
Dockerfile: add minimal image

Build a "minimal" variant of the nfd image based on
gcr.io/distroless/base. The motivations behind the minimal image are
image hardening (security) and reducing the image footprint (from ca.
108MB down to about 40MB).

The practical effect of deploying the minimal image is that no runtimes
for running worker hooks are present, not even a shell. This means that
only statically linked hook binaries are supported. Also, because
of the image hardening, live debugging of the minimal image by attaching
to the container is not possible; the "full" image needs to be used
for that purpose.
This commit is contained in:
Markus Lehtonen 2021-03-09 11:53:52 +02:00
parent 4c5285d9ed
commit 8fb58a178a
2 changed files with 27 additions and 7 deletions


@ -19,8 +19,20 @@ RUN make install VERSION=$VERSION HOSTMOUNT_PREFIX=$HOSTMOUNT_PREFIX
RUN make test
# Create production image for running node feature discovery
FROM debian:buster-slim
# Create full variant of the production image
FROM debian:buster-slim as full
# Run as unprivileged user
USER 65534:65534
# Use more verbose logging of gRPC
ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
COPY --from=builder /go/node-feature-discovery/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
COPY --from=builder /go/bin/* /usr/bin/
# Create minimal variant of the production image
FROM gcr.io/distroless/base as minimal
# Run as unprivileged user
USER 65534:65534
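Review bot: The new `FROM gcr.io/distroless/base as minimal` line pulls an unpinned image (no tag, so it resolves to `latest`), and `FROM debian:buster-slim as full` likewise floats, so the production images are not reproducible and a compromised or changed upstream tag flows straight into a release; pin both by digest, e.g. `FROM gcr.io/distroless/base:<TAG>@sha256:<DIGEST> as minimal` (placeholders to be filled from the registry). The hunk ends right after `USER 65534:65534` in the minimal stage, so the `COPY --from=builder` lines for that stage are presumably outside the hunk; it is worth confirming they copy only the binaries and config and nothing writable, since the stage offers no shell to inspect it later. If the nfd binaries are built with CGO disabled, `gcr.io/distroless/static` would also drop glibc from the minimal image, but I cannot tell from the hunk whether they link against libc, so that should be verified before switching.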


@ -72,10 +72,17 @@ install:
image: yamls
$(IMAGE_BUILD_CMD) --build-arg VERSION=$(VERSION) \
--build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
-t $(IMAGE_TAG) \
$(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)) \
$(IMAGE_BUILD_EXTRA_OPTS) ./
--target full \
--build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
-t $(IMAGE_TAG) \
$(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)) \
$(IMAGE_BUILD_EXTRA_OPTS) ./
$(IMAGE_BUILD_CMD) --build-arg VERSION=$(VERSION) \
--target minimal \
--build-arg HOSTMOUNT_PREFIX=$(CONTAINER_HOSTMOUNT_PREFIX) \
-t $(IMAGE_TAG)-minimal \
$(foreach tag,$(IMAGE_EXTRA_TAGS),-t $(tag)-minimal) \
$(IMAGE_BUILD_EXTRA_OPTS) ./
yamls: $(yaml_instances)
@ -138,7 +145,8 @@ e2e-test:
push:
$(IMAGE_PUSH_CMD) $(IMAGE_TAG)
for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; done
$(IMAGE_PUSH_CMD) $(IMAGE_TAG)-minimal
for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; $(IMAGE_PUSH_CMD) $$tag-minimal; done
poll-image:
set -e; \
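Review bot: In the `push` recipe the new loop `for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag; $(IMAGE_PUSH_CMD) $$tag-minimal; done` joins the two pushes with `;`, so a failed push of either image (or of any tag but the last) is ignored and `make push` still exits 0, leaving a release with missing or half-pushed tags undetected; the pre-existing line had the same weakness, but the change doubles the number of silently ignorable failures. I would write it as `for tag in $(IMAGE_EXTRA_TAGS); do $(IMAGE_PUSH_CMD) $$tag && $(IMAGE_PUSH_CMD) $$tag-minimal || exit 1; done` so the recipe fails on the first error. In the `image` target the `--build-arg` and `$(IMAGE_BUILD_EXTRA_OPTS)` block is now duplicated verbatim across the `full` and `minimal` invocations; factoring it into a single `image_build_args` variable would keep the two builds from drifting apart. The `poll-image` recipe continues past the end of this hunk.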