GitLab container image best practice

Background

As our project grows and we increasingly rely on containerization, it is crucial that we establish and document best practices for creating and managing our container images. This will ensure consistency, security, and efficiency across our development and deployment processes. This was also raised in a recent internal Slack discussion (retained for 90 days only).

Objective

Create a comprehensive guide outlining best practices for container images used within our organization.

Key Areas to Address

  1. Base Image Selection
    • Criteria for choosing official base images
    • When and how to use minimal base images
  2. Dockerfile Optimization
    • Minimizing layers
    • Implementing multi-stage builds
    • Ordering of commands for optimal caching
    • Docker building best practices
  3. Security Considerations
    • Implementing vulnerability scanning
    • Handling secrets and sensitive data
    • Regularly updating base images and dependencies
    • CIS Benchmarks
    • Checking image integrity (signatures, digests) before consumption
  4. Image Size Optimization
    • Techniques for reducing image size
    • Balancing size with functionality
  5. Tagging and Versioning
    • Establishing a consistent tagging strategy
    • Avoiding mutable tags (e.g. latest) in production
  6. Documentation
    • Required documentation for each image
    • Standardizing README content for image repositories
  7. CI/CD Integration
    • Best practices for building images in CI/CD pipelines
    • Implementing automated testing for container images
  8. GitLab-specific Considerations
    • Utilizing GitLab Container Registry
    • Implementing Container Scanning in CI/CD pipelines
    • Setting up Container Protection Rules
    • Impacts on external releases like IronMountain (DSOP)
    • Build duration SLA
  9. Monitoring and Logging
    • Best practices for implementing monitoring and logging in containers
  10. Performance Optimization
    • Guidelines for optimizing container performance

Deliverables

  1. A detailed document outlining the best practices
  2. A checklist for developers to use when creating or updating container images
  3. Example Dockerfiles demonstrating these best practices
  4. A CI component to scan all GitLab-originated images and highlight any that breach the guidelines

Additional Resources

Please add any additional points or areas that you think should be covered in our container image best practices.

Note: This issue description was prepared with the help of GitLab Duo Chat.

Edited by 🤖 GitLab Bot 🤖