For containers, do you often "encourage" common de...
# generalj
Jordan
07/12/2025, 12:49 PMFor containers, do you often "encourage" common development on same base images?
Ex. I come from Java environments where they'd have license agreements with Oracle, so someone would pull JDK into a file server, then they'd (often someone else) build an image from that. But it was never automated to always have the latest version of that available (rarely mattered for minor patches), but it was still a multi day bottleneck compared to just pulling any of the publicly available Java images
đź‘Ť 1
Jordan
07/12/2025, 12:51 PMAnd if not, how much scripting are you writing to handle cache pruning or abandoned images across the cluster?
s
Stephen Nadraus
07/12/2025, 6:01 PMHey Jordan what do you mean by common development?
For us it depends on dev or stg/prd, we have images with dev tools (a shell, curl, etc..) but in prod a base minimal image is used.
j
Jordan
07/12/2025, 9:05 PMCompany wide adoption.
I see no reason to allow different images in different environments. If someone needs a shell & curl, they can install themselves and therefore should understand the risks
s
Stephen Nadraus
07/13/2025, 3:16 PMSure that is a valid approach, for us we have gateways in our gitlab pipelines where for certain releases a certain base image needs to be used.
In dev everything is short lived and meant for developers to try things outs so from an ops perspective I would rather control what’s on those images rather than allow developers to just install things on them. It allows us some level of control over dev rather than it just being the Wild West.
Stephen Nadraus
07/13/2025, 3:21 PMAlso the ops team along with cyber is ultimately responsible for what winds up in stg/prd, so unfortunately I can’t allow developers to install various tools they may want. Everything must be scrutinized to ensure that vulnerabilities aren’t being deployed without mitigations of course.
j
Jordan
07/13/2025, 10:51 PMSure, we integrated trivy-scan into the CICD pipeline, but we didn't enforce the images used, or even the pipeline steps itself (forking and removing the cve scan could be done to deploy to prod faster).
r
Rolf Strijdhorst
07/21/2025, 12:21 PMwe build our development images in such a way that the components are the same as production. That way we follow the path of least surprise. we even have a suite of containers that allow us to authenticate using our authentication proxy the same way as our sso in production works. Works on my machine is not just a description related to code. It is a description related to the solution
j
Jordan
07/21/2025, 2:46 PMI'm not sure that answered my question? Any build should be productional; runtime operation can be modified
r
Rolf Strijdhorst
07/21/2025, 3:27 PMWhat I meant is that we're using the same images for development the as production the only difference is that I allow for hot reloading by mounting my source folder into the development image. Every service implementation I have is the same and every image I have as well
a
Andrew White
07/21/2025, 5:38 PMif you're not using Chainguard by now just give up
r
Rolf Strijdhorst
07/21/2025, 5:50 PMI agree but that was not the question.
j
Jordan
07/22/2025, 1:57 AMChainguard doesn't use Oracle JDK so you wouldn't get enterprise JVM support
2 Views