Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Build image with ko #3835

Merged
merged 1 commit into from
Aug 26, 2023
Merged

Build image with ko #3835

merged 1 commit into from
Aug 26, 2023

Conversation

johngmyers
Copy link
Contributor

@johngmyers johngmyers commented Aug 1, 2023

Description

Builds image with ko instead of Docker. Reduces build times, allowing developer builds to use cached module sources.

Replaces the base image with ko's default of cgr.dev/chainguard/static:latest (based on distroless). This reduces the size and attack surface of the resulting image.

Adds arm/v7 image back in.

Checklist

  • Unit tests updated
  • End user documentation updated

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 1, 2023
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Aug 1, 2023
@johngmyers johngmyers force-pushed the ko branch 4 times, most recently from 986e88a to fc9c48e Compare August 1, 2023 17:34
@johngmyers johngmyers changed the title WIP Build images with ko WIP Build image with ko Aug 1, 2023
@Raffo
Copy link
Contributor

Raffo commented Aug 3, 2023

@johngmyers can you add some info on why this change?

@johngmyers johngmyers force-pushed the ko branch 2 times, most recently from 21cb93f to a36c36c Compare August 4, 2023 10:36
@johngmyers johngmyers changed the title WIP Build image with ko Build image with ko Aug 4, 2023
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 4, 2023
@johngmyers
Copy link
Contributor Author

/retest

@Raffo
Copy link
Contributor

Raffo commented Aug 5, 2023

@johngmyers why did you remove the trivy scanner? That can spot vulnerabilities also in the binary being built.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 6, 2023
@johngmyers
Copy link
Contributor Author

@Raffo it looked like trivy expected the image to be present in a local docker server.

I don't think we can add much value by scanning the distroless-derived base image. We have coverage for Go module dependencies through the GitHub security notification stuff.

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 6, 2023
@Raffo
Copy link
Contributor

Raffo commented Aug 6, 2023

Ok for trivy.

What kind of advantage is the chainguard image bringing compared to google's distroless? And is ko widely used in the Kubernetes ecosystem? I would love for us to stick with somewhat standard approaches and not be too much far away from what the community uses, if there's a standard. I would personally not adopt ko unless explicitly recommended by the kubernetes community, but I'm also not opposed to it. @szuecs @mloiseleur any takes on this topic?

@johngmyers
Copy link
Contributor Author

I believe Chainguard is adding the SBOM (Software Bill Of Materials). I have the SBOM disabled in this because it might require changes in the release tooling.

I don't know what counts as "widely", but two other Kubernetes projects I'm involved in, kops and aws-load-balancer-controller, both use it.

@mloiseleur
Copy link
Contributor

According to ko.build documentation, they provide SBOM by default.

  • ko.build is a simple Go lang software solving a real issue on multi-arch build. It is open source, is integrated to sigtore and is maintained by 3 people. It does not seem to be a commercial product. I am aware that at least one of the maintainer is working on many others kubernetes related projects.
  • cgr.devand chainguard, on the other hand, is clearly a commercial product. The recent announcement is clear. The public repo also, containing their packaged version of public software.

Since ko.build can be easily replaced if needed,
Since SBOM is quite interesting and may become a standard,
Since that with ko.build we will have less code to maintain and faster multiarch build,
=> My humble advice would be to use ko.build with Google distroless.

It's not a strong opinion, I'm not opposed to keep the current system (with a distro less image) or using chainguard.

@Raffo
Copy link
Contributor

Raffo commented Aug 8, 2023

I don't know what counts as "widely"

That is a very good point, it's not easy to define as the community is big and projects managed significantly differently.

I would agree with @mloiseleur and be for using ko with distroless as base image, if possible. If we truly believe that the chainguard image is making a difference, then we can do that as well.

For the sbom, those can easily be downloaded from the GitHub dependency graph or CLI these days, but also open to improvements in this area as needed.

@johngmyers
Copy link
Contributor Author

I chose chainguard because that is the ko default.

@Raffo
Copy link
Contributor

Raffo commented Aug 10, 2023

Reading the original kep (https://github.com/kubernetes/enhancements/blob/master/keps/sig-release/1729-rebase-images-to-distroless/README.md) it seems to be that distroless should be used across the board by community projects. Given that there are no specific reason to use chainguard's, even if there are no drawbacks, I would choose Google's distroless as base image.

@mloiseleur
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 10, 2023
@mloiseleur
Copy link
Contributor

/assign Raffo

@Raffo
Copy link
Contributor

Raffo commented Aug 26, 2023

/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: johngmyers, Raffo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 26, 2023
@k8s-ci-robot k8s-ci-robot merged commit 5426005 into kubernetes-sigs:master Aug 26, 2023
@johngmyers johngmyers deleted the ko branch August 26, 2023 19:10
@johngmyers johngmyers mentioned this pull request Sep 13, 2023
2 tasks
@edbighead
Copy link

does anyone else get the CreateContainerConfigError with v0.13.6 image

    state:
      waiting:
        message: 'container has runAsNonRoot and image will run as root (pod: "external-dns-5bf5f97c4-bw7mg_kube-system(d7ec6cb8-d04d-4c40-b333-1b51c5b69219)",
          container: external-dns'
        reason: CreateContainerConfigError

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants