Sign inContact usTry it out
Sign inContact usTry it out

Chainguard Image now available for Kubectl

Adrian Mouat, Staff OSS Engineer
  •  
February 7, 2023
The Case for Farm-to-Table Package Signing

While we might never be able to agree on how to pronounce it, we’re excited to announce that we’ve added a Kubectl image to the Chainguard Images catalog. Despite being one of the most widely used tools in the cloud native ecosystem, there are very few maintained images available today. So we fixed the bug and made one.

How it works 

Kubectl is the entrypoint to most clusters and is often found running inside CI environments, build systems, and even GitOps engines. This means size, pull time, and security are all very important to keeping your pipelines running efficiently and securely. Like all of our Chainguard Images, kubectl supports multiple architectures. While this is relatively standard today, Chainguard’s build of kubectl is the only supported image with arm64 support that we’ve seen.  

Chainguard’s Kubectl Image comes with a Software Bill of Material (SBOM) and is signed with Sigstore, both of which are available in Kubernetes. Our Image is 75 percent smaller than the most commonly used alternative (50MB vs. 200MB) and as always, we target zero-known, reported CVEs, coming in at 0 vs. 60 (including a critical), as of today’s date.

-- CODE language-bash -- docker images --digests REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE bitnami/kubectl latest sha256:a567b806deb48004866315c9d7ac9b9150fcefef82ea26004fb4c94fe8d0d88b f4cc73913b98 6 hours ago 221MB cgr.dev/chainguard/kubectl latest sha256:eba7c948258f228d89ff963ac61c764b29c503ed8f4edebce503fd810b6782df ee2e3d9caf6a 5 hours ago 56.2MB This gives us (221-56.2)/221 = 0.7457 or roughly a 75% reduction in size.

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

-- CODE language-bash -- $ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/kubectl Found SBOM of media type: spdx+json … { "SPDXID": "SPDXRef-Package-kubectl-1.26.0-r0", "name": "kubectl", "versionInfo": "1.26.0-r0", "filesAnalyzed": true, "hasFiles": [ "SPDXRef-File--usr-bin-kubectl" ], "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0", "downloadLocation": "NOASSERTION", "copyrightText": "\n", "externalRefs": [ { "referenceCategory": "PACKAGE_MANAGER", "referenceLocator": "pkg:apk/wolfi/kubectl@1.26.0-r0?arch=x86_64", "referenceType": "purl" } ], "packageVerificationCode": { "packageVerificationCodeValue": "736a5511d08dd1437f3e167f69b9b78730e70b03" } }

If you want to see up to a 75 percent reduction in your Kubectl Image sizes with more security built in by default start using Chainguard’s Kubectl Image today using documentation in Chainguard Academy. Chainguard Images are currently available for Bazel, Redis, Python, curl, Git, Go, Jenkins, Postgres, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog. 

The Case for Farm-to-Table Package Signing

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

More articles

Chainguard’s response to CVE-2023-4527 in glibc

Dan Luhring, Staff Software Engineer
  •  
September 25, 2023

A growing ecosystem of vulnerability scanners that now support Chainguard Images and Wolfi

Kim Lewandowski, Chief Product Officer
  •  
September 21, 2023

How to use Dockerfiles with wolfi-base images

Adrian Mouat, Staff DevRel Engineer
  •  
September 14, 2023

Don’t break the chain – secure your supply chain today!

Contact us
Please direct security disclosures or questions about our bug bounty program to security@chainguard.dev
Copyright 2022
BlogCareersLegalTerms

Sign up for our newsletter

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Unchained
Products
Chainguard Images
Reduce your attack surface with minimal, distroless images.
Chainguard Enforce
Manage, monitor and enforce end-to-end policies.
Chainguard Services
Infrastructure, configuration, and compliance assessment.
Developer
Resources
Company
Contact
Back
Docs
Open source
Back
Unchained blog
Chainguard labs
Customer stories
Education
Back
About
Newsroom
Careers
Back
About
Newsroom
Careers
Product

Chainguard Image now available for Kubectl

Adrian Mouat, Staff OSS Engineer
February 7, 2023
copied

While we might never be able to agree on how to pronounce it, we’re excited to announce that we’ve added a Kubectl image to the Chainguard Images catalog. Despite being one of the most widely used tools in the cloud native ecosystem, there are very few maintained images available today. So we fixed the bug and made one.

How it works 

Kubectl is the entrypoint to most clusters and is often found running inside CI environments, build systems, and even GitOps engines. This means size, pull time, and security are all very important to keeping your pipelines running efficiently and securely. Like all of our Chainguard Images, kubectl supports multiple architectures. While this is relatively standard today, Chainguard’s build of kubectl is the only supported image with arm64 support that we’ve seen.  

Chainguard’s Kubectl Image comes with a Software Bill of Material (SBOM) and is signed with Sigstore, both of which are available in Kubernetes. Our Image is 75 percent smaller than the most commonly used alternative (50MB vs. 200MB) and as always, we target zero-known, reported CVEs, coming in at 0 vs. 60 (including a critical), as of today’s date.

-- CODE language-bash -- docker images --digests REPOSITORY TAG DIGEST IMAGE ID CREATED SIZE bitnami/kubectl latest sha256:a567b806deb48004866315c9d7ac9b9150fcefef82ea26004fb4c94fe8d0d88b f4cc73913b98 6 hours ago 221MB cgr.dev/chainguard/kubectl latest sha256:eba7c948258f228d89ff963ac61c764b29c503ed8f4edebce503fd810b6782df ee2e3d9caf6a 5 hours ago 56.2MB This gives us (221-56.2)/221 = 0.7457 or roughly a 75% reduction in size.

As always, the binaries in our Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

-- CODE language-bash -- $ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/kubectl Found SBOM of media type: spdx+json … { "SPDXID": "SPDXRef-Package-kubectl-1.26.0-r0", "name": "kubectl", "versionInfo": "1.26.0-r0", "filesAnalyzed": true, "hasFiles": [ "SPDXRef-File--usr-bin-kubectl" ], "licenseConcluded": "NOASSERTION", "licenseDeclared": "Apache-2.0", "downloadLocation": "NOASSERTION", "copyrightText": "\n", "externalRefs": [ { "referenceCategory": "PACKAGE_MANAGER", "referenceLocator": "pkg:apk/wolfi/kubectl@1.26.0-r0?arch=x86_64", "referenceType": "purl" } ], "packageVerificationCode": { "packageVerificationCodeValue": "736a5511d08dd1437f3e167f69b9b78730e70b03" } }

If you want to see up to a 75 percent reduction in your Kubectl Image sizes with more security built in by default start using Chainguard’s Kubectl Image today using documentation in Chainguard Academy. Chainguard Images are currently available for Bazel, Redis, Python, curl, Git, Go, Jenkins, Postgres, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog. 

Related articles
Product
Chainguard’s response to CVE-2023-4527 in glibc
September 25, 2023
Product
An update on Chainguard Images FIPS Validation
September 13, 2023
Product
Announcing a Chainguard Image for OpenTF
September 6, 2023
Products

Chainguard Images

Chainguard Enforce

Chainguard Services

Developer

Open source

Docs

Resources

Unchained blog

Chainguard Labs

Customer stories

Scanners

Security

Education

Company

About

Newsroom

Careers

Legal

Contact

Follow

Twitter

GitHub

LinkedIn

TikTok

© 2023 Chainguard, Inc.

Contact