scratch for checkout, frontend, productcatalog and shipping
#2512
Conversation
mathieu-benoit
changed the title
scratch for checkout, productcatalog and shippingscratch for checkout, frontend, productcatalog and shipping
|
Ready for review, thanks! |
| @@ -13,8 +13,6 @@ | |||
| # limitations under the License. | |||
|
|
|||
| FROM golang:1.22.2-alpine@sha256:cdc86d9f363e8786845bea2040312b4efa321b828acdeb26f393faa864d887b0 as builder | |||
| RUN apk add --no-cache ca-certificates git | |||
There was a problem hiding this comment.
Question: Do you know why we can remove ca-certificates?
There was a problem hiding this comment.
(It's not super clear to me why ca-certificates is needed in the first place. I assume it's to enable HTTPS (secure) communication during runtime.)
Original commit: 92eb76c
There was a problem hiding this comment.
Good question. This is for the build container (not the final). If I do syft golang:1.22.2-alpine, I see that ca-certificates is already in there apparently:
NAME VERSION TYPE
alpine-baselayout 3.4.3-r2 apk
alpine-baselayout-data 3.4.3-r2 apk
alpine-keys 2.4-r1 apk
apk-tools 2.14.0-r5 apk
busybox 1.36.1-r15 apk
busybox-binsh 1.36.1-r15 apk
ca-certificates 20230506-r0 apk
ca-certificates-bundle 20230506-r0 apk
cmd/addr2line (devel) go-module
cmd/asm (devel) go-module
cmd/buildid (devel) go-module
cmd/cgo (devel) go-module
cmd/compile (devel) go-module
cmd/covdata (devel) go-module
cmd/cover (devel) go-module
cmd/doc (devel) go-module
cmd/fix (devel) go-module
cmd/go (devel) go-module
cmd/gofmt (devel) go-module
cmd/link (devel) go-module
cmd/nm (devel) go-module
cmd/objdump (devel) go-module
cmd/pack (devel) go-module
cmd/pprof (devel) go-module
cmd/test2json (devel) go-module
cmd/trace (devel) go-module
cmd/vet (devel) go-module
d3-pprof 2.0.0 npm
go 1.22.2 binary
libc-utils 0.7.2-r5 apk
libcrypto3 3.1.4-r5 apk
libssl3 3.1.4-r5 apk
musl 1.2.4_git20230717-r4 apk
musl-utils 1.2.4_git20230717-r4 apk
scanelf 1.3.7-r2 apk
ssl_client 1.36.1-r15 apk
stdlib go1.22.2 go-module (+18 duplicates)
zlib 1.3.1-r0 apk
Not sure why it was added in there at the first place though.
There was a problem hiding this comment.
Thanks so much for this, @mathieu-benoit! I highly appreciate the elaborate and clear pull-request description + links.
Just had a question before merging. :)
scratchfor the final image forcheckout,frontend,productcatalogandshipping.Objectives for the Golang apps:
busybox)alpinepreviouslyAddressing #693 for the Golang apps.
Associated resources for the inspiration and for the guidance:
The size is reduced:
For
checkoutserviceit's 8MB saved on disk:For
frontendit's 15.7 MB saved on disk:The number of packages is reduced:
With a tool like
syftwe could see that all the unnecessary/unsecured packages have been removed.For
checkoutservice, from 57 packages we are now at 40 packages, here are the ones removed:For
frontend, from 82 packages we are now at 48 packages, here are the ones removed:On these now missing packages, that's avoiding/removing any CVEs debt/fatigue on them.
Important notes: removing
busybox/wgetis a great improvement on a security standpoint, nobody can dodocker execorkubectl execon them.The number of CVEs is reduced:
With a tool like
trivywe could see that thealpinebased one has currently 2 CVEs:On the other end, the new one doesn't have any CVEs.
Also, based on the GKE Security Posture feature, for
frontend, this will fix these 25 CVEs:Tests:
Successfully tested:
docker compose:scratchfor golang apps Humanitec-DemoOrg/onlineboutique-demo#17scratchfor golang apps Humanitec-DemoOrg/onlineboutique-demo#17