Upgrade CNI plugins from v1.1.1 to v1.3.0

[antoninbas]

This will use a more recent build of the plugin binaries, and reduce the number of CVEs reported by security scanners.

[antoninbas]

Unfortunately, we can still get critical / high CVEs reported, because even this tag is not super recent and the binaries were built using an older Go version (1.20.4):

stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-39323       Critical
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-29405       Critical
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-29404       Critical
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-29402       Critical
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-44487       High
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-39325       High
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-29403       High
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-39319       Medium
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-39318       Medium
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-29409       Medium
stdlib                                                                       go1.20.4                                                       go-module  CVE-2023-29406       Medium

The only option would be to use our own build for the plugins that we use, which may be worth considering...

[luolanzone]

LTGM

[wenyingd]

Failed to build Windows image since the base-windows image does not exist with the new CNI binary. https://github.com/antrea-io/antrea/actions/runs/7010302755/job/19071011048?pr=5747

[luolanzone]

Failed to build Windows image since the base-windows image does not exist with the new CNI binary. https://github.com/antrea-io/antrea/actions/runs/7010302755/job/19071011048?pr=5747

@wenyingd Is the base Windows image maintained by Antrea? If yes, which part need to be updated for CNI upgrade?

[luolanzone]

I noticed there is already a PR to change the golang version containernetworking/plugins#982 two weeks ago, but no progress yet.

[wenyingd]

@wenyingd Is the base Windows image maintained by Antrea? If yes, which part need to be updated for CNI upgrade?

Yes, it is maintained by antrea, the Dockerfile is https://github.com/antrea-io/antrea/blob/main/build/images/base-windows/Dockerfile. I'm afraid it is not automatically update according to the configurations changes, which means we may need to manually push the image? @XinShuYang @tnqn can confirm it.

[antoninbas]

@wenyingd I can build the image, we have a workflow for that

[antoninbas]

/test-all