hubble-relay: use distroless as the base image and run as non-root #23259
Conversation
1687951 to c8261a1
/test
Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed. If it is a flake and a GitHub issue doesn't already exist to track it, comment
nice!
Might be worth adding a note in upgrade.rst.
c8261a1 to 389dbb8
389dbb8 to b892ecf
/test
These docs are already stored in the v1.12 branch and exposed via the corresponding docs on docs.cilium.io, so there is no need to include that text directly in the page. Removing it will also help developers to update the correct notes for the upcoming release.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
In order to improve the security posture of Hubble Relay, this patch updates the base image for Hubble Relay from scratch to distroless. Distroless images come in different variants and the one being used here is the most basic one that only contains the following:

- ca-certificates
- A /etc/passwd entry for the root, nonroot and nobody users
- A /tmp directory
- tzdata

Given that this new base image comes with CA certificates, we no longer need to import CA certificates from the Alpine image. Moreover, the hack for running gops, namely setting `ENV GOPS_CONFIG_DIR=/`, is no longer required. Finally, the patch sets the image user to the nonroot user with UID 65532. At last, to run as non-root, the securityContext for the Hubble Relay container is updated to drop all capabilities and run as the user:group 65532:65532.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
b892ecf to dbdda72
Looks good to me, nice!
/test
LGTM ✔️
🚀
In order to improve the security posture of Hubble Relay, this patch updates the base image for Hubble Relay from scratch to distroless. Distroless images come in different variants and the one being used here is the most basic one that only contains the following:

- ca-certificates
- A /etc/passwd entry for the root, nonroot and nobody users
- A /tmp directory
- tzdata

Given that this new base image comes with CA certificates, we no longer need to import CA certificates from the Alpine image. Moreover, the hack for running gops, namely setting `ENV GOPS_CONFIG_DIR=/`, is no longer required. Finally, the patch sets the image user to the nonroot user with UID 65532. At last, to run as non-root, the securityContext for the Hubble Relay container is updated to drop all capabilities and run as the user:group 65532:65532.
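The commit message and the PR description above both describe the same hardening for the Hubble Relay container: run as user:group 65532:65532 (the distroless nonroot user) and drop all capabilities. The following is an added example, not code from Cilium or from this PR: a small policy check a reviewer or admission hook could run over a pod spec to confirm a container actually carries that securityContext, with a constructed "before" spec (no securityContext, so the image's defaults apply) and a constructed "after" spec in the shape the PR describes. The checks for `runAsNonRoot` and `allowPrivilegeEscalation` go beyond what the PR text states; they are assumed companions to the same hardening. The image references are placeholders.

```python
# Added example (not part of the Cilium PR): a policy check that verifies a
# container spec matches the hardening described for hubble-relay: run as
# user:group 65532:65532 and drop all capabilities. The runAsNonRoot and
# allowPrivilegeEscalation checks are assumptions that go beyond the PR text.
from typing import Any, Dict, List

# UID/GID of the distroless "nonroot" user, as used by the PR.
NONROOT_UID = 65532
NONROOT_GID = 65532


def check_security_context(container: Dict[str, Any]) -> List[str]:
    """Return a list of findings for one container; an empty list means hardened."""
    findings: List[str] = []
    sc = container.get("securityContext") or {}

    # An unset runAsUser falls back to the image's USER directive, which for an
    # image built FROM scratch (the old hubble-relay base) means root.
    uid = sc.get("runAsUser")
    if uid is None or uid == 0:
        findings.append("runAsUser is unset or 0 (root)")
    elif uid != NONROOT_UID:
        findings.append(f"runAsUser is {uid}, expected {NONROOT_UID}")

    gid = sc.get("runAsGroup")
    if gid is None or gid == 0:
        findings.append("runAsGroup is unset or 0 (root)")
    elif gid != NONROOT_GID:
        findings.append(f"runAsGroup is {gid}, expected {NONROOT_GID}")

    # Assumption beyond the PR: make the kubelet refuse a root user at runtime.
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not true")

    # The PR drops all capabilities; anything re-added is reported as well.
    caps = sc.get("capabilities") or {}
    dropped = {str(c).upper() for c in (caps.get("drop") or [])}
    if "ALL" not in dropped:
        findings.append("capabilities.drop does not include ALL")
    if caps.get("add"):
        findings.append(f"capabilities.add re-grants {sorted(caps['add'])}")

    # Assumption beyond the PR: no setuid/file-capability escalation path.
    if sc.get("allowPrivilegeEscalation", True) is not False:
        findings.append("allowPrivilegeEscalation is not false")

    return findings


def check_pod_spec(pod_spec: Dict[str, Any]) -> Dict[str, List[str]]:
    """Run the check over every init container and container of a pod spec."""
    results: Dict[str, List[str]] = {}
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        results[c["name"]] = check_security_context(c)
    return results


# Constructed sample specs (not copied from the Cilium Helm chart).
# "Before": no securityContext at all.
BEFORE_CONTAINER = {
    "name": "hubble-relay",
    "image": "example.invalid/hubble-relay:placeholder",
}

# "After": the shape the PR describes, plus the two assumed extra fields.
AFTER_CONTAINER = {
    "name": "hubble-relay",
    "image": "example.invalid/hubble-relay:placeholder",
    "securityContext": {
        "runAsUser": NONROOT_UID,
        "runAsGroup": NONROOT_GID,
        "runAsNonRoot": True,
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
    },
}


if __name__ == "__main__":
    for label, spec in (("before", BEFORE_CONTAINER), ("after", AFTER_CONTAINER)):
        found = check_security_context(spec)
        print(f"{label}: {'OK' if not found else found}")
```

The "before" spec produces five findings (user, group, runAsNonRoot, missing drop ALL, privilege escalation); the "after" spec produces none. Running the same check in CI against rendered Helm output catches a later change that silently re-adds a capability or reverts the user to root.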