security-vulnerabilities: add more info about base images #11236
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
istio-testing
added
the
size/S
ericvn
reviewed
Apr 27, 2022
|
|
||
| Istio offers two sets of docker images, based on `ubuntu` (default) and based on `distroless` (see [Harden Docker Container Images](docs/ops/configuration/security/harden-docker-images/)). | ||
| These base images occasionally have CVEs. | ||
| The Istio security team has automated scanning to ensure base images are kept free of CVEs. |
There was a problem hiding this comment.
rest of page uses "Istio security team". Want me to change them all?
There was a problem hiding this comment.
Nope. Sounds like that's been the norm, and I had missed that.
|
|
||
| ## Base Images | ||
|
|
||
| Istio offers two sets of docker images, based on `ubuntu` (default) and based on `distroless` (see [Harden Docker Container Images](docs/ops/configuration/security/harden-docker-images/)). |
There was a problem hiding this comment.
Suggested change
| Istio offers two sets of docker images, based on `ubuntu` (default) and based on `distroless` (see [Harden Docker Container Images](docs/ops/configuration/security/harden-docker-images/)). | |
| Istio offers two sets of docker images, one based on `Ubuntu` (default) and another based on `distroless` (see [Harden Docker Container Images](docs/ops/configuration/security/harden-docker-images/)). |
| The Istio security team has automated scanning to ensure base images are kept free of CVEs. | ||
|
|
||
| When CVEs are detected in our images, new images are automatically built and used for all future builds. | ||
| Additionally, the security team analyzes the vulnerabilities to see if they are exploitable in Istio directly. |
howardjohn
force-pushed
the
pswg/base-images
branch
from
db5c53e to
f539272
Compare
ericvn
approved these changes
Apr 28, 2022
|
/retest |
|
/cherry-pick release-1.13 |
|
@ericvn: new pull request created: #11242 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
dhawton
pushed a commit
to dhawton/istio.io
that referenced
this pull request
May 6, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please provide a description for what this PR is for.
And to help us figure out who should review this PR, please
put an X in all the areas that this PR affects.