mirrors/external-secrets
1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
Code Activity

Make UBI more tolerable from OS vulnerabilities (#3607)

Browse source 
* Make UBI safer from OS vulnerabilities

* Add missing files

* Use correct packages

* Fix CVEs
This commit is contained in:
Idan Adar 2024-06-20 18:50:49 +03:00 committed by GitHub
parent ebae16beb3
commit 9a6ffcd844
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
7 changed files with 92 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
Dockerfile.ubi
View file

@ -1,11 +1,35 @@
FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:5f1cd3422d5d46aea35dac80825dbcbd58213eef49c317f42a394345fb4e8ff1 FROM registry.access.redhat.com/ubi8/ubi as minimal-ubi
ARG TARGETOS
ARG TARGETARCH
RUN dnf update -y && dnf install -y binutils
# prep target rootfs for scratch container
WORKDIR /
RUN mkdir /image && \
ln -s usr/bin /image/bin && \
ln -s usr/sbin /image/sbin && \
ln -s usr/lib64 /image/lib64 && \
ln -s usr/lib /image/lib && \
mkdir -p /image/{usr/bin,usr/lib64,usr/lib,root,home,proc,etc,sys,var,dev}
COPY ubi-build-files-${TARGETARCH}.txt /tmp
# Copy all the required files from the base UBI image into the image directory
# As the go binary is not statically compiled this includes everything needed for CGO to work, cacerts, tzdata and RH release files
RUN tar cf /tmp/files.tar -T /tmp/ubi-build-files-${TARGETARCH}.txt && tar xf /tmp/files.tar -C /image/ \
&& strip --strip-unneeded /image/usr/lib64/*[0-9].so
# Generate a rpm database which contains all the packages that you said were needed in ubi-build-files-*.txt
RUN rpm --root /image --initdb \
&& PACKAGES=$(rpm -qf $(cat /tmp/ubi-build-files-${TARGETARCH}.txt) | grep -v "is not owned by any package" | sort -u) \
&& echo dnf install -y 'dnf-command(download)' \
&& dnf download --destdir / ${PACKAGES} \
&& rpm --root /image -ivh --justdb --nodeps `for i in ${PACKAGES}; do echo $i.rpm; done`
FROM scratch
# Copy all required files + rpm database so the image is scannable
COPY --from=minimal-ubi /image/ /
USER 65534
ARG TARGETOS ARG TARGETOS
ARG TARGETARCH ARG TARGETARCH
COPY bin/external-secrets-${TARGETOS}-${TARGETARCH} /bin/external-secrets COPY bin/external-secrets-${TARGETOS}-${TARGETARCH} /bin/external-secrets
RUN microdnf update
# Run as UID for nobody
USER 65534
ENTRYPOINT ["/bin/external-secrets"] ENTRYPOINT ["/bin/external-secrets"]

2
e2e/go.mod
View file

@ -1,6 +1,6 @@
module github.com/external-secrets/external-secrets-e2e module github.com/external-secrets/external-secrets-e2e
go 1.22.3 go 1.22.4
replace ( replace (
github.com/Masterminds/sprig/v3 => github.com/external-secrets/sprig/v3 v3.3.0 github.com/Masterminds/sprig/v3 => github.com/external-secrets/sprig/v3 v3.3.0

2
go.mod
View file

@ -1,6 +1,6 @@
module github.com/external-secrets/external-secrets module github.com/external-secrets/external-secrets
go 1.22.3 go 1.22.4
replace github.com/Masterminds/sprig/v3 => github.com/external-secrets/sprig/v3 v3.3.0 replace github.com/Masterminds/sprig/v3 => github.com/external-secrets/sprig/v3 v3.3.0

15
ubi-build-files-amd64.txt Normal file
View file

@ -0,0 +1,15 @@
etc/pki
root/buildinfo
etc/ssl/certs
etc/redhat-release
usr/share/zoneinfo
usr/lib64/ld-2.28.so
usr/lib64/ld-linux-x86-64.so.2
usr/lib64/libc-2.28.so
usr/lib64/libc.so.6
usr/lib64/libdl-2.28.so
usr/lib64/libdl.so.2
usr/lib64/libpthread-2.28.so
usr/lib64/libpthread.so.0
usr/lib64/libm-2.28.so
usr/lib64/libm.so.6

15
ubi-build-files-arm64.txt Normal file
View file

@ -0,0 +1,15 @@
etc/pki
root/buildinfo
etc/ssl/certs
etc/redhat-release
usr/share/zoneinfo
usr/lib64/ld-2.28.so
usr/lib64/ld-linux-aarch64.so.1
usr/lib64/libc-2.28.so
usr/lib64/libc.so.6
usr/lib64/libdl-2.28.so
usr/lib64/libdl.so.2
usr/lib64/libpthread-2.28.so
usr/lib64/libpthread.so.0
usr/lib64/libm-2.28.so
usr/lib64/libm.so.6

14
ubi-build-files-ppc64le.txt Normal file
View file

@ -0,0 +1,14 @@
etc/pki
root/buildinfo
etc/ssl/certs
etc/redhat-release
usr/share/zoneinfo
usr/lib64/ld-2.28.so
usr/lib64/libc-2.28.so
usr/lib64/libc.so.6
usr/lib64/libdl-2.28.so
usr/lib64/libdl.so.2
usr/lib64/libpthread-2.28.so
usr/lib64/libpthread.so.0
usr/lib64/libm-2.28.so
usr/lib64/libm.so.6

14
ubi-build-files-s390x.txt Normal file
View file

@ -0,0 +1,14 @@
etc/pki
root/buildinfo
etc/ssl/certs
etc/redhat-release
usr/share/zoneinfo
usr/lib64/ld-2.28.so
usr/lib64/libc-2.28.so
usr/lib64/libc.so.6
usr/lib64/libdl-2.28.so
usr/lib64/libdl.so.2
usr/lib64/libpthread-2.28.so
usr/lib64/libpthread.so.0
usr/lib64/libm-2.28.so
usr/lib64/libm.so.6