hubble-relay: use distroless as the base image and run as non-root #23259
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rolinh
added
release-note/misc
8 tasks
rolinh
force-pushed
the
pr/rolinh/rootless-relay
branch
2 times, most recently
from
1687951
to
c8261a1
Compare
|
/test Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed: Click to show.Test NameFailure OutputIf it is a flake and a GitHub issue doesn't already exist to track it, comment |
chancez
requested changes
Jan 23, 2023
rolinh
force-pushed
the
pr/rolinh/rootless-relay
branch
from
c8261a1
to
389dbb8
Compare
rolinh
force-pushed
the
pr/rolinh/rootless-relay
branch
from
389dbb8
to
b892ecf
Compare
|
/test |
qmonnet
requested changes
Jan 24, 2023
These docs are already stored in the v1.12 branch and exposed via the corresponding docs on docs.cilium.io, so there is no need to include that text directly in the page. Removing it will also help developers to update the correct notes for the upcoming release. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
In order to improve the security posture of Hubble Relay, this patch updates the base image for Hubble Relay from scratch to distroless. Distroless images come in different variants and the one being used here is the most basic one that only contains the following: - ca-certificates - A /etc/passwd entry for a root, nonroot and nobody users - A /tmp directory - tzdata Given that this new base image comes with CA certificates, we no longer need to import CA certificates from the Alpine image. Moreover, the hack for running gops, namely setting `ENV GOPS_CONFIG_DIR=/` is no longer required. Finally, the patch sets the image user to the nonroot user with UID 65532. At last, to run as non-root, the securityContext for the Hubble Relay container is updated to drop all capabilities and run as the user:group 65532:65532. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
rolinh
force-pushed
the
pr/rolinh/rootless-relay
branch
from
b892ecf
to
dbdda72
Compare
qmonnet
added
the
area/documentation
|
/test |
chancez
approved these changes
Jan 25, 2023
maintainer-s-little-helper
bot
added
the
ready-to-merge
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In order to improve the security posture of Hubble Relay, this patch updates the base image for Hubble Relay from scratch to distroless. Distroless images come in different variants and the one being used here is the most basic one that only contains the following:
Given that this new base image comes with CA certificates, we no longer need to import CA certificates from the Alpine image. Moreover, the hack for running gops, namely setting
ENV GOPS_CONFIG_DIR=/is no longer required. Finally, the patch sets the image user to the nonroot user with UID 65532.At last, to run as non-root, the securityContext for the Hubble Relay container is updated to drop all capabilities and run as the user:group 65532:65532.