
[ENHANCEMENT] Distroless images for optimizely agent.

Open yesudeep opened this issue 1 year ago • 3 comments

Description

Namaste,

  1. Distroless images are small and per our security team's guidance at Google, we're required to use those images for our deployments. To that effect, we're making a feature request to add the ability to build distroless images in addition to images built from scratch and Alpine Linux.

  2. We'd appreciate the ability to build using podman.

  3. And the ability to deploy built container images to the Google Artifact Registry.

For more information about distroless, please see: https://github.com/GoogleContainerTools/distroless.

Benefits

Low attack surface. High security standards.

Detail

We would like the ability to run:

   make \
     APP_VERSION=$(git rev-parse HEAD) \
     CONTAINERIZER=podman \
     IMAGE_TAG_PREFIX=<GAR-TAG> \
     ci_build_dockerimage_distroless push_image_distroless

Examples

Please see: https://github.com/GoogleContainerTools/distroless

Risks/Downsides

A little more tooling and build complexity.

yesudeep • Jul 09 '24 17:07

We will be sending a PR for your review shortly.

yesudeep • Jul 09 '24 17:07

https://github.com/optimizely/agent/pull/419 should fulfill this security feature request.

yesudeep • Jul 09 '24 18:07

Hi @yesudeep. Thanks for opening the PR. Let us review this issue and your solution and get back with you shortly. I've created internal ticket FSSDK-10402.

mikechu-optimizely • Jul 10 '24 21:07