Rootless Container with JIB

Last updated 6 months ago

This demo again builds an improved docker image from the demo application. For details on the demo application see the hello spring boot application.

But this time, instead of using a Dockerfile, we will use Google JIB to build the container image.

Using JIB has the following advantages compared to classical image creation using a Dockerfile:

  • With JIB, you can even build a container image without a docker daemon installed on your machine.

  • Building images repeatedly is much faster, as JIB optimizes the image layers for the typical development flow (i.e. the application code changes much more frequently than the dependencies).

  • JIB uses the Google Distroless Base Images, which only include the minimum components needed to execute the desired process (e.g. Go or Java).

JIB works by adding a plugin to your maven or gradle build. So here we add the plugin to our gradle build. We also configure a non-root user in the build.gradle file, so that the resulting container image runs without using the root user.

plugins {
    id 'com.google.cloud.tools.jib' version '3.3.1'
}

jib {
    to {
        // target image name and tag (no Dockerfile needed)
        image = 'andifalk/hello-rootless-jib:latest'
        // build a multi-arch image for both amd64 and arm64
        platforms {
            platform {
                architecture = 'amd64'
                os = 'linux'
            }
            platform {
                architecture = 'arm64'
                os = 'linux'
            }
        }
    }
    container {
        // numeric non-root UID the process runs as (instead of root)
        user = 1002
    }
}

You can verify this by using these commands:

docker container run --rm --detach --name hello-rootless-jib \
-p 8080:8080 andifalk/hello-rootless-jib:latest
docker exec hello-rootless-jib whoami

Finally, stop the running container by using the following command:

docker stop hello-rootless-jib

Check image for Vulnerabilities

Now we can check our image for vulnerabilities with high and critical severities using this command:

trivy clean --scan-cache
trivy image --severity HIGH,CRITICAL andifalk/hello-rootless-jib:latest

Next

This time the whoami command above should report an error: in the distroless image that JIB uses by default there is not even a shell installed, so no whoami command can be run.

You should also be able to reach the dockerized application again via localhost:8080.
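Because the distroless image has no shell, whoami cannot confirm which user the container runs as, but the image configuration can. The following POSIX shell check is an added example (not part of the original page or the project): it reads .Config.User via docker image inspect and accepts only a numeric, non-zero UID, the same rule the kubelet applies when enforcing runAsNonRoot; the function names are assumptions.

```sh
#!/bin/sh
# Added example: verify the configured user of an image without a shell inside it.

# user_is_nonroot USER_FIELD
# Returns 0 if USER_FIELD (the value of .Config.User, e.g. "1002" or
# "1002:1002") carries a numeric, non-zero UID; returns 1 otherwise.
# An empty field means no USER was set, which defaults to root.
# A name (even "nonroot") is rejected: without resolving /etc/passwd inside
# the image it cannot be verified, which is also why kubelet refuses a
# non-numeric image user under runAsNonRoot. The GID part is not checked.
user_is_nonroot() {
    user_field=$1
    uid=${user_field%%:*}          # drop an optional ":gid" suffix
    case $uid in
        '')        return 1 ;;     # USER not set -> root
        *[!0-9]*)  return 1 ;;     # a name such as "root" or "nonroot"
    esac
    [ "$uid" -ne 0 ]               # numeric: must not be UID 0
}

# check_image_user IMAGE
# Inspects a local image (requires docker on the host) and prints a verdict.
check_image_user() {
    image=$1
    user_field=$(docker image inspect --format '{{.Config.User}}' "$image") || return 2
    if user_is_nonroot "$user_field"; then
        echo "$image: runs as UID ${user_field%%:*} (non-root)"
    else
        echo "$image: USER is '${user_field:-<unset>}' -> root or unverifiable"
        return 1
    fi
}

# Usage: sh check_user.sh andifalk/hello-rootless-jib:latest
if [ $# -gt 0 ]; then
    check_image_user "$1"
fi
```

For the image built above, the check should print that it runs as UID 1002.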
