
REQUEST: Use distroless image in final stage

Open xunholy opened this issue 4 years ago • 4 comments

https://github.com/hashicorp/vault-csi-provider/blob/425b31c0aee2eec204c4b626fa1cf65b64574139/Dockerfile#L1

I'd like to request that we move the final stage of the image to a distroless image - or even an image that has no shell.

It would also be great to do some image scanning for known CVE vulnerabilities as it appears there are some in this image that are marked HIGH and CRITICAL respectively.

xunholy avatar Jun 08 '21 22:06 xunholy

Hi @xUnholy, thanks for raising this. The 0.3.0 release was initially pushed to docker based on alpine 3.13.2 in error, and it has now been updated with the same binary layered on 3.13.5 as it should have been based on our Dockerfile. I believe this should address the CVEs of concern?

Separately, on the question of a distro-less image, could you explain a little more about the motivation for this request please?

tomhjp avatar Jun 10 '21 15:06 tomhjp

Hi @tomhjp thanks for informing me about the image error.

Our ask for distroless is to avoid several exploits and to help harden our implementation in GKE. With this plugin we were able to surface a few attack vectors that we could completely mitigate if there were no shell that could be used to exploit. Obviously we have the default position that things like pods/exec and other RBAC controls are in place, but this also helps protect against lateral privilege escalation from other compromised workloads that might be used to bleed into this particular workload.

We're using the GSM plugin among others and these are all based on distroless images in final stages, my ask would be to keep it aligned with that to help reduce the attack surface seeing as secret management is such a critical asset.

https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp/blob/feac841f5835f47a35e5f978f4924edecd2d13e9/Dockerfile#L19

Sorry for being slightly cryptic 😅

xunholy avatar Jun 10 '21 23:06 xunholy
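The shape of what is being asked for, as an added illustration rather than the project's own Dockerfile: a multi-stage build whose final stage is a distroless base. The Go build flags, the output binary name `vault-csi-provider`, the install path and the `nonroot` user are assumptions for the example; the real build may differ.

```dockerfile
# Added example, not the vault-csi-provider project's Dockerfile.
# Assumes a Go module that builds one static binary (name assumed).
FROM golang:1.16 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a static binary, so the final image needs no libc
# and can use the "static" distroless variant.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
      -o /out/vault-csi-provider .

# Final stage: no shell, no package manager, no busybox. The image carries
# only CA certificates, tzdata and a passwd entry for the nonroot user.
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/vault-csi-provider /bin/vault-csi-provider
USER nonroot:nonroot
# Exec form is mandatory: there is no /bin/sh to run a shell-form ENTRYPOINT.
ENTRYPOINT ["/bin/vault-csi-provider"]
```

Two checks after building: `docker run --rm --entrypoint /bin/sh <image>` should fail with an "executable file not found" error, which is the property the request is after, and `trivy image <image>` (or the scanner of your choice) should report far fewer OS-package findings than the Alpine-based image because there are no OS packages to match against. One caveat to verify before adopting `nonroot`: a CSI provider has to create its Unix socket under a hostPath directory shared with the driver, and that directory may not be writable by a non-root UID; if it is not, drop the `USER` line and keep the distroless base, which still removes the shell.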

@tomhjp any further consideration or context required?

xunholy avatar Jun 15 '21 23:06 xunholy

Would this still be considered for a future release?

Sineaggi avatar Feb 09 '22 00:02 Sineaggi