-
Notifications
You must be signed in to change notification settings - Fork 908
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] Streamlining docker images #3165
Comments
I think providing an image that does not include Falcoctl would be a good idea especially for folks trying to run Falco in a more secure environment or that are concerned about attack surface. I created a PR to create a distroless Dockerfile that does not include falcoctl. I have been testing this image in a dev environment with great results over the past week. I was motivated to modify the existing distroless image as I was seeing several vulnerabilities introduced by falcoctl. I am also running falco in a way that does not require I ever interact with falcoctl. Not sure if anyone else has a similar use case but either way maybe this PR can help them out. |
Hey @killerkenobi as per my proposal, the new
Also, please share 👇 your use case 👇 anyway, it may be useful for someone! 🙏
|
@leogr that's great to hear and will be very helpful. I am currently running my modified distroless falco image in a Kubernetes environment that restricts access to the internet so Falcoctl would not be allowed to call out and get rule updates. The environment is pretty locked down due to compliance requirements. I am also using a custom rule set that is tailor made for my environment so I have no need to update the Falco-provided rule sets using Falcoctl. In addition, I have to build my custom falco image using a CI/CD pipeline with strict vulnerability scanning requirements. Falcoctl was constantly failing this pipeline with vulnerabilities in various Go packages. Once I removed Falcoctl the image has been building and working as expected. The distroless image without falcoctl is also only ~50MB where the upstream falco distroless image is ~110MB if I remember correctly. |
cc @falcosecurity/falcoctl-maintainers for visibility |
/assign |
While we want to make our images simpler, we will address this in the version after the one we're preparing now, so I'm bumping the milestone. /milestone 0.39.0 |
I wanted also to highlight that we might want to ship multiple versions of the
Debian trixie ships with correct glibc version:
And so on, as new debian versions come out. |
I totally agree. I guess it wouldn't be hard to maintain these variants, and they are useful also for testing purposes. |
Do we also want to deprecate the |
Yes, IMO. The falco/.github/workflows/reusable_publish_docker.yaml Lines 92 to 94 in 0bf7458
|
I know :) we should add it in the OP for this issue then. |
Issues go stale after 90d of inactivity. Mark the issue as fresh with Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with Provide feedback via https://github.com/falcosecurity/community. /lifecycle stale |
/remove-lifecycle stale |
As discussed with @FedeDP we are moving this for In order to have more time to test and enhance the current WIP implementation. |
@leogr: The provided milestone is not valid for this repository. Milestones in this repository: [ Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
/milestone 0.40.0 |
Motivation
The modern eBPF probe is gaining prominence, prompting our decision to adopt it as the default driver. This shift offers significant advantages to our distribution system. By moving to the eBPF probe, we eliminate the need to include the full driver-building toolchain in the default Falco distribution. Users who prefer alternative setups can still opt for a different container image. Consequently, this allows us to transition the Falco default image to a "no-driver"/"distroless" configuration, streamlining our deployment and enhancing system simplicity.
As a result of this decision, we have re-audited all Docker images, gathered feedback, and are now proposing to streamline the Falco Docker images to better meet current needs and enhance their functionality. This proposal outlines the desired state of these improvements.
Feature
New supported images
falcoctl
not included.jq
,curl
), but notfalcoctl
.falcosecurity/falco:x.y.z-debian
(see above) plus the driver building toolchain support and also shipping the latest version offalcoctl
. Recommended only when modern eBPF is not supported.falcosecurity/falco-driver-loader
(see above) but based on a legacy Debian image (i.e.buster
). Recommended only for old kernel versionsDeprecated images
falcosecurity/falco:x.y.z
falcosecurity/falco:x.y.z-debian
(basically the same image with a new name)Other legacy or almost not-used images included in https://hub.docker.com/u/falcosecurity may be deprecated, too.
Alternatives
We have already evaluated different alternatives, but no valid alternatives emerged (or were discarded early).
A still valid alternative would be not to implement some image variants (i.e.,
-debian
and-buster
) or add others variants. This, however, may reduce the Falco compatibility range.Additional context
This needs to be shipped before Falco 1.0 as per our roadmap.
Tentatively for
/milestone 0.38.0
Probably for 0.39.0
The text was updated successfully, but these errors were encountered: