Add kubeflow, kubeflow-katib and kubeflow-pipelines: total 20 images and restructure kubeflow-volumes-web-app #1265

Merged
merged 34 commits into from
Sep 18, 2023

Conversation

@Dentrax Dentrax commented Aug 25, 2023

Benchmark

kubeflow

volumes-web-app

Note
Before: 327MB, 160 packages, 200 vulnerabilities (19 high, 37 medium, 4 low, 133 negligible)
After: 222MB, 90 packages, 1-CVE

Follow-up CVE fix: wolfi-dev/os#4816

https://github.com/kubeflow/kubeflow/blob/master/components/crud-web-apps/volumes/Dockerfile

jupyter-web-app

Note
Before: 333MB, 161 packages, 2 critical, 31 high, 43 medium, 4 low, 132 negligible
After: 224MB, 105 packages, 0-CVE

https://github.com/kubeflow/kubeflow/blob/master/components/crud-web-apps/jupyter/Dockerfile

kubeflow-katib

controller

Note
Before: 69.3MB, 120 packages, 2 critical
After: 65.7MB, 122 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/katib-controller/v1beta1/Dockerfile

db-manager

Note
Before: 31.4MB, 26 packages, 2 critical
After: 30.0MB, 39 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/db-manager/v1beta1/Dockerfile

file-metricscollector

Note
Before: 29.5MB, 45 packages, 2 critical
After: 29.6MB, 44 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/metricscollector/v1beta1/file-metricscollector/Dockerfile

suggestion-goptuna

Note
Before: 41.3MB, 26 packages, 2 critical
After: 23.7MB, 23 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/goptuna/v1beta1/Dockerfile

suggestion-optuna

Note
Before: 269MB, 134 packages, 3 high, 11 medium, 3 low, 57 negligible
After: 491MB, 133 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/optuna/v1beta1/Dockerfile

suggestion-hyperband

Note
Before: 751MB, 205 packages, 1 critical, 29 high, 46 medium, 4 low, 214 negligible
After: 522MB, 111 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/hyperband/v1beta1/Dockerfile

suggestion-hyperopt

Note
Before: 442MB, 135 packages, 3 high, 11 medium, 3 low, 57 negligible
After: 548MB, 133 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/hyperopt/v1beta1/Dockerfile

suggestion-skopt

Note
Before: 426MB, 133 packages, 3 high, 11 medium, 3 low, 57 negligible
After: 569MB, 149 packages, 2 medium:

NAME      INSTALLED  FIXED-IN  TYPE  VULNERABILITY  SEVERITY
openjpeg  2.5.0-r0             apk   CVE-2015-1239  Medium

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/skopt/v1beta1/Dockerfile

suggestion-pbt

Note
Before: 236MB, 122 packages, 3 high, 11 medium, 3 low, 57 negligible
After: 382MB, 88 packages, 0-CVE:

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/pbt/v1beta1/Dockerfile

suggestion-darts

Note
Before: 198MB, 122 packages, 3 high, 11 medium, 3 low, 57 negligible
After: 350MB, 84 packages, 0-CVE:

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/suggestion/nas/darts/v1beta1/Dockerfile

earlystopping-medianstop

Note
Before: 558MB, 216 packages, 1 critical, 29 high, 46 medium, 4 low, 214 negligible
After: 390MB, 137 packages, 0-CVE:

Dockerfile: https://github.com/kubeflow/katib/blob/master/cmd/earlystopping/medianstop/v1beta1/Dockerfile

kubeflow-pipelines

cache-server

Note
Before: 68.6MB, 116 packages, 6 high, 11 medium, 2 low
After: 63.6MB, 111 packages, 2 high, 10 medium, 2 low

NAME               INSTALLED  FIXED-IN        TYPE       VULNERABILITY        SEVERITY
k8s.io/kubernetes  v1.11.1    1.16.11         go-module  GHSA-wqv3-8cm6-h6wg  High
k8s.io/kubernetes  v1.11.1    1.19.15         go-module  GHSA-f5f7-6478-qm6p  High
k8s.io/kubernetes  v1.11.1    1.24.14         go-module  GHSA-xc8m-28vv-4pjc  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-qc2g-gmh6-95p4  Medium
k8s.io/kubernetes  v1.11.1    1.11.8          go-module  GHSA-q4rr-64r9-fwgf  Medium
k8s.io/kubernetes  v1.11.1    1.16.0-beta.1   go-module  GHSA-jmrx-5g74-6v2f  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-j9wf-vvm6-4r9w  Medium
k8s.io/kubernetes  v1.11.1    1.18.18         go-module  GHSA-g42g-737j-qx6j  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-cgcv-5272-97pr  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.1  go-module  GHSA-8mjg-8c8g-6h85  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.2  go-module  GHSA-8cfg-vx93-jvxw  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-74j8-88mm-7496  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-vw47-mr44-3jf9  Low
k8s.io/kubernetes  v1.11.1    1.18.19         go-module  GHSA-qh36-44jv-c8xj  Low

Dockerfile: https://github.com/kubeflow/pipelines/blob/master/backend/Dockerfile.cacheserver

cache-deployer

Note
Before: 2.95GB, 889 packages, 11 high, 7 medium, 17 low
After: 60.6MB, 117 packages, 0-CVE

Dockerfile: https://github.com/kubeflow/pipelines/blob/master/backend/src/cache/deployer/Dockerfile

api-server

Note
Before: 68.6MB, 231 packages, 7 high, 18 medium, 5 low, 51 negligible
After: 83.4MB, 145 packages, 2 high, 10 medium, 2 low

NAME               INSTALLED  FIXED-IN        TYPE       VULNERABILITY        SEVERITY
k8s.io/kubernetes  v1.11.1    1.16.11         go-module  GHSA-wqv3-8cm6-h6wg  High
k8s.io/kubernetes  v1.11.1    1.19.15         go-module  GHSA-f5f7-6478-qm6p  High
k8s.io/kubernetes  v1.11.1    1.24.14         go-module  GHSA-xc8m-28vv-4pjc  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-qc2g-gmh6-95p4  Medium
k8s.io/kubernetes  v1.11.1    1.11.8          go-module  GHSA-q4rr-64r9-fwgf  Medium
k8s.io/kubernetes  v1.11.1    1.16.0-beta.1   go-module  GHSA-jmrx-5g74-6v2f  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-j9wf-vvm6-4r9w  Medium
k8s.io/kubernetes  v1.11.1    1.18.18         go-module  GHSA-g42g-737j-qx6j  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-cgcv-5272-97pr  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.1  go-module  GHSA-8mjg-8c8g-6h85  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.2  go-module  GHSA-8cfg-vx93-jvxw  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-74j8-88mm-7496  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-vw47-mr44-3jf9  Low
k8s.io/kubernetes  v1.11.1    1.18.19         go-module  GHSA-qh36-44jv-c8xj  Low

Dockerfile:
https://github.com/kubeflow/pipelines/blob/master/backend/Dockerfile

metadata-writer

Note
Before: 1.08GB, 465 packages, 8 critical, 69 high, 200 medium, 43 low, 458 negligible
After: 383MB, 147 packages, 0-CVE!

Dockerfile:
https://github.com/kubeflow/pipelines/blob/master/backend/metadata_writer/Dockerfile

persistenceagent

Note
Before: 68.1MB, 121 packages, 6 high, 11 medium, 2 low
After: 63.4MB, 116 packages, 2 high, 10 medium, 2 low

NAME               INSTALLED  FIXED-IN        TYPE       VULNERABILITY        SEVERITY
k8s.io/kubernetes  v1.11.1    1.16.11         go-module  GHSA-wqv3-8cm6-h6wg  High
k8s.io/kubernetes  v1.11.1    1.19.15         go-module  GHSA-f5f7-6478-qm6p  High
k8s.io/kubernetes  v1.11.1    1.24.14         go-module  GHSA-xc8m-28vv-4pjc  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-qc2g-gmh6-95p4  Medium
k8s.io/kubernetes  v1.11.1    1.11.8          go-module  GHSA-q4rr-64r9-fwgf  Medium
k8s.io/kubernetes  v1.11.1    1.16.0-beta.1   go-module  GHSA-jmrx-5g74-6v2f  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-j9wf-vvm6-4r9w  Medium
k8s.io/kubernetes  v1.11.1    1.18.18         go-module  GHSA-g42g-737j-qx6j  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-cgcv-5272-97pr  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.1  go-module  GHSA-8mjg-8c8g-6h85  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.2  go-module  GHSA-8cfg-vx93-jvxw  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-74j8-88mm-7496  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-vw47-mr44-3jf9  Low
k8s.io/kubernetes  v1.11.1    1.18.19         go-module  GHSA-qh36-44jv-c8xj  Low

Dockerfile:
https://github.com/kubeflow/pipelines/blob/master/backend/Dockerfile.persistenceagent

scheduledworkflow

Note
Before: 73.6MB, 124 packages, 6 high, 11 medium, 2 low
After: 67.6MB, 118 packages, 2 high, 10 medium, 2 low

NAME               INSTALLED  FIXED-IN        TYPE       VULNERABILITY        SEVERITY
k8s.io/kubernetes  v1.11.1    1.16.11         go-module  GHSA-wqv3-8cm6-h6wg  High
k8s.io/kubernetes  v1.11.1    1.19.15         go-module  GHSA-f5f7-6478-qm6p  High
k8s.io/kubernetes  v1.11.1    1.24.14         go-module  GHSA-xc8m-28vv-4pjc  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-qc2g-gmh6-95p4  Medium
k8s.io/kubernetes  v1.11.1    1.11.8          go-module  GHSA-q4rr-64r9-fwgf  Medium
k8s.io/kubernetes  v1.11.1    1.16.0-beta.1   go-module  GHSA-jmrx-5g74-6v2f  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-j9wf-vvm6-4r9w  Medium
k8s.io/kubernetes  v1.11.1    1.18.18         go-module  GHSA-g42g-737j-qx6j  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-cgcv-5272-97pr  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.1  go-module  GHSA-8mjg-8c8g-6h85  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.2  go-module  GHSA-8cfg-vx93-jvxw  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-74j8-88mm-7496  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-vw47-mr44-3jf9  Low
k8s.io/kubernetes  v1.11.1    1.18.19         go-module  GHSA-qh36-44jv-c8xj  Low

Dockerfile:
https://github.com/kubeflow/pipelines/blob/master/backend/Dockerfile.scheduledworkflow

viewer-crd-controller

Note
Before: 103MB, 76 packages, 3 high, 1 medium
After: 51.2MB, 71 packages, 0-CVE

Dockerfile:
https://github.com/kubeflow/pipelines/blob/master/backend/Dockerfile.viewercontroller




Chainguard Images Pull Request Template

Image Size

  • The Image is smaller in size than its common public counterpart.
  • The Image is larger in size than its common public counterpart (please explain in the notes).

Notes:

Image Vulnerabilities

  • The Grype vulnerability scan returned 0 CVE(s).
  • The Grype vulnerability scan returned > 0 CVE(s) (please explain in the notes).

Notes:

Basic Testing - K8s cluster

  • The container image was successfully loaded into a kind cluster.
  • The container image could not be loaded into a kind cluster (please explain in the notes).

Notes:

Basic Testing - Package/Application

  • The application is accessible to the user/cluster/etc. after start-up.
  • The application is not accessible to the user/cluster/etc. after start-up. (please explain in the notes).

Notes:

Helm

  • A Helm chart has been provided and the container image can be used with the chart. If needed, please add a -compat package to close any gaps with the public helm chart.
  • A Helm chart has been provided and the container image is not working with the chart (please explain in the notes).
  • A Helm chart was not provided.

Notes: Used kustomize to test

Processor Architectures

  • The image was built and tested for x86_64.
  • The image could not be built for x86_64 (please explain in the notes).
  • The image was built and tested for aarch64.
  • The image could not be built for aarch64. (please explain in the notes).

Notes:

Functional Testing + Documentation

  • Functional tests have been included and the tests are passing. All tests have been documented in the notes section.

Notes:

Environment Testing + Documentation

  • There has not been a request and/or there is no indication that this image needs tested on a public cloud provider.
  • The container image has been tested successfully on a public cloud provider (AWS, GCP, Azure).
  • The container image has not been tested successfully on a public cloud provider (AWS, GCP, Azure) (please explain in the notes).

Notes:

Version

  • The package version is the latest version of the package. The latest tag points to this version.
  • The package version is the not the latest version of the package (please explain in the notes).

Notes:

Dev Tag Availability

  • There is a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base')
  • There is not a dev tag available that includes a shell and apk tools (by depending on 'wolfi-base') (please explain in the notes).

Notes:

Access Control + Authentication

  • The image runs as nonroot and GID/UID are set to 65532 or upstream default
  • Alternatively the username and GID/UID may be a commonly used one from the ecosystem e.g: postgres
  • The image requires a non-standard username or non-standard GID/UID (please explain in the notes).

ENTRYPOINT

  • applications/servers/utilities set to call main program with no arguments e.g. [redis-server]
  • applications/servers/utilities not set to call main program with no arguments e.g. [redis-server] (please explain in the notes)
  • base images leave empty.
  • base image and not empty (please explain in the notes).
  • dev variants is set to entrypoint script that falls back to system.
  • dev variants is not set to entrypoint script that falls back to system (please explain in the notes).

CMD

  • For server applications give arguments to start in daemon mode (may be empty)
  • For utilities/tooling bring up help e.g. --help
  • For base images with a shell, call it e.g. [/bin/sh]

Environment Variables

  • Environment variables added.
  • Environment variables not added and not required.

SIGTERM

  • The image responds to SIGTERM (e.g., docker kill $(docker run -d --rm cgr.dev/chainguard/nginx))

Logs

  • Error logs write to stderr and normal logs to stdout. Logs DO NOT write to file.

Documentation - README

  • A README file has been provided and it follows the README template.
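The Grype tables quoted in the description are the evidence behind each "Before/After" line, and a reviewer will want to confirm the two agree. The script below is an added example for that check; it is not code from this PR, from the Chainguard Images repository, or from Grype. It parses Grype's default table output by the header's column offsets (so a blank FIXED-IN cell, which Grype prints when no fixed version is known, stays an empty field instead of shifting the TYPE column left), tallies findings by severity, lists the entries with no fix version, and compares the tally with the summary lines. The sample table and summary lines are copied from the cache-server entry above; the function names are this example's own.

```python
"""Cross-check a PR's Before/After vulnerability summary against raw Grype table output.

Added example for reviewing image PRs like this one; not code from the Chainguard
Images repo or from Grype. Function names are this example's own.
"""
import re
from collections import Counter

# Sample input copied from the cache-server entry of the PR description.
# Grype leaves FIXED-IN blank when the vulnerability DB records no fixed version,
# so rows are sliced by the header's column offsets rather than split on whitespace.
CACHE_SERVER_BEFORE = "Before: 68.6MB, 116 packages, 6 high, 11 medium, 2 low"
CACHE_SERVER_AFTER = "After: 63.6MB, 111 packages, 2 high, 10 medium, 2 low"
CACHE_SERVER_TABLE = """\
NAME               INSTALLED  FIXED-IN        TYPE       VULNERABILITY        SEVERITY
k8s.io/kubernetes  v1.11.1    1.16.11         go-module  GHSA-wqv3-8cm6-h6wg  High
k8s.io/kubernetes  v1.11.1    1.19.15         go-module  GHSA-f5f7-6478-qm6p  High
k8s.io/kubernetes  v1.11.1    1.24.14         go-module  GHSA-xc8m-28vv-4pjc  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-qc2g-gmh6-95p4  Medium
k8s.io/kubernetes  v1.11.1    1.11.8          go-module  GHSA-q4rr-64r9-fwgf  Medium
k8s.io/kubernetes  v1.11.1    1.16.0-beta.1   go-module  GHSA-jmrx-5g74-6v2f  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-j9wf-vvm6-4r9w  Medium
k8s.io/kubernetes  v1.11.1    1.18.18         go-module  GHSA-g42g-737j-qx6j  Medium
k8s.io/kubernetes  v1.11.1    1.24.15         go-module  GHSA-cgcv-5272-97pr  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.1  go-module  GHSA-8mjg-8c8g-6h85  Medium
k8s.io/kubernetes  v1.11.1    1.20.0-alpha.2  go-module  GHSA-8cfg-vx93-jvxw  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-74j8-88mm-7496  Medium
k8s.io/kubernetes  v1.11.1                    go-module  GHSA-vw47-mr44-3jf9  Low
k8s.io/kubernetes  v1.11.1    1.18.19         go-module  GHSA-qh36-44jv-c8xj  Low
"""

SEVERITY_RE = re.compile(r"(\d+)\s+(critical|high|medium|low|negligible)", re.I)
CVE_COUNT_RE = re.compile(r"(\d+)-CVE")


def parse_grype_table(text):
    """Return one dict per data row, keyed by the header names (NAME, FIXED-IN, ...)."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0]
    # Column start offsets come from the header; each field runs to the next start.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    rows = []
    for line in lines[1:]:
        row = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            row[name] = line[start:end].strip()   # blank cell -> ""
        rows.append(row)
    return rows


def parse_summary(line):
    """Parse '... 2 high, 10 medium, 2 low' or '... N-CVE' into a severity Counter."""
    counts = Counter()
    for n, sev in SEVERITY_RE.findall(line):
        counts[sev.capitalize()] += int(n)
    m = CVE_COUNT_RE.search(line)
    if m and not counts and int(m.group(1)):
        counts["Unknown"] = int(m.group(1))   # "1-CVE" gives a total but no breakdown
    return counts


def tally(rows):
    return Counter(r["SEVERITY"] for r in rows)


def unfixed(rows):
    """Findings with no FIXED-IN version: bumping the dependency alone cannot close them."""
    return [r["VULNERABILITY"] for r in rows if not r["FIXED-IN"]]


def delta(before, after):
    """Per-severity change, negative means fewer findings after the rebuild."""
    return {sev: after.get(sev, 0) - before.get(sev, 0) for sev in set(before) | set(after)}


def check(summary_line, table_text):
    """Return (ok, claimed, observed); ok is False when prose and scan disagree."""
    claimed = parse_summary(summary_line)
    observed = tally(parse_grype_table(table_text))
    return claimed == observed, claimed, observed


if __name__ == "__main__":
    rows = parse_grype_table(CACHE_SERVER_TABLE)
    ok, claimed, observed = check(CACHE_SERVER_AFTER, CACHE_SERVER_TABLE)
    print("summary matches scan:", ok, dict(observed))
    print("no fix available:", unfixed(rows))
    print("change vs. Before:", delta(parse_summary(CACHE_SERVER_BEFORE), observed))
```

Run against the cache-server entry it reports that the "2 high, 10 medium, 2 low" line matches the table, and that three of the fourteen findings (GHSA-j9wf-vvm6-4r9w, GHSA-74j8-88mm-7496, GHSA-vw47-mr44-3jf9) have no FIXED-IN version, which is the detail to ask about in the "Image Vulnerabilities" notes rather than just the counts.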

@Dentrax Dentrax force-pushed the kubeflow branch 2 times, most recently from 806aee3 to 08bc7f5 Compare August 26, 2023 11:15
@Dentrax Dentrax changed the title Add kubeflow-volumes-web-app and restructure kubeflow images Add kubeflow images and restructure kubeflow-volumes-web-app Sep 5, 2023
@Dentrax Dentrax mentioned this pull request Sep 8, 2023
40 tasks
@Dentrax Dentrax changed the title Add kubeflow images and restructure kubeflow-volumes-web-app Add kubeflow, kubeflow-katib and kubeflow-pipelines: total 19 images and restructure kubeflow-volumes-web-app Sep 8, 2023
@developer-guy

Advisory data is ready: wolfi-dev/advisories#233

Dentrax and others added 8 commits September 11, 2023 16:35
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
@developer-guy developer-guy force-pushed the kubeflow branch 2 times, most recently from 3f052ad to 97afdb0 Compare September 11, 2023 20:31
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Dentrax and others added 4 commits September 12, 2023 00:04
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@Dentrax Dentrax marked this pull request as ready for review September 13, 2023 18:14
@Dentrax Dentrax requested a review from a team as a code owner September 13, 2023 18:14
@developer-guy developer-guy force-pushed the kubeflow branch 2 times, most recently from 71319c9 to bfdb552 Compare September 13, 2023 19:50
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@Dentrax Dentrax marked this pull request as draft September 13, 2023 20:17
Dentrax and others added 2 commits September 13, 2023 23:43
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Signed-off-by: Furkan Türkal <furkan.turkal@chainguard.dev>
Co-authored-by: Batuhan <batuhan.apaydin@chainguard.dev>
@Dentrax Dentrax marked this pull request as ready for review September 13, 2023 21:11
@stormqueen1990 stormqueen1990 left a comment


LGTM! 🚀

@jonjohnsonjr

jonjohnsonjr commented Sep 13, 2023

This intentionally drops kubeflow-jupyter-web-app?

Nvm I see this just got moved around.

Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@joshrwolf joshrwolf dismissed jonjohnsonjr’s stale review September 15, 2023 15:50

change not required

@joshrwolf

approving to unblock this batch, but the following need to be addressed in a follow up:

  • TESTING.md for kubeflow. I'm pretty confident our smoke tests here don't paint the whole picture.
  • missing images for components (ref). these are almost guaranteed to pop up once we deliver to customers

@rawlingsj rawlingsj merged commit 9ce6439 into chainguard-images:main Sep 18, 2023