-
Notifications
You must be signed in to change notification settings - Fork 111
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
experiment: Add Wolfi based images #1735
base: main
Are you sure you want to change the base?
Conversation
Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks). These images are smaller and are kept up to date with upstream with a focus on minimal CVEs. (computed using `crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec`) Image | Size ----- | ---- gcr.io/tekton-releases/dogfooding/ko:latest | 277M us-docker.pkg.dev/wlynch-chainguard/public/ko@latest-wolfi | 31M gcr.io/tekton-releases/dogfooding/ko-gcloud:latest | 606M us-docker.pkg.dev/wlynch-chainguard/public/ko-gcloud@latest-wolfi | 304M CVE Scans: ``` $ grype gcr.io/tekton-releases/dogfooding/ko:latest ✔ Vulnerability DB [no update available] ✔ Parsed image sha256:a41f5ae73e4a3aa0652d8653d22cd8dcf499f1ad2e78c3c1433127fe3ee6d61f ✔ Cataloged packages [231 packages] ✔ Scanned for vulnerabilities [23 vulnerability matches] ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown) └── by status: 12 fixed, 11 not-fixed, 0 ignored (4 dropped) ``` ``` $ grype us-docker.pkg.dev/wlynch-chainguard/public/ko:latest-wolfi ✔ Vulnerability DB [no update available] ✔ Parsed image sha256:e5b9decd9f30c3500f7e289c7abd7d054e122b128877215b47b78b769e915329 ✔ Cataloged packages [191 packages] ✔ Scanned for vulnerabilities [0 vulnerability matches] ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible └── by status: 0 fixed, 0 not-fixed, 0 ignored (4 dropped) ``` These aren't wired up to CI yet.
Skipping CI for Draft Pull Request. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Opening as a draft since if we actually want to do this or not, but opening up for discussion. (cc @afrittoli)
Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks).
These images are smaller and are kept up to date with upstream with a focus on minimal CVEs.
(computed using
crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec
)CVE Scans:
These aren't wired up to CI yet, but they're configured to publish to a different tag (
latest-wolfi
)Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide
for more details.