How To Use Distroless Containers & OpenFaaS To Minimize Attack Vectors

I’ve been playing with OpenFaas ever since I learned about Minikube a few years ago, so when one of my colleagues mentioned Google’s Distroless project I obviously needed to see if my Go projects could work using those images too.

Distroless

“Distroless” images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution. Restricting what’s in your runtime container to precisely what’s necessary for your app is a best practice employed by Google and other tech giants that have used containers in production for many years. It improves the signal to noise of scanners (e.g. CVE) and reduces the burden of establishing provenance to just what you need.

Source: Google Container Tools

OpenFaaS

OpenFaaS allows you to package anything as a serverless function - Binaries, Node.js or, as in my case, Go!

So what do I do

When you’re starting with OpenFaaS the first command you run is

faas-cli template pull

This downloads all the templates that are curated by the OpenFaaS team and puts them in a ./template folder. For the go template, you can replace the second container (OpenFaaS uses a multistage Dockerfile) in ./template/go/Dockerfile with the below snippet

# Let's see if we can do distroless
FROM gcr.io/distroless/base
COPY --from=builder /usr/bin/fwatchdog         /
COPY --from=builder /go/src/handler/function/  /
COPY --from=builder /go/src/handler/handler    /
ENV fprocess="./handler"
EXPOSE 8080
HEALTHCHECK --interval=2s CMD [ -e /fwatchdog ] || exit 1
CMD ["/fwatchdog"]

This will do exactly the same, just with a Distroless base image to run your apps!

Cover image by Pixabay