
[bitnami/kubectl] Production level image

Open martinelli-francesco opened this issue 1 year ago • 4 comments

Name and Version

bitnami/kubectl:1.28.6

What is the problem this feature will solve?

The bitnami/kubectl image is based on debian which always has many vulnerabilities. For example trivy reports the following:

bitnami/kubectl:1.28.6 (debian 11.9)
====================================
Total: 147 (UNKNOWN: 0, LOW: 95, MEDIUM: 27, HIGH: 22, CRITICAL: 3)

This number of vulnerabilities makes the image unsuitable for production environments.

What is the feature you are proposing to solve the problem?

Instead of Debian, I propose the use of a smaller base image such as Alpine or, even better, a distroless one. An example of a distroless image is the one provided by Rancher (https://hub.docker.com/layers/rancher/kubectl/v1.28.5/images/sha256-41d0b86a7fae7bf98cdce6370194b9f1f80bb62f60671a8f9642bec17da7807b?context=explore), which has 0 vulnerabilities. Their GitHub repo contains the Dockerfile they use to generate that image, and it looks straightforward: https://github.com/rancher/kubectl/blob/master/package/Dockerfile

What alternatives have you considered?

No response

martinelli-francesco avatar Feb 12 '24 11:02 martinelli-francesco
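A minimal multi-stage build along the lines of the proposal above, added here as an illustration (it is not the Rancher or Bitnami Dockerfile). It assumes the kubectl release binary is fetched from dl.k8s.io, verified against its published SHA-256 checksum, and copied into a static distroless base that ships no shell or package manager:

```dockerfile
# Added example, not the Rancher or Bitnami Dockerfile. Assumption: the
# kubectl binary is downloaded from dl.k8s.io and checksum-verified before
# being copied into a distroless base image.
ARG KUBECTL_VERSION=v1.28.6

# Build stage: fetch and verify the kubectl binary (kubectl is a static Go
# binary, so nothing from this stage's Debian userland is needed at runtime).
FROM debian:11-slim AS fetch
ARG KUBECTL_VERSION
ARG TARGETARCH=amd64
RUN apt-get update \
 && apt-get install -y --no-install-recommends ca-certificates curl \
 && rm -rf /var/lib/apt/lists/*
WORKDIR /out
RUN curl -fsSLo kubectl \
      "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" \
 && curl -fsSLo kubectl.sha256 \
      "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl.sha256" \
 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum -c - \
 && chmod 0755 kubectl

# Final stage: static distroless base, non-root user, no shell and no
# package database, so there is no OS package set for a scanner to flag.
FROM gcr.io/distroless/static-debian11:nonroot
COPY --from=fetch /out/kubectl /usr/local/bin/kubectl
USER nonroot:nonroot
ENTRYPOINT ["/usr/local/bin/kubectl"]
CMD ["version", "--client"]
```

The resulting image contains only the kubectl binary and the distroless runtime files, so a scanner such as trivy has no Debian package list to report against; the build stage is discarded.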

I understand your concern regarding security vulnerabilities. While we regularly update our images with the latest system packages, certain CVEs may persist until they are patched in either the OS or the application. You can learn more about our CVE policy here.

The Bitnami Application Catalog (OpenSource) is built on Debian 11. Additionally, as part of VMware, Bitnami offers a custom container and Helm Charts catalog based on various base images, such as Debian 10, 11 & 12, PhotonOS 4, Ubuntu 20.04 & 22.04, RedHat UBI 8 & 9, and custom golden images. You can explore these options through the VMware Tanzu Application Catalog.

If you have any further questions, feel free to ask.

carrodher avatar Feb 12 '24 12:02 carrodher

Ubuntu almost always has far fewer vulnerabilities than Debian, so since it is already supported, couldn't you publish the same image based on Ubuntu?

martinelli-francesco avatar Feb 12 '24 15:02 martinelli-francesco

Other distros are part of the VMware Tanzu Application Catalog; as part of the Bitnami Application Catalog (OpenSource), only Debian 11 (soon to be replaced by 12) is provided.

carrodher avatar Feb 12 '24 23:02 carrodher

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Feb 28 '24 01:02 github-actions[bot]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

github-actions[bot] avatar Mar 04 '24 01:03 github-actions[bot]