From 9da94d5220915526d5adb3fd37d1c1c59ba3ab45 Mon Sep 17 00:00:00 2001 From: Raj Babu Das Date: Sat, 30 Jan 2021 01:28:07 +0530 Subject: [PATCH] Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495) * Dockerfile refactored Signed-off-by: Raj Babu Das * Adding non-root commands to docker images and enhanced the dockerfiles Signed-off-by: Raj Babu Das * changing base image to scratch Signed-off-by: Raj Babu Das * Minor typo fix Signed-off-by: Raj Babu Das * changing dockerfiles to use /etc/passwd to use non-root user' Signed-off-by: Raj Babu Das * minor typo Signed-off-by: Raj Babu Das * minor typo Signed-off-by: Raj Babu Das --- Makefile | 11 +++-------- cmd/cli/kubectl-kyverno/Dockerfile | 28 ++++++++++++++++++++++++++-- cmd/initContainer/Dockerfile | 28 ++++++++++++++++++++++++++-- cmd/kyverno/Dockerfile | 28 ++++++++++++++++++++++++++-- 4 files changed, 81 insertions(+), 14 deletions(-) diff --git a/Makefile b/Makefile index d44f952d90..18f63639bc 100644 --- a/Makefile +++ b/Makefile @@ -36,9 +36,7 @@ initContainer: fmt vet docker-publish-initContainer: docker-build-initContainer docker-tag-repo-initContainer docker-push-initContainer docker-build-initContainer: - CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(INITC_PATH)/kyvernopre -ldflags=$(LD_FLAGS) $(PWD)/$(INITC_PATH)/main.go - echo $(PWD)/$(INITC_PATH)/ - @docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(PWD)/$(INITC_PATH)/ + @docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) docker-tag-repo-initContainer: @docker tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) $(REPO)/$(INITC_IMAGE):latest 
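Review bot: On the new docker-build-initContainer recipe line, `--build-arg LD_FLAGS=$(LD_FLAGS)` is unquoted, so if LD_FLAGS is defined as a plain list of words (its definition is outside this hunk) the shell splits it and only the first word reaches the Dockerfile while the rest become stray `docker build` arguments; if the variable does not already embed its own quotes, `--build-arg LD_FLAGS="$(LD_FLAGS)"` keeps it a single argument. The docker-build-kyverno and docker-build-cli hunks use the same form. The build context also changes from `$(PWD)/$(INITC_PATH)/` to `.`, so the entire repository is now sent to the daemon on every build and lands in the builder image through its `ADD . /kyverno`; the diffstat lists no `.dockerignore`, so unless one already exists, `.git` and local build output are included in that layer.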
@@ -64,8 +62,7 @@ kyverno: fmt vet docker-publish-kyverno: docker-build-kyverno docker-tag-repo-kyverno docker-push-kyverno docker-build-kyverno: - CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(KYVERNO_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(KYVERNO_PATH)/main.go - @docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(PWD)/$(KYVERNO_PATH) + @docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) docker-tag-repo-kyverno: @echo "docker tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_IMAGE):latest" @@ -97,8 +94,7 @@ cli: docker-publish-cli: docker-build-cli docker-tag-repo-cli docker-push-cli docker-build-cli: - CGO_ENABLED=0 GOOS=linux go build -o $(PWD)/$(CLI_PATH)/kyverno -ldflags=$(LD_FLAGS) $(PWD)/$(CLI_PATH)/main.go - @docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(PWD)/$(CLI_PATH) + @docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(CLI_PATH):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) docker-tag-repo-cli: @echo "docker tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) $(REPO)/$(KYVERNO_CLI_IMAGE):latest" @@ -212,4 +208,3 @@ fmt: vet: go vet ./... - diff --git a/cmd/cli/kubectl-kyverno/Dockerfile b/cmd/cli/kubectl-kyverno/Dockerfile index edb70fb2a7..4a1f4d6ffe 100644 --- a/cmd/cli/kubectl-kyverno/Dockerfile +++ b/cmd/cli/kubectl-kyverno/Dockerfile 
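Review bot: The new docker-build-cli line tags the image as `$(REPO)/$(CLI_PATH):$(IMAGE_TAG)`, whereas the removed line and the docker-tag-repo-cli recipe visible in the context both use `$(KYVERNO_CLI_IMAGE)`, so the tag step of docker-publish-cli will look for an image that was never built (and CLI_PATH is a directory path, which would yield an odd repository name). The line should read `@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)`. The docker-build-kyverno hunk above keeps its image variable, so this looks like a slip rather than an intended rename.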
@@ -1,3 +1,27 @@
+# Multi-stage docker build
+# Build stage
+FROM golang:1.14 AS builder
+
+LABEL maintainer="Kyverno"
+
+# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
+ARG LD_FLAGS
+
+ADD . /kyverno
+WORKDIR /kyverno
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/
+
+RUN useradd -u 10001 kyverno
+
+# Packaging stage
 FROM scratch
-ADD kyverno /kyverno
-ENTRYPOINT ["/kyverno"]
+
+LABEL maintainer="Kyverno"
+
+COPY --from=builder /output/kyverno /
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER kyverno
+
+ENTRYPOINT ["./kyverno"]
\ No newline at end of file
diff --git a/cmd/initContainer/Dockerfile b/cmd/initContainer/Dockerfile
index 547d8e9fc3..3c010fa686 100644
--- a/cmd/initContainer/Dockerfile
+++ b/cmd/initContainer/Dockerfile
@@ -1,3 +1,27 @@
+# Multi-stage docker build
+# Build stage
+FROM golang:1.14 AS builder
+
+LABEL maintainer="Kyverno"
+
+# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
+ARG LD_FLAGS
+
+ADD . /kyverno
+WORKDIR /kyverno
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/
+
+RUN useradd -u 10001 kyverno
+
+# Packaging stage
 FROM scratch
-ADD kyvernopre /kyvernopre
-ENTRYPOINT ["/kyvernopre"]
\ No newline at end of file
+
+LABEL maintainer="Kyverno"
+
+COPY --from=builder /output/kyvernopre /
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER kyverno
+
+ENTRYPOINT ["./kyvernopre"]
diff --git a/cmd/kyverno/Dockerfile b/cmd/kyverno/Dockerfile
index edb70fb2a7..a0ba646730 100644
--- a/cmd/kyverno/Dockerfile
+++ b/cmd/kyverno/Dockerfile
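Review bot: `USER kyverno` in the packaging stage names the user rather than giving its UID, which is why the builder's entire `/etc/passwd` (every system account of the golang:1.14 image, not just the one entry) is copied into the scratch image; the kubelet cannot verify a named user against `runAsNonRoot: true` and rejects such a pod with a non-numeric-user error, so `USER 10001:10001` is the safer form and makes both the `useradd` step and the `/etc/passwd` copy unnecessary. If a name is still wanted for tooling, copy a single generated entry instead of the whole file and create the account with no home or login shell, `useradd -u 10001 -M -s /sbin/nologin kyverno`, since neither exists in scratch. `ADD . /kyverno` should be `COPY . /kyverno` (ADD's URL and archive-extraction behaviour is not needed here), and copying `go.mod`/`go.sum` and running `go mod download` before the source copy would let the module layer survive source edits, assuming those files exist at the repository root, which is outside this diff. `ENTRYPOINT ["./kyverno"]` depends on the working directory defaulting to `/`; the removed line's absolute `["/kyverno"]` was unambiguous. The same points apply to the initContainer and kyverno Dockerfile hunks.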
@@ -1,3 +1,27 @@
+# Multi-stage docker build
+# Build stage
+FROM golang:1.14 AS builder
+
+LABEL maintainer="Kyverno"
+
+# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
+ARG LD_FLAGS
+
+ADD . /kyverno
+WORKDIR /kyverno
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
+
+RUN useradd -u 10001 kyverno
+
+# Packaging stage
 FROM scratch
-ADD kyverno /kyverno
-ENTRYPOINT ["/kyverno"]
+
+LABEL maintainer="Kyverno"
+
+COPY --from=builder /output/kyverno /
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER kyverno
+
+ENTRYPOINT ["./kyverno"]