Fix image security issues about cluster-api-provider-ibmcloud HOT 8 CLOSED

Will check the other 2 bugs for cluster-api-provider-openstack and cluster-api-provider-vsphere.

from cluster-api-provider-ibmcloud.

may we we can change to use debian:stretch-slim as the base docker image

from cluster-api-provider-ibmcloud.

Why not use static lib when building the go binary and replace the base image with scratch, to minimize the image size?

from cluster-api-provider-ibmcloud.

Just ignore the last comment, we need ca-certificates package to generate the cert/key pair.

from cluster-api-provider-ibmcloud.

Look like simply adding apt-get update && apt-get upgrade -y can't upgrade the vulnerable package to fixed version.

Also checked the images of openstack and vsphere, the same security issues exist.

Should we consider changing the base image?

@gyliu513 Any comments?

from cluster-api-provider-ibmcloud.

@morvencao Yes, you can fix those issues together for OpenStack, vSphere as well.

from cluster-api-provider-ibmcloud.

@morvencao do we have best practice ?I think other k8s related project have similar question?
and do aws has this kind of issue? maybe we can refer to their stuffs?

from cluster-api-provider-ibmcloud.

@jichenjc Usually we fix this kind of security issues by upgrading the packages to the new version, because new versions contain the fix, however, it doesn't work in provider images, also tried to replace base image.

I found that the gcp provider is using the gcr.io/distroless/static:latest as base image: https://github.com/kubernetes-sigs/cluster-api-provider-gcp/blob/master/Dockerfile#L20, but I don't think we can do that, because we need ca-certificate package.

from cluster-api-provider-ibmcloud.