
#1322 add support for hardened container environments #1323

Merged
merged 1 commit into from Apr 15, 2024

Conversation

lukibahr

Description of Change

This change hardens the container to use the nginxinc/nginx-unprivileged:1.25 container for getting the container up and running in a hardened environment, where privileged containers are not allowed or capabilities are restricted.

#1322

Checklist

  • PR description included and stakeholders cc'd
  • yarn test passes
  • yarn lint has been run
  • git pre-commit hook is successfully executed.
    (Please refrain from using --no-verify)

Notes

This applies for the frontend (client) application only. Configuration changes for the helm templates are not included.

© 2021 Thoughtworks, Inc.
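As an added illustration of the change described above (an example Dockerfile, not the project's own file): a multi-stage build that serves a yarn-built frontend from nginxinc/nginx-unprivileged:1.25. The Node build image, the /app/build output directory and the copy destination are assumptions; the non-root user and the 8080 listen port are the defaults of the nginx-unprivileged image.

```dockerfile
# Stage 1: build the static frontend (assumed: yarn build writes to /app/build)
FROM node:20-alpine AS build
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build

# Stage 2: serve it from the unprivileged nginx image.
# This image already runs as the non-root "nginx" user (UID 101) and
# listens on 8080, so it needs no root, no CAP_NET_BIND_SERVICE and no
# chown/chmod fix-ups to start under a restrictive pod security policy.
FROM nginxinc/nginx-unprivileged:1.25
COPY --from=build /app/build /usr/share/nginx/html
# 8080, not 80: an unprivileged process cannot bind a port below 1024.
EXPOSE 8080
```

A pod that sets `runAsNonRoot: true`, drops all capabilities and uses a read-only root filesystem can run this image unchanged, provided its Service targets port 8080 rather than 80.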

@lukibahr lukibahr requested a review from a team as a code owner March 27, 2024 14:43
@olivercodes

olivercodes commented Mar 29, 2024

@lukibahr do you think it would be worth exploring the use of the chainguard image? A quick scan with Trivy reveals there are a number of vulnerabilities in the nginxinc image, whereas the chainguard image has none at the moment.

caveat: with all vuln scans, it's common to see an alarming list of CVEs, and then review them and realize they are all irrelevant to your own usage (but still requires that time commitment).

Only downside is we would need to contact Chainguard for an OSS license to access specific versions (the latest tag of their images is always public).

https://images.chainguard.dev/directory/image/nginx/versions
https://edu.chainguard.dev/chainguard/chainguard-images/reference/nginx/

@lukibahr
Author

@olivercodes I was considering the chainguard image tho, however I faced the license issue you've mentioned too. If we're ok with the latest image (what we are doing more or less, using the nginx-alpine:stable, which is also not directly pinned), I could update the MR.

For accessing specific versions of chainguard, I do not know the workflow or process how this works with chainguard.

@olivercodes

@lukibahr @camcash17 I opened a dialogue with Chainguard but they don't currently have an OSS policy. Sounds like they may be open to it but it may take a while to work out the details. Probably good to merge this and then come back to it when we have something more solid.

@lukibahr
Author

lukibahr commented Apr 8, 2024

I second that! In the meantime, I'll test the chainguard image with latest tag.

@lukibahr
Author

@olivercodes @camcash17 Any news from your side? I suggest, we should merge the change and check chainguard images later.

@olivercodes

+1, good to merge @camcash17

@ccasher ccasher merged commit 5260852 into cloud-carbon-footprint:trunk Apr 15, 2024
1 check passed
@ccasher
Collaborator

ccasher commented Apr 15, 2024

Thanks for the contribution @lukibahr!

@lukibahr
Author

lukibahr commented May 3, 2024

@ccasher will the updated image be published on Docker Hub? Can't find a newer container image than release-2024-02-11

@ccasher
Collaborator

ccasher commented May 11, 2024

@lukibahr, apologies for the delay. Doing a release now, so it should be available for you momentarily!
