-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Build image with ko #3835
Build image with ko #3835
Conversation
986e88a
to
fc9c48e
Compare
@johngmyers can you add some info on why this change? |
21cb93f
to
a36c36c
Compare
/retest |
@johngmyers why did you remove the trivy scanner? That can spot vulnerabilities also in the binary being built. |
@Raffo it looked like trivy expected the image to be present in a local docker server. I don't think we can add much value by scanning the distroless-derived base image. We have coverage for Go module dependencies through the GitHub security notification stuff. |
Ok for trivy. What kind of advantage is the chainguard image bringing compared to google's distroless? And is |
I believe Chainguard is adding the SBOM (Software Bill Of Materials). I have the SBOM disabled in this because it might require changes in the release tooling. I don't know what counts as "widely", but two other Kubernetes projects I'm involved in, kops and aws-load-balancer-controller, both use it. |
According to ko.build documentation, they provide SBOM by default.
Since It's not a strong opinion, I'm not opposed to keep the current system (with a distro less image) or using chainguard. |
That is a very good point, it's not easy to define as the community is big and projects managed significantly differently. I would agree with @mloiseleur and be for using ko with distroless as base image, if possible. If we truly believe that the chainguard image is making a difference, then we can do that as well. For the sbom, those can easily be downloaded from the GitHub dependency graph or CLI these days, but also open to improvements in this area as needed. |
I chose chainguard because that is the |
Reading the original kep (https://github.com/kubernetes/enhancements/blob/master/keps/sig-release/1729-rebase-images-to-distroless/README.md) it seems to be that distroless should be used across the board by community projects. Given that there are no specific reason to use chainguard's, even if there are no drawbacks, I would choose Google's distroless as base image. |
/lgtm |
/assign Raffo |
/approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: johngmyers, Raffo The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
does anyone else get the
|
Description
Builds image with ko instead of Docker. Reduces build times, allowing developer builds to use cached module sources.
Replaces the base image with ko's default of
cgr.dev/chainguard/static:latest
(based on distroless). This reduces the size and attack surface of the resulting image.Adds arm/v7 image back in.
Checklist