
Update Dockerfile; remove securityContext runAsUser (#1695)

* run Kyverno with a specific UID; remove "runAsUser" from the deployment manifests

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* add LD_FLAGS when push Kyverno images

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* start Kyverno with UID 10001

Signed-off-by: Shuting Zhao <shutting06@gmail.com>

* update initContainer and CLI Dockerfiles

Signed-off-by: Shuting Zhao <shutting06@gmail.com>
This commit is contained in:
shuting 2021-03-10 14:47:09 -08:00 committed by GitHub
parent bb361df696
commit c8a41d83f7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 10 additions and 20 deletions


@ -43,8 +43,8 @@ docker-build-initContainer-amd64:
@docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"
docker-push-initContainer:
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) .
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest .
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
##################################
# KYVERNO CONTAINER
@ -74,8 +74,8 @@ docker-build-kyverno-amd64:
@docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"
docker-push-kyverno:
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) .
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest .
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
##################################
@ -105,9 +105,9 @@ docker-build-cli-amd64:
@docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64"
docker-push-cli:
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) .
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest .
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS)
@docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)
##################################
docker-publish-all: docker-publish-initContainer docker-publish-kyverno docker-publish-cli
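Review bot: The `$(IMAGE_TAG)` and `latest` tags in each docker-push-* target come from two separate `docker buildx build --push` invocations, so nothing guarantees that the two tags reference the same image digest — any non-reproducible build step, or a dependency resolved between the two runs, leaves `latest` and the versioned tag pointing at different artifacts. A single build with two tag flags, e.g. `--tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) --tag $(REPO)/$(KYVERNO_IMAGE):latest`, pushes one manifest under both tags and also halves the build time. Separately, `--progress plane` on every buildx line looks like a typo for `--progress plain` (auto, plain and tty are the documented modes); the buildx releases I know of fall back silently rather than failing, so worth confirming before relying on plain log output in CI. The docker-publish-* targets that docker-publish-all depends on are outside the hunk.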


@ -18,8 +18,6 @@ RUN go env
RUN CGO_ENABLED=0 go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/
RUN useradd -u 10001 kyverno
# Packaging stage
FROM scratch
@ -28,6 +26,6 @@ LABEL maintainer="Kyverno"
COPY --from=builder /output/kyverno /
COPY --from=builder /etc/passwd /etc/passwd
USER kyverno
USER 10001
ENTRYPOINT ["./kyverno"]
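Review bot: `COPY --from=builder /etc/passwd /etc/passwd` at the top of the second hunk is now dead weight: with `RUN useradd -u 10001 kyverno` removed, the copied file no longer contains a kyverno entry, and the numeric `USER 10001` needs no passwd lookup at all. What the copy still does is carry the builder image's entire account list (root and every system user) into a scratch image, so drop that line — or, if a named user is wanted for tooling, keep it together with the useradd. Note also that a bare `USER 10001` with no matching passwd entry gives the process a primary GID of 0 (the root group); `USER 10001:10001` is the least-privilege form unless the manifests set `runAsGroup`, and the manifest hunks in this commit do not show one.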


@ -18,8 +18,6 @@ RUN go env
RUN CGO_ENABLED=0 go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/
RUN useradd -u 10001 kyverno
# Packaging stage
FROM scratch
@ -28,6 +26,6 @@ LABEL maintainer="Kyverno"
COPY --from=builder /output/kyvernopre /
COPY --from=builder /etc/passwd /etc/passwd
USER kyverno
USER 10001
ENTRYPOINT ["./kyvernopre"]
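Review bot: `USER 10001` in the second hunk sets only the UID; with the kyverno passwd entry gone along with the removed `useradd`, the runtime cannot resolve a primary group for 10001 and kyvernopre runs with GID 0, the root group. Use `USER 10001:10001` so the group is non-root as well, or set `runAsGroup` in the kyvernopre securityContext — the manifest hunks in this commit do not show one. The `COPY --from=builder /etc/passwd /etc/passwd` line just above is unnecessary for the same reason and only carries the builder's account list into the scratch image; it can go.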


@ -18,8 +18,6 @@ RUN go env
RUN CGO_ENABLED=0 go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
RUN useradd -u 10001 kyverno
# Packaging stage
FROM scratch
@ -28,6 +26,6 @@ LABEL maintainer="Kyverno"
COPY --from=builder /output/kyverno /
COPY --from=builder /etc/passwd /etc/passwd
USER kyverno
USER 10001
ENTRYPOINT ["./kyverno"]
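Review bot: The webhook process ends up as UID 10001 but GID 0, because `USER 10001` names no group and the passwd entry that used to supply one was removed with the `useradd` line; `USER 10001:10001` (or `runAsGroup` in the deployment securityContext, which the manifest hunks here do not show) keeps the main container out of the root group. With the lookup no longer needed, `COPY --from=builder /etc/passwd /etc/passwd` only imports the builder's account database into the scratch image and should be dropped. As a point of style, `ENTRYPOINT ["./kyverno"]` relies on the working directory being `/` in the scratch stage; `ENTRYPOINT ["/kyverno"]` makes that explicit and matches the absolute path used in the COPY line.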


@ -2480,7 +2480,6 @@ spec:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
initContainers:
- image: ghcr.io/kyverno/kyvernopre:v1.3.4
imagePullPolicy: IfNotPresent
@ -2493,7 +2492,6 @@ spec:
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1000
securityContext:
runAsNonRoot: true
serviceAccountName: kyverno-service-account


@ -24,7 +24,6 @@ spec:
image: ghcr.io/kyverno/kyvernopre:latest
imagePullPolicy: IfNotPresent
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false
@ -57,7 +56,6 @@ spec:
- name: KYVERNO_SVC
value: kyverno-svc
securityContext:
runAsUser: 1000
runAsNonRoot: true
privileged: false
allowPrivilegeEscalation: false