open-telemetry / opentelemetry-operator

Kubernetes Operator for OpenTelemetry Collector
Apache License 2.0

Use the same base image for all of our Docker images #2011

Closed swiatekm closed 1 year ago

swiatekm commented 1 year ago

Currently we use distroless for the manager, but scratch for the aforementioned. We should use the same base everywhere, if only to be consistent. I vote for distroless because it leads to simpler Dockerfiles, but I can live with scratch as well.

bryan-aguilar commented 1 year ago

I'd vote for scratch just for the sake of reducing the security surface area even further. Is there a reason to prefer distroless over scratch other than consistency?

swiatekm commented 1 year ago

> I'd vote for scratch just for the sake of reducing the security surface area even further. Is there a reason to prefer distroless over scratch other than consistency?

Our Dockerfiles are simpler with distroless because we don't need to do the cert copying dance. But that's a pretty weak reason, I'm fine with porting the manager image to scratch instead.

swiatekm commented 1 year ago

Do you have a sense of what the security surface is like for distroless @bryan-aguilar? I haven't personally used it much.

bryan-aguilar commented 1 year ago

I don't think it's much more. From what I have been told and what I understand, static-nonroot contains a user and cert compared with scratch.

I am more just recommending scratch as a best practice for docker images as much as possible.

bryan-aguilar commented 1 year ago

If the only burden of scratch is copying certs manually in the docker file, which end users should not have to interface with, then the extra little step to reduce the footprint could be useful.

bryan-aguilar commented 1 year ago

I also wonder if relying on gcr distroless as a base image may cause compliance issues for some end users.

jaronoff97 commented 1 year ago

I trust bryan on this one – keeping with best practices (even if it's a few extra steps) sounds good to me!

seankhliao commented 1 year ago

afaik distroless contents are: user, tzdata, cert roots. Go binaries can embed the last 2:
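For reference, this is what the "cert copying dance" on scratch discussed in this thread looks like in practice. It is an added example, not the operator's own Dockerfile; it assumes a static Go binary called `manager` built from a hypothetical `./cmd/manager` package, and reproduces by hand the three things the thread lists distroless static-nonroot as providing (a non-root user, tzdata, CA roots).

```dockerfile
# Stage 1: build a static Go binary and collect the files that scratch lacks.
# (Example only; the package path ./cmd/manager is a placeholder.)
FROM golang:1.21 AS builder
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO_ENABLED=0 produces a fully static binary, so the final image needs no libc.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/manager ./cmd/manager

# scratch has no /etc/passwd, so author a minimal one with an unprivileged user.
# uid/gid 65532 mirrors the "nonroot" user that distroless static-nonroot ships.
RUN echo "nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin" > /out/passwd && \
    echo "nonroot:x:65532:" > /out/group

# Stage 2: scratch final image with the same content as distroless static-nonroot.
FROM scratch
# CA roots so the binary can verify TLS peers (this is the cert copying step).
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
# Time zone database; only needed if the binary loads zones by name.
COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=builder /out/passwd /etc/passwd
COPY --from=builder /out/group /etc/group
COPY --from=builder /out/manager /manager
# Run as the unprivileged user; numeric ids avoid a lookup in the minimal passwd.
USER 65532:65532
ENTRYPOINT ["/manager"]
```

As the last comment points out, the two COPY lines for zoneinfo and CA roots can be dropped if the Go binary imports `time/tzdata` and `golang.org/x/crypto/x509roots/fallback`, leaving only the user to add.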