We have a policy on images for use in the production k8s realm. Could I ask for some similar policy for other sorts of images that we might want to use, please?
To give some context: I'm building a PoC Ceph cluster, and would like to try out upstream's preferred deployment approach (cephadm), which requires container images (which are run on the storage nodes using docker or podman) rather than installing .debs like our current puppetry does.
Ceph upstream publishes container images, which would be the easiest way for me to proceed. But these upstream images are based on CentOS, and I understand there is considerable reluctance to use upstream images based on a non-Debian base.
The upstream container build process is complicated, but largely involves installing upstream-built binary packages. Upstream do build and release .debs, so I could use those as the basis for Debian-based container images (I expect this still to be a not entirely trivial process). I expect this is the approach I am going to end up taking here. But obviously this is more work and more deviation from upstream than just using upstream's images, both of which are costs.
Or we could go further and build our own .debs from source and make images from those packages. Ceph is quite a pain to build (the build process is complex, involves a lot of git submodules, and takes a lot of time and compute resource), and Debian itself doesn't yet have packages for the latest stable upstream release in sid. I gather that we already have some software (k8s, envoy) which we don't insist on local compilation for.
I've already spoken to @JMeybohm about this, and they suggested that opening a task to ask for policy to be clarified would be useful here.