Velero: Move Velero containers to a distroless base image
Describe the problem/challenge you have
Currently the ubunu:focal base image is used for the Velero container. This contains a number of libraries and other OS related support files that are unnecessary and often include security vulnerabilities.
Describe the solution you'd like
Move to a very minimal base image, such as google Distroless. https://github.com/GoogleContainerTools/distroless/blob/master/examples/go/Dockerfile
Anything else you would like to add:
This needs to be tested with e2e tests and all plugins.
Should fix https://github.com/vmware-tanzu/velero/issues/3003
Environment:
- Velero version (use
velero version): - Kubernetes version (use
kubectl version): - Kubernetes installer & version:
- Cloud provider or hardware configuration:
- OS (e.g. from
/etc/os-release):
Vote on this issue!
This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.
- :+1: for "The project would be better with this feature added"
- :-1: for "This feature will not enhance the project in a meaningful way"
dsu-igeek
All 4 comments
3003 is a blocker for us from using velero. Would appreciate if this can be released earlier (1.5.x/1.6.x).
SatyKrish
on 25 Feb 2021
same here - currently #3003 is blocking us from using velero due to sec-compliance
ksandermann
on 25 Mar 2021
yep, velero blocks the using in a pci-dss environment because of issues in the baseimage
carsten-f
on 26 Mar 2021
Blocker to use velero in production
benendboss
on 29 Mar 2021
Related issues
akgunjal
路
3Comments
archmangler
路
3Comments
my1990
路
3Comments
Berndinox
路
3Comments
doronmak
路
3Comments
Most helpful comment
same here - currently #3003 is blocking us from using velero due to sec-compliance