Overview

"Distroless" images contain only your application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution.


Default Users

User      ID      Group
root      0       0
nonroot   65532   65532


To run as the nonroot user in a Kubernetes pod/deployment, set the securityContext as shown below:

spec:
  template:
    spec:
      securityContext:
        runAsUser: 65532
        fsGroup: 65532


Example: Creating a Docker Image for a Go Application


# Start by building the application.
FROM golang:1.18 as build

WORKDIR /go/src/app
COPY . .

RUN go mod download
RUN CGO_ENABLED=0 go build -o /go/bin/app

# Now copy it into our base image.
FROM gcr.io/distroless/static-debian11
COPY --from=build /go/bin/app /
CMD ["/app"]
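
The Dockerfile above has no USER instruction, so the container starts as root unless the pod's securityContext overrides it. The variant below is an added example, not part of the original page or the distroless project: it sets the nonroot ID from the Default Users table in the image itself and, following the topic of issue #427, prepares a directory that user can write to. The /staging/data and /data paths are assumptions.

```dockerfile
# Added example: same Go build as above, hardened to run as nonroot (65532).
FROM golang:1.18 AS build

WORKDIR /go/src/app
COPY . .

RUN go mod download
RUN CGO_ENABLED=0 go build -o /go/bin/app

# Assumption: the application needs one writable directory, /data.
# The distroless image has no shell, so mkdir/chown cannot run in the
# final stage. Create the directory here, where a shell is available.
RUN mkdir -p /staging/data && chown 65532:65532 /staging/data

# Final image: only the binary and the prepared directory.
FROM gcr.io/distroless/static-debian11

# The binary stays owned by root and is not writable by the runtime user.
COPY --from=build /go/bin/app /app

# --chown makes the copied directory belong to nonroot (65532:65532).
COPY --from=build --chown=65532:65532 /staging/data /data

# Numeric UID:GID, matching runAsUser/fsGroup in the securityContext above.
USER 65532:65532
CMD ["/app"]
```

With USER set in the image, the process runs as 65532 even when a pod spec omits runAsUser.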


References

"Distroless" Container Images: https://github.com/GoogleContainerTools/distroless
How to add a directory where non-root user can write #427: https://github.com/GoogleContainerTools/distroless/issues/427