Image Base Component

Deploys pre-built container images with production security and auto-configured service connections.

Quick Reference

REQ = required (must be defined by the user)

Attribute          Example                    Generated in                   Effect
-----------------  -------------------------  -----------------------------  ------------------------------------------------
version (REQ)      ghcr.io/org/app:v1         image_base.yaml                Container image
port (REQ)         8080                       image_base.yaml, cloud.env     containerPort + SERVICE_PORT
user_id (REQ)      10001                      image_base.yaml                runAsUser (must match the image USER)
group_id (REQ)     10001                      image_base.yaml                runAsGroup, fsGroup
namespace (REQ)    my-app                     all files                      K8s namespace
framework_type     python                     cloud.env                      ENV naming convention for service links
startup_commands   python manage.py migrate   startup.sh, image_base.yaml    Init container that runs before the app starts
security_features  [pod_security, ...]        image_base.yaml                securityContext settings (see matrix below)
configmap          KEY=value                  cloud.env                      Custom ENV vars (app-specific)
pvc                true                       pvc.yaml, image_base.yaml      PVC + volumeMount
hpa                true                       hpa.yaml                       HorizontalPodAutoscaler

Service Links → cloud.env

Link to           spring                 nodejs/python/rails   laravel      generic
----------------  ---------------------  --------------------  -----------  -----------
CNPG/PostgreSQL   SPRING_DATASOURCE_*    DATABASE_URL          DB_*         POSTGRESS_*
Valkey/Redis      SPRING_DATA_REDIS_*    REDIS_URL             REDIS_*      REDIS_*
MongoDB           SPRING_DATA_MONGODB_*  MONGODB_URI           -            MONGODB_*
RabbitMQ          SPRING_RABBITMQ_*      AMQP_URL              RABBITMQ_*   RABBIT_*
SeaweedFS (S3)    AWS_S3_*               S3_*                  AWS_*        SW_*
OTEL              OTEL_* ENVs + pod annotation for every framework; python additionally requires the pythonpath attribute

Security Features Matrix

security_features item     K8s field(s)                                   Value
-------------------------  ---------------------------------------------  ------------------------------------------
pod_security               runAsNonRoot, runAsUser, runAsGroup, fsGroup   true; user_id and group_id for the rest
no_host_access             hostNetwork, hostPID, hostIPC                  false
no_privilege_escalation    allowPrivilegeEscalation, privileged           false
read_only_fs               readOnlyRootFilesystem                         true, plus an emptyDir mounted at /tmp
drop_capabilities          capabilities.drop                              [ALL]
seccomp                    seccompProfile.type                            RuntimeDefault

Generated Files

File                Condition              Contains
------------------  ---------------------  --------------------------------------
image_base.yaml     Always                 Deployment + Service + ServiceMonitor
rbac.yaml           Always                 ServiceAccount
secret/cloud.env    Always                 Auto-configured ENVs from links
files/startup.sh    startup_commands set   Init container script
pvc.yaml            pvc: true              PersistentVolumeClaim
hpa.yaml            hpa: true              HorizontalPodAutoscaler

Init Container (startup_commands)

When startup_commands is set, an init container runs the same image before the main app starts:

  • Commands are written to the startup.sh ConfigMap
  • Mounted at /startup/startup.sh
  • Shares volumes with the main container (PVC, writable dirs)
  • The main app starts only after the init container exits successfully; if a command fails, the pod stays in the Init state and the init container is restarted instead of the app
Example:
startup_commands: |
  python manage.py migrate
  python manage.py collectstatic --noinput
OTEL Auto-Instrumentation

When linked to an OTEL component:

  • Link attribute otel_language: java, python, nodejs, dotnet, go
  • Python only: pythonpath, the app working directory (e.g., /usr/src/app)
  • Generated: pod annotation + OTEL_* ENVs + PYTHONPATH (if python)

Python PYTHONPATH is required because the OTEL operator's sitecustomize.py does not add the working directory to sys.path; the value must match the Dockerfile WORKDIR.
image_base vs external_source_code

Feature                          image_base                    external_source_code
-------------------------------  ----------------------------  ----------------------------
Image source                     Full image path in version    Built from registry config
Init containers                  ✓ startup_commands
imagePullSecrets                 ✓ registry-credential
Service links, Security, OTEL    Same in both
Common Issues
  • user_id must match the image USER: runAsUser overrides the image's user at runtime, so a mismatch leaves the process running as a uid that does not own the files the image created for its user
  • Python OTEL needs pythonpath, and it must equal the Dockerfile WORKDIR
  • read_only_fs needs writable dirs: only /tmp gets an emptyDir automatically; any other path the app writes to (caches, logs, uploads) needs a PVC or another volume mount
Production Checklist
  • All security_features enabled (pod_security, no_host_access, no_privilege_escalation, read_only_fs, drop_capabilities, seccomp)
  • user_id != 0 (non-root); with pod_security enabled, runAsNonRoot makes the kubelet refuse to start a container that would run as uid 0
  • framework_type set correctly, otherwise service-link ENVs are generated under the wrong names and the app will not find its connections
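The following script is an added example, not part of the component's own code: it checks a rendered Deployment against the Security Features Matrix and the Production Checklist above, and compares user_id with the image USER taken from `docker inspect` output. The two Deployment manifests and the inspect JSON are constructed samples (not output captured from the tool); the field names are the Kubernetes ones listed in the matrix.

```python
"""Added example: check a rendered image_base.yaml Deployment against the
Security Features Matrix and Production Checklist. Not the component's code.
The manifests and the `docker inspect` output are constructed samples."""
import json

# Constructed: a Deployment rendered with all security_features enabled,
# user_id/group_id 10001 and read_only_fs (emptyDir at /tmp).
HARDENED = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": False, "hostPID": False, "hostIPC": False,
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                        "runAsGroup": 10001, "fsGroup": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "tmp", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "ghcr.io/org/app:v1",
                    "ports": [{"containerPort": 8080}],
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "privileged": False,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}},
                    "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
}}}}

# Constructed: the same app with no security_features set and host networking on.
WEAK = {"kind": "Deployment", "spec": {"template": {"spec": {
    "hostNetwork": True,
    "containers": [{"name": "app", "image": "ghcr.io/org/app:v1",
                    "securityContext": {"privileged": True}}],
}}}}

# Constructed `docker inspect <image>` output, reduced to the field used here.
INSPECT = json.dumps([{"Config": {"User": "10001:10001"}}])


def check_security_context(manifest, user_id, group_id):
    """Return findings (empty list = conforms) for one Deployment manifest."""
    out = []
    pod = manifest["spec"]["template"]["spec"]
    psc = pod.get("securityContext", {})
    # pod_security (and checklist: user_id != 0)
    if user_id == 0:
        out.append("user_id is 0; pod_security requires a non-root user")
    if psc.get("runAsNonRoot") is not True:
        out.append("runAsNonRoot is not true")
    for field, want in (("runAsUser", user_id), ("runAsGroup", group_id), ("fsGroup", group_id)):
        if psc.get(field) != want:
            out.append(f"{field} is {psc.get(field)!r}, expected {want}")
    # no_host_access
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(field, False):
            out.append(f"{field} is enabled")
    # seccomp
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        out.append("seccompProfile.type is not RuntimeDefault")
    empty_dirs = {v["name"] for v in pod.get("volumes", []) if "emptyDir" in v}
    for c in pod.get("containers", []):
        name, csc = c.get("name", "?"), c.get("securityContext", {})
        # no_privilege_escalation
        if csc.get("allowPrivilegeEscalation") is not False:
            out.append(f"{name}: allowPrivilegeEscalation is not false")
        if csc.get("privileged", False):
            out.append(f"{name}: privileged is true")
        # drop_capabilities
        if "ALL" not in csc.get("capabilities", {}).get("drop", []):
            out.append(f"{name}: capabilities.drop lacks ALL")
        # read_only_fs: read-only root plus a writable emptyDir mounted at /tmp
        if csc.get("readOnlyRootFilesystem") is not True:
            out.append(f"{name}: readOnlyRootFilesystem is not true")
        else:
            mounts = {m["mountPath"]: m["name"] for m in c.get("volumeMounts", [])}
            if mounts.get("/tmp") not in empty_dirs:
                out.append(f"{name}: read_only_fs without an emptyDir at /tmp")
    return out


def check_image_user(inspect_json, user_id):
    """Compare user_id with the image USER from `docker inspect` JSON.
    Returns None on a match. A numeric USER (uid or uid:gid) is required;
    a user name cannot be resolved without the image's /etc/passwd."""
    user = json.loads(inspect_json)[0]["Config"].get("User", "")
    if not user:
        return "image sets no USER (root); it cannot match a non-root user_id"
    uid = user.split(":")[0]
    if not uid.isdigit():
        return f"image USER {user!r} is a name; resolve it to a uid before comparing"
    if int(uid) != user_id:
        return f"image USER is {uid} but user_id is {user_id}; they must match"
    return None


if __name__ == "__main__":
    for label, m in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_security_context(m, 10001, 10001) or "conforms")
    print("image user:", check_image_user(INSPECT, 10001) or "matches user_id")
```

To run it against a real deployment, load the rendered image_base.yaml Deployment into a dict (e.g. with PyYAML) and pass `docker inspect <image>` output to check_image_user; an empty findings list for the manifest and None for the image user means the checklist holds. Named USERs still need a manual uid lookup, which the script reports rather than guesses.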