CNG: Use Distroless base image
Currently we release two sets of CNG images: standard images that are based on Debian Stretch (the Slim version) and UBI images that are based on UBI RHEL8. UBI images go through security scanning. However, the standard images are lagging behind.
Distroless "images contain only application and its runtime dependencies. They do not contain package managers, shells or any other programs you would expect to find in a standard Linux distribution". Not only are they very small in size, but they also have clear security advantages.
Distroless is based on Debian. The process of building a Distroless image is in line with the separation of the build stage and the layering of artifacts.
Of note, Red Hat certification has a hard requirement on the image being FROM ubi or some variant (ubi, ubi-minimal, ubi-micro).
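
The separation of build stage and artifact layering described above, shown as a multi-stage Dockerfile. This is an added example, not CNG's own build: the image tags, paths and the stand-in Go program are assumptions chosen so the file builds on its own with BuildKit.

```dockerfile
# syntax=docker/dockerfile:1
# Added example, not a CNG Dockerfile. The Go program below is a
# constructed stand-in for a real component.

# Build stage: the toolchain, shell and package manager exist only here
# and never reach the image that is shipped.
FROM golang:1.22-bookworm AS build
WORKDIR /src
COPY <<EOF main.go
package main

import "fmt"

func main() { fmt.Println("hello from a distroless image") }
EOF
# CGO_ENABLED=0 yields a static binary, so the final image needs no libc.
RUN go mod init example.test/hello \
 && CGO_ENABLED=0 go build -trimpath -o /out/hello .

# Final stage: only the built artifact is layered on the Distroless base.
# There is no /bin/sh in this image, so a RUN instruction or a shell-form
# ENTRYPOINT/CMD in this stage would fail. Use COPY and exec form only.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/hello /usr/local/bin/hello
# The :nonroot tag already runs as an unprivileged user; stated explicitly
# here so the intent survives a change of base tag.
USER nonroot:nonroot
ENTRYPOINT ["/usr/local/bin/hello"]
```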