
hubble-relay: use distroless as the base image and run as non-root #23259

Merged
merged 2 commits into from
Jan 25, 2023

Commits on Jan 24, 2023

  1. docs: remove 1.13 and earlier upgrade docs

    These docs are already stored in the v1.12 branch and exposed via the
    corresponding docs on docs.cilium.io, so there is no need to include
    that text directly in the page. Removing it will also help developers to
    update the correct notes for the upcoming release.
    
    Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
    rolinh committed Jan 24, 2023
    75645d7
  2. hubble-relay: use distroless as the base image and run as non-root

    In order to improve the security posture of Hubble Relay, this patch
    updates the base image for Hubble Relay from scratch to distroless.
    Distroless images come in different variants and the one being used here
    is the most basic one that only contains the following:
    
      - ca-certificates
      - A /etc/passwd entry for the root, nonroot and nobody users
      - A /tmp directory
      - tzdata
    
    Given that this new base image comes with CA certificates, we no longer
    need to import CA certificates from the Alpine image. Moreover, the hack
    for running gops, namely setting `ENV GOPS_CONFIG_DIR=/` is no longer
    required. Finally, the patch sets the image user to the nonroot user
    with UID 65532.
    
    Lastly, to run as non-root, the securityContext for the Hubble Relay
    container is updated to drop all capabilities and run as the user:group
    65532:65532.
    
    Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
    rolinh committed Jan 24, 2023
    dbdda72
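The second commit describes the hardened securityContext for the Hubble Relay container: all capabilities dropped and the process running as the distroless nonroot user 65532:65532. The check below is an added example, not code from the Cilium project or this PR; it takes a container spec as a plain dict (for instance parsed from the rendered Deployment YAML) and reports what is missing against those settings. The `runAsNonRoot` check and the two sample specs are assumptions constructed here, not taken from the PR.

```python
"""Audit a Kubernetes container spec for the non-root hardening described in
the hubble-relay commit: drop ALL capabilities and run as 65532:65532."""
from typing import Any

# UID/GID of the distroless "nonroot" user, as stated in the commit message.
NONROOT_UID = 65532
NONROOT_GID = 65532


def check_security_context(container: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means the container matches
    the hardened securityContext (user/group 65532, no capabilities)."""
    findings: list[str] = []
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    dropped = {str(c).upper() for c in caps.get("drop") or []}
    if "ALL" not in dropped:
        findings.append("capabilities are not all dropped")
    if caps.get("add"):
        findings.append(f"capabilities added back: {caps['add']}")
    if sc.get("runAsUser") != NONROOT_UID:
        findings.append(f"runAsUser is {sc.get('runAsUser')!r}, expected {NONROOT_UID}")
    if sc.get("runAsGroup") != NONROOT_GID:
        findings.append(f"runAsGroup is {sc.get('runAsGroup')!r}, expected {NONROOT_GID}")
    # Extra check (assumption, not in the commit): runAsNonRoot makes the
    # kubelet refuse to start the container if the image still runs as UID 0.
    if sc.get("runAsNonRoot") is not True:
        findings.append("runAsNonRoot is not set to true")
    return findings


# Constructed sample specs (not from the PR): the pre-patch shape with no
# securityContext, and the hardened shape the commit describes.
LEGACY_CONTAINER: dict[str, Any] = {"name": "hubble-relay", "image": "hubble-relay:local"}
HARDENED_CONTAINER: dict[str, Any] = {
    "name": "hubble-relay",
    "image": "hubble-relay:local",
    "securityContext": {
        "capabilities": {"drop": ["ALL"]},
        "runAsUser": 65532,
        "runAsGroup": 65532,
        "runAsNonRoot": True,
    },
}

if __name__ == "__main__":
    for c in (LEGACY_CONTAINER, HARDENED_CONTAINER):
        print(c["name"], check_security_context(c) or "OK")
```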