K8s Security — Use distroless base images

Security is fundamental and should be in the mind of everyone in an organization.

K8s Security

Important Points

  • syft — Anchore's SBOM generator. It is used here to list the packages inside each image, which is the quickest way to see what an image actually ships.
  • We compare three base images: Debian, Alpine and Distroless.

Debian Images

  • They contain many packages, including the apt package manager, as listed below. In a compromised container these can be used to install further packages, run scripts (bash, perl) or make network calls.
  • The risk of using Debian-based images is plain to see: the more packages there are, the larger the attack surface, and the more packages you have to patch even though the application never uses most of them.
Amits-MacBook-Pro:k8s amitdube$ syft debian
✔ Parsed image
✔ Cataloged packages [96 packages]

NAME VERSION TYPE
adduser 3.118 deb
apt 2.2.4 deb
base-files 11.1+deb11u7 deb
base-passwd 3.5.51 deb
bash 5.1-2+deb11u1 deb
bsdutils 1:2.36.1-8+deb11u1 deb
coreutils 8.32-4+b1 deb
dash 0.5.11+git20200708+dd9ef66-5 deb
debconf 1.5.77 deb
debian-archive-keyring 2021.1.1+deb11u1 deb
debianutils 4.11.2 deb
diffutils 1:3.7-5 deb
dpkg 1.20.12 deb
e2fsprogs 1.46.2-2 deb
findutils 4.8.0-1 deb
gcc-10-base 10.2.1-6 deb
gcc-9-base 9.3.0-22 deb
gpgv 2.2.27-2+deb11u2 deb
grep 3.6-1+deb11u1 deb
gzip 1.10-4+deb11u1 deb
hostname 3.23 deb
init-system-helpers 1.60 deb
libacl1 2.2.53-10 deb
libapt-pkg6.0 2.2.4 deb
libattr1 1:2.4.48-6 deb
libaudit-common 1:3.0-2 deb
libaudit1 1:3.0-2 deb
libblkid1 2.36.1-8+deb11u1 deb
libbz2-1.0 1.0.8-4 deb
libc-bin 2.31-13+deb11u6 deb
libc6 2.31-13+deb11u6 deb
libcap-ng0 0.7.9-2.2+b1 deb
libcom-err2 1.46.2-2 deb
libcrypt1 1:4.4.18-4 deb
libdb5.3 5.3.28+dfsg1-0.8 deb
libdebconfclient0 0.260 deb
libext2fs2 1.46.2-2 deb
libffi7 3.3-6 deb
libgcc-s1 10.2.1-6 deb
libgcrypt20 1.8.7-6 deb
libgmp10 2:6.2.1+dfsg-1+deb11u1 deb
libgnutls30 3.7.1-5+deb11u3 deb
libgpg-error0 1.38-2 deb
libgssapi-krb5-2 1.18.3-6+deb11u3 deb
libhogweed6 3.7.3-1 deb
libidn2-0 2.3.0-5 deb
libk5crypto3 1.18.3-6+deb11u3 deb
libkeyutils1 1.6.1-2 deb
libkrb5-3 1.18.3-6+deb11u3 deb
libkrb5support0 1.18.3-6+deb11u3 deb
liblz4-1 1.9.3-2 deb
liblzma5 5.2.5-2.1~deb11u1 deb
libmount1 2.36.1-8+deb11u1 deb
libnettle8 3.7.3-1 deb
libnsl2 1.3.0-2 deb
libp11-kit0 0.23.22-1 deb
libpam-modules 1.4.0-9+deb11u1 deb
libpam-modules-bin 1.4.0-9+deb11u1 deb
libpam-runtime 1.4.0-9+deb11u1 deb
libpam0g 1.4.0-9+deb11u1 deb
libpcre2-8-0 10.36-2+deb11u1 deb
libpcre3 2:8.39-13 deb
libseccomp2 2.5.1-1+deb11u1 deb
libselinux1 3.1-3 deb
libsemanage-common 3.1-1 deb
libsemanage1 3.1-1+b2 deb
libsepol1 3.1-1 deb
libsmartcols1 2.36.1-8+deb11u1 deb
libss2 1.46.2-2 deb
libssl1.1 1.1.1n-0+deb11u4 deb
libstdc++6 10.2.1-6 deb
libsystemd0 247.3-7+deb11u2 deb
libtasn1-6 4.16.0-2+deb11u1 deb
libtinfo6 6.2+20201114-2+deb11u1 deb
libtirpc-common 1.3.1-1+deb11u1 deb
libtirpc3 1.3.1-1+deb11u1 deb
libudev1 247.3-7+deb11u2 deb
libunistring2 0.9.10-4 deb
libuuid1 2.36.1-8+deb11u1 deb
libxxhash0 0.8.0-2 deb
libzstd1 1.4.8+dfsg-2.1 deb
login 1:4.8.1-1 deb
logsave 1.46.2-2 deb
lsb-base 11.1.0 deb
mawk 1.3.4.20200120-2 deb
mount 2.36.1-8+deb11u1 deb
ncurses-base 6.2+20201114-2+deb11u1 deb
ncurses-bin 6.2+20201114-2+deb11u1 deb
passwd 1:4.8.1-1 deb
perl-base 5.32.1-4+deb11u2 deb
sed 4.7-1 deb
sysvinit-utils 2.96-7+deb11u1 deb
tar 1.34+dfsg-1 deb
tzdata 2021a-1+deb11u10 deb
util-linux 2.36.1-8+deb11u1 deb
zlib1g 1:1.2.11.dfsg-2+deb11u2 deb

Alpine Images

  • They are lightweight (a few MB) and popular for fast builds and deploys.
  • Alpine Linux describes itself as a security-oriented, lightweight Linux distribution; it uses musl libc and BusyBox instead of glibc and the GNU userland.
  • However, the image still contains the apk package manager and a BusyBox shell (/bin/sh), so an attacker who gets code execution inside the container can still install tools and pivot. Fewer packages than Debian, but the same class of risk.
Amits-MacBook-Pro:k8s amitdube$ syft alpine
✔ Parsed image
✔ Cataloged packages [16 packages]

NAME VERSION TYPE
alpine-baselayout 3.4.3-r1 apk
alpine-baselayout-data 3.4.3-r1 apk
alpine-keys 2.4-r1 apk
apk-tools 2.14.0-r0 apk
busybox 1.36.0 binary
busybox 1.36.0-r9 apk
busybox-binsh 1.36.0-r9 apk
ca-certificates-bundle 20230506-r0 apk
libc-utils 0.7.2-r5 apk
libcrypto3 3.1.0-r4 apk
libssl3 3.1.0-r4 apk
musl 1.2.4-r0 apk
musl-utils 1.2.4-r0 apk
scanelf 1.3.7-r1 apk
ssl_client 1.36.0-r9 apk
zlib 1.2.13-r1 apk

Distroless Images

  • They contain only the bare minimum needed to run an application on top of them: the runtime (for static-debian11, nothing beyond libc-free essentials; use base-debian11 or a language variant such as java or python3 if your binary is dynamically linked).
  • They offer better security because they contain no package manager, no shell and no other userland tools, which shrinks both the attack surface and the list of packages to patch.
  • They contain CA certificates, an /etc/passwd, a /tmp directory and tzdata. They also define a nonroot user (uid 65532, available via the :nonroot image tag) that your process should run as.
Amits-MacBook-Pro:k8s amitdube$ syft gcr.io/distroless/static-debian11
✔ Parsed image
✔ Cataloged packages [3 packages]
NAME VERSION TYPE
base-files 11.1+deb11u7 deb
netbase 6.3 deb
tzdata 2021a-1+deb11u10 deb

This is all for now. I propose to use distroless images rather than Debian or Alpine as the base of your application image: build in a full-featured image, then copy only the resulting binary into the distroless final stage and run it as the nonroot user. The trade-off is that with no shell you cannot kubectl exec into the container; use kubectl debug (ephemeral containers) for troubleshooting, or the :debug tag, which adds a BusyBox shell, in non-production images only.
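To turn the comparison above into an enforceable check, here is an added example (not code from the original post) of a small CI gate: it reads the table that syft prints (NAME VERSION TYPE, as in the listings above) and rejects any image that ships a package manager or a shell. The deny list is an assumption you should extend for your own base images, and the three sample tables are constructed excerpts of the page's listings, not full syft output.

```shell
#!/bin/sh
# Added example, not code from the original post: a CI gate that reads the
# table that `syft <image>` prints (NAME VERSION TYPE) and rejects images
# that ship a package manager or a shell. The deny list and the sample
# tables are assumptions / constructed excerpts of the page's listings.
set -u

# Package managers and shells an attacker could use after gaining code
# execution in the container. Extend for your own base images.
DENY_LIST="apt dpkg apk-tools bash dash busybox busybox-binsh"

# find_denied: reads a syft table on stdin, prints the denied package names
# (sorted, unique). Progress lines ("✔ Parsed image") and the NAME header
# never match because their first field is not on the deny list.
find_denied() {
    awk -v deny="$DENY_LIST" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        NF >= 3 && ($1 in bad) { print $1 }
    ' | LC_ALL=C sort -u
}

# gate <label>: reads a syft table on stdin; returns 0 if clean, 1 if denied
# packages were found, so it can fail a CI job directly.
gate() {
    label=$1
    hits=$(find_denied)
    if [ -n "$hits" ]; then
        printf 'REJECT %s: ships %s\n' "$label" "$(printf '%s' "$hits" | tr '\n' ' ')"
        return 1
    fi
    printf 'PASS %s\n' "$label"
    return 0
}

# Constructed excerpts of the three syft listings shown on the page.
sample_debian() {
cat <<'EOF'
✔ Parsed image
✔ Cataloged packages [96 packages]

NAME VERSION TYPE
adduser 3.118 deb
apt 2.2.4 deb
bash 5.1-2+deb11u1 deb
dash 0.5.11+git20200708+dd9ef66-5 deb
dpkg 1.20.12 deb
libc6 2.31-13+deb11u6 deb
perl-base 5.32.1-4+deb11u2 deb
EOF
}

sample_alpine() {
cat <<'EOF'
NAME VERSION TYPE
alpine-baselayout 3.4.3-r1 apk
apk-tools 2.14.0-r0 apk
busybox 1.36.0 binary
busybox 1.36.0-r9 apk
busybox-binsh 1.36.0-r9 apk
musl 1.2.4-r0 apk
EOF
}

sample_distroless() {
cat <<'EOF'
NAME VERSION TYPE
base-files 11.1+deb11u7 deb
netbase 6.3 deb
tzdata 2021a-1+deb11u10 deb
EOF
}

# Demo on the constructed samples. In a real pipeline replace the sample with:
#   syft <image> | gate <image>
demo() {
    for name in debian alpine distroless; do
        if "sample_$name" | gate "$name"; then :; fi
    done
}
demo
```

Only the Distroless sample passes; Debian is rejected for apt, bash, dash and dpkg, Alpine for apk-tools and the BusyBox shell. Wire the gate in after the image build and before the push, so a base-image swap that silently reintroduces a shell fails the job instead of reaching the cluster.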

Amit Kumar Dube (अमित दुबे)

@AmitDubeDev | Professional GCP Architect | Terraform ACE | Lead Infra Consultant | Hindi Speaker