Skip to content

Switch base image to distroless python3-debian13 to eliminate CVE surface #2

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
RoiGlinik merged 1 commit into from
Jun 4, 2026
+47 −9
Merged

Switch base image to distroless python3-debian13 to eliminate CVE surface #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 18 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,18 @@
# Secrets / local overrides — never commit
config/rbac-builder-job.yaml
*.values
*.env

# Python
__pycache__/
*.py[cod]
*.egg-info/
.venv/
venv/
dist/
build/

# IDE
.idea/
.vscode/
*.iml
14 changes: 6 additions & 8 deletions builder/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM python:3.12-slim as builder
FROM python:3.13-slim AS builder

ENV LANG=C.UTF-8
ENV PYTHONDONTWRITEBYTECODE=1
Expand All @@ -10,19 +10,17 @@ WORKDIR /app
COPY requirements.txt requirements.txt
RUN python -m venv /app/venv

RUN pip3 install --use-deprecated=legacy-resolver -r requirements.txt
RUN pip3 install --use-deprecated=legacy-resolver --upgrade "pip>=25.3" \
&& pip3 install --use-deprecated=legacy-resolver -r requirements.txt

FROM python:3.12-slim
FROM gcr.io/distroless/python3-debian13

WORKDIR /app/

ENV PYTHONUNBUFFERED=1
ENV PATH="/venv/bin:$PATH"
ENV PYTHONPATH=$PYTHONPATH:.
ENV PYTHONPATH=/app:/venv/lib/python3.13/site-packages

COPY ./ ./builder/
COPY --from=builder /app/venv /venv

ENV PYTHONPATH=$PYTHONPATH:.

CMD [ "python3", "-u", "/app/builder/main.py"]
CMD ["-u", "/app/builder/main.py"]
2 changes: 1 addition & 1 deletion builder/requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
pydantic==2.7.1
pydantic>=2.11.7
supabase==2.28.0
httpx[http2]
regex
Expand Down
22 changes: 22 additions & 0 deletions config/test-definitions.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
account_id: 6c2cbf41-c7b5-48ab-9777-76d320b985d4
scopes:
- name: test-namespace-scope
type: namespace
clusters:
test-cluster-a: ["default", "kube-system"]
test-cluster-b: ["*"]
- name: test-cluster-scope
type: cluster
clusters:
test-cluster-c: ["*"]
groups:
- name: test-viewers
provider_group_id: 11111111-1111-1111-1111-111111111111
type: namespace
permissions: ["POD_LOGS", "METRICS_VIEW"]
scopes: ["test-namespace-scope"]
- name: test-admins
provider_group_id: 22222222-2222-2222-2222-222222222222
type: cluster
permissions: ["CLUSTER_DELETE", "POPEYE_SCAN", "NODE_DRAIN"]
scopes: ["test-cluster-scope"]