Use distroless image as the base image, run Katib components as a non-root user

[tenzen-y]

/kind discussion

Once the ephemeral debug containers feature is available by default, we might better change the base image from the alpine to the distroless image, run Katib components as a non-root user.

Ref:

• Reimplement katib-cert-generator in Go #1662 (comment)
• Debugging with an ephemeral debug container
  

[gaocegege]

Can you please explain the benefits of using distroless and non-root user in this case? Is it for security issues?

[tenzen-y]

@gaocegege Thank you for your comment!

Is it for security issues?

Sure, that's one of the benefits.

Distroless is a very small image because it does not include shell, etc. I believe that making Katib components smaller is beneficial.

Besides, It does not have the image version tag such as alpine(ex. 3.7), we do not need to think about updating the image.

[gaocegege]

Gotcha. As you know, there are many users which k8s is 1.14/1.16, I am not sure if it works for them.

[tenzen-y]

I understood users using K8s <=1.16 can use an older version of Katib in the following discussion.

#1662 (comment)

I think we can say that Katib is working on Kubernetes >= 1.17
It should be fine for the community, otherwise they can use older version of Katib.

Although, I think we should discuss the time of change image because distroless image is difficult to debug without the ephemeral debug container feature.

• ephemeral containers

[gaocegege]

Yes, I agree. SGTM

[tenzen-y]

This is just sharing.
The ephemeral containers feature is going to move to beta in Kubernetes v1.23.

kubernetes/kubernetes#105405

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[tenzen-y]

/lifecycle frozen