to 1.22+ which is a larger piece of work and entails API changes (due to deprecations from 1.18-1.21 especially).
If we go ahead, I'd recommend 2 days time-boxed research to establish how long this will take (it may just be the two days, but it could blow out to 5).