Skip to content

Adopt distroless as container base image #253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
vmercierfr wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Adopt distroless as container base image #253

vmercierfr wants to merge 5 commits into from

Conversation

@vmercierfr
Copy link
Collaborator

@vmercierfr vmercierfr commented May 5, 2025
edited
Loading

Objective

Reduce attack surface

Why

Prometheus RDS exporter is deployed using alpine container base image. Although this image is minimalist, it contains around 200 binaries that are not required to run the application and increase its attack surface.

Kubernetes project adopted distroless few years ago to limit container image content to application and its runtime.

In addition to safety benefits, the container image is reduced by 9% (53MB to 48MB).

dive
Before before
After after

How

Release

  • Merge this PR

@vmercierfr vmercierfr force-pushed the adopt-distroless branch 2 times, most recently from ca922b6 to 4d8f8e8 Compare May 5, 2025 21:07
vmercierfr added 5 commits May 5, 2025 23:19
@vmercierfr
feat(docker): Switch baseimage to distroless debian12
72487f6 
Signed-off-by: Vincent Mercier <vmercier@gmail.com>
@vmercierfr
chore(prometheus): Use variable for Go version
efb72ef 
Signed-off-by: Vincent Mercier <vmercier@gmail.com>
@vmercierfr
feat(prometheus): Use distroless for local development
9fb4e70 
Signed-off-by: Vincent Mercier <vmercier@gmail.com>
@vmercierfr
chore(README): Reflect changes due to distroless
8ee6267 
Signed-off-by: Vincent Mercier <vmercier@gmail.com>
@vmercierfr
chore(CONTRIBUTING): Add reference to distroless
9f18933 
Signed-off-by: Vincent Mercier <vmercier@gmail.com>
@vmercierfr
Copy link
Collaborator Author

vmercierfr commented May 5, 2025

This will conflicts with #249. But sounds HEALTHCHECK is only supported by Docker (desktop?) engine and probably not relevant for production deployment these days.

So I will recommend to just remove HEALTHCHECK instruction in favor of attack surface reduction.

@vmercierfr vmercierfr mentioned this pull request May 5, 2025
Open
@qfritz qfritz self-assigned this May 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@qfritz qfritz

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vmercierfr @qfritz