Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495)

* Dockerfile refactored Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com> * Adding non-root commands to docker images and enhanced the dockerfiles Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com> * changing base image to scratch Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com> * Minor typo fix Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com> * changing dockerfiles to use /etc/passwd to use non-root user' Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com> * minor typo Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com> * minor typo Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
2025-03-28 18:38:40 +00:00 · 2021-01-30 01:28:07 +05:30 · 2021-01-30 01:28:07 +05:30 · 9da94d5220
commit 9da94d5220
parent 0396d5278e
4 changed files with 81 additions and 14 deletions
--- a/11
+++ b/11
@ -36,9 +36,7 @@ initContainer: fmt vet
 docker-publish-initContainer: docker-build-initContainer docker-tag-repo-initContainer docker-push-initContainer

 docker-build-initContainer:
-	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go
-	echo $(PWD)/$(INITC_PATH)/
-	@docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)/
+	@docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)

 docker-tag-repo-initContainer:
 	@docker tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(REPO)/$(INITC_IMAGE):latest
@ -64,8 +62,7 @@ kyverno: fmt vet
 docker-publish-kyverno: docker-build-kyverno  docker-tag-repo-kyverno  docker-push-kyverno

 docker-build-kyverno:
-	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go
-	@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(PWD)/$(KYVERNO_PATH)
+	@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)

 docker-tag-repo-kyverno:
 	@echo "docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_IMAGE):latest"
@ -97,8 +94,7 @@ cli:
 docker-publish-cli: docker-build-cli  docker-tag-repo-cli  docker-push-cli

 docker-build-cli:
-	CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)/main.go
-	@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(PWD)/$(CLI_PATH)
+	@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(CLI_PATH):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)

 docker-tag-repo-cli:
 	@echo "docker tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_CLI_IMAGE):latest"
@ -212,4 +208,3 @@ fmt:

 vet:
 	go vet ./...
-	
--- a/cmd/cli/kubectl-kyverno/Dockerfile
+++ b/cmd/cli/kubectl-kyverno/Dockerfile
@ -1,3 +1,27 @@
+# Multi-stage docker build
+# Build stage
+FROM golang:1.14 AS builder
+
+LABEL maintainer="Kyverno"
+
+# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
+ARG LD_FLAGS
+
+ADD . /kyverno
+WORKDIR /kyverno
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/
+
+RUN useradd -u 10001 kyverno
+
+# Packaging stage
 FROM scratch
-ADD kyverno /kyverno
-ENTRYPOINT ["/kyverno"]
+
+LABEL maintainer="Kyverno"
+
+COPY --from=builder /output/kyverno /
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER kyverno
+
+ENTRYPOINT ["./kyverno"]
--- a/cmd/initContainer/Dockerfile
+++ b/cmd/initContainer/Dockerfile
@ -1,3 +1,27 @@
+# Multi-stage docker build
+# Build stage
+FROM golang:1.14 AS builder
+
+LABEL maintainer="Kyverno"
+
+# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
+ARG LD_FLAGS
+
+ADD . /kyverno
+WORKDIR /kyverno
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/
+
+RUN useradd -u 10001 kyverno
+
+# Packaging stage
 FROM scratch
-ADD kyvernopre /kyvernopre
-ENTRYPOINT ["/kyvernopre"]
+
+LABEL maintainer="Kyverno"
+
+COPY --from=builder /output/kyvernopre /
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER kyverno
+
+ENTRYPOINT ["./kyvernopre"]
--- a/cmd/kyverno/Dockerfile
+++ b/cmd/kyverno/Dockerfile
@ -1,3 +1,27 @@
+# Multi-stage docker build
+# Build stage
+FROM golang:1.14 AS builder
+
+LABEL maintainer="Kyverno"
+
+# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
+ARG LD_FLAGS
+
+ADD . /kyverno
+WORKDIR /kyverno
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
+
+RUN useradd -u 10001 kyverno
+
+# Packaging stage
 FROM scratch
-ADD kyverno /kyverno
-ENTRYPOINT ["/kyverno"]
+
+LABEL maintainer="Kyverno"
+
+COPY --from=builder /output/kyverno /
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER kyverno
+
+ENTRYPOINT ["./kyverno"]