Is your image really distroless?


Laurent Goderre from Docker. The entire talk was very short, but it was a nice demo of init containers.

Baseline

  • Security is hard - distroless sounds like a nice helper
  • Basic challenge: the usability-security dilemma -> but more usability doesn't have to mean less security, it means more updating (every extra tool in the image is something you have to keep patched)
  • Distro: kernel + software packages + package manager (optional) -> in containers it's the same minus the kernel
  • Distroless: No package manager, no shell, no web client (curl/wget) - only minimal software bundles

Tools for distroless image creation

  • Multi-stage builds: no cleanup needed and better caching
  • BuildKit: more complex, but a pluggable build architecture

The title question

  • Well, many images don't include a package manager but still ship a shell and some tools (busybox)
  • Those tools are usually there for config-time work (init) -> they just stay around after init, unused, as extra attack surface
  • Solution: our lord and savior init containers, which take no inbound traffic and just do the config work

Demo

  • A (rough) distroless Postgres with alpine build step and scratch final step
  • A basic pg:alpine container used for init with a shared data volume
  • The init uses the pg admin user to initialize the pg server (you don’t need the admin credentials after this)

Kube

  • kubectl apply failed because there was no internet, but that was fixed by connecting to Wi-Fi
  • Without the init container the pod just crashes, with the init container the correct config gets created

Docker compose

  • Just use the service_completed_successfully condition in depends_on (the service waits for the init container to exit 0, not merely to start)
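As an added example (not from the talk or its demo code), a Compose file wiring a one-shot init service to a distroless database service the way the notes describe. It assumes the final image was built locally from the alpine-to-scratch multi-stage build and tagged distroless-postgres:demo, that its postgres binary sits at /usr/local/bin/postgres, and that both images use the alpine postgres uid 70.

```yaml
# Added example: init service + distroless database service (not the demo's own files).
# Assumptions: distroless-postgres:demo is a locally built scratch-based image with
# the server binary at /usr/local/bin/postgres; uid 70 is the postgres user in
# postgres:alpine. A scratch image has no /etc/passwd, so a user *name* would not
# resolve there; a numeric uid shared by both services keeps volume ownership consistent.
services:
  db-init:
    image: postgres:16-alpine      # full image: has initdb, a shell and busybox tools
    user: "70"
    volumes:
      - pgdata:/var/lib/postgresql/data
    # Runs once and exits 0; it listens on nothing, so the tools it carries are
    # never reachable. The PG_VERSION check makes re-runs idempotent.
    command:
      - sh
      - -c
      - test -f /var/lib/postgresql/data/PG_VERSION || initdb -D /var/lib/postgresql/data

  db:
    image: distroless-postgres:demo  # placeholder for the scratch-based image from the demo
    user: "70"
    volumes:
      - pgdata:/var/lib/postgresql/data
    # No shell in the image, so exec form with an absolute path.
    command:
      - /usr/local/bin/postgres
      - -D
      - /var/lib/postgresql/data
      - -c
      - listen_addresses=*
    depends_on:
      db-init:
        condition: service_completed_successfully   # wait for exit 0, not just "started"

volumes:
  pgdata:
```

If the init step is skipped (or fails), the `db` service never starts, which mirrors the crash-loop seen in the Kubernetes demo without its init container.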