
# Rootless Container with JIB

This demo again builds an improved docker image from the demo application. For details on the demo application see [hello spring boot application](/secure-kubernetes-development/application-security/step1-hello-spring-boot.md).

But this time, instead of using a *Dockerfile*, we will use [Google JIB](https://github.com/GoogleContainerTools/jib) to build the container image.

Using JIB has the following advantages compared to classical image creation using Dockerfile:

* With JIB, you can even build a container image without a Docker daemon installed on your machine.
* Building images repeatedly is much faster, as JIB optimizes for the typical development flow (i.e. the application code changes much more frequently than the dependencies).
* JIB uses the [Google Distroless Base Images](https://github.com/GoogleContainerTools/distroless), which only include the minimum components needed to execute the desired process (e.g. Go or Java).

JIB works by adding a plugin to your Maven or Gradle build, so here we add the plugin to our Gradle build. We also configure a non-root user in the *build.gradle* file so that the resulting container image runs without the root user.

```groovy
plugins {
    id 'com.google.cloud.tools.jib' version '3.3.1'
}

jib {
    to {
        image = 'andifalk/hello-rootless-jib:latest'
        platforms {
            platform {
                architecture = 'amd64'
                os = 'linux'
            }
            platform {
                architecture = 'arm64'
                os = 'linux'
            }
        }
    }
    container {
        user = 1002
    }
}
```

You can verify this with the following commands:

```shell
docker container run --rm --detach --name hello-rootless-jib \
-p 8080:8080 andifalk/hello-rootless-jib:latest
docker exec hello-rootless-jib whoami
```

This time the second command should report an error: the [distroless image](https://github.com/GoogleContainerTools/distroless) that JIB uses by default contains no shell at all, so there is no *whoami* command to run.
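Because the distroless image has no shell, `whoami` cannot confirm the user from inside the container. The helper below is an added example (not part of the original page): it checks the user recorded in the image metadata and the uid of the container's main process from the host side instead. It assumes Docker is installed and uses the image and container names from the commands above.

```shell
#!/bin/sh
# Added example: verify the non-root configuration without a shell in the image.

# Classify Docker's Config.User value. It is empty when no user was set
# (which means root), and may be a name, a uid, or uid:gid / name:group.
user_is_nonroot() {
    u="${1%%:*}"                      # drop an optional ":gid" / ":group" part
    case "$u" in
        ""|root)  return 1 ;;         # unset (defaults to root) or the root name
        *[!0-9]*) return 0 ;;         # a user name other than "root"
    esac
    # Purely numeric: uid 0 in any spelling ("0", "000") is root.
    # Note: a name can only be resolved inside the image, so a numeric uid
    # (like the 1002 in the jib config) is the unambiguous choice.
    if [ "$u" -eq 0 ] 2>/dev/null; then
        return 1
    fi
    return 0
}

# Check the user stored in the image metadata; this works even though the
# distroless image provides no shell or whoami binary.
check_image_user() {
    image="$1"
    cfg_user="$(docker image inspect --format '{{.Config.User}}' "$image")" || return 2
    if user_is_nonroot "$cfg_user"; then
        echo "OK: $image is configured to run as user '$cfg_user'"
    else
        echo "FAIL: $image runs as root (Config.User='$cfg_user')"
        return 1
    fi
}

# Check the real uid of the container's processes as seen from the host.
# Exits non-zero if any process in the container runs as uid 0.
check_running_uid() {
    name="$1"
    docker container top "$name" -eo uid,comm \
        | awk 'NR > 1 { if ($1 == 0) root = 1; print } END { exit root }'
}

# Usage, after starting the container as shown above:
#   check_image_user andifalk/hello-rootless-jib:latest
#   check_running_uid hello-rootless-jib
```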

You should also be able to reach the dockerized application again via [localhost:8080](http://localhost:8080).

Finally, stop the running container by using the following command:

```shell
docker stop hello-rootless-jib
```

## Check image for Vulnerabilities

Now we can check our image for vulnerabilities with high and critical severities using this command:

```shell
trivy clean --scan-cache
trivy image --severity HIGH,CRITICAL andifalk/hello-rootless-jib:latest
```

## Next

[Next: Initial Unsafe K8s Deploy](https://github.com/andifalk/secure-development-on-kubernetes/blob/master/step5-initial-k8s-deploy/README.md)
