Closed tuananh closed 1 year ago
@arikalon1 kindly take a look :)
@aantn @arikalon1 can we get this reviewed?
Hey, sorry about the delay.
Would using the Google distroless images work here too?
@aantn I suppose it would.
The two are a bit different, in that distroless still relies on a traditional OS like Debian while Chainguard images are for container-specific workloads.
However, for this static base image, I suppose the two are equivalent.
If you're in doubt, the Tekton and ko projects recently adopted Chainguard images as base images too.
@aantn would you prefer to use distroless as base instead? I can update this PR accordingly.
Thanks for the PR, @tuananh. We're going to merge it soon, as soon as we find some time to give it a quick test.
I switched from minideb to Chainguard's static image (this one has ca-certificates-bundle installed already, hence I removed the RUN instruction).
minideb has lots of CVEs:
After switching to Chainguard's static image, only 14 are left. All are coming from kubewatch's dependencies, which I can patch in another PR.
Also, the size has been reduced from 112MB down to 33MB.