Changing base images to cgr.dev/chainguard/static #1165
Comments
|
FWIW we've been using these in our |
|
Other than having to remember to pass |
|
cc @knative/technical-oversight-committee for visibility |
|
My only concern is the use of the |
That's understandable. We don't currently have mirrors onto other registries, but might consider it. The specific concern would be that if In any case, once Knative builds its images the reachability of cgr.dev is moot, since Knative serves all its image contents from gcr.io. |
Yup
Do you also push to other registries? |
|
I'm switching serving over to the chainguard images - my main concern was really GitHub registry stability etc. but with you moving to R2 i'm less concerned now. /assign @pierDipi for eventing |
|
Following up based on https://www.chainguard.dev/unchained/changes-to-static-git-and-busybox-developer-images-2 The chainguard main images don't support s390x/ppc arch. The recommendation is to use I'll be updating serving repos in response. Details: https://www.chainguard.dev/unchained/changes-to-static-git-and-busybox-developer-images-2 |
Knative Serving and Eventing's container images are currently based on
gcr.io/distroless/static:nonroot(serving, eventing).This is a good thing. The
static:nonrootimage contains almost nothing, it runs as a nonroot user, and it's served Knative well since the early days. However, I'd like to discuss updating this default base image tocgr.dev/chainguard/static.This new image is built using apko instead of GCP-distroless's Bazel build system, which means it's quite a bit easier to rebuild the image yourself, and easier to modify the image if there's ever such a need. This simpler development story also makes it easier to support, which means you'll get better support should anything come up.
This new image also runs as a nonroot user by default. This image is keylessly signed (as GCP-distroless is), and comes with an SBOM generated at build-time -- but since there's almost nothing in the image, there's almost nothing in the SBOM.
This new image supports all the same architectures as the current base, as well as
linux/arm/v7,linux/riscv64andlinux/386.It's also just a bit smaller -- from 783KB down to 479KB -- but that's probably not a big concern (pun intended!).
Tekton changed to this image a couple releases ago in tektoncd/pipeline#5009, with no technical issues -- they also use an image that provides
git, and another that providesbusybox, both also switched to be built using apko with no issues.koswitched to use this base image by default in v0.12, again with no technical issues that I'm aware of. Knative didn't pick up thekochange because you set your own default togcr.io/distroless/static:nonrootin the links above.If the community decides not to make this change, that's okay -- the current image is also a great choice. I just wanted to bring it up in case there was an appetite.
If there's interest, I can send PRs to Serving and Eventing, and any other relevant projects that are interested.
cc @mattmoor @vaikas for visibility
The text was updated successfully, but these errors were encountered: