split-synchronizer and split-proxy already run as a non-root user. For further security, and to avoid installing all the packages that come with Debian (even the minimal packages of debian-slim as found in #279), two more steps could be taken.
- Because the application is a statically linked Go executable, it could be the (nearly sole) content of the final deployed container, aka "distroless". (The ca-certificates package contents may be necessary as well.) In addition, the entrypoint code runs in bash. One could install the bash-static package, which would then make it easy to copy in the bash executable as a stand-alone executable as well.
A distroless container would have even fewer vulnerabilities reported against it, as the several that are currently reported all come from the Debian packages present but which are not used.
- The container could be run as read-only (immutable), as nothing in the application requires writing to the file system. Within ECS, mounting volumes at /var/log/amazon and /var/lib/amazon would satisfy the SSM agent's need for writing content. This wouldn't even require work on the part of Split/Harness developers here, unless there are files being written by the application which I haven't identified.
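A multi-stage build that applies both suggestions, as an added example rather than code from the issue or from the split-synchronizer project. It assumes a Go module at the build context root with the binary's main package at `./cmd/split-sync`, an `entrypoint.sh` in the context that needs bash, and a Go 1.22 toolchain; all three are placeholders to adjust for the real repository layout.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: compile a fully static binary.
# CGO_ENABLED=0 removes the libc dependency; -trimpath and -ldflags="-s -w"
# drop build paths and debug symbols so nothing in the image points back at
# the build host.
FROM golang:1.22-bookworm AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# ./cmd/split-sync is an assumed package path, not the project's real layout.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/split-sync ./cmd/split-sync

# Stage 2: borrow two files from Debian without shipping Debian.
# bash-static installs a statically linked shell at /bin/bash-static, so it can
# be copied on its own with no shared libraries. ca-certificates provides the
# CA bundle the Go TLS client reads from /etc/ssl/certs/ca-certificates.crt.
FROM debian:bookworm-slim AS deps
RUN apt-get update \
    && apt-get install -y --no-install-recommends bash-static ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Stage 3: the runtime image. distroless/static carries only /etc/passwd,
# tzdata and CA certificates; there is no package manager, no libc and no
# shell, so scanners have nothing to report beyond what is copied in.
# The :nonroot tag pre-creates the unprivileged user used below.
FROM gcr.io/distroless/static-debian12:nonroot

# distroless/static already ships the CA bundle; this explicit copy is only
# needed if the base is changed to `scratch`. Kept here to show the dependency.
COPY --from=deps /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

# The static bash becomes the image's only shell, installed under the name the
# entrypoint script's shebang expects.
COPY --from=deps /bin/bash-static /bin/bash

COPY --from=build /out/split-sync /usr/local/bin/split-sync
# entrypoint.sh is assumed to exist in the build context.
COPY --chmod=0555 entrypoint.sh /entrypoint.sh

# Run unprivileged; the image writes nothing at runtime, so a read-only root
# filesystem works without further changes.
USER nonroot:nonroot
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]
```

Two caveats when adopting this. First, because the image has no `/bin/sh`, any script or `docker exec` invocation must name `/bin/bash` explicitly. Second, the read-only step is a runtime setting, not a build setting: locally it is `docker run --read-only` (add `--tmpfs /tmp` if the entrypoint ever needs scratch space), and in an ECS task definition it is `"readonlyRootFilesystem": true` on the container definition together with `mountPoints` entries backed by task-level `volumes` for `/var/log/amazon` and `/var/lib/amazon`, which is what lets the SSM agent keep writing while the rest of the filesystem stays immutable. A quick way to confirm the application itself writes nothing is to run it under `--read-only` without those mounts and watch for EROFS errors in its logs before rolling the setting out.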