
Final docker image should not include debug-like package #4381

Closed
madchap opened this issue Jul 31, 2019 · 8 comments

Comments

@madchap

madchap commented Jul 31, 2019

FEATURE REQUEST
The final docker image should not include packages such as gdb, which also happen to bear a CVE that is not getting fixed and unfortunately reported as HIGH.

Maybe an approach a la multi-stage build should be taken?

NGINX Ingress controller version:
0.25.0

What happened:
The docker image does not pass security checks due to embedded "debug" type packages installed.

What you expected to happen:
The docker image should only contain the necessary packages to deliver its functionality.

@madchap madchap changed the title Final docker image should not include dev-like package Final docker image should not include debug-like package Jul 31, 2019
@dawidmalina

dawidmalina commented Aug 12, 2019

👍 as we have the same requirements. In addition, can I have information on whether curl, sensible-utils and python2.7-minimal are really needed, and if not, can we remove those packages?

@bartlomiejsawicki

After checking the security scan made for this version, it looks like there are more problems which could also be easily fixed, except the glibc one, for which it looks like there is no fix for now:
https://quay.io/repository/kubernetes-ingress-controller/nginx-ingress-controller/manifest/sha256:464db4880861bd9d1e74e67a4a9c975a6e74c1e9968776d8d4cc73492a56dfa5?tab=vulnerabilities

@aledbf
Member

aledbf commented Sep 3, 2019

For those subscribed to this PR: I am removing gdb in the next update of the nginx image in this PR #4509.
To be clear, this is possible now thanks to a kubectl plugin that allows a new container to join the pid, network, user and ipc namespaces of the nginx controller pod: https://github.com/aylei/kubectl-debug#quick-start

```
k debug --port-forward -n ingress-nginx nginx-ingress-controller-79b6b9cfc6-2g5rq
pod nginx-ingress-controller-79b6b9cfc6-2g5rq PodIP 10.240.0.254, agentPodIP 10.240.0.225
wait for forward port to debug agent ready...
Forwarding from 127.0.0.1:10027 -> 10027
Forwarding from [::1]:10027 -> 10027
Handling connection for 10027
pulling image nicolaka/netshoot:latest...
latest: Pulling from nicolaka/netshoot
e7c96db7181b: Already exists
e8ad7601444c: Pull complete
1c3e3a777e70: Pull complete
916dd651caf3: Pull complete
4375fed2538e: Pull complete
8631605717d0: Pull complete
dd4fb07f87c6: Pull complete
Digest: sha256:8b020dc72d8ef07663e44c449f1294fc47c81a10ef5303dc8c2d9635e8ca22b1
Status: Downloaded newer image for nicolaka/netshoot:latest
starting debug container...
container created, open tty...
bash-5.0# ps axf
PID   USER     TIME  COMMAND
    1 xfs       0:00 /usr/bin/dumb-init -- /nginx-ingress-controller --configmap=ingress-nginx/nginx-configuration --tcp-services-configmap=ingress-nginx/tcp-services --udp-services-configmap=ingress-nginx/udp-services --publish-service=ingress-nginx/ingress-nginx --annotations-prefix=nginx.ingress.kubernetes.io --enable-ssl-chain-completion=true --default-ssl-c
    7 xfs      46:59 /nginx-ingress-controller --configmap=ingress-nginx/nginx-configuration --tcp-services-configmap=ingress-nginx/tcp-services --udp-services-configmap=ingress-nginx/udp-services --publish-service=ingress-nginx/ingress-nginx --annotations-prefix=nginx.ingress.kubernetes.io --enable-ssl-chain-completion=true --default-ssl-certificate=default/wil
   33 xfs       0:02 nginx: master process /usr/local/openresty/nginx/sbin/nginx -c /etc/nginx/nginx.conf
 3290 xfs       3:26 nginx: worker process
 3291 xfs       3:36 nginx: worker process
 3292 xfs       3:27 nginx: worker process
 3293 xfs       3:26 nginx: worker process
 3294 xfs       0:01 nginx: cache manager process
 3423 root      0:00 bash
 3428 root      0:00 ps axf
bash-5.0#
```

@aledbf
Member

aledbf commented Sep 3, 2019

> as we have the same requirements. In addition can I have information if
>
> curl,

This could be removed, but when you are running the ingress controller you cannot install packages, and several users have requested this package in the past. This package will not be removed.

> sensible-utils and python2.7-minimal

Removing gdb removes several packages:

```
apt-get remove gdb
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  bzip2 file libbabeltrace1 libdw1 libelf1 libexpat1 libglib2.0-0 libipt2 libmagic-mgc libmagic1 libmpdec2 libpopt0 libpython3.7 libpython3.7-minimal libpython3.7-stdlib libreadline7 libsqlite3-0 mime-support readline-common
Use 'apt autoremove' to remove them.
```

I will check if those two can be removed.

@aledbf
Member

aledbf commented Sep 4, 2019

> sensible-utils

removed

> and python2.7-minimal

This package is not present in the image, but it is installed (at some point) to build the nginx image. Adding https://github.com/kubernetes/ingress-nginx/pull/4509/files#diff-4a5113d28634e29f2ab0bca34da7a3e5R547, we now remove all those configuration files left after the removal:

```
apt list|grep residual

autoconf/now 2.69-11 all [residual-config]
cmake-data/now 3.13.4-1 all [residual-config]
groff-base/now 1.22.4-3 amd64 [residual-config]
libglib2.0-0/now 2.58.3-2 amd64 [residual-config]
libmagic1/now 1:5.35-4 amd64 [residual-config]
libpython2.7-minimal/now 2.7.16-2 amd64 [residual-config]
man-db/now 2.8.5-2 amd64 [residual-config]
mime-support/now 3.62 all [residual-config]
perl/now 5.28.1-6 amd64 [residual-config]
python2.7-minimal/now 2.7.16-2 amd64 [residual-config]
readline-common/now 7.0-5 all [residual-config]
```
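The two clean-up steps described in the comments above (autoremoving what `gdb` pulled in, then purging the `[residual-config]` leftovers of build-time packages such as `python2.7-minimal`) are the kind of thing that belongs in the final stage of the image build, so that a scanner never sees the debug tooling or its stale configuration. As an added example, not code from ingress-nginx or from PR #4509, the POSIX shell helper below turns `apt list` output like the listing above into the package set to purge. The sample listing is constructed to mirror the comment (one `[installed]` line is added so the filter has something to skip), and the function names are my own.

```shell
#!/bin/sh
# Added example, not the project's own build script: extract the packages that
# `apt list` reports as [residual-config] so the image-build stage can purge
# their leftover configuration (dpkg --purge) after `apt-get remove` /
# `apt-get autoremove` have run.

# Constructed sample of `apt list` output, modelled on the listing in the
# comment above; the curl line is [installed] and must NOT be selected.
SAMPLE_APT_LIST='autoconf/now 2.69-11 all [residual-config]
cmake-data/now 3.13.4-1 all [residual-config]
curl/now 7.64.0-4 amd64 [installed]
python2.7-minimal/now 2.7.16-2 amd64 [residual-config]
readline-common/now 7.0-5 all [residual-config]'

# Print one package name per line for every entry whose status is
# [residual-config]. The name is the first field with the "/suite" suffix
# stripped (e.g. "autoconf/now" -> "autoconf").
residual_packages() {
    printf '%s\n' "$1" | awk '/\[residual-config\]/ { sub(/\/.*/, "", $1); print $1 }'
}

# Number of residual-config entries in the listing (0 when the image is clean).
residual_count() {
    residual_packages "$1" | wc -l | tr -d ' '
}

# Assemble the purge command line for the residual-config packages. It is
# returned as text rather than executed so the example runs offline; in a
# Dockerfile you would run it with `sh -c "$(purge_command "$(apt list)")"`.
purge_command() {
    pkgs=$(residual_packages "$1" | tr '\n' ' ')
    printf 'dpkg --purge %s\n' "${pkgs% }"
}

# Usage: show what would be purged for the constructed sample.
purge_command "$SAMPLE_APT_LIST"
```

The filter keys on the exact `[residual-config]` status token rather than on a package-name list, so it keeps working as the set of build-time packages changes; a follow-up `apt list | grep residual` in the same build stage is the check that the purge actually left nothing behind.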

@aledbf
Member

aledbf commented Sep 4, 2019

Closing. Fixed in #4509. The new image is already available in quay, where we can see the improvement: https://quay.io/repository/kubernetes-ingress-controller/nginx?tab=tags

@aledbf aledbf closed this as completed Sep 4, 2019
@dawidmalina

dawidmalina commented Sep 6, 2019

@aledbf you are referring to the image quay.io/kubernetes-ingress-controller/nginx:0.92, but the releases page suggests this image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.25.1. There is a new image for quay.io/kubernetes-ingress-controller/nginx-ingress-controller, but with the tag dev, not a new release. When can we expect nginx-ingress-controller?

@aledbf
Member

aledbf commented Sep 6, 2019

@dawidmalina after we close the pending items in https://github.com/kubernetes/ingress-nginx/projects/33, at least two weeks.
