experiment: Add Wolfi based images #1735
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks). These images are smaller and are kept up to date with upstream with a focus on minimal CVEs. (computed using `crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec`) Image | Size ----- | ---- gcr.io/tekton-releases/dogfooding/ko:latest | 277M us-docker.pkg.dev/wlynch-chainguard/public/ko@latest-wolfi | 31M gcr.io/tekton-releases/dogfooding/ko-gcloud:latest | 606M us-docker.pkg.dev/wlynch-chainguard/public/ko-gcloud@latest-wolfi | 304M CVE Scans: ``` $ grype gcr.io/tekton-releases/dogfooding/ko:latest ✔ Vulnerability DB [no update available] ✔ Parsed image sha256:a41f5ae73e4a3aa0652d8653d22cd8dcf499f1ad2e78c3c1433127fe3ee6d61f ✔ Cataloged packages [231 packages] ✔ Scanned for vulnerabilities [23 vulnerability matches] ├── by severity: 1 critical, 7 high, 13 medium, 0 low, 0 negligible (2 unknown) └── by status: 12 fixed, 11 not-fixed, 0 ignored (4 dropped) ``` ``` $ grype us-docker.pkg.dev/wlynch-chainguard/public/ko:latest-wolfi ✔ Vulnerability DB [no update available] ✔ Parsed image sha256:e5b9decd9f30c3500f7e289c7abd7d054e122b128877215b47b78b769e915329 ✔ Cataloged packages [191 packages] ✔ Scanned for vulnerabilities [0 vulnerability matches] ├── by severity: 0 critical, 0 high, 0 medium, 0 low, 0 negligible └── by status: 0 fixed, 0 not-fixed, 0 ignored (4 dropped) ``` These aren't wired up to CI yet.
|
Skipping CI for Draft Pull Request. |
tekton-robot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
size/L
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Opening as a draft since if we actually want to do this or not, but opening up for discussion. (cc @afrittoli)
Adds some initial images (ko, ko-gcloud) based on Wolfi packages using apko. (tl;dr apko = ko for apks).
These images are smaller and are kept up to date with upstream with a focus on minimal CVEs.
(computed using
crane manifest $IMG | jq '.config.size + ([.layers[].size] | add)' | numfmt --to=iec)CVE Scans:
These aren't wired up to CI yet, but they're configured to publish to a different tag (
latest-wolfi)Changes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide
for more details.