SAFe Program / SP-4527

Provide a hardened base image for building


Details

    • Services

      Currently ST only provides a base image for CI/CD, so there is no hardened base image for teams to use as the base of their own OCI images. This makes security vulnerabilities harder to patch, causes divergence in the base OS layer, and makes it hard and expensive for operations to manage many images in production instead of a few. Also see ROAM-518
      • Provide a base image stripped of application-level dependencies, for people to use as a base image when building their own products or other variant base images (like ska-tango-images, js, gpu ones)
        • image name needs to be agreed with Piers.
        • Image should be based on ubuntu 22.04 with the minimum set of binaries needed for building application code on top of it
        • python 3.10.X
        • poetry 1.X
        • no kubectl, helm or other supporting binaries
      • WOMBAT Dependency: Move ska-tango-util and ska-tango-base helm charts out of ska-tango-images repository and identify which is needed in what image
        • Remove ST from CODEOWNERS in ska-tango-images repository as WOMBAT will maintain it going forward
        • wait-for-it.sh (and https://gitlab.com/ska-telescope/ska-tango-images/-/blob/master/images/ska-tango-images-tango-dependencies/retry.sh) and other scripts can be moved to the helm chart itself instead of the dsconfig image. (TBD: needs more discussion to understand what the impact would be)
        • https://gitlab.com/ska-telescope/ska-tango-images/-/blob/master/images/ska-tango-images-pytango-builder/Dockerfile#L53 << do we still need bcc here?
        • Agree on the dependent images that the Helm Charts need (tango-db etc.)
      • Agree on a scheduled/automated patching routine and rollout for the base image
        • Implement it with ST repositories
          • Marvin repositories
          • ska-cicd-k8s-tools CI/CD image needs to be based on this instead of default ubuntu
          • services api repository
          • makefile submodule test Dockerfiles
          • ska-tango-examples
          • ska-tango-images
        • The automated patching routine should be end to end:
          • Schedule (manually or automatically) when it should be patched
          • Apply the updates and security patches
          • Roll out to ST repositories automatically if possible (TBD)
      • Provide documentation on:
        • Explanation: how it's selected, what's important to build up SKA security posture
        • How to: how people can add this and keep it updated
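      As an added example (not code from this ticket or from any ST repository), the following POSIX shell script sketches both the base image described above and the end-to-end patching routine: it emits a Dockerfile for an Ubuntu 22.04 image carrying python3.10, a pinned poetry 1.x release and no kubectl/helm, then dry-runs an apt upgrade inside the currently published image to decide whether a rebuild and rollout are due. The registry path and image name, the exact poetry release, the build-essential/git/ca-certificates package choice and the sample apt output are all assumptions, not values agreed in the ticket.

```shell
#!/bin/sh
# Added example, not from SP-4527 or any ST repository: scheduled patch check and
# rebuild for a minimal Ubuntu 22.04 build base image.
# Assumptions: the registry path and image name are hypothetical; the poetry
# release and the build-essential/git package set are placeholders to be agreed.
set -eu

BASE_IMAGE="${BASE_IMAGE:-ubuntu:22.04}"                    # pin by digest in production
IMAGE="${IMAGE:-registry.example.org/ska-build-base:22.04}" # hypothetical name
POETRY_VERSION="${POETRY_VERSION:-1.8.3}"                   # assumed 1.x release

# Emit the Dockerfile for the base image: Ubuntu 22.04 fully upgraded, python3.10
# with venv support and pip, one pinned poetry 1.x, a build toolchain and git,
# apt caches removed, and an unprivileged default user. Nothing cluster-facing.
write_dockerfile() {
    cat <<'EOF'
ARG BASE_IMAGE=ubuntu:22.04
FROM ${BASE_IMAGE}
ARG POETRY_VERSION=1.8.3
ARG DEBIAN_FRONTEND=noninteractive
ENV PIP_NO_CACHE_DIR=1 PYTHONDONTWRITEBYTECODE=1
RUN apt-get update \
 && apt-get -y --no-install-recommends upgrade \
 && apt-get -y --no-install-recommends install \
      python3.10 python3.10-venv python3-pip build-essential git ca-certificates \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
RUN python3 -m pip install "poetry==${POETRY_VERSION}"
RUN groupadd --system build \
 && useradd --system --gid build --create-home --shell /bin/bash build
USER build
WORKDIR /home/build
EOF
}

# Parse `apt-get -s upgrade` output (a simulation; nothing is installed) from
# stdin and print one package name per "Inst" line. Lines look like:
#   Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
pending_updates() {
    awk '$1 == "Inst" { print $2 }'
}

# Same, but only packages served from a *-security pocket; these justify an
# out-of-schedule rebuild rather than waiting for the next slot.
security_updates() {
    awk '$1 == "Inst" && /-security/ { print $2 }'
}

# Exit 0 when at least one package would be upgraded, 1 otherwise (stdin as above).
needs_rebuild() {
    n=$(pending_updates | awk 'END { print NR }')
    [ "$n" -gt 0 ]
}

# Dry-run an upgrade inside the currently published image (needs docker + network).
check_image() {
    docker run --rm --pull=always "$IMAGE" \
        sh -c 'apt-get update -qq >/dev/null && apt-get -s upgrade'
}

# Rebuild from a freshly pulled upstream base and push. The dated tag gives
# consumers an immutable tag to pin while the bare tag tracks the latest patch.
rebuild_and_push() {
    stamp=$(date -u +%Y%m%d)
    write_dockerfile > Dockerfile.base
    docker build --pull \
        --build-arg "BASE_IMAGE=${BASE_IMAGE}" \
        --build-arg "POETRY_VERSION=${POETRY_VERSION}" \
        -t "$IMAGE" -t "${IMAGE}-${stamp}" -f Dockerfile.base .
    docker push "$IMAGE"
    docker push "${IMAGE}-${stamp}"
}

main() {
    command -v docker >/dev/null 2>&1 || { echo "docker is required" >&2; exit 2; }
    sim=$(check_image)
    if printf '%s\n' "$sim" | needs_rebuild; then
        echo "security-pocket updates:"
        printf '%s\n' "$sim" | security_updates
        echo "all pending updates:"
        printf '%s\n' "$sim" | pending_updates
        rebuild_and_push
    else
        echo "image is up to date; nothing to do"
    fi
}

# Constructed sample of `apt-get -s upgrade` output, for exercising the parsers
# offline; versions and pockets are illustrative.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following packages will be upgraded:
  libssl3 openssl tzdata
3 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Inst tzdata [2023c-0ubuntu0.22.04.2] (2024a-0ubuntu0.22.04 Ubuntu:22.04/jammy-updates [all])
Conf libssl3 (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Conf openssl (3.0.2-0ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Conf tzdata (2024a-0ubuntu0.22.04 Ubuntu:22.04/jammy-updates [all])'

# Only run the docker pipeline when invoked as `sh patch-base-image.sh run`, so
# the functions above can be sourced or exercised without docker.
case "${1:-}" in run) main ;; esac
```

      Run it from a scheduled CI job (the "schedule" step of the routine); the rollout to consuming repositories then amounts to bumping the dated tag they pin, which is the part the ticket leaves as TBD.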
    • 2
    • 2
    • 0
    • Team_SYSTEM
    • Sprint 3
    • PI24 - UNCOVERED

    Description

      Provide a hardened base image for building

      This started off from https://confluence.skatelescope.org/display/SE/2024-07-17+SKA+Tango+Images+Meeting+notes


              People

                m.deegan Deegan, Miles
                U.Yilmaz Yilmaz, Ugur
                Votes: 0
                Watchers: 3

                Feature Progress

                  Story Point Burn-up: 0%

                  Feature Estimate: 2.0

                  Status        Issues  Story Points
                  To Do         0       0.0
                  In Progress   0       0.0
                  Complete      0       0.0
                  Total         0       0.0
