mirror of
https://github.com/kubernetes-sigs/node-feature-discovery.git
synced 2024-12-14 11:57:51 +00:00
8fb58a178a
Build a "minimal" variant of the nfd image based on gcr.io/distroless/base. The motivations behind the minimal image are image hardening (security) and reducing the image footprint (from ca. 108MB down to about 40MB). The practical effect of deploying the minimal image is that no runtimes for running worker hooks are present, not even a shell. This means that only statically linked linked hook binaries are supported. Also, because of the image hardening live debugging of the minimal image by attaching to the container is not possible, and, the "full" image needs to be used for that purpose.
44 lines
1.1 KiB
Docker
44 lines
1.1 KiB
Docker
# Build node feature discovery
|
|
FROM golang:1.15.5-buster as builder
|
|
|
|
# Get (cache) deps in a separate layer
|
|
COPY go.mod go.sum /go/node-feature-discovery/
|
|
|
|
WORKDIR /go/node-feature-discovery
|
|
|
|
RUN go mod download
|
|
|
|
# Do actual build
|
|
COPY . /go/node-feature-discovery
|
|
|
|
ARG VERSION
|
|
ARG HOSTMOUNT_PREFIX
|
|
|
|
RUN make install VERSION=$VERSION HOSTMOUNT_PREFIX=$HOSTMOUNT_PREFIX
|
|
|
|
RUN make test
|
|
|
|
|
|
# Create full variant of the production image
|
|
FROM debian:buster-slim as full
|
|
|
|
# Run as unprivileged user
|
|
USER 65534:65534
|
|
|
|
# Use more verbose logging of gRPC
|
|
ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
|
|
|
|
COPY --from=builder /go/node-feature-discovery/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
|
|
COPY --from=builder /go/bin/* /usr/bin/
|
|
|
|
# Create minimal variant of the production image
|
|
FROM gcr.io/distroless/base as minimal
|
|
|
|
# Run as unprivileged user
|
|
USER 65534:65534
|
|
|
|
# Use more verbose logging of gRPC
|
|
ENV GRPC_GO_LOG_SEVERITY_LEVEL="INFO"
|
|
|
|
COPY --from=builder /go/node-feature-discovery/nfd-worker.conf.example /etc/kubernetes/node-feature-discovery/nfd-worker.conf
|
|
COPY --from=builder /go/bin/* /usr/bin/
|