job-builder: introduced secure base-job-image #1546

Merged
merged 5 commits into from
Jan 25, 2023

Collaborator

@mivanov1988 mivanov1988 commented Jan 24, 2023

What

As part of our initiative to improve the overall security of the VDK project, we need to apply some general hardenings to the base job image.

Why

Introduced base job image based on the lightweight Photon OS. The general hardenings will be applied in a separate PR.

Testing done

Tested on a local Kind cluster

Signed-off-by: Miroslav Ivanov [email protected]

@murphp15
Collaborator

Can we remove the insecure image? To keep the code clean?
Is there a use case for the insecure one?

@mivanov1988
Collaborator Author

> Can we remove the insecure image? To keep the code clean? Is there a use case for the insecure one?

Some of our internal deployments depend on it.

@murphp15
Collaborator

Can they migrate to the secure ones soon though?

@mivanov1988
Collaborator Author

> Can they migrate to the secure ones soon though?

It is not planned yet.

Collaborator

@antoniivanov antoniivanov left a comment

What are the benefits of photon vs python-slim (which is the default one)?

In any case looks good to me. Offering a more secure option is certainly a good thing.

@mivanov1988 mivanov1988 merged commit 418f721 into main Jan 25, 2023
@mivanov1988 mivanov1988 deleted the person/miroslavi/base-job-image-secure branch January 25, 2023 12:44
@mivanov1988
Collaborator Author

mivanov1988 commented Jan 26, 2023

One of the key features of interest of the Photon OS is: "The kernel and other aspects of the operating system are built with an emphasis on security."

On scanning the Photon OS image, the vulnerabilities are as follows: Tested 35 dependencies for known issues, no vulnerable paths found.

On scanning python:3.10-slim the vulnerabilities are as follows: Tested 106 dependencies for known issues, found 47 issues.

@antoniivanov
Collaborator

> One of the key features of interest of the Photon OS is: "The kernel and other aspects of the operating system are built with an emphasis on security."
>
> On scanning the Photon OS image, the vulnerabilities are as follows: Tested 35 dependencies for known issues, no vulnerable paths found.
>
> On scanning python:3.10-slim the vulnerabilities are as follows: Tested 106 dependencies for known issues, found 47 issues.

Thanks. That makes sense.
