Change the Debian IPTables image to a distroless image


Bowei Du

May 4, 2022, 2:22:01 PM
to kubernetes-sig-network, Rob Scott, Weston Panther, Michael Taufen
Hi K8s community --

We currently use a Debian image with iptables as the base image for important infrastructure such as kube-proxy, nodelocaldns, etc. Unfortunately, the surface area of the standard Debian iptables image includes many (non-relevant) packages that frequently have CVEs.

Is there interest in creating a slimmer base image in the K8s upstream that removes many of these extraneous dependencies? There are a few examples in other projects (see https://github.com/istio/istio/blob/master/pilot/docker/Dockerfile.proxyv2#L10) that point to this being possible to construct.

I will also put this as an agenda item on the SIG-NETWORK discussion.

Thanks,
Bowei

Antonio Ojea

May 4, 2022, 5:58:45 PM
to Bowei Du, kubernetes-sig-network, Rob Scott, Weston Panther, Michael Taufen
Ricardo, Dan Winship and Lars are already working on that: https://github.com/kubernetes/release/pull/2502


Bowei Du

May 5, 2022, 4:24:51 PM
to Antonio Ojea, kubernetes-sig-network, Rob Scott, Weston Panther, Michael Taufen
Oh this is great!

Is there anything others can do to help move this forward?

Bowei

Antonio Ojea

May 5, 2022, 4:48:17 PM
to Bowei Du, kubernetes-sig-network, Rob Scott, Weston Panther, Michael Taufen
There are some open questions.
I'd say that someone with Debian packaging experience should be very useful.

Antonio Ojea

Jul 20, 2022, 12:17:58 PM
to Bowei Du, kubernetes-sig-network, Rob Scott, Weston Panther, Michael Taufen
Thanks to the impressive work of Ricardo, we have a distroless image for kube-proxy:

docker pull registry.k8s.io/build-image/distroless-iptables:v0.1.0
v0.1.0: Pulling from build-image/distroless-iptables
ced435ca769c: Pull complete
Digest: sha256:691c591a093063b119abc4753ab792b61271c66f2dbbc7d5219f914197274cc2
Status: Downloaded newer image for registry.k8s.io/build-image/distroless-iptables:v0.1.0
registry.k8s.io/build-image/distroless-iptables:v0.1.0

I've sent a PR to use it in Kubernetes/Kubernetes instead of the Debian one.




