
Non-root container #102

Closed
alex1989hu opened this issue Jun 7, 2020 · 3 comments · Fixed by #103
Labels
enhancement Pull requests for new features/feature enhancements proposal An issue that proposes a feature request

Comments

@alex1989hu
Contributor

Is your feature request related to a problem? Please describe.
Using nginx-prometheus-exporter in a security-enhanced Kubernetes (or OpenShift) cluster (for example one with an active PodSecurityPolicy) requires non-root containers. It is common to use the scratch image to reduce the attack surface and get a smaller final image.

Describe the solution you'd like

  • Non-root container - USER in Dockerfile
  • Use scratch image

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
nginx-prometheus-exporter is written in Go, thus alpine:3.11 is not needed to run it.

@GCHQDeveloper0985

I'm also very interested in this change being made. Any idea of what sort of time frame we can hope to see the PR merged and released in?

@lucacome
Member

lucacome commented Jun 9, 2020

Hi @alex1989hu thanks for the PR!

I think moving to a non-root container makes sense, but I'm not sure about scratch. Alpine doesn't add much overhead to the scratch image and it's pretty secure (it's like one of their main goals), and you get a shell to attach to in case you need to debug something.

Do you have any data about images size or vulnerabilities of Alpine?

Cheers.

@lucacome lucacome added the proposal An issue that proposes a feature request label Jun 9, 2020
@pleshakov pleshakov added the enhancement Pull requests for new features/feature enhancements label Jun 9, 2020
@alex1989hu
Contributor Author

Hi @alex1989hu thanks for the PR!

I think moving to non-root container makes sense, but I'm not sure about scratch. Alpine doesn't add much overhead to the scratch image and it's pretty secure (it's like one of their main goals) and you get a shell to attach to in case you need to debug something.

Do you have any data about images size or vulnerabilities of Alpine?

Cheers.

Hello @lucacome, you're welcome 👍 When I wrote "reducing attack surface" I was thinking about minimizing the possibility of arbitrary code execution. If there is no shell, then you cannot do anything except run the Go binary nginx-prometheus-exporter itself. We cannot predict what vulnerability will arise in the future, but a side effect of using scratch is that it does not require maintaining and following up on possible alpine vulnerabilities.

Finally, you asked me to provide image sizes, I have good news:

Base image | Size
---------- | ------
alpine     | 19.1MB
scratch    | 13.6MB
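A multi-stage Dockerfile of the kind requested in this issue (non-root USER, scratch final image), written here as an added example and not the project's own Dockerfile; the Go image tag, the module layout under /src and the output path are assumptions:

```dockerfile
# Build stage: compile the Go binary statically so it has no libc dependency
# and can run on scratch. Image tag and module layout are assumptions.
FROM golang:1.14-alpine AS builder
WORKDIR /src
COPY . .
# CGO_ENABLED=0 -> static binary; -trimpath and -s -w drop paths and symbols.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/nginx-prometheus-exporter .

# Final stage: no shell, no package manager, no libc; only the exporter binary.
FROM scratch
COPY --from=builder /out/nginx-prometheus-exporter /usr/bin/nginx-prometheus-exporter
# Optional: the CA bundle from the build stage, so the exporter can scrape
# stub_status endpoints served over HTTPS (scratch ships no certificates).
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# scratch has no /etc/passwd, so USER must be numeric (UID:GID); a user name
# could not be resolved at container start. 65534 is the conventional "nobody".
USER 65534:65534
ENTRYPOINT ["/usr/bin/nginx-prometheus-exporter"]
```

A numeric UID is also what PodSecurityPolicy's `runAsNonRoot` check needs: the kubelet rejects an image whose USER is a name it cannot resolve. Since there is no shell, `kubectl exec` into the container will not work, which is the trade-off against Alpine discussed above.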
