[Tracking] Streamlining (lighter, less vulns) container images for the Falco projects

[LucaGuerra]

In the Falco Supply Chain Security WG we have identified the need for standardizing container images for the Falco projects. Goals are:

• Reducing the number of potential vulnerabilities that affect every image we publish, especially the ones that run in production with high privileges. If you run SCA on some Falco images they'll report a lot of false positive vulnerabilities, but the only way to definitively get rid of them is not to have them in the first place
• Making them lighter if possible
• Making it easier to add attestation, sbom and other metadata to them

Tracking issues for projects:

• [x] Falco
  • https://github.com/falcosecurity/falco/issues/2181
  • What about the falco and falco-driver-loader images?
• [x] Falcoctl
  • https://github.com/falcosecurity/falcoctl/issues/232

This issue acts as a place of discussion for this topic as it's not as easy as it may seem.

[LucaGuerra]

cc @Issif @cpanato

[Issif]

Let me sum up what we discussed yesterday in the WG bi-weekly call:

• We have 2 kind of code bases, we'll consider Go projects (Falcosidekick, UI, Driverkit, Falcoctl) and Falco (C++)
• For Go projects, we have also 3 patterns:
  • CLI tools
  • Daemon
  • can be run as both
• For the pure daemon (Falcosidekick, Falcosidekick-UI):
  • they are built over pure alpine images with multistages but we can do better with ko. It also generates the SBOM by design.
• For CLI tools:
  • ko can also be considered but we need to be sure we can still attach a tty
  • some images (eg driverkit) need a lot of dependencies to do their purpose, like gcc libs, etc. We can't use ko for them
• For both (eg falcoctl):
  • ko is also a possibility when the image is used as CLI, the same remark than above has to be considered
  • for the daemon usage, we can provide a second flavor of images, not built with ko
• For Falco:
  • The current images are bloated with a lot of stuff only made to build the drivers not already built by our CI. We considered to remove that parts and replace them by falcoctl + driverkit images, it requires new developments for sure.
  • The Chainguard team contacted us and propose to help us to replace the base image for Falco by Wolfi. We're discussing with them to know if it's possible and what are the requirements

[dlorenc]

I'm on the Chainguard team and I just wanted to chime in and say that we're happy to help with using Wolfi!

[LucaGuerra]

Hey @dlorenc , great to see your interest in improving the supply chain security properties of Falco!

So, to add context to the discussion changing all Falco images is not an easy task because we have a lot of compilers / dependencies that are needed to try and compile the drivers in case prebuilts don't exist for your system, but we want to tackle it.

However, we also have small images that don't contain all those tools, libraries and compilers needed to build the drivers for your system and are used to run as a main container on platforms like k8s where you can have an init-container to do all the setup. Example: https://github.com/falcosecurity/falco/blob/master/docker/no-driver/Dockerfile . We publish those images for Linux x86_64 and ARM64. That could be an interesting starting point to change the slim base image, what do you think?

[poiana]

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

[LucaGuerra]

/remove-lifecycle stale

[LucaGuerra]

We have been discussing the improvements in this area for the new version of Falco. In fact, Falco 0.36.0 will come with two new images:

• An updated falco-driver-loader which is based on a more modern toolchain. This means that the number of potential vulnerabilities in the images (as detected by scanners) is massively reduced. If the older image is still required, a falco-driver-loader-legacy image is also provided.
• A new experimental falco-distroless image which is based on Wolfi.

[LucaGuerra]

I will close this issue given the updates for 0.36.0 . Looking forward to people trying out our new images and getting feedback :rocket:

When we collect any adjustments to make for next releases, we'll open another issue!