Backend - Starting the api-server container build from scratch (#1699)

* Backend - Starting the container build from scratch This reduces the image size, reduces the attack surface and avoids security vulnerabilities. Fixes #1545 * Starting building other controller images from scratch
kubeflow · Aug 2, 2019 · 24347fb · 24347fb
1 parent e8a6feb
commit 24347fb
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 8 deletions.
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -1,7 +1,7 @@
 FROM l.gcr.io/google/bazel:0.24.0 as builder
 
 RUN apt-get update && \
-  apt-get install -y cmake clang musl-dev openssl
+  apt-get install -y cmake clang musl-dev openssl ca-certificates
 WORKDIR /go/src/github.com/kubeflow/pipelines
 
 COPY WORKSPACE WORKSPACE
@@ -31,7 +31,7 @@ COPY ./samples .
 #The "for" loop breaks on all whitespace, so we either need to override IFS or use the "read" command instead.
 RUN  find . -maxdepth 3 -name '*.py' -type f | while read pipeline; do dsl-compile --py "$pipeline" --output "$pipeline.tar.gz"; done
 
-FROM debian:stretch
+FROM scratch
 
 ARG COMMIT_SHA=unknown
 ENV COMMIT_SHA=${COMMIT_SHA}
@@ -45,7 +45,7 @@ COPY backend/src/apiserver/config/ /config
 COPY --from=compiler /samples/ /samples/
 
 # Adding CA certificate so API server can download pipeline through URL
-RUN apt-get update && apt-get install -y ca-certificates
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
 
 # Expose apiserver port
 EXPOSE 8888

diff --git a/backend/Dockerfile.persistenceagent b/backend/Dockerfile.persistenceagent
@@ -9,7 +9,7 @@ RUN apk update && apk upgrade && \
 
 RUN GO111MODULE=on go build -o /bin/persistence_agent backend/src/agent/persistence/*.go
 
-FROM alpine:3.8
+FROM scratch
 WORKDIR /bin
 
 COPY --from=builder /bin/persistence_agent /bin/persistence_agent

diff --git a/backend/Dockerfile.scheduledworkflow b/backend/Dockerfile.scheduledworkflow
@@ -9,12 +9,11 @@ RUN apk update && apk upgrade && \
 
 RUN GO111MODULE=on go build -o /bin/controller backend/src/crd/controller/scheduledworkflow/*.go
 
-FROM alpine:3.8
+FROM scratch
 WORKDIR /bin
 
 COPY --from=builder /bin/controller /bin/controller
 COPY --from=builder /go/src/github.com/kubeflow/pipelines/third_party/license.txt /bin/license.txt
-RUN chmod +x /bin/controller
 
 ENV NAMESPACE ""
 

diff --git a/backend/Dockerfile.viewercontroller b/backend/Dockerfile.viewercontroller
@@ -9,15 +9,14 @@ COPY . .
 RUN go mod vendor
 RUN go build -o /bin/controller backend/src/crd/controller/viewer/*.go
 
-FROM alpine
+FROM scratch
 WORKDIR /src
 COPY --from=builder /src/github.com/kubeflow/pipelines/vendor vendor
 
 WORKDIR /bin
 
 COPY --from=builder /bin/controller /bin/controller
 COPY --from=builder /src/github.com/kubeflow/pipelines/third_party/license.txt /bin/license.txt
-RUN chmod +x /bin/controller
 
 ENV MAX_NUM_VIEWERS "50"
 ENV NAMESPACE "kubeflow"