Run the deployment inside a container

[Smana]

When using the pull mode, run the deployment inside a container.
This container will come with all the tools/binaries needed:
hyperkube, kubectl, etcd, etdcdctl, calicoctl, kargo, kargo-cli, kpm ...

[v1k0d3n]

i'd like to recommend not using hyperkube whenever possible, or at least strongly advising users of the project to avoid conditions where hyperkube is deployed. for instance...a disclaimer during deployment that it is an insecure framework and meant for development purposes only: kubernetes/kubernetes#21735

also taken directly from the Kubernetes documentation: "** SECURITY WARNING ** services exposed via Kubernetes using Hyperkube are available on the host node’s public network interface / IP address. Because of this, this guide is not suitable for any host node/server that is directly internet accessible. Refer to #21735 for addtional info."

[Smana]

kubernetes guys are aiming to use hyperkube as default binary : https://groups.google.com/forum/#!topic/kubernetes-sig-cluster-lifecycle/FhEsevva6Yg

[v1k0d3n]

kubernetes running as a single binary in a container (hyperkube) is definitely a security concern when running directly on the internet. this is misleading when advertising as a "production ready" deployment until there is some other [more secure] method. hyperkube as a single binary...sure. hyperkube via a docker container...not so much when carefully reading the security advisory and issues thread.

[Smana]

I agree we'll take care of these security concerns when we'll choose the method (single binary or not).
Anyway we're currently trying to run everything into containers when possible.

I want to keep this issue opened as a reminder.
Thank you @v1k0d3n

[ant31]

No activity
This should be part of a larger discussion