Debug distroless containers

A distroless container is a type of container that is designed to be as small as possible, with only the necessary components and dependencies installed.

Compared with an Alpine container:

  • Size: Distroless containers are generally smaller than Alpine containers, as they do not include any unnecessary files or package managers. However, the size of a distroless container can still vary depending on the base image used.
  • Package manager: Distroless containers do not include any package managers, which means that users must install any necessary packages themselves. Alpine containers, on the other hand, include a minimal package manager, apk, which can help to reduce the size of the container image.
  • Security: Distroless containers are generally considered more secure than Alpine containers, as they do not include any unnecessary files or package managers. This does not make them completely secure, however: they remain exposed to vulnerabilities and attacks, since they are built from minimal base images and do not include any security updates or patches.
  • Portability: Distroless containers are generally more portable than Alpine containers, as they do not include any specific dependencies or package managers. This makes them more suitable for cloud-native applications and microservices architectures, where portability is important.

Overall, both distroless and Alpine containers are useful tools for improving the security, portability, and efficiency of cloud-native applications and microservices architectures. The choice between the two will depend on the specific needs of the application and the preferences of the development team.

https://containersolutions.github.io/runbooks/posts/kubernetes/pod-stuck-in-pending-status/#solution-a

kubectl get pods -n my_namespace
kubectl debug my_pod -it --image=ubuntu --share-processes --copy-to=debugging-pod -n my_namespace

The ubuntu debug image runs as root, so the copied pod must allow that; otherwise the debug container is blocked with:

Warning: container debugger-9m8q2: container has runAsNonRoot and image will run as root (pod: “debugging-my_namespace(f71359e4-71f8-4919-8c7f-ba9139812856)”, container: debugger-9m8q2)

Fix the pod spec:

spec:
  securityContext:
    runAsNonRoot: false
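The check behind that warning and the fix above, worked through in code. This is an added example, not part of the original post: it models a copied debugging pod as a plain dict (constructed sample, not real cluster output), resolves the effective runAsNonRoot/runAsUser the way Kubernetes does (container-level securityContext overrides pod-level), and applies the spec.securityContext.runAsNonRoot fix to the copy only. The IMAGE_DEFAULT_UID table is an assumption standing in for the image's USER directive.

```python
import copy

# Constructed sample of the copied debugging pod, trimmed to the fields that matter.
# Not real cluster output; names follow the kubectl commands above.
DEBUG_POD = {
    "metadata": {"name": "debugging-pod", "namespace": "my_namespace"},
    "spec": {
        "shareProcessNamespace": True,
        "securityContext": {"runAsNonRoot": True},
        "containers": [
            {"name": "app", "image": "gcr.io/distroless/static-debian12",
             "securityContext": {"runAsUser": 65532}},
            {"name": "debugger-9m8q2", "image": "ubuntu"},
        ],
    },
}

# Assumption: the UID an image runs as when no runAsUser is set (its USER directive).
# ubuntu sets no USER, so it runs as root (UID 0).
IMAGE_DEFAULT_UID = {"ubuntu": 0, "gcr.io/distroless/static-debian12": 65532}

def effective_uid(pod, container):
    """runAsUser on the container wins, then the pod, then the image's own USER."""
    ctr_sc = container.get("securityContext", {})
    pod_sc = pod["spec"].get("securityContext", {})
    if "runAsUser" in ctr_sc:
        return ctr_sc["runAsUser"]
    if "runAsUser" in pod_sc:
        return pod_sc["runAsUser"]
    return IMAGE_DEFAULT_UID.get(container["image"], 0)

def effective_run_as_non_root(pod, container):
    """runAsNonRoot on the container overrides the pod-level setting."""
    ctr_sc = container.get("securityContext", {})
    pod_sc = pod["spec"].get("securityContext", {})
    return bool(ctr_sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)))

def containers_blocked(pod):
    """Containers the kubelet refuses to start: runAsNonRoot is in effect but the
    container would run as UID 0 (the 'image will run as root' warning above)."""
    return [c["name"] for c in pod["spec"]["containers"]
            if effective_run_as_non_root(pod, c) and effective_uid(pod, c) == 0]

def relax_run_as_non_root(pod):
    """The fix from the page: set spec.securityContext.runAsNonRoot to false on the
    debugging copy. Returns a new dict; the input pod is left untouched."""
    fixed = copy.deepcopy(pod)
    fixed["spec"].setdefault("securityContext", {})["runAsNonRoot"] = False
    return fixed
```

Only the debugger container is flagged, because the application container pins a non-zero runAsUser; relaxing the pod-level flag on the copy unblocks the debugger without touching the original pod.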