Closed: thockin closed this 11 months ago
Thanks for creating this issue. So, the problem comes from this line, as noted in the closed issue #773: https://github.com/kubernetes/git-sync/blob/v4.0.0-rc3/Dockerfile.in#L107C13-L107C25
Maybe we should be more selective when copying the files.
I think we should not use the distroless/base image as the intermediate one until there is a bookworm version. When we install libraries inside this distroless/base, it installs libraries like openssh, libssl1.1, etc. for OS version 11. In that case, it picks up the vulnerabilities of version 11, and then these libraries are copied from the intermediate image into the final one.
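The situation described in the comment above is that packages installed in an intermediate stage built on one Debian release are copied wholesale into a final image built on another, so the final image silently carries the older release's libraries. One defender-side check is to inspect the dpkg metadata that ends up in the final image and flag packages whose version suffix names a different Debian release than the one the image is supposed to be built on. The script below is an added example, not code from the git-sync project or from this issue. It assumes that distroless images keep per-package metadata as one file per package under `/var/lib/dpkg/status.d/` and ordinary Debian images under `/var/lib/dpkg/status`, and that Debian security updates carry a `+debNuM` version suffix where N is the release number; the sample status entries are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the git-sync issue or project): flag packages in an
# image's dpkg metadata whose Debian release suffix does not match the release
# the final image is built on.
#
# Assumptions (label, not project fact):
#   - distroless keeps one status fragment per package in /var/lib/dpkg/status.d/
#   - plain Debian keeps a single /var/lib/dpkg/status file
#   - security-updated packages carry a "+deb<N>u<M>" version suffix
# Packages with no such suffix are inconclusive and are not reported.

# find_release_mismatch EXPECTED_RELEASE STATUS_FILE
# Reads dpkg status-format text (use "-" for stdin) and prints
# "<package> <version>" for every package whose +deb<N>u suffix names a
# release other than EXPECTED_RELEASE.
find_release_mismatch() {
    expected="$1"
    status_file="$2"
    awk -v want="$expected" '
        /^Package:/ { pkg = $2 }
        /^Version:/ {
            ver = $2
            if (match(ver, /\+deb[0-9]+u/)) {
                # RSTART points at "+", so the release number starts 4 chars in
                # and runs until the trailing "u".
                rel = substr(ver, RSTART + 4, RLENGTH - 5)
                if (rel != want) print pkg, ver
            }
        }
    ' "$status_file"
}

# scan_status_dir EXPECTED_RELEASE DIR
# For a distroless-style status.d directory: concatenate the fragments and scan.
# To obtain DIR from a built image without running it (distroless has no shell):
#   id=$(docker create IMAGE) && docker cp "$id":/var/lib/dpkg/status.d ./status.d && docker rm "$id"
scan_status_dir() {
    cat "$2"/* | find_release_mismatch "$1" -
}

# Constructed sample resembling dpkg status entries; not taken from any real image.
SAMPLE_STATUS=$(cat <<'EOF'
Package: libc6
Version: 2.36-9+deb12u4
Architecture: amd64

Package: libssl1.1
Version: 1.1.1n-0+deb11u5
Architecture: amd64

Package: ca-certificates
Version: 20230311
Architecture: all
EOF
)

# Demo: a bookworm (12) image that has picked up a bullseye (11) library.
printf '%s\n' "$SAMPLE_STATUS" | find_release_mismatch 12 -
```

Running the demo prints `libssl1.1 1.1.1n-0+deb11u5`, i.e. exactly the kind of library the comment is worried about; `libc6` matches the expected release and `ca-certificates` has no release suffix, so neither is reported. Wire `scan_status_dir 12 ./status.d` into an image build pipeline as a gate and a non-empty result fails the build.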
distroless serves the purpose of populating things like /etc and /dev and ca-certificates.
To drop distroless we either do that all ourselves or we find a workable replacement. chainguard's static may fit the bill, but it purports to be alpine instead of debian, so I'm not sure it will be as easy as I'd like.
Out of time for today, but this is clearly a v4 release blocker.