Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require cp in instrumentation images #3231

Open
breedx-splk opened this issue Aug 20, 2024 · 4 comments
Open

Don't require cp in instrumentation images #3231

breedx-splk opened this issue Aug 20, 2024 · 4 comments
Labels
area:auto-instrumentation Issues for auto-instrumentation help wanted Extra attention is needed

Comments

@breedx-splk
Copy link

breedx-splk commented Aug 20, 2024
edited
Loading

Component(s)

auto-instrumentation

Describe the issue you're reporting

The javaagent.go (link) component is doing an injection step that runs the cp command at least once, but perhaps several times, from inside the container. This strongly implies that the cp command is available in the container, which prevents distributions from publishing scratch images containing only the agent jar file (and/or extensions). As a result, java agent distributions are required to use FROM busybox or another (linux) distribution, which brings a set of binaries.

This unnecessarily exposes java agent images to vulnerabilities for which the java agent isn't directly related related. This may also make windows compatibility more challenging if cp is required.

I don't know kubernetes operators well enough right now to suggest how this might be addressed, but would appreciate it if we can give this some consideration. Thanks!
@pavolloffay
Copy link
Member

There has been asks for this in the past in #1600 due to licensing and CVEs.

One of the solutions was to implement a custom cp utility #1698 and #1727

@pavolloffay pavolloffay added area:auto-instrumentation Issues for auto-instrumentation help wanted Extra attention is needed and removed needs triage labels Aug 21, 2024
@pavolloffay pavolloffay changed the title Don't require cp in java instrumentation image Don't require cp in instrumentation images Aug 21, 2024
@swiatekm
Copy link
Contributor

We need the instrumentation container to be able to copy the agent JAR to a shared volume, from which the application can read it. Busybox cp is the simplest way of achieving that, but it can be any vaguely compatible binary. From my perspective, the primary requirement is that we'd rather not maintain this ourselves.

@swiatekm swiatekm mentioned this issue Dec 3, 2024
Open
@atoulme atoulme mentioned this issue Dec 21, 2024
Open
@jaronoff97 jaronoff97 mentioned this issue Dec 23, 2024
Open
@atoulme
Copy link
Contributor

atoulme commented Jan 6, 2025

A possible development is to use a container as volume, a new feature previewed in kubernetes 1.31: https://kubernetes.io/docs/tasks/configure-pod-container/image-volumes/

@swiatekm
Copy link
Contributor

swiatekm commented Jan 7, 2025
edited
Loading

A possible development is to use a container as volume, a new feature previewed in kubernetes 1.31: https://kubernetes.io/docs/tasks/configure-pod-container/image-volumes/

That would be ideal! Hopefully this feature makes it out of alpha quickly. In the meantime, if anyone wants to try their hand at an implementation in the operator, I'd be willing to merge it if it's appropriately hidden behind a feature gate and K8s version check.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area:auto-instrumentation Issues for auto-instrumentation help wanted Extra attention is needed
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@atoulme @pavolloffay @breedx-splk @swiatekm