A Kubernetes controller to watch changes in ConfigMap and Secrets and do rolling upgrades on Pods with their associated Deployment, StatefulSet, DaemonSet and DeploymentConfig – [✩Star] if you're using it!
Is your feature request related to a problem? Please describe.
Currently the UBI based image is based off ubi-minimal which is has >100 packages most of which are not needed. This creates vulnerability churn and an increased attack surface
Describe the solution you'd like
Created an image directory in the first stage of the build that contains the minimum set of files to run a non-statically compiled Go app and be scannable by image vulnerability scanners. An RPM database is then created just for the packages in the image dir both this and the libs are then copied to the final base image.
Describe alternatives you've considered
Another option could have been to use UBI micro but this has more packages than this solution and also doesn't have a package manager which makes getting package updates more complicated when the CI is not running on RHEL.
Additional context
We have an internal requirement for compliance to use UBI based packages in the image which is why simply can't use the distroless image already provided
Is your feature request related to a problem? Please describe. Currently the UBI based image is based off ubi-minimal which is has >100 packages most of which are not needed. This creates vulnerability churn and an increased attack surface
Describe the solution you'd like Created an image directory in the first stage of the build that contains the minimum set of files to run a non-statically compiled Go app and be scannable by image vulnerability scanners. An RPM database is then created just for the packages in the image dir both this and the libs are then copied to the final base image.
Describe alternatives you've considered Another option could have been to use UBI micro but this has more packages than this solution and also doesn't have a package manager which makes getting package updates more complicated when the CI is not running on RHEL.
Additional context We have an internal requirement for compliance to use UBI based packages in the image which is why simply can't use the distroless image already provided