-
Notifications
You must be signed in to change notification settings - Fork 29
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build distroless package for better security, smaller size, speed and more #448
Comments
maybe function-mesh is a pretty good point start to give this approach a try:
If it pays of, one could move further e.g. to main pulsar... |
Hi @hpvd, thanks for the brief introduction about the distroless images. This will be a big change to function mesh. The main reason we haven't built the runner images as distroless images is: IIRC, the distroless image requires As the result, we are working on moving the package download and other processes as init containers first, see #400, with all the processes being migrated as individual init containers, we will be able to start work on the distroless runner images. @streamnative/serverless any options? |
@freeznet many thanks for the great summary of the reasons! imho this is a pretty important direction (added some more possibly interesting points for developers and managers to list of advantages of distroless images #448 (comment)) -> Just to get a feeling about this topic in function mesh: is this one of the next big steps with a high prio? |
@hpvd we sure like to have the distroless images, because security is important for a serverless service. But we already have the roadmap for Q3, so we might work on the distroless images on Q4. |
As proofed in practice and documented in #371
there are sometimes (often!) security problems in a container/package whose origin is not the software one build, but in the software which is also situated in this container.
In most cases, there is no use case for this additional software.
This is where the idea of distroless containers comes in and "free" your software:
Traditional, this approach is somehow strenuous to implement and associated with restrictions.
But it looks like 2 new tools makes it pretty easy and straight forward:
good overview on distroless containers
https://dev.to/dansiviter/distroless-alpine-ci8
and
https://blog.chainguard.dev/minimal-container-images-towards-a-more-secure-future/
see last paragraph for how it works
the tools:
source to abk:
https://github.com/chainguard-dev/melange
abk to oci:
https://github.com/chainguard-dev/apko
to debug distroless containers:
official: https://kubernetes.io/docs/concepts/workloads/pods/ephemeral-containers/
detail flow: https://iximiuz.com/en/posts/kubernetes-ephemeral-containers/
The text was updated successfully, but these errors were encountered: