Updated and rebuilt container image variants of some Kubernetes operators.
Just like chemical isotopes are variants of an element, isotopes are variants of upstream container images rebuilt with different base images to minimize vulnerabilities while maintaining functionality.
| Isotope | Base | Size | Use Case |
|---|---|---|---|
distroless |
Google Distroless | ~20MB | Minimal attack surface, no shell |
ubi-micro |
Red Hat UBI Micro | ~40MB | Minimal + RHEL compatibility |
ubi-minimal |
Red Hat UBI Minimal | ~100MB | DNF available, good balance |
ubi |
Red Hat UBI | ~200MB | Full compatibility |
| Operator | Version | Isotopes | Packages | Security Report |
|---|---|---|---|---|
| AWX Operator | devel |
ubi-micro, ubi-minimal, ubi | π¦ | π |
| Cert-Utils Operator | v1.3.12 |
distroless, ubi-micro, ubi-minimal, ubi | π¦ | π |
| Group-Sync Operator | v0.0.36 |
distroless, ubi-micro, ubi-minimal, ubi | π¦ | π |
| Keepalived Operator | v1.5.4 |
ubi-minimal, ubi | π¦ | π |
# Pull an isotope image
docker pull ghcr.io/grandeit/isotope/group-sync-operator:v0.0.36-distroless
# Tag format: <version>-<isotope>
# Examples:
# v0.0.36-distroless
# v0.0.36-ubi-micro
# v0.0.36-ubi-minimal
# v0.0.36-ubi- Build - Upstream source is cloned and rebuilt with hardened base images
- Test - Smoke tests verify basic functionality, integration tests verify Kubernetes reconciliation
- Scan - Trivy scans each isotope and compares against upstream
- Promote - Passing images are tagged with stable version tags
Builds run twice daily to pick up base image security updates.