-
Notifications
You must be signed in to change notification settings - Fork 226
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Dockerfile: add minimal image #469
Dockerfile: add minimal image #469
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: marquiz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Pondering that should the minimal image be based on |
/cc mythi kad |
@marquiz: GitHub didn't allow me to request PR reviews from the following users: mythi. Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Makes sense. Moving forward if it becomes "the" default we should explicitly mention it in the documentation. We had #247 for explaining the runtime options. When already minimal we could also add |
Yes, sure. This PR adds a note about lack of runtimes in the minimal image . |
Debugging minimal images is...fun, but this PR looks good |
@zvonkok @mythi @kad @adrianchiris any thoughts on |
Would |
So, going through this PR, i did not find the motivation to provide such an image (also no related issue on it). My main concern with this (and in the future moving to this image by default) are:
In regards to static vs base : i would go with base as to give hooks that are not written in go a chance. |
Yeah, this was kind of quick spin-off from #221.
Yes, these are the motivations behind this. I need to explain that in the commit message.
Yes. This might be too strict and
True. We have been deliberately avoiding this dependency. I think it's good as we (at least so far) have detected low-level features that are mainly available from kernel interfaces. This doesn't shut the door for using such tools in the future, though (if we choose the
The full image can be used for debugging. I think it's actually desirable from the security point of view to not be able to attach to running production containers. It vastly reduces the attack surface.
Yes, after sleeping over this PR I'm inclined to agree with this. |
Yes, I think so. Only supporting "fully static" binaries is probably unnecessarily strict, limiting hooks practically only to statically linked Go binaries. With |
Moving to minimal image by default must be carefully considered and I don't see it happening anytime soon. We're kind of held captive by the hooks, which I don't have any idea how widespread their usage is 🤔 Might be that nobody uses them and would even notice the change |
e72f8fb
to
279327e
Compare
Build a "minimal" variant of the nfd image based on gcr.io/distroless/base. The motivations behind the minimal image are image hardening (security) and reducing the image footprint (from ca. 108MB down to about 40MB). The practical effect of deploying the minimal image is that no runtimes for running worker hooks are present, not even a shell. This means that only statically linked linked hook binaries are supported. Also, because of the image hardening live debugging of the minimal image by attaching to the container is not possible, and, the "full" image needs to be used for that purpose.
Poll all images that are supposed to be tagged. Both the "full" and "minimal" variant, including tags created from IMAGE_EXTRA_TAG_NAMES.
Test both the full and minimal image. This might be paranoid but better be sure(r) than sorry. The end-to-end tests are not that expensive.
279327e
to
f4e0c58
Compare
Changed the base image to be base on distroless/base. Improved commit message of the first patch. |
Thanks for addressing my comments @marquiz. /lgtm |
Looks like there's a sort of consensus on this. And, the minimal image is optional, anyway. |
Build a "minimal" variant of the nfd image based on
gcr.io/distroless/base. The motivations behind the minimal image are
image hardening (security) and reducing the image footprint (from ca.
108MB down to about 40MB).
The practical effect of deploying the minimal image is that no runtimes
for running worker hooks are present, not even a shell. This means that
only statically linked linked hook binaries are supported. Also, because
of the image hardening live debugging of the minimal image by attaching
to the container is not possible, and, the "full" image needs to be used
for that purpose.
This doesn't change the default usage/deployment of NFD in any way. Just adds a new image variant that can be alternatively deployed. The minimal variant might become the default in the future, though