In production just use the scratch one and for debugging if you need a shell use the alpine one. For everyday operation I don't see any reason to have a shell.
In production there is no need to have a shell for pure binary apps. It is a very common practice to switch images for debugging.
How often do you need to debug your apps? So yes I do this every time I have to debug something. Tracing network issues can be done outside of the container itself, logs can be written to a volume or even better stdout etc.
Unless a different USER is set, root is being used. Also the directories are owned by root.
OK, fix scratch image. Set USER in dockerfile and fix directories permissions.
- #4617
No, production images should not have a shell.
OK, fix scratch image. Set USER in dockerfile and fix directories permissions.
By default? I run with runAsNonRoot and readOnlyRootFilesystem (https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
Then you cannot simply install debug utilities from inside a container (apk add), you have to run it under root before. It is not so convenient.
I would alpine to debug keeping root privileges
PS @pat-s, you should have blocked me from within organization settings ;)
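Added example, not code from this thread or from the project: one way to give a scratch image a non-root USER and a directory that user can write to, as discussed above. The binary name `app`, the path `/data` and the UID/GID 10001 are assumptions chosen for illustration.

```dockerfile
# Constructed example; names, paths and IDs are placeholders.

# Helper stage: scratch has no shell, adduser, mkdir or chown,
# so everything the final image needs is prepared here.
FROM alpine:3.20 AS prep
RUN apk add --no-cache ca-certificates \
 && mkdir -p /rootfs/data

FROM scratch

# CA bundle so the binary can make outbound TLS connections.
COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

# Writable state directory, owned by the unprivileged UID/GID.
# Numeric IDs in --chown need no /etc/passwd inside the image.
COPY --from=prep --chown=10001:10001 /rootfs/data/ /data/

# Hypothetical statically linked binary from the build context.
# It stays root-owned so the running process cannot modify it.
COPY app /usr/local/bin/app

# Numeric UID:GID. With runAsNonRoot set, the kubelet can only
# verify a numeric USER; a named user is rejected at start-up.
USER 10001:10001

# With readOnlyRootFilesystem, writes must land on a mounted volume.
VOLUME ["/data"]

ENTRYPOINT ["/usr/local/bin/app"]
```

An image built this way starts under a pod securityContext that sets runAsNonRoot and readOnlyRootFilesystem, provided a writable volume is mounted at `/data`.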