Problem
You encounter the compliance issue described below when scanning the image against a 3rd-party security tool:
"ca-certificates must be root owned, readonly and non-executable"
Distroless images contain only the application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution. So you cannot run a chmod command inside the image to update /etc/ssl/certs/ca-certificates.crt (e.g. chmod 444 /etc/ssl/certs/ca-certificates.crt) to resolve these checks.
Environment
- Distroless images
- Google Kubernetes Engine system workloads
Solution
By default, /etc/ssl/certs/ca-certificates.crt is owned by the root user (who has write access) with mode 644; this is the case in the debian:10 and ubuntu:latest images, for example.
To satisfy this specific compliance check, the solution is to use Docker's multi-stage build and COPY --from features: copy the file into an intermediate image that has a shell, run chmod 444 on it there, and then copy it back over the existing file in the distroless image. The resulting image becomes the new baseline onto which the customer application is added.
Here is an example Dockerfile that updates the /etc/ssl/certs/ca-certificates.crt file with read-only permissions.
# Stage 1: the original distroless image, used only as the source of the CA bundle
FROM gcr.io/distroless/static:latest as origin
# Stage 2: a temporary image that has a shell, so chmod is available
FROM debian:10 as shelltmp
COPY --from=origin /etc/ssl/certs/ca-certificates.crt /tmp/ca-certificates.crt
RUN chmod 444 /tmp/ca-certificates.crt
# Stage 3: the new baseline; COPY --from preserves the 444 mode and, without --chown, sets root ownership
FROM gcr.io/distroless/static:latest
COPY --from=shelltmp /tmp/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
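To confirm the rebuilt image actually passes the check (root owned, read-only, non-executable) without needing a shell inside it, the following added example, which is not part of the original article, inspects a container filesystem export such as the tar stream produced by docker export. The sample tarball it checks is constructed in memory so it runs offline; the function names are the example's own.

```python
"""Check that a file inside an exported container filesystem (the tar stream
from `docker export <container>`) is root-owned, read-only and non-executable.
Added example; the sample export below is constructed, not a real image."""
import io
import stat
import tarfile

CERT_PATH = "etc/ssl/certs/ca-certificates.crt"  # docker export omits the leading "/"


def check_cert_perms(tar_bytes: bytes, path: str = CERT_PATH) -> list:
    """Return a list of compliance findings for `path`; an empty list means compliant."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        try:
            member = tf.getmember(path)
        except KeyError:
            return [f"{path}: not present in image filesystem"]
    if member.uid != 0 or member.gid != 0:
        findings.append(f"{path}: owned by uid={member.uid} gid={member.gid}, expected root")
    mode = stat.S_IMODE(member.mode)
    if mode & 0o222:
        findings.append(f"{path}: writable (mode {mode:04o}), expected read-only")
    if mode & 0o111:
        findings.append(f"{path}: executable (mode {mode:04o}), expected non-executable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(f"{path}: setuid/setgid bit set (mode {mode:04o})")
    return findings


def build_sample_export(mode: int, uid: int = 0, gid: int = 0) -> bytes:
    """Construct a minimal docker-export-like tarball containing only the CA bundle."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        data = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED PLACEHOLDER\n-----END CERTIFICATE-----\n"
        info = tarfile.TarInfo(CERT_PATH)
        info.size = len(data)
        info.mode = mode
        info.uid, info.gid = uid, gid
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    # Stock debian layout (644): root-writable, so the check fails
    print(check_cert_perms(build_sample_export(0o644)))
    # After the chmod 444 build stage: compliant, no findings
    print(check_cert_perms(build_sample_export(0o444)))
```

Against a real image, create a container from it with docker create, pipe docker export into a file, and pass its bytes to check_cert_perms.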