Use debian-base instead of busybox as base image for server images #70245
Conversation
k8s-ci-robot
added
the
release-note
k8s-ci-robot
added
kind/cleanup
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ixdy The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
We could probably use scratch-with-/etc/nsswitch.conf like we do for busybox now, though it might need an |
|
bazel flake bazelbuild/bazel#6136 |
| kube-controller-manager,"k8s.gcr.io/debian-base-${arch}:${debian_base_version}" | ||
| kube-scheduler,"k8s.gcr.io/debian-base-${arch}:${debian_base_version}" | ||
| kube-proxy,"k8s.gcr.io/debian-iptables-${arch}:${debian_iptables_version}" | ||
| ) |
There was a problem hiding this comment.
this alone is wonderful, thanks :-)
| # ensure /etc/nsswitch.conf exists so go's resolver respects /etc/hosts | ||
| container_image( | ||
| name = "busybox-with-nsswitch", | ||
| base = "@official_busybox//image", |
There was a problem hiding this comment.
are we using this image elsewhere? otherwise we can also remove from WORKSPACE
There was a problem hiding this comment.
cluster/images/kubemark/BUILD uses it. I was planning to switch it to debian-base and then remove it here in a follow-up PR; I wanted to keep this one focused on the server images.
There was a problem hiding this comment.
I kinda forgot about this, but now updating the kubemark image in #73539.
k8s-ci-robot
added
the
lgtm
|
|
re-iterating from @cblecker since it seemed to not stick... |
k8s-ci-robot
added
the
do-not-merge/hold
|
xref: #70249 |
|
any objections from anyone? |
|
No objections. 🚢 it ! |
|
|
k8s-ci-robot
removed
the
do-not-merge/hold
What type of PR is this?
/kind cleanup
What this PR does / why we need it: standardizes on
debian-basefor the server images instead of busybox, per #40248 (comment).Using
debian-basealso ensures we use a consistent libc (glibc instead of musl libc), allows better security scanning on gcr.io, avoids weird compatibility bugs like #69195, and may even use marginally less space on nodes, sincedebian-iptablesis based on it and is already included on all nodes forkube-proxy.Does this PR introduce a user-facing change?:
/assign @BenTheElder @cblecker @dims
cc @tallclair @AishSundar @simony-gke @listx
/sig release