Is Your Image Really Distroless? - Laurent Goderre, Docker
CNCF [Cloud Native Computing Foundation]

Published on Mar 20, 2024



With the introduction of multi-stage builds in Docker, it is possible to separate build-time dependencies from run-time dependencies by starting the final stage from a fresh base image and copying in only the necessary output of the build stage(s). This in turn helps create "distroless" images that omit many of the convenience tools a distribution includes, such as a package manager. That makes it harder for a malicious actor to add software to a running container, and it also reduces the number of components that can carry vulnerabilities and must be kept up to date. However, many applications still rely on extra tooling, such as shells, to configure the runtime environment of the application to meet the needs of users. This talk demonstrates how init containers let us separate the logic needed to configure a runtime environment from the environment itself, so that the application image contains no shell or scripting capability and the resulting container is more secure.
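The question in the title can be answered mechanically: export the final image's filesystem and look for the tooling a distroless image is supposed to have lost. The script below is an added example, not code from the talk or from Docker. The list of paths it checks, the function names `distroless_audit` and `audit_image`, and the dummy command passed to `docker create` are all assumptions made for this illustration; the audit itself only needs a directory containing an exported root filesystem.

```sh
#!/bin/sh
# Added example, not code from the talk: audit an exported container root
# filesystem for tooling a distroless image should not carry (shells, package
# managers, interpreters, download clients). Once runtime configuration has
# been moved into an init container, the application image should pass this.
#
# The list of paths below is an assumption about where such tools usually live
# on Debian/Alpine/RHEL-style images; extend it for your own base images.
DISTRO_TOOLING="
bin/sh bin/bash bin/dash bin/ash bin/busybox
usr/bin/sh usr/bin/bash usr/bin/dash usr/bin/ash usr/bin/busybox
usr/bin/apt usr/bin/apt-get usr/bin/dpkg sbin/apk usr/bin/yum usr/bin/dnf usr/bin/microdnf usr/bin/rpm
usr/bin/python usr/bin/python3 usr/bin/perl usr/bin/ruby usr/bin/node
usr/bin/curl usr/bin/wget
"

# distroless_audit ROOTFS_DIR
# Prints each offending path (relative to the rootfs) on its own line.
# Returns 0 if none were found, 1 otherwise.
distroless_audit() {
    rootfs=$1
    found=0
    for rel in $DISTRO_TOOLING; do
        # -L also catches dangling symlinks that -e alone would miss
        if [ -e "$rootfs/$rel" ] || [ -L "$rootfs/$rel" ]; then
            printf '%s\n' "$rel"
            found=1
        fi
    done
    return $found
}

# audit_image IMAGE
# Exports IMAGE's filesystem with the docker CLI (hypothetical wrapper, needs
# docker on the host) and runs distroless_audit over it.
audit_image() {
    image=$1
    # A dummy command lets 'docker create' succeed even for images that set no
    # CMD/ENTRYPOINT; the container is never started, only exported.
    cid=$(docker create "$image" /distroless-audit) || return 2
    dir=$(mktemp -d) || return 2
    docker export "$cid" | tar -C "$dir" -xf -
    docker rm "$cid" >/dev/null
    distroless_audit "$dir"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Usage: audit_image myapp:latest && echo "no distro tooling found"
```

Two caveats worth keeping in mind: this is a filesystem check, so it will not notice an interpreter that the application binary embeds or a shell copied to an unusual path, and passing it says nothing about the init container's own image, which may legitimately carry a shell. Mount the volume the init container writes into read-only in the application container so the configuration logic cannot be replayed at runtime.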
