Collection of opinionated container images

containers docker images kubernetes opinionated

Find a file

Tommy Skaug e0a81b0b26 feat(cache): add initial nix cache shell program for using attic with actions		2024-11-27 18:17:24 +01:00
.forgejo	chore: adding backlog of additions	2024-11-03 21:28:24 +01:00
.taskfiles	chore: cleanup taskfiles	2024-11-15 07:24:10 +01:00
apps	feat(cache): add initial nix cache shell program for using attic with actions	2024-11-27 18:17:24 +01:00
assets	chore: update readme	2024-11-10 10:56:27 +01:00
.gitignore	chore: more restructuring of the repo. Most significant change is rename from flakes-action to ci-os	2024-11-12 10:12:42 +01:00
LICENSE	testing: initial commit with port from buroa and significant changes	2024-10-12 10:01:23 +02:00
metadata.rules.cue	testing: initial commit with port from buroa and significant changes	2024-10-12 10:01:23 +02:00
podman-seccomp.json	chore: adding backlog of additions	2024-11-03 21:28:24 +01:00
README.org	chore: update readme	2024-11-10 11:06:44 +01:00
renovate.json5	chore(renovate): move renovate file into place and customize for repo	2024-11-27 18:13:49 +01:00
Taskfile.yaml	chore: cleanup taskfiles	2024-11-15 07:24:10 +01:00

README.org

Container Collection

Containers for Kubernetes deployment_

Available Images

Container	Version	Status	Description
flakes-action	latest	🚧	Image to streamline the code.252.no CI/CD workflows
kaniko	v24.10.01	🚧	A more secure image builder

Container Rules

Containers in this project should be useful in Kubernetes. They will be:

semantically versioned
rootless
logging to stdout in JSON format if possible
using one process per container
having no s6-overlay
built on Alpine
immutable
do no monkey business after deployed

Additionally I may in the future support:

multiple architecture. For now containers are generated for amd64

Tag immutability

Instead of using immutable version tags as seen on e.g. linuxserver.io we use calver and sha256-digests.

If pinning an image to the sha256 digest, tools like [Renovate](https://github.com/renovatebot/renovate) support updating the container on a digest or application version change.

The schema used is: YYYY.MM.Minor@sha256:digest. This is not as pretty, but functional and immutable. Examples:

Container	Immutable
`code.252.no/tommy/containers/flakes-action:v24.10.1`	❌
`code.252.no/tommy/containers/flakes-action:v24.10.1@sha256:1234...`	✅

Kubernetes Pod Security Standard

In Kubernetes we assume that you have pod-security.kubernetes.io/enforce set to restricted. There may be some exceptions to this if the container actually requires more privileges.

E.g. for the flakes-action, which runs as user ID 1000, this means that the following settings should be used for the pod (all containers in a pod):

spec:
  securityContext:
    runAsUser: 1000
    runAsGroup: 1000
    fsGroup: 1000

For a container this means:

spec:
  [...]
  containers:
  - name: flakes-action
    [...]
    securityContext:
      runAsUser: 1001
      capabilities:
        drop: ["ALL"]
      privileged: false
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      seccompProfile:
        type: RuntimeDefault

Configuration volume

For applications that need to have persistent configuration data the config volume is hardcoded to `/config` inside the container.

Deprecations

Containers here can be deprecated at any point, this could be for any reason described below.

The upstream application is no longer actively developed
The upstream application has an official upstream container that follows closely to the mission statement described here
The upstream application has been replaced with a better alternative
The maintenance burden of keeping the container here is too bothersome

Credits

A big thanks goes to Buroa@github for the inspiration to the repo structure and concept.