Provide distroless images with sleep utility #48890
GeorgeTsilias started this conversation in Ideas

Hello everyone,

How would you feel about providing a distroless image variant that includes the sleep utility, statically linked on the filesystem?

One other idea would be to implement sleep as a command on some of Istio's binaries, but I guess that would be more time consuming.

We're currently trying to roll out distroless istio-proxy images on our clusters in order to minimise the attack surface, but since we're using AWS NLBs with IP targets we need a preStop hook that makes the containers sleep for X number of seconds before SIGTERM is sent. This is due to a (widely known) limitation on the AWS side but I don't see anything being done to overcome it from their side, and I'm sure that there are a lot of people that are affected by this.

More information on why the sleep preStop hook is needed can be found on the links below:

[1] kubernetes-sigs/aws-load-balancer-controller#2366
[2] kubernetes-sigs/aws-load-balancer-controller#2131

EDIT: Just going through some of the related Issues, it seems like there was another request like this one here: #47779

Replies: 1 comment

You should not need sleep, use terminationDrainDuration. I sent a PR on this: #48996, but it was rejected.