Use Distroless Base Images for flannel

[avaneesh1232]

I would like to propose using Distroless images as the base for the flannel image. This change would improve security by reducing the attack surface and result in smaller, more minimal images.

There are lot of OS and application level CVE's with Alpine being base image
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution.

Alternatively, if needed we can have two variants one based on Alpine and one on Distroless, so users can choose the image that best fits their requirements.

[pgonin]

Flannel's reliance on iptables binaries makes a full Distroless migration impractical without significant architectural changes. Alpine is already a 'slim' base image with limited attack surface. Base images are regularly updated to fix vulnerabilities that are identified.

[avaneesh1232]

Can we use some replacement of alpine package manager like chainguard?

[sindhusri16]

Is this snippet good way @pgonin ? Will this affect any flannel related binaries

#Only the final runtime stage changes: Alpine(FROM alpine:20231219) -> Wolfi

FROM cgr.dev/chainguard/wolfi-base:latest
RUN apk update && apk upgrade

#Wolfi repos already configured; install same tools (Wolfi package names differ for CA bundle)
RUN apk add --no-cache iproute2 iptables strongswan wireguard-tools ca-certificates-bundle

COPY --from=build /build/dist/flanneld /opt/bin/flanneld
COPY dist/mk-docker-opts.sh /opt/bin/
COPY --from=build /iptables-wrapper/iptables-wrapper-installer.sh /
COPY --from=build /iptables-wrapper/bin/iptables-wrapper /

#Check that legacy/nft variants exist; keep the original strict check from v0.24.4
#(If this ever fails on Wolfi, swap with the tolerant line mentioned in the diff above.)

RUN which iptables-legacy && which iptables-nft
RUN /iptables-wrapper-installer.sh --no-sanity-check

ENTRYPOINT ["/opt/bin/flanneld"]

[pgonin]

Chainguard already builds wolfi based images of flannel https://images.chainguard.dev/directory/image/flannel/versions

I think alpine is still fine for an open source community project

[pgonin]

and Wolfi is NOT distroless, it's a different form of distribution with different tools and different approach

[sindhusri16]

@pgonin Is there a way to perform some kinds of test suite (like e2e ones when we try to merge upstream) on the flannel image generated with the above snippet, just want to make sure if I can generate a image this way and that this runner image would not introduce any regression?