
Use distroless/static image instead of distroless/base since glibc is not used #44

Open: wants to merge 1 commit into main

Conversation

vilmosmartinek

Description of your changes

This pull request changes the base image of the function to gcr.io/distroless/static-debian12:nonroot.

Fixes #43

I have:

  • Read and followed Upbound's contribution process.
  • Run make reviewable to ensure this PR is ready for review.
    make: *** No rule to make target 'reviewable'.  Stop.
    
  • Added backport release-x.y labels to auto-backport this PR, as appropriate.

How has this code been tested?

I've built the function using the modified Dockerfile and run the render and render-pipeline targets. Both ran without errors — as expected.

  • Output of make render:
    Rendering examples/xr-cidrhost.yaml...
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-host
    status:
      atFunction:
        cidr: 10.0.0.111
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    
    Rendering examples/xr-cidrnetmask.yaml...
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-netmask
    status:
      atFunction:
        cidr: 255.240.0.0
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    
    Rendering examples/xr-cidrsubnet.yaml...
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-subnet
    status:
      atFunction:
        cidr: 10.0.0.0/28
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    
    Rendering examples/xr-cidrsubnetloop.yaml...
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-subnetloop
    status:
      atFunction:
        cidr:
        - 10.0.0.48/32
        - 10.0.0.49/32
        - 10.0.0.50/32
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    
    Rendering examples/xr-cidrsubnets.yaml...
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-subnets
    status:
      atFunction:
        cidr:
        - 10.0.0.0/28
        - 10.0.1.0/24
        - 10.0.4.0/22
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    
    Rendering examples/xr-multicidrsubnetsloop.yaml...
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-multiprefixloop
    status:
      atFunction:
        cidr:
          10.0.0.0/20:
          - 10.0.0.0/28
          - 10.0.1.0/24
          - 10.0.4.0/22
          127.0.0.0/20:
          - 127.0.0.0/24
          - 127.0.1.0/24
          - 127.0.2.0/24
          - 127.0.3.0/24
          - 127.0.4.0/24
          - 127.0.5.0/24
          - 127.0.6.0/25
          - 127.0.6.128/25
          - 127.0.7.0/25
          - 127.0.7.128/25
          - 127.0.8.0/25
          - 127.0.8.128/25
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    
  • Output of make render-pipeline:
    crossplane beta render examples/xr-cidrsubnet.yaml \
                      apis/composition-pipeline.yaml \
                            examples/functions.yaml
    ---
    apiVersion: platform.upbound.io/v1alpha1
    kind: XCIDR
    metadata:
      name: cidr-subnet
    status:
      atFunction:
        cidr:
          partitions:
          - 10.0.0.0/21
          - 10.0.8.0/21
          private:
            subnets:
            - 10.0.0.0/22
            - 10.0.4.0/22
          public:
            subnets:
            - 10.0.8.0/22
            - 10.0.12.0/22
      conditions:
      - lastTransitionTime: "2024-01-01T00:00:00Z"
        reason: Available
        status: "True"
        type: Ready
    


# *upbound/function-cidr* #44

Change Summary

  • Updates the base Docker image from debian11 to debian12, moving from 'base' to 'static' variant
  • Changes image user context to nonroot by using the :nonroot tag
  • Upgrades security posture by using a more minimal static image variant

Potential Vulnerabilities

None identified - in fact, this change improves security posture by:

  • File: Dockerfile:41
  • Code: FROM gcr.io/distroless/static-debian12:nonroot AS image
  • Explanation: Moving to a nonroot user context and static image variant reduces attack surface

Code Smells

None identified - the change is straightforward and follows Docker best practices

Debug Logs

None identified - no logging changes in this PR

Unintended Consequences

  • File: Dockerfile:41
  • Code: FROM gcr.io/distroless/static-debian12:nonroot AS image
  • Explanation: Moving to a static image variant might remove required runtime dependencies that were present in the base image. Testing should verify that the function binary can still execute properly in the more minimal environment

Risk Score: 3

The relatively low risk score is due to:

  • Simple, focused change
  • Follows security best practices
  • Main risk comes from potential runtime compatibility issues with the static image
  • Well-known and trusted base image source (Google's distroless)


Successfully merging this pull request may close these issues.

Use distroless/static image instead of distroless/base since glibc is not used