kapp-controller

Consider a slimmer base image (e.g. distroless)

Open aaronshurley opened this issue 2 years ago • 3 comments

Describe the problem/challenge you have
We'd like to ship kapp-controller with the minimum necessary bits. We're currently using photon as our base image. Is there a better (i.e. slimmer) option?

Describe the solution you'd like
Investigate alternative options (such as distroless) and determine if we should consider making a switch. If the changes appear to be simple, feel free to make the necessary changes.

Anything else you would like to add:

  • similar issue in secretgen-controller: vmware-tanzu/carvel-secretgen-controller#40

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

aaronshurley, Nov 08 '21 20:11

After some discussion, we're deciding to hold off on investigating further into this issue until we learn more about other build processes that we may be able to leverage. If anyone from the community is interested in this work, please let us know.

aaronshurley, Nov 29 '21 16:11

Another thing to consider, if we don't want to change the base image: could we remove tools we don't need that could create security vulnerabilities?

aaronshurley, Apr 20 '22 20:04

Looks like we can't remove the shell from photon:4.0

❯ docker run -ti --rm photon:4.0 bash
root [ / ]# tdnf remove bash
Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64) Updates'
Refreshing metadata for: 'VMware Photon Extras 4.0 (x86_64)'
Refreshing metadata for: 'VMware Photon Linux 4.0 (x86_64)'
Error(1030) : The operation would result in removing the protected package : tdnf

benmoss, Apr 25 '22 14:04

I don't think we can get away with a smaller image right now because we need git. HOWEVER we now have a sidecar where most of the work happens, so perhaps the main kc base os can in fact be minimal. Will leave this issue open to investigate!

neil-hickey, Feb 22 '23 20:02
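The split that the last two comments describe, as an added example that is not part of this issue and not kapp-controller's own Dockerfile: the main controller binary goes on a distroless static image (no shell, no package manager, so there is nothing left to `tdnf remove`), and git lives only in the sidecar image. The package paths `./cmd/controller` and `./cmd/sidecar`, the binary names, the Go version and the Debian tag are assumptions chosen for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not kapp-controller's build. Paths, binary names and
# image tags below are assumptions.

FROM golang:1.20 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 yields a statically linked binary, which is what lets it run
# on distroless/static (no libc, no shell, no package manager inside).
RUN mkdir -p /out \
 && CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
      -o /out/controller ./cmd/controller \
 && CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
      -o /out/sidecar ./cmd/sidecar

# Main controller image: the binary plus the CA bundle and tzdata that
# distroless/static already carries. Compare the photon:4.0 transcript above:
# here bash does not need removing because it was never installed.
FROM gcr.io/distroless/static-debian11:nonroot AS controller
COPY --from=build /out/controller /controller
USER nonroot:nonroot
ENTRYPOINT ["/controller"]

# Sidecar image: this is the one that needs git, so it keeps a fuller base.
# Tool surface (and therefore CVE exposure) is confined to this image.
FROM debian:bullseye-slim AS sidecar
RUN apt-get update \
 && apt-get install -y --no-install-recommends git ca-certificates \
 && rm -rf /var/lib/apt/lists/*
COPY --from=build /out/sidecar /sidecar
# 65532 is the uid distroless uses for "nonroot"; reusing it keeps the two
# containers' filesystem ownership consistent when they share volumes.
USER 65532:65532
ENTRYPOINT ["/sidecar"]
```

Build the two targets separately (`docker build --target controller -t kc:controller .` and `docker build --target sidecar -t kc:sidecar .`). To check that the controller image really has no shell, `docker run --rm --entrypoint /bin/sh kc:controller` should fail with an executable-not-found error rather than give a prompt. The caveat that follows from this: `kubectl exec ... -- sh` stops working for the controller container, so live debugging has to go through `kubectl debug` with an ephemeral container instead, and any code path in the controller that shells out (to git or anything else) has to move to the sidecar first, which is exactly the dependency benmoss pointed at.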