[xmodem]

> The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.

What's the benefit really, though? If you still need to be able to rapidly deploy a new image in response to a dependency CVE, what have you gained?

[regularfry]

You've gained that happening much less frequently. The tradeoff is making every other problem harder to diagnose.

[NewJazz]

Debug containers are a thing.

Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.

https://kubernetes.io/docs/reference/kubectl/generated/kubec...

[xmodem]

Yup! They are a good solution to the massive problem you caused for yourself by implementing a different "solution" to a non-problem.

And even that's only true if you assume kubernetes is the only place your container runs where you might want to also debug it.

[NewJazz]

You want to ship every debug utility you will need in every image? Just seems wasteful. What about 3rd party images, you will respin images just to add your preferred toolset?

[OptionOfT]

If the base image I use is based on Debian, it comes with more than 15 binaries that I don't use.

But when Docker scans my image and notices that there is a CVE in one of those binaries, my image is currently out of compliance.

FROM scratch just reduces the surface.

[xmodem]

> FROM scratch just reduces the surface.

The actual attack surface of your application? Or the attack surface of you and your team's attention from a busybody security org.

It's important not to confuse the two.