add kube-fluentd-operator #1086

Merged
merged 2 commits into from
Jul 10, 2023

Conversation

rawlingsj (Member) commented Jul 9, 2023

Quality Requirements for Images PRs

The items in this checklist should all be checked in the PR with exceptions clearly documented.
The general idea is that to the extent possible, the image should be a drop-in replacement to its public counterpart.

  • Image is a smaller size than its common public counterpart, or if not, the reason why should be explained
  • Image should be scanned for CVEs and should return 0 or near-0 results. Exceptions should be explained.
  • The software in the image should be able to be installed and work as expected
    • The image should start in a cluster
    • The application should be accessible to the user/cluster/etc. as expected
  • If there is an open source helm chart provided, the image should be able to be used with the chart. If needed, please add a -compat package to close any gaps with the public helm chart.
  • build for x86_64 and aarch64 if possible, document exceptions

For new image PRs only

If you have an apko.yaml file in this PR you need to follow this checklist, otherwise feel free to remove.

  • Include tests, sufficient enough that you would trust this image running in production.

  • Perform manual tests as needed and document your testing results

    • For services images (rabbit, databases, webservers) test basic functionality, upstream install/getting started, port availability, admin access. Document differences from public image.
  • The version included is the latest GA version of the software

  • The latest tag points to the newest stable version

  • There is a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base')

  • The image runs as nonroot and GID/UID are set to 65532 or upstream default

    • Alternatively the username and GID/UID may be a commonly used one from the ecosystem e.g: postgres
  • The image contains the ca-certs bundle if needed

  • ENTRYPOINT

    • For applications/servers/utilities call main program with no arguments e.g. [redis-server]
    • For base images leave empty
    • For dev variants set to entrypoint script that falls back to system
  • CMD:

    • For server applications give arguments to start in daemon mode (may be empty)
    • For utilities/tooling bring up help e.g. --help
    • For base images with a shell, call it e.g. [/bin/sh]
  • Add annotations e.g:

annotations:
  "org.opencontainers.image.url": https://edu.chainguard.dev/chainguard/chainguard-images/reference/busybox/ # use the academy site here
  "org.opencontainers.image.source": https://github.com/chainguard-images/images/tree/main/images/bazel # use github here
  • Check if environment variables are needed e.g. to set data locations
  • Ensure the image responds to SIGTERM
    • docker kill $(docker run -d --rm cgr.dev/chainguard/nginx)
  • Error logs write to stderr and normal logs to stdout. DO NOT write to file.

Documentation Requirements

  • Provide a README file, follow the README template to include variants, tags, and usage examples
  • Document your testing and results in the PR
  • Document any exceptions to the testing and config requirements outlined in this template
  • Document where and how the image deviates from popular alternatives (ports, packages, user, entrypoint, versions, etc). Explain why there's a difference and if the user needs to do anything differently when using the image

@rawlingsj rawlingsj force-pushed the kube-fluentd-operator2 branch 8 times, most recently from 23d3b9a to b4df38a Compare July 10, 2023 09:50
rawlingsj (Member Author) commented:
current CVE count

2 critical, 7 high, 12 medium, 1 low, 0 negligible

@rawlingsj rawlingsj marked this pull request as ready for review July 10, 2023 10:03
@rawlingsj rawlingsj requested a review from a team as a code owner July 10, 2023 10:03
@rawlingsj rawlingsj requested a review from kaniini July 10, 2023 10:03
rawlingsj (Member Author) commented Jul 10, 2023

CVE analysis:

 ✔ Scanning image...       [22 vulnerabilities]
   ├── 2 critical, 7 high, 12 medium, 1 low, 0 negligible
   └── 3 fixed

NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
grpc     1.52.0               gem   CVE-2023-1428        High
grpc     1.52.0               gem   CVE-2023-32732       Medium
grpc     1.52.0     1.53.0    gem   GHSA-6628-q6j9-w8vg  High
grpc     1.52.0     1.53.0    gem   GHSA-9hxf-ppjv-w6rq  Medium
grpc     1.52.0     1.53.0    gem   GHSA-cfgp-2977-2fmm  High
openssl  3.1.0                gem   CVE-2023-0464        High
openssl  3.1.0                gem   CVE-2023-0465        Medium
openssl  3.1.0                gem   CVE-2023-0466        Medium
openssl  3.1.0                gem   CVE-2023-1255        Medium
openssl  3.1.0                gem   CVE-2023-2650        High
redis    3.3.5                gem   CVE-2021-32626       High
redis    3.3.5                gem   CVE-2021-32672       Medium
redis    3.3.5                gem   CVE-2022-0543        Critical
redis    3.3.5                gem   CVE-2022-24735       High
redis    3.3.5                gem   CVE-2022-24736       Medium
redis    3.3.5                gem   CVE-2022-36021       Medium
redis    3.3.5                gem   CVE-2022-3647        Low
redis    3.3.5                gem   CVE-2022-3734        Critical
redis    3.3.5                gem   CVE-2023-25155       Medium
redis    3.3.5                gem   CVE-2023-28856       Medium
uri      0.12.1               gem   CVE-2023-36617       Medium
webrick  1.8.1                gem   CVE-2008-1145        Medium

The grpc and redis CVEs are false positives and @luhring has had a fix merged in Syft to remove these anchore/syft#1926

OpenSSL related ones are also false positives and will not appear once another @luhring PR is released anchore/syft#1897

That leaves uri and that is owned by the redis-3.2 apk, we already have an advisory for this https://github.com/wolfi-dev/advisories/blob/426ae55685353a13ee17335ad6ffdadcbf656d66/ruby-3.2.advisories.yaml#L40

The last one is webrick, and we now have an advisory for this https://github.com/wolfi-dev/advisories/blob/426ae55685353a13ee17335ad6ffdadcbf656d66/kube-fluentd-operator.advisories.yaml#L5

Result will be near zero CVEs once the PRs above are released and advisory data covers the remaining ones.

Signed-off-by: James Rawlings <[email protected]>
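The triage in the comment above (scanner misidentifications vs. findings already covered by Wolfi advisory data vs. anything still open) can be reproduced mechanically. The following is an added example, not code from this PR or from the chainguard-images project; the sample table is a constructed subset of the grype output quoted in the comment, and the false-positive and advisory sets are taken from the comment's own conclusions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str  # empty string when the scanner reports no fix
    type: str
    vuln_id: str
    severity: str


# Constructed sample: a subset of the scan table in the PR comment, same column layout.
SCAN_TABLE = """\
NAME     INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY
grpc     1.52.0               gem   CVE-2023-1428        High
grpc     1.52.0     1.53.0    gem   GHSA-6628-q6j9-w8vg  High
openssl  3.1.0                gem   CVE-2023-0464        High
redis    3.3.5                gem   CVE-2022-0543        Critical
uri      0.12.1               gem   CVE-2023-36617       Medium
webrick  1.8.1                gem   CVE-2008-1145        Medium
"""

# Triage inputs as stated in the comment: gem matches for these packages are Syft
# misidentifications, and these IDs already have advisory entries.
FALSE_POSITIVE_GEMS = {"grpc", "redis", "openssl"}
ADVISORY_COVERED = {"CVE-2023-36617", "CVE-2008-1145"}


def parse_scan_table(text: str) -> list[Finding]:
    """Parse the whitespace-aligned table; FIXED-IN may be blank (5 tokens instead of 6)."""
    findings = []
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) == 5:
            cols.insert(2, "")  # no FIXED-IN value reported
        if len(cols) != 6:
            raise ValueError(f"unexpected row: {line!r}")
        findings.append(Finding(*cols))
    return findings


def triage(findings, false_positive_pkgs=FALSE_POSITIVE_GEMS, advisory_ids=ADVISORY_COVERED):
    """Bucket findings so only genuinely open items remain for the PR to justify."""
    buckets = {"false_positive": [], "advisory_covered": [], "unresolved": []}
    for f in findings:
        if f.type == "gem" and f.name in false_positive_pkgs:
            buckets["false_positive"].append(f)
        elif f.vuln_id in advisory_ids:
            buckets["advisory_covered"].append(f)
        else:
            buckets["unresolved"].append(f)
    return buckets


def severity_counts(findings) -> Counter:
    """Per-severity totals, matching the summary line the scanner prints."""
    return Counter(f.severity for f in findings)
```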
Resolved review threads (outdated): images/kube-fluentd-operator/tests/main.tf, images/kube-fluentd-operator/tests/main.tf, images/kube-fluentd-operator/tests/smoke-test.sh
rawlingsj (Member Author) commented:
OK think this is ready now @imjasonh

@rawlingsj rawlingsj enabled auto-merge (squash) July 10, 2023 17:22
@rawlingsj rawlingsj merged commit 497acd6 into chainguard-images:main Jul 10, 2023
developer-guy pushed a commit to Dentrax/images that referenced this pull request Feb 12, 2024
… / flux-source-controller-0 / istio-pilot-discovery-fips-1.19 / spire-server-fips / vault-fips-1.14 (chainguard-images#1086)

* mitigate GHSA-2c7c-3mj9-8fqh for cert-manager-fips-1.13

* mitigate GHSA-2c7c-3mj9-8fqh for cilium-fips

* mitigate GHSA-2c7c-3mj9-8fqh for flux-source-controller-0

* mitigate GHSA-2c7c-3mj9-8fqh for istio-pilot-discovery-fips-1.19

* mitigate GHSA-2c7c-3mj9-8fqh for spire-server-fips

* mitigate GHSA-2c7c-3mj9-8fqh for vault-fips-1.14

* spire-server-fips package bumped to 1.8.5