From 65ad20cd8e30476af5075ea3d7601597bd45cb62 Mon Sep 17 00:00:00 2001
From: Eddie Torres
Date: Tue, 10 May 2022 22:56:41 +0000
Subject: [PATCH] Use distroless base image for linux builds
Signed-off-by: Eddie Torres
---
 Dockerfile | 50 +++++++++++++++++++++++++++++++++++++-------------
 Makefile | 9 ++++-----
 2 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6098b5e706..6b76fad002 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,21 +22,45 @@ ARG TARGETOS ARG TARGETARCH RUN OS=$TARGETOS ARCH=$TARGETARCH make $TARGETOS/$TARGETARCH -FROM amazonlinux:2 AS linux-amazon -RUN yum update -y && \ - yum install ca-certificates e2fsprogs xfsprogs util-linux -y && \ - yum clean all -COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver /bin/aws-ebs-csi-driver -ENTRYPOINT ["/bin/aws-ebs-csi-driver"] +FROM k8s.gcr.io/build-image/debian-base:buster-v1.9.0 as debian +RUN clean-install util-linux e2fsprogs mount ca-certificates udev xfsprogs +RUN ln -sf /lib/aarch64-linux-gnu/ /lib/arm64-linux-gnu +RUN ln -sf /lib/x86_64-linux-gnu/ /lib/amd64-linux-gnu -FROM mcr.microsoft.com/windows/servercore:1809 AS windows-1809 -COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver.exe /aws-ebs-csi-driver.exe -ENTRYPOINT ["/aws-ebs-csi-driver.exe"] +FROM gcr.io/distroless/base-debian11 as linux-distroless +ARG TARGETARCH +ENV LIB_DIRECTORY=/lib/${TARGETARCH}-linux-gnu +COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver /bin/aws-ebs-csi-driver +COPY --from=debian /sbin/blkid \ + /sbin/blockdev \ + /sbin/dumpe2fs \ + /sbin/resize2fs \ + /sbin/fsck* \ + /sbin/mkfs* \ + /sbin/ +COPY --from=debian /usr/sbin/xfs_* /usr/sbin/ +COPY --from=debian /bin/umount /bin/umount -FROM mcr.microsoft.com/windows/servercore:20H2 AS windows-20H2 -COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver.exe /aws-ebs-csi-driver.exe -ENTRYPOINT ["/aws-ebs-csi-driver.exe"] +COPY --from=debian ${LIB_DIRECTORY}/libblkid.so.1 \ + ${LIB_DIRECTORY}/libcom_err.so.2 \ + ${LIB_DIRECTORY}/libc.so.6 \ + ${LIB_DIRECTORY}/libdevmapper.so.1.02.1 \ + ${LIB_DIRECTORY}/libdl.so.2 \ + ${LIB_DIRECTORY}/libe2p.so.2 \ + ${LIB_DIRECTORY}/libext2fs.so.2 \ + ${LIB_DIRECTORY}/libmount.so.1 \ + ${LIB_DIRECTORY}/libm.so.6 \ + ${LIB_DIRECTORY}/libpcre.so.3 \ + ${LIB_DIRECTORY}/libpthread.so.0 \ 
+ ${LIB_DIRECTORY}/libreadline.so.5 \ + ${LIB_DIRECTORY}/librt.so.1 \ + ${LIB_DIRECTORY}/libselinux.so.1 \ + ${LIB_DIRECTORY}/libtinfo.so.6 \ + ${LIB_DIRECTORY}/libudev.so.1 \ + ${LIB_DIRECTORY}/libuuid.so.1 \ + ${LIB_DIRECTORY}/ +ENTRYPOINT ["/bin/aws-ebs-csi-driver"] FROM mcr.microsoft.com/windows/servercore:ltsc2019 AS windows-ltsc2019 COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver.exe /aws-ebs-csi-driver.exe -ENTRYPOINT ["/aws-ebs-csi-driver.exe"] +ENTRYPOINT ["/aws-ebs-csi-driver.exe"] \ No newline at end of file diff --git a/Makefile b/Makefile index 4e990a39cc..a90311a806 100644 --- a/Makefile +++ b/Makefile @@ -34,15 +34,15 @@ OUTPUT_TYPE?=docker OS?=linux ARCH?=amd64 -OSVERSION?=amazon +OSVERSION?=distroless ALL_OS?=linux windows ALL_ARCH_linux?=amd64 arm64 -ALL_OSVERSION_linux?=amazon +ALL_OSVERSION_linux?=distroless ALL_OS_ARCH_OSVERSION_linux=$(foreach arch, $(ALL_ARCH_linux), $(foreach osversion, ${ALL_OSVERSION_linux}, linux-$(arch)-${osversion})) ALL_ARCH_windows?=amd64 -ALL_OSVERSION_windows?=1809 20H2 ltsc2019 +ALL_OSVERSION_windows?=ltsc2019 ALL_OS_ARCH_OSVERSION_windows=$(foreach arch, $(ALL_ARCH_windows), $(foreach osversion, ${ALL_OSVERSION_windows}, windows-$(arch)-${osversion})) ALL_OS_ARCH_OSVERSION=$(foreach os, $(ALL_OS), ${ALL_OS_ARCH_OSVERSION_${os}}) @@ -96,7 +96,6 @@ sub-image-%: image: .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION) .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION): docker buildx build \ - --no-cache-filter=linux-amazon \ --platform=$(OS)/$(ARCH) \ --progress=plain \ --target=$(OS)-$(OSVERSION) \ 
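Review bot: The `linux-distroless` stage starts from `gcr.io/distroless/base-debian11` with no tag or digest, while every tool and shared object copied into it comes from a `buster` (Debian 10) `debian-base` stage, so the final image mixes two Debian releases on a floating base. Copying `libc.so.6`, `libpthread.so.0`, `libdl.so.2`, `libm.so.6` and `librt.so.1` from buster alongside the base image's own glibc and loader risks a version mismatch at run time, and because no package metadata travels with these files, image scanners will most likely not report vulnerabilities in them. The destination `${LIB_DIRECTORY}/` resolves to `/lib/amd64-linux-gnu/` or `/lib/arm64-linux-gnu/`, and the hunk creates those symlinks only in the `debian` stage, so it is worth confirming that the loader in the final stage actually finds the copied libraries. I would pin both bases by digest, e.g. `FROM gcr.io/distroless/base-debian11@sha256:<digest> AS linux-distroless`, take the tools from a `debian-base` build of the same release as the distroless base, and add a comment above the library list recording which binary needs each entry.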
@@ -234,4 +233,4 @@ generate-kustomize: bin/helm
 cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/node.yaml > ../../deploy/kubernetes/base/node.yaml
 cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/poddisruptionbudget-controller.yaml > ../../deploy/kubernetes/base/poddisruptionbudget-controller.yaml
 cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/serviceaccount-csi-controller.yaml > ../../deploy/kubernetes/base/serviceaccount-csi-controller.yaml
- cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/serviceaccount-csi-node.yaml > ../../deploy/kubernetes/base/serviceaccount-csi-node.yaml
+ cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/serviceaccount-csi-node.yaml > ../../deploy/kubernetes/base/serviceaccount-csi-node.yaml
\ No newline at end of file