#+DATE: 2024-10-12 #+OPTIONS: toc:nil #+macro: issue [[https://code.252.no/tommy/containers/issues/$1][issue #$1]] #+macro: pr [[https://code.252.no/tommy/containers/pulls/$1][PR #$1]] #+export_file_name: kagi #+property: header-args:elisp :results none :exports code #+BEGIN_EXPORT html

Container Collection

Containers for Kubernetes deployment_

Nix Flakes Ready

#+END_EXPORT ** Available Images | Container | Version | Status | Description |------------------------------------------------------------------------------------------+-----------+---------|------------------ | [[https://code.252.no/tommy/containers/src/branch/main/apps/lix-builder][flakes-action]] | latest | 🚧 | Image to streamline the code.252.no CI/CD workflows | [[https://code.252.no/tommy/containers/src/branch/main/apps/kaniko][kaniko]] | v24.10.01 | 🚧 | A more secure image builder ** Container Rules Containers in this project should be useful in Kubernetes. They will be: - [[https://semver.org/][semantically versioned]] - [[https://rootlesscontaine.rs/][rootless]] - logging to stdout in JSON format if possible - using [[https://testdriven.io/tips/59de3279-4a2d-4556-9cd0-b444249ed31e/][one process per container]] - having no [[https://github.com/just-containers/s6-overlay][s6-overlay]] - built on [[https://hub.docker.com/_/alpine][Alpine]] - [[https://glossary.cncf.io/immutable-infrastructure/][immutable]] - do no monkey business after deployed Additionally I may in the future support: - [[https://www.docker.com/blog/multi-arch-build-and-images-the-simple-way/][multiple architecture]]. For now containers are generated for amd64 ** Tag immutability Instead of using immutable version tags as seen on e.g. [[https://fleet.linuxserver.io/][linuxserver.io]] we use [[https://www.letsdebug.it/post/41-calendar-versioning/][calver]] and sha256-digests. If pinning an image to the sha256 digest, tools like [Renovate](https://github.com/renovatebot/renovate) support updating the container on a digest or application version change. The schema used is: =YYYY.MM.Minor@sha256:digest=. This is not as pretty, but functional and immutable. Examples: | Container | Immutable | |------------------------------------------------------------------------+-----------| | =code.252.no/tommy/containers/flakes-action:v24.10.1= | ❌ | | =code.252.no/tommy/containers/flakes-action:v24.10.1@sha256:1234...= | ✅ | ** Kubernetes Pod Security Standard In Kubernetes we assume that you have pod-security.kubernetes.io/enforce set to [[https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted][restricted]]. There may be some exceptions to this if the container actually requires more privileges. E.g. for the =flakes-action=, which runs as user ID =1000=, this means that the following settings should be used for the pod (all containers in a pod): #+begin_src yaml spec: securityContext: runAsUser: 1000 runAsGroup: 1000 fsGroup: 1000 #+end_src For a container this means: #+begin_src yaml spec: [...] containers: - name: flakes-action [...] securityContext: runAsUser: 1001 capabilities: drop: ["ALL"] privileged: false allowPrivilegeEscalation: false runAsNonRoot: true seccompProfile: type: RuntimeDefault #+end_src ** Configuration volume For applications that need to have persistent configuration data the config volume is hardcoded to `/config` inside the container. ** Deprecations Containers here can be **deprecated** at any point, this could be for any reason described below. 1. The upstream application is **no longer actively developed** 2. The upstream application has an **official upstream container** that follows closely to the mission statement described here 3. The upstream application has been **replaced with a better alternative** 4. The **maintenance burden** of keeping the container here **is too bothersome** ** Credits A big thanks goes to [[https://github.com/buroa/containers/tree/master][Buroa@github]] for the inspiration to the repo structure and concept.