Authors: duselvar@cisco.com, jlewi@google.com, adselvaraj@cisco.com, jtf.github@gmail.com
The purpose of this document is to outline a process for creating docker images maintained by our community for Kubeflow applications.
The main goals are to:
- Establish a process around creating images for Kubeflow applications.
- Improve security of the images built for running Kubeflow applications.
This document is intended to cover container images of applications that are deployed in the Kubernetes cluster as part of Kubeflow and in particular:
- Custom resources and controllers
- Web applications
This document is not intended to cover any image which is not deployed to the Kubernetes cluster.
Using Multi-staged builds you can separate the build process to a separate build image and copy the binaries generated from the build stage to the actual image.
The recommended build images for each of the programming languages are listed below:
| Programming Language or Framework | Docker Image |
|---|---|
| Golang | Golang Docker Image |
| Python3 | Python Docker Image |
| NodeJS | NodeJS Docker Image |
If your language or framework is not covered within these above recommendations, it is recommended to use the official images for the respective language or framework.
-
It is recommended to use Golang 1.13+ images while building docker images as it contains critical security fixes for the packages net/http, crypto/dsa and net/textproto.
-
While building Golang binaries in the build docker file, it is recommended to build with the below flags to ensure that the binary runs without needing to use
libcbased packages. This facilitates the use of distroless'staticimage as opposed tobaseimage.
RUN CGO_ENABLED=0 GOOS=linux go build -o <output_binary> -a .
Kubeflow community recommends the usage of distroless images for building images for Kubeflow applications.
This approach reduces the image's size to only what is required to run the application thereby reducing security risks.
The preference of distroless images to be chosen according to language is given by the table below:
| Programming Language or Framework | Docker Image |
|---|---|
| Golang | gcr.io/distroless/static-debian10 |
| Python3 | gcr.io/distroless/python3-debian10 |
| NodeJS | gcr.io/distroless/nodejs |
Note: Distroless NodeJS is yet to publish a 'debian10' version of the image. We are tracking this change here: GoogleContainerTools/distroless#485
tf-operator distroless image for Golang based binary serves as an example image for Kubeflow.
It is recommended to use a CVE scanning tool to report vulnerabilities in the image being replaced and compare it with the report of the newer image. This is to ensure that the CVE count reduces with each update to an image.