Dockerfile: remove SHELL for OCI compliance
Currently the image can't be built e.g. with podman unless
`--format=docker` is used, because SHELL isn't in the OCI
spec - we can remove it and instead specify the shell directly
in the RUN.
Steven Hardy committed Feb 1, 2023
1 parent 669dd8d commit ebce7c8
Showing 1 changed file with 1 addition and 3 deletions.
4 changes: 1 addition & 3 deletions Dockerfile
Expand Up @@ -53,16 +53,14 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static:debug
SHELL ["/busybox/sh", "-c"]
WORKDIR /
COPY --from=builder /etc/ssl/certs /etc/ssl/certs
COPY --from=builder workspace/bin/kcp-front-proxy workspace/bin/kcp workspace/bin/virtual-workspaces /
COPY --from=builder workspace/bin/kubectl-* /usr/local/bin/
COPY --from=builder workspace/bin/kubectl /usr/local/bin/
ENV KUBECONFIG=/etc/kcp/config/admin.kubeconfig
# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
RUN mkdir -p /data && \
chown 65532:65532 /data
RUN ["/busybox/sh", "-c", "mkdir -p /data && chown 65532:65532 /data"]
USER 65532:65532
WORKDIR /data
VOLUME /data
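
Review bot: The new exec-form `RUN ["/busybox/sh", "-c", ...]` near the end of the final stage hard-codes a shell path that exists only because the base is `gcr.io/distroless/static:debug`, so the runtime image stays tied to a shell-bearing debug base just to create and chown one directory. Consider creating `/data` in the builder stage and bringing it across with `COPY --from=builder --chown=65532:65532 /data /data`, which needs no shell in this stage and would allow the base to move to the non-debug tag. If the shell is kept on purpose, a one-line comment above the RUN saying that the exec form is used because SHELL is not part of the OCI image spec would keep a later cleanup from reverting it to shell form.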