Move Container Image to Distroless #166
Comments
hey @leecalcote, if it's still up for grabs, I would like to submit a PR.
Hi @siddhant94, yes, it is. That would be great. Thank you.
hey @leecalcote, couple of points,
And lastly, can you point me to docs where I can set up and validate the changes by testing?
@siddhant94 I believe maybe we need the
@siddhant94 @Aisuko kubectl is not required and it can run as a root user. Don't have to create a separate one, you can stick to exactly the istio adapter's dockerfile.
Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>
@kumarabd @Aisuko Have created a PR which updates the dockerfile. Couple of things different from istio adapter.
Let me know if these should stay, I'll update the PR.
@siddhant94 linker flags cool, the envs however are needed by other binaries that we will be using during runtime. Do add them if you would. Good to go after that!
@kumarabd @siddhant94 nice work. I wonder about the root user. Shouldn't a non-root user be used? If not, why not?
@mgfeller it's not critical to use a root user, or there is no difference in our case because our container is distroless, thus no shell program is available for exploitation. Do advise if I'm missing something here.
@kumarabd, what about compromised tools that are downloaded by the adapter, or compromised third-party libraries (supply chain)?
Makes sense, let's add the user back. Thanks for highlighting @mgfeller
Can you help @siddhant94 on this @mgfeller?
@mgfeller @kumarabd For running as non root user we can leverage the
@siddhant94 go for it. And do test out the image once locally if all the functionalities work.
Sure @kumarabd. Lastly, can you point me to doc with how to setup testing locally?
BATS tests would have been nice to have now 😄
I'm afraid if there is one currently, do follow the below steps to get it tested:
I'll follow these, thanks. I am offline for now, will update it in some time.
hey @kumarabd , I tried but I am unable to get the set-up. It's showing error
But those files are present on host.
Any directions on how to solve this? I tried getting started with mesheryctl just to explore but there also it failed to connect to the minikube cluster.
…oot tags default to nonroot user). Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com> Add env variables DISTRO & GOARCH to distroless base image. Signed-off-by: Siddhant Sinha <sid.sinha94@gmail.com>
Fixes #166. Use distroless as base image.
Copy approach from meshery-istio adapter
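
Added example (not part of the thread or the project's code): a check for the root versus non-root question discussed above, which reads the `Config.User` field from `docker image inspect` output and reports whether each image starts as root. The inspect JSON and image names are constructed placeholders; 65532 is the uid distroless assigns to its nonroot user.

```python
import json

# Constructed `docker image inspect` output, trimmed to the fields used here.
# Image names are placeholders, not the project's real tags.
SAMPLE_INSPECT = """
[
  {"RepoTags": ["example/adapter:root"],    "Config": {"User": ""}},
  {"RepoTags": ["example/adapter:uid0"],    "Config": {"User": "0:0"}},
  {"RepoTags": ["example/adapter:nonroot"], "Config": {"User": "65532:65532"}},
  {"RepoTags": ["example/adapter:named"],   "Config": {"User": "nonroot"}}
]
"""

def classify_user(user):
    """Return 'root', 'nonroot' or 'unknown' for an image's Config.User value."""
    # An empty or missing User means the runtime starts the process as uid 0.
    if not user:
        return "root"
    uid = user.split(":", 1)[0].strip()  # "uid[:gid]" or "name[:group]"
    if uid.isdigit():
        return "root" if int(uid) == 0 else "nonroot"
    if uid == "root":
        return "root"
    # Any other name is resolved through the image's /etc/passwd at start-up,
    # which this check cannot see, so it is not assumed to be safe.
    return "unknown"

def audit(inspect_json):
    """Map each image's first tag to its classification."""
    results = {}
    for image in json.loads(inspect_json):
        tags = image.get("RepoTags") or ["<untagged>"]
        user = (image.get("Config") or {}).get("User", "")
        results[tags[0]] = classify_user(user)
    return results

def failing(results):
    """Images that should not ship: root, or a user that cannot be verified."""
    return sorted(tag for tag, verdict in results.items() if verdict != "nonroot")

if __name__ == "__main__":
    for tag, verdict in audit(SAMPLE_INSPECT).items():
        print(f"{tag:28} {verdict}")
```

A distroless base removes the shell but does not change the uid, so an image built on it without a `USER` setting still reports `root` here.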