Chainguard Image now available for Pulumi
Today we’re announcing a new Chainguard Image for Pulumi, an open source infrastructure as code (IaC) tool for creating, deploying and managing cloud infrastructure. Popular off-the-shelf container images have historically carried a large number of CVEs, the result of shipping far more packages than the workload needs and updating them infrequently. We set out to fix both problems with our new Pulumi Image, available at:
cgr.dev/chainguard/pulumi:latest
One of Pulumi’s greatest features is first-class support for several popular programming languages, so developers can write IaC in the language of their choice. The flip side is that a container image for Pulumi has to carry every one of those language runtimes, which makes it challenging to assemble.
How we built it
To start, we first packaged the entire Pulumi toolchain in Wolfi OS. From there, we were able to build a working Pulumi image using apko.
The apko config for the Pulumi Image has our largest set of explicitly listed packages to date for a single Image — 30. Even so, this 78-line YAML file is arguably more declarative and manageable than the Dockerfile used for the official Pulumi image, which contains all sorts of curl-to-bash and other magic. 🪄
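To make the declarative shape concrete, here is an added, constructed apko config for a Pulumi-style image. It is not the actual config from the chainguard-images repository: the Wolfi repository and keyring URLs and the apko keys (contents, accounts, entrypoint, archs) are real, but the Pulumi package names (pulumi, pulumi-language-*) are assumed for illustration, and the runtime package names are taken from the Wolfi sources named later on this page.

```yaml
# Constructed apko config (illustrative, not Chainguard's actual pulumi.yaml).
# Everything the image contains is enumerated here; nothing is fetched at build
# time by curl-to-bash, so the SBOM apko emits is a faithful inventory.
contents:
  repositories:
    - https://packages.wolfi.dev/os
  keyring:
    - https://packages.wolfi.dev/os/wolfi-signing.rsa.pub   # apk signatures are verified against this key
  packages:
    - wolfi-baselayout
    - ca-certificates-bundle
    - busybox
    - git                       # pulumi reads git metadata for stack updates
    - pulumi                    # assumed package name for the CLI
    - pulumi-language-python    # assumed names for the per-language hosts
    - pulumi-language-nodejs
    - pulumi-language-go
    - pulumi-language-java
    - pulumi-language-dotnet
    - python-3.11               # runtimes, from the Wolfi sources listed below
    - nodejs-18
    - go-1.20
    - openjdk-17
    - dotnet-7

# Run as an unprivileged user; the official image runs as root by default.
accounts:
  groups:
    - groupname: nonroot
      gid: 65532
  users:
    - username: nonroot
      uid: 65532
      gid: 65532
  run-as: 65532

environment:
  PATH: /usr/sbin:/sbin:/usr/bin:/bin

entrypoint:
  command: /usr/bin/pulumi

# One config produces both architectures of the multi-arch image.
archs:
  - x86_64
  - aarch64
```

Because every package is pinned to a signed Wolfi repository, a reviewer can audit the image's contents by reading this file and the generated SBOM rather than replaying a Dockerfile's download steps.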
The size of this image is also our largest yet at 596M. This is still slim compared to the official Pulumi image pulumi/pulumi:latest at a whopping 1.4G. The large size is necessary due to support for all of the languages where Pulumi has an SDK. In the future, we may release smaller images, for example a pulumi-python with only Python support. Stay tuned.
The Chainguard Pulumi Image is also multi-arch with support for both x86-64 and ARM64, while the official one is single-arch (x86_64).
The CVE count on the Chainguard Pulumi Image today according to Trivy is 15, compared to 737 in the official image (a reduction of over 97%). 🤯 Note that scanners have been struggling to interpret .NET package metadata correctly, so some of the remaining findings may be false positives.
One thing we found is that an image like this is also difficult to test. Luckily, Wolfi already contains packages for every language and runtime that Pulumi supports:
.NET - Wolfi source: dotnet-7.yaml
Java - Wolfi source: openjdk-17.yaml
Go - Wolfi source: go-1.20.yaml
Node.js - Wolfi source: nodejs-18.yaml
Python - Wolfi source: python-3.11.yaml
After we assembled an image, we tested it by creating a Pulumi project for each supported language, each of which does the same thing: runs a simple Kubernetes pod using the Chainguard Nginx Image cgr.dev/chainguard/nginx:latest. We ensured that we could:
1. Run pulumi up and check that the pod comes up
2. Start a port-forward and check that we can curl the Nginx server
3. Run pulumi destroy and check that the pod gets deleted
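As an added example of the smoke test described above (not taken from the chainguard-images repository), here is the same pod expressed as a Pulumi YAML program, which runs on the image without needing any of the language SDKs. The project name, pod name and labels are constructed; the container port assumes the Chainguard Nginx image serves on 8080 as a non-root user, so check that against the tag you pull.

```yaml
# Pulumi.yaml: constructed smoke-test project (illustrative, not Chainguard's own test).
name: chainguard-nginx-smoke
runtime: yaml
description: Start one Nginx pod from the Chainguard image, probe it, tear it down.

resources:
  nginx:
    type: kubernetes:core/v1:Pod
    properties:
      metadata:
        name: cg-nginx
        labels:
          app: cg-nginx
      spec:
        # Refuse to schedule if the image tried to run as root.
        securityContext:
          runAsNonRoot: true
        containers:
          - name: nginx
            image: cgr.dev/chainguard/nginx:latest
            ports:
              - containerPort: 8080   # assumed default listen port of the Chainguard image
            securityContext:
              allowPrivilegeEscalation: false
            # The port-forward step below only makes sense once this probe passes.
            readinessProbe:
              httpGet:
                path: /
                port: 8080

outputs:
  podName: ${nginx.metadata.name}
```

From a directory containing this file, the three checks map to: pulumi stack init dev followed by pulumi up --yes (the pod must reach Ready), then kubectl port-forward pod/cg-nginx 8080:8080 and curl -sf http://localhost:8080/ from a second terminal, and finally pulumi destroy --yes followed by kubectl get pod cg-nginx, which should report NotFound. The runAsNonRoot and allowPrivilegeEscalation settings are there so that the test fails loudly if a future image revision silently regressed to running as root.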
If you want a Pulumi image that is over 57% smaller, carries roughly 97% fewer CVEs and ships with more security built in by default, start using Chainguard’s Pulumi Image today at github.com/chainguard-images. You can also check out the “Kubernetes Pod Example” section in the Image docs on Chainguard Academy. Chainguard Images are now available for Apache Zookeeper, Bazel, curl, Git, Go, Jenkins, NATS, OpenSearch, Prometheus, Ruby and more. We currently offer our public Chainguard Images catalog at no cost to users, including SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.
We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.
Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.