Rootless Container with Paketo

Last updated 6 months ago

This demo again builds a container image from the demo application. For details on the demo application, see the hello spring boot application.

But this time, instead of using a Dockerfile or JIB, we will try the spring boot tooling together with paketo buildpacks to build the container image.

Important note: Paketo buildpacks are still missing ARM64 support (Apple M1/M2 Mac hardware). See the GitHub issue "Add support for arm64" for details.

plugins {
    id 'com.google.cloud.tools.jib' version '2.6.0'
}

jib {
    to {
        image = 'andifalk/hello-rootless-jib:latest'
    }
    container {
        user = 1002
    }
}

You can verify that the container runs as this user with these commands:

docker container run --rm --detach --name hello-rootless-jib \
-p 8080:8080 andifalk/hello-rootless-jib:latest
docker exec hello-rootless-jib whoami

This time the second command should report an error: the distroless image that JIB uses by default has no shell installed, so the whoami command is not available.

Finally, stop the running container by using the following command:

docker stop hello-rootless-jib

Check image for Vulnerabilities

Now we can check our image for vulnerabilities of high and critical severity using these commands:

trivy clean --scan-cache
trivy image --severity HIGH,CRITICAL andifalk/hello-rootless-jib:latest
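The two checks above (does the image start as a non-root user, and does it carry HIGH/CRITICAL findings) can be turned into a small CI gate. The following is an added example, not code from this repository: it reads the image's configured User as printed by docker image inspect and a trivy JSON report (trivy image --format json), both replaced here by constructed sample strings rather than real output for andifalk/hello-rootless-jib. It also treats named users such as "nonroot" as a failure, since a numeric UID is what Kubernetes' runAsNonRoot check can verify.

```python
"""CI gate for the rootless image checks above. Added example; the sample
inputs below are constructed, not real docker or trivy output."""
import json

# Constructed stand-in for: docker image inspect --format '{{json .Config}}' <image>
SAMPLE_CONFIG = json.dumps({"User": "1002", "ExposedPorts": {"8080/tcp": {}}})

# Constructed stand-in for: trivy image --format json <image>
SAMPLE_TRIVY = json.dumps({"Results": [{"Target": "example (debian 11)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libfoo", "Severity": "HIGH"},
        {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libbar", "Severity": "LOW"},
        {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libbaz", "Severity": "CRITICAL"}]}]})


def runs_as_nonroot(user: str) -> bool:
    """True only if the image USER is a numeric UID other than 0.
    An empty USER or 'root' starts the container as root. A named user such
    as 'nonroot' cannot be resolved without the image's /etc/passwd, and
    Kubernetes' runAsNonRoot rejects non-numeric users, so it fails as well."""
    uid = user.split(":", 1)[0].strip()   # drop an optional ':gid' suffix
    return uid.isdigit() and int(uid) != 0


def severe_findings(report_json: str, severities=("HIGH", "CRITICAL")) -> list:
    """Return (id, package, severity) for every finding at the given severities."""
    report = json.loads(report_json)
    found = []
    for result in report.get("Results") or []:
        # trivy omits the Vulnerabilities key entirely for a clean target
        for v in result.get("Vulnerabilities") or []:
            if v.get("Severity") in severities:
                found.append((v["VulnerabilityID"], v["PkgName"], v["Severity"]))
    return found


def gate(config_json: str, report_json: str) -> bool:
    """Pass only when the image is rootless and has no HIGH/CRITICAL findings."""
    user = json.loads(config_json).get("User", "")
    return runs_as_nonroot(user) and not severe_findings(report_json)


if __name__ == "__main__":
    print("user ok:", runs_as_nonroot(json.loads(SAMPLE_CONFIG)["User"]))
    for finding in severe_findings(SAMPLE_TRIVY):
        print("blocking finding:", *finding)
    print("gate passed:", gate(SAMPLE_CONFIG, SAMPLE_TRIVY))
```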

Next

You should also be able to reach the dockerized application again via localhost:8080.
