by kitd 600 days ago

    Developer Tooling

    This is where I tend to run into the most pushback on this pattern but it's also the 
    part that can greatly reduce headaches. Are you ready? Your immutable image includes 
    everything you need for development: linters, tests, and debugging modules. I will 
    sometimes even include a few useful system tools like netcat or ping, as well as a 
    fancy prompt.

    None of these things are necessary for production. They are, at best, image bloat, 
    adding anywhere from 100 to 200 MB of useless code to your image that's never used in 
    the wild. Why then, would we want to include it?
Sorry, but this is dangerous advice. This won't pass most serious security audits and to use these tools, you'd likely need to be running as root.

Much better is to strip your immutable images to the bare minimum and instantiate a debug sidecar, e.g. [1], if you need to peer inside.

[1] - https://github.com/mhoyer/docker-swiss-army-knife


I agree with this. For multi-OS dev teams, I’ve set up separate compose files or Dockerfiles for dev and prod. I kept them as similar as possible while optimizing the images for prod and including the niceties for dev.
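One way to get both properties the two comments above ask for (a stripped, unprivileged production image, and a dev image that stays as close to it as possible) is a single multi-stage Dockerfile with two targets that share one base stage. This is an added illustration, not code from either commenter or from the linked repository; the Python app layout, the `requirements*.txt` files and the package names are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Shared base: runtime dependencies only, identical for every target,
# so dev and prod differ solely in what the later stages add.
FROM python:3.12-slim AS base
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY src/ ./src/

# Dev target: the same base plus linters, tests and a couple of network tools.
# Build with: docker build --target dev -t app:dev .
FROM base AS dev
RUN apt-get update \
 && apt-get install -y --no-install-recommends netcat-openbsd iputils-ping \
 && rm -rf /var/lib/apt/lists/*
COPY requirements-dev.txt .
RUN pip install --no-cache-dir -r requirements-dev.txt
CMD ["pytest", "-q"]

# Prod target: nothing but the app, running as an unprivileged user.
# No shell tooling is added, so there is nothing here that needs root.
# Build with: docker build --target prod -t app:prod .
FROM base AS prod
RUN useradd --system --uid 10001 --no-create-home app
USER 10001
CMD ["python", "-m", "src.main"]
```

To inspect a running `app:prod` container without baking tools into it, attach a separate tooling image to its namespaces instead, e.g. `docker run --rm -it --pid=container:<name> --network=container:<name> <debug-image>` (the `<name>` and `<debug-image>` values are placeholders).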