-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make argoexec image scratch/distroless to improve security #7486
Comments
We already move to a more secure base image (alpine), but it'd be awesome to go further. This work would need to be done piecemeal, as we'd probably want to add tests each step of the way:
The above list is in rough order of (cost+risk)/benefit. E.g. removing the Docker executer would easy and drastically improve our posture, where as removing |
@Sh1ftry would you be interested in helping? |
For the work related to replacing |
Correct. I think we can use |
As I see the downside atm is that it will be hard to be backwards compatible since the dynamic API don't have the same functionality out of the box as |
https://github.com/argoproj/argo-cd/blob/master/go.mod#L87 We can do that. Should we discus this is the right issue? #7797 |
yes, my bad! |
I've thought about this and I think there is a third-way that might be easier. Instead of replacing the binaries with pure Go, we actually just want to get rid of the operating system. We can do this by copying just the binaries accross. Assmuming all the biniaries work without the underying OS. |
Summary
Argoexec image has lots of components, which makes it vulnerable to various security findings. With emissary executor though it's possible to make the image distroless.
Use Cases
Workflows using emissary executor.
docker
executor #7795curl
binary in the HTTP artifact driver with pure Go #7796kubectl
with pure Go in the resource template code #7797git
binary in Git artifact driver #7798jq
binary with pure Go #7799tar
binary with pure Go in the Kubernetes API executor #7800Message from the maintainers:
Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.
The text was updated successfully, but these errors were encountered: