use distroless/static as base image to further reduce image size #748
Conversation
/assign @andyxning
In regards to the CVE, given that the latest image is built after March 7th 2019, this should not apply to the latest build. Please correct me if I am wrong. In regards to moving to scratch as a base image, would it make sense to align this effort with the current enhancement proposal updating the base image of the Kubernetes core components? Maybe @tallclair has some advice for us.
Yes you are right @mxinden. We are safe. This PR is just an extra cautionary measure. The distroless image actually ended up being bigger in size than with alpine as base.
I agree with @mxinden, even if it does end up being larger, I think we should use the distroless base.
Alrighty, it is a trivial change. I will update this PR then?
I have made the changes. Correction:
just one question, otherwise lgtm
@brancz @tariq1890 @mxinden I think we need to reach consensus with the Kubernetes community in choosing a base image.
@andyxning As per this doc,
/hold cancel This PR is ready for review again. I am leaving the makefiles untouched since we are using them for multi-arch builds. Hopefully, these changes should be agreeable :).
…increase security
Thanks for taking care of this! /lgtm
/approve |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: brancz, tariq1890
Motivation: Given the Alpine CVE https://www.alpinelinux.org/posts/Docker-image-vulnerability-CVE-2019-5021.html (touted as the security-focused distro ironically), I would like to go one step further in preventive action by using ~~scratch~~ distroless/static as the base image. This will reduce the attack vectors and the overall image size.
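The change discussed in this PR, shown as an added example rather than the project's own Dockerfile: a two-stage build that compiles a Go binary with cgo disabled and copies only that binary into gcr.io/distroless/static. The Go image tag, module layout, binary name, and the distroless `:nonroot` tag and its uid 65532 are assumptions for illustration; what the example is meant to show is that distroless/static carries no shell, no package manager and no libc, so the binary must be statically linked and nothing else from the build stage should be copied in.

```dockerfile
# Added example, not the project's Dockerfile. Build stage: the Go
# toolchain and source never reach the final image.
FROM golang:1.12 AS build
WORKDIR /src
COPY . .
# CGO_ENABLED=0 is the essential setting: distroless/static ships no
# libc, so a dynamically linked binary would fail to start there.
# -s -w strips symbol and DWARF tables to cut image size further.
RUN CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o /out/app .

# Runtime stage: distroless/static contains only CA certificates,
# tzdata and an /etc/passwd with a non-root account. There is no
# /bin/sh, no apk/apt and no /etc/shadow entry that a CVE-2019-5021
# style empty-password bug could apply to.
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
# Numeric uid/gid (distroless "nonroot", assumed 65532) so that
# Kubernetes runAsNonRoot checks can verify it without a passwd lookup.
USER 65532:65532
ENTRYPOINT ["/app"]
```

Two checks worth running after the build: `file` on the compiled binary should report "statically linked", and `docker run --rm --entrypoint /bin/sh <image>` should fail because no shell exists in the image. Note that distroless/static cannot run anything that needs libc (anything built with CGO_ENABLED=1), which is the trade-off against a base such as distroless/base or alpine.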