Trigger AL2 iptables base image rebuild for Go 1.25.9 CVE fixes (#1966)

varma-maryala · web-flow · commit e82bdd97eba4 · 2026-04-17T09:47:58.000-07:00
Set AL2 eks-distro-minimal-base-iptables tag to null to force a full rebuild. The periodic build skips iptables when yum check-update finds no RPM security updates, but the iptables-wrapper Go binary is stuck on Go 1.25.8 which is vulnerable to CVE-2026-32280 and CVE-2026-32282. golang:1.25 floating tag already points to Go 1.25.9. Setting the tag to null bypasses the RPM update check and forces a rebuild. AL2023 image was already rebuilt on Apr 14 with Go 1.25.9. Note: AL2 reaches EOL on June 30, 2026. After that date, AL2 base images will no longer be maintained.
diff --git a/EKS_DISTRO_TAG_FILE.yaml b/EKS_DISTRO_TAG_FILE.yaml
@@ -3,7 +3,7 @@ al2:
   eks-distro-minimal-base: 2026-04-02-1775156511.2
   eks-distro-minimal-base-nonroot: 2026-04-02-1775156511.2
   eks-distro-minimal-base-glibc: 2026-04-02-1775156511.2
-  eks-distro-minimal-base-iptables: 2026-04-02-1775156511.2
+  eks-distro-minimal-base-iptables: null
   eks-distro-minimal-base-docker-client: 2026-04-14-1776193302.2
   eks-distro-minimal-base-csi: 2026-04-14-1776193302.2
   eks-distro-minimal-base-csi-ebs: 2026-04-02-1775156511.2
