
update image tag in manifest #49474

Open
wants to merge 1 commit into
base: main

iheartNathan
Contributor

@iheartNathan iheartNathan commented Jan 17, 2025

fixes this #49406

Updating the tag for registry.k8s.io/busybox from latest to 1.27.2.
When using the registry.k8s.io/busybox image with the latest tag to create a workload, the workload is stuck in ImagePullBackOff with the error.

Failed to pull image "registry.k8s.io/busybox": Error response from daemon: [DEPRECATION NOTICE] Docker Image Format v1 and Docker Image manifest version 2, schema 1 support is disabled by default and will be removed in an upcoming release. Suggest the author of registry.k8s.io/busybox:latest to upgrade the image to the OCI Format or Docker Image manifest v2, schema 2.

Issue
Closes: #49406
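
The failure described above comes from an image reference with no tag, which resolves to `latest`. The following check is an added example, not code from this pull request or from the Kubernetes project: it classifies the `image:` fields of a manifest as floating or pinned. The manifest, the `localhost:5000` reference and all function names are constructed for illustration.

```python
import re

# Constructed sample manifest (not from the PR); only the two
# registry.k8s.io/busybox references are taken from this page.
SAMPLE_MANIFEST = """\
apiVersion: v1
kind: Pod
metadata:
  name: probe-demo
spec:
  containers:
  - name: untagged
    image: registry.k8s.io/busybox
    imagePullPolicy: IfNotPresent
  - name: tagged
    image: "registry.k8s.io/busybox:1.27.2"
  - name: local
    image: localhost:5000/busybox
"""

# Matches `image:` keys but not `imagePullPolicy:`; strips optional quotes.
IMAGE_LINE = re.compile(r"^\s*(?:-\s*)?image:\s*[\"']?([^\s\"'#]+)", re.M)

def split_ref(ref):
    """Split an image reference into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A colon separates a tag only when it follows the last slash;
    # before that it belongs to a registry host:port.
    tag = None
    if ":" in name.rsplit("/", 1)[-1]:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest or None

def classify(ref):
    """Return 'pinned-digest', 'pinned-tag' or 'floating'."""
    _, tag, digest = split_ref(ref)
    if digest:
        return "pinned-digest"
    # No tag resolves to `latest`, which can change under the workload.
    if tag is None or tag == "latest":
        return "floating"
    return "pinned-tag"

def audit_manifest(text):
    """List (reference, classification) for every image: field."""
    return [(ref, classify(ref)) for ref in IMAGE_LINE.findall(text)]

if __name__ == "__main__":
    for ref, verdict in audit_manifest(SAMPLE_MANIFEST):
        print(f"{verdict:14} {ref}")
```
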

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jan 17, 2025
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign rayandas for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the language/en Issues or PRs related to English language label Jan 17, 2025
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jan 17, 2025

netlify bot commented Jan 17, 2025

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 7b5ca4d
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/678a6109c435e6000816be4b
😎 Deploy Preview https://deploy-preview-49474--kubernetes-io-main-staging.netlify.app

@@ -60,7 +60,7 @@ broken states, and cannot recover except by being restarted. Kubernetes provides
liveness probes to detect and remedy such situations.

In this exercise, you create a Pod that runs a container based on the
`registry.k8s.io/busybox` image. Here is the configuration file for the Pod:
`registry.k8s.io/busybox:1.27.2` image. Here is the configuration file for the Pod:
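
Review bot: the replaced sentence now names `registry.k8s.io/busybox:1.27.2`, but the configuration file it introduces is outside this hunk, so nothing visible here shows the manifest's `image:` field carrying the same `:1.27.2` tag. Please confirm the two agree, otherwise a reader following the exercise still pulls the untagged image that the description reports stuck in ImagePullBackOff. A tag can also be republished, so a short note in the text on why this exact version is used would help whoever bumps it later.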
Contributor

Thanks for working on this, @iheartNathan. I don't know if you have tried to use the latest tag lately, but it's working now.

To avoid the issue again, we need to stick to a specific busybox image version as @sftim suggested. But, it may not be great to use an image version, 1.27.2, from 17 August 2017. There would have been a lot of bug fixes or added features to it since then.

The most recent stable version, 1.36.1, is from 19 May 2023.

Since registry.k8s.io doesn't contain the most recent stable version, we may need to use the default docker public registry.

Let me know what you think.

Suggested change
`registry.k8s.io/busybox:1.27.2` image. Here is the configuration file for the Pod:
`busybox:1.36.1` image. Here is the configuration file for the Pod:

Contributor Author

About the image working or not, see #49406 (comment), #49406 (comment) and #49406 (comment).
registry.k8s.io/busybox:1.27.2 has no CVE according to a trivy image scan, and registry.k8s.io/busybox:1.27.2 is stable. You're right, though, that a more recent image might be best, but the image should be from registry.k8s.io based on #49523 (comment) and https://kubernetes.io/blog/2022/11/28/registry-k8s-io-faster-cheaper-ga/

Contributor

I ran a CVE test on both images and they are both secure. We can use 1.27.2 on registry.k8s.io.
I don't know how images are published to registry.k8s.io yet, but I will suggest we push the newly updated busybox to it.

ubuntu $ trivy image docker.io/library/busybox:1.36.1
2025-01-25T12:20:14Z    INFO    [vuln] Vulnerability scanning is enabled
2025-01-25T12:20:14Z    INFO    [secret] Secret scanning is enabled
2025-01-25T12:20:14Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-25T12:20:14Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection

2025-01-25T12:20:15Z    INFO    Number of language-specific files       num=0
ubuntu $ 
ubuntu $ trivy image registry.k8s.io/busybox:1.27.2
2025-01-25T12:20:20Z    INFO    [vuln] Vulnerability scanning is enabled
2025-01-25T12:20:20Z    INFO    [secret] Secret scanning is enabled
2025-01-25T12:20:20Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-25T12:20:20Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2025-01-25T12:20:20Z    INFO    Number of language-specific files       num=0

Contributor

@sftim sftim left a comment

Thanks

/lgtm

I didn't test that busybox 1.27.2 works; it's a really simple container image and I'm sure it passes Busybox's own tests.

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 27, 2025
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: e693db24b9a21addf52e3afa6fa8f6a0e29f4a71

@network-charles
Contributor

I did, @sftim. It works.

kubectl run test --image=registry.k8s.io/busybox:1.27.2 --restart=Never -- ping -c 4 google.com
pod/test created

kubectl logs test 
PING google.com (142.250.184.206): 56 data bytes
64 bytes from 142.250.184.206: seq=0 ttl=56 time=3.515 ms
64 bytes from 142.250.184.206: seq=1 ttl=56 time=3.569 ms
64 bytes from 142.250.184.206: seq=2 ttl=56 time=3.622 ms
64 bytes from 142.250.184.206: seq=3 ttl=56 time=3.546 ms

--- google.com ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 3.515/3.563/3.622 ms

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Development

Successfully merging this pull request may close these issues.

Stale image in "Configure Liveness, Readiness and Startup Probes"
4 participants