Choosing a Base Image
Choosing a suitable base image is the first step to hardening an image within Iron Bank. All images must start from an existing Iron Bank base image. This is not a comprehensive list of ALL images that can be used as a base. ANY opensource image can be used as a base image, such as python-3.10 or apache. The table below lists the highest ancestor possible for images.
| Image | Variant | FIPS Friendly |
|---|---|---|
| Alpine | Yes | |
| Chainguard | static, node |
|
| Debian | Yes | |
| Docker/Scratch | ||
| Google/Distroless | static, base, cc, java-11 java-17 |
|
| Redhat/UBI | ubi, ubi-minimal, ubi-micro |
Yes |
| Suse | bci |
Yes |
| Ubuntu | Yes |
hardening_manifest.yaml
args:
BASE_IMAGE: "redhat/ubi/ubi9"
BASE_TAG: "9.3"
Dockerfile
ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi9
ARG BASE_TAG="9.3"
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
Warning
The pipeline automatically injects the ironbank namespace and must not be included in the hardening_manifest.yaml. It is included in the Dockerfile to support building images locally. The reason for this is the pipeline injects ironbank-staging for non-production builds.