Conversation

Member

@wlynch wlynch commented Nov 24, 2023

Opening as a draft, since it's not clear whether we actually want to do this or not, but opening up for discussion. (cc @afrittoli)

Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks).

These images are smaller and are kept up to date with upstream with a focus on minimal CVEs.

(computed using `crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec`)

Image | Size
----- | ----
gcr.io/tekton-releases/dogfooding/ko:latest | 277M
us-docker.pkg.dev/wlynch-chainguard/public/ko@latest-wolfi | 31M
gcr.io/tekton-releases/dogfooding/ko-gcloud:latest | 606M
us-docker.pkg.dev/wlynch-chainguard/public/ko-gcloud@latest-wolfi | 304M

CVE Scans:

```
$ grype gcr.io/tekton-releases/dogfooding/ko:latest
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                    sha256:a41f5ae73e4a3aa0652d8653d22cd8dcf499f1ad2e78c3c1433127fe3ee6d61f
 ✔ Cataloged packages              [231 packages]
 ✔ Scanned for vulnerabilities     [23 vulnerability matches]
   ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   12 fixed, 11 not-fixed, 0 ignored (4 dropped)
```

```
$ grype us-docker.pkg.dev/wlynch-chainguard/public/ko:latest-wolfi
 ✔ Vulnerability DB                [no update available]
 ✔ Parsed image                    sha256:e5b9decd9f30c3500f7e289c7abd7d054e122b128877215b47b78b769e915329
 ✔ Cataloged packages              [191 packages]
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored (4 dropped)
```

These aren't wired up to CI yet, but they're configured to publish to a different tag (latest-wolfi).

Changes

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you review them:

See the contribution guide for more details.
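As an added example (not code from the PR, from Tekton, or from Chainguard), the two measurements the description relies on, carried out in Python so they run offline: the compressed image size that the quoted `crane manifest | jq` pipeline computes, and a CI-style gate over grype's severity/status summary lines, which is the kind of check one would wire up once these images are in CI. The manifest is constructed with hypothetical digests, `to_iec` only approximates the rounding of `numfmt --to=iec`, the grype summary lines are the ones quoted in the PR, and the gate thresholds are a hypothetical policy, not something the PR defines.

```python
import json
import math
import re

# Constructed sample manifest (hypothetical digests, not a real image), shaped like
# the JSON that `crane manifest $IMG` returns for a single-platform image.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {
        "mediaType": "application/vnd.oci.image.config.v1+json",
        "size": 1234,
        "digest": "sha256:" + "00" * 32,
    },
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 20_000_000, "digest": "sha256:" + "11" * 32},
        {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "size": 12_500_000, "digest": "sha256:" + "22" * 32},
    ],
})

# The two grype summaries quoted in the PR description, reused here as sample input.
GRYPE_DOGFOODING = """\
 ✔ Scanned for vulnerabilities     [23 vulnerability matches]
   ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown)
   └── by status:   12 fixed, 11 not-fixed, 0 ignored (4 dropped)
"""
GRYPE_WOLFI = """\
 ✔ Scanned for vulnerabilities     [0 vulnerability matches]
   ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible
   └── by status:   0 fixed, 0 not-fixed, 0 ignored (4 dropped)
"""


def image_size(manifest_json: str) -> int:
    """Compressed size in bytes: the config blob plus every layer blob.

    Same arithmetic as the jq filter in the PR, `.config.size + ([.layers[].size] | add)`.
    It counts registry (compressed) bytes, not the unpacked filesystem.
    """
    manifest = json.loads(manifest_json)
    return manifest["config"]["size"] + sum(layer["size"] for layer in manifest["layers"])


def to_iec(size: int) -> str:
    """Approximate `numfmt --to=iec`: base-1024 units, rounded away from zero,
    one decimal only for values below 10 (so the page's 277M and 31M round-trip)."""
    units = ["", "K", "M", "G", "T", "P"]
    value = float(size)
    idx = 0
    while value >= 1024 and idx < len(units) - 1:
        value /= 1024
        idx += 1
    if idx == 0:
        return str(size)
    if value < 10:
        rounded = math.ceil(value * 10) / 10
        text = f"{rounded:.1f}" if rounded < 10 else str(int(rounded))
    else:
        text = str(math.ceil(value))
    return text + units[idx]


SEVERITY_RE = re.compile(
    r"by severity:\s*(\d+) critical, (\d+) high, (\d+) medium, (\d+) low, "
    r"(\d+) negligible(?: \((\d+) unknown\))?"
)
STATUS_RE = re.compile(r"by status:\s*(\d+) fixed, (\d+) not-fixed, (\d+) ignored")


def parse_grype_summary(output: str) -> dict:
    """Pull the severity and fix-status counts out of grype's progress summary."""
    sev = SEVERITY_RE.search(output)
    status = STATUS_RE.search(output)
    if sev is None or status is None:
        raise ValueError("grype summary lines not found in output")
    crit, high, med, low, negl, unknown = sev.groups()
    fixed, not_fixed, ignored = status.groups()
    return {
        "critical": int(crit), "high": int(high), "medium": int(med),
        "low": int(low), "negligible": int(negl), "unknown": int(unknown or 0),
        "fixed": int(fixed), "not_fixed": int(not_fixed), "ignored": int(ignored),
    }


def passes_gate(output: str, max_critical: int = 0, max_high: int = 0) -> bool:
    """CI-style gate: reject an image whose scan exceeds the allowed critical/high counts.

    The thresholds are a hypothetical policy; the PR does not define one.
    """
    counts = parse_grype_summary(output)
    return counts["critical"] <= max_critical and counts["high"] <= max_high


if __name__ == "__main__":
    print("sample manifest:", to_iec(image_size(SAMPLE_MANIFEST)))
    for name, out in (("dogfooding/ko", GRYPE_DOGFOODING), ("ko:latest-wolfi", GRYPE_WOLFI)):
        verdict = "PASS" if passes_gate(out) else "FAIL"
        print(f"{name}: {parse_grype_summary(out)} -> {verdict}")
```

The gate works on grype's human-readable summary only because that is what the PR quotes; in a real pipeline the JSON output (`grype -o json`) is the more stable thing to parse, and the `fixed` count is worth surfacing separately since those are the findings a rebuild against current Wolfi packages can actually remove.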
@tekton-robot
Contributor

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@tekton-robot tekton-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 24, 2023
@tekton-robot tekton-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Nov 24, 2023
@tekton-robot
Contributor

tekton-robot commented Nov 24, 2023

The following Tekton test failed:

Test name | Commit | Details | Required | Rerun command
--------- | ------ | ------- | -------- | -------------
check-pr-has-kind-label | d65d885 | link | true | /test check-pr-has-kind-label

@tekton-robot tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 8, 2025
@tekton-robot
Contributor

@wlynch: PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Member

@vdemeester vdemeester left a comment

/lgtm

@tekton-robot tekton-robot added the lgtm Indicates that a PR is ready to be merged. label Jun 20, 2025
@tekton-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vdemeester

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tekton-robot tekton-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 20, 2025