From 7edd17307c937a1ce60db216c18be5921ae71f80 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Wed, 17 Feb 2021 01:26:54 -0800
Subject: [PATCH 1/2] Apply cap_net_bind_service to kube-apiserver binary.
---
 build/lib/release.sh | 17 ++++++++++--
 build/server-image/kube-apiserver/Dockerfile | 27 ++++++++++++++++++++
 2 files changed, 42 insertions(+), 2 deletions(-)
 create mode 100644 build/server-image/kube-apiserver/Dockerfile
diff --git a/build/lib/release.sh b/build/lib/release.sh
index 58383cede7a9..36d534a81b3c 100644
--- a/build/lib/release.sh
+++ b/build/lib/release.sh
@@ -218,6 +218,12 @@ function kube::release::package_node_tarballs() {
 function kube::release::build_server_images() {
 # Clean out any old images
 rm -rf "${RELEASE_IMAGES}"
+
+ export DOCKER_CLI_EXPERIMENTAL=enabled
+ docker run --rm --privileged multiarch/qemu-user-static:5.2.0-2 --reset -p yes
+ docker buildx rm kube-server-image-builder || true
+ docker buildx create --use --name=kube-server-image-builder
+
 local platform
 for platform in "${KUBE_SERVER_PLATFORMS[@]}"; do
 local platform_tag
@@ -239,6 +245,8 @@ function kube::release::build_server_images() {
 kube::release::create_docker_images_for_server "${release_stage}/server/bin" "${arch}"
 done
+
+ docker buildx rm kube-server-image-builder
 }
 # Package up all of the server binaries
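Review bot: `docker run --rm --privileged multiarch/qemu-user-static:5.2.0-2 --reset -p yes` pulls a third-party image by mutable tag and runs it privileged on the release host, where `--reset -p yes` rewrites the host's binfmt_misc registrations, so the release build now depends on and alters host state outside the repository; if the qemu step is kept, pin the image by digest and document the host-side effect. `docker buildx create --use` also switches the invoking user's default builder, and the `docker buildx rm kube-server-image-builder` in the next hunk only runs when the loop completes, so a failed build leaves the temporary builder selected; a `trap 'docker buildx rm kube-server-image-builder' RETURN` right after the create would cover that path. PATCH 2/2 in this series removes these lines again, so this applies only if the qemu/buildx approach is revisited.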
@@ -364,9 +372,14 @@ function kube::release::create_docker_images_for_server() {
 local base_image=${wrappable##*,}
 local binary_file_path="${binary_dir}/${binary_name}"
 local docker_build_path="${binary_file_path}.dockerbuild"
- local docker_file_path="${KUBE_ROOT}/build/server-image/Dockerfile"
 local docker_image_tag="${docker_registry}/${binary_name}-${arch}:${docker_tag}"
+ local docker_file_path="${KUBE_ROOT}/build/server-image/Dockerfile"
+ # If this binary has its own Dockerfile use that else use the generic Dockerfile.
+ if [[ -f "${KUBE_ROOT}/build/server-image/${binary_name}/Dockerfile" ]]; then
+ docker_file_path="${KUBE_ROOT}/build/server-image/${binary_name}/Dockerfile"
+ fi
+
 kube::log::status "Starting docker build for image: ${binary_name}-${arch}"
 (
 rm -rf "${docker_build_path}"
@@ -402,7 +415,7 @@ function kube::release::create_docker_images_for_server() {
 kube::log::status "Deleting docker image ${docker_image_tag}"
 "${DOCKER[@]}" rmi "${docker_image_tag}" &>/dev/null || true
- ) &
+ )
 done
 if [[ "${KUBE_BUILD_CONFORMANCE}" =~ [yY] ]]; then
diff --git a/build/server-image/kube-apiserver/Dockerfile b/build/server-image/kube-apiserver/Dockerfile
new file mode 100644
index 000000000000..2762a04c7376
--- /dev/null
+++ b/build/server-image/kube-apiserver/Dockerfile
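Review bot: The per-binary Dockerfile path is spelled out twice in the new `if` block of `create_docker_images_for_server`, once in the `[[ -f ... ]]` test and once in the assignment, so the two can drift apart on a future edit; a single `local binary_docker_file="${KUBE_ROOT}/build/server-image/${binary_name}/Dockerfile"` followed by `if [[ -f "${binary_docker_file}" ]]; then docker_file_path="${binary_docker_file}"; fi` keeps one source of truth. Since `binary_name` is derived from `wrappable` above the hunk and from this hunk alone I cannot confirm it is limited to the fixed server-binary list, a one-line comment stating that only in-tree binaries reach this lookup would help the next reader. The function starts and ends outside the hunk.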
@@ -0,0 +1,27 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file create the kube-apiserver image.
+ARG BASEIMAGE
+
+FROM k8s.gcr.io/build-image/setcap:buster-v1.4.0
+ARG BINARY
+COPY ${BINARY} /${BINARY}
+# We apply cap_net_bind_service so that kube-apiserver can be run as
+# non-root and still listen on port less than 1024
+RUN setcap cap_net_bind_service=+ep /${BINARY}
+
+FROM ${BASEIMAGE}
+ARG BINARY
+COPY --from=0 /${BINARY} /usr/local/bin/${BINARY}
From 87f5ee31bda8294ef02bd362d5dbce46285176aa Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Thu, 18 Feb 2021 19:56:55 -0800
Subject: [PATCH 2/2] Check if the current builder supports multi-arch.
---
 build/lib/release.sh | 10 +---------
 build/server-image/kube-apiserver/Dockerfile | 7 ++++---
 2 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/build/lib/release.sh b/build/lib/release.sh
index 36d534a81b3c..6e8e1ab24538 100644
--- a/build/lib/release.sh
+++ b/build/lib/release.sh
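Review bot: Nothing in this Dockerfile or the release script verifies that the `security.capability` xattr written by `setcap` in the first stage survives the `COPY --from=0` into the final image; whether a cross-stage COPY preserves file capabilities depends on the builder and storage driver, and a silent loss would leave kube-apiserver unable to bind ports below 1024 as non-root without any build error. A `getcap /usr/local/bin/${BINARY}` check in the release image verification would make such a regression visible. The anonymous stage referenced as `COPY --from=0` would also read better named, e.g. `FROM k8s.gcr.io/build-image/setcap:buster-v1.4.0 AS setcap` and `COPY --from=setcap /${BINARY} /usr/local/bin/${BINARY}`. The header comment has a typo: `# This file creates the kube-apiserver image.`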
@@ -218,12 +218,6 @@ function kube::release::package_node_tarballs() {
 function kube::release::build_server_images() {
 # Clean out any old images
 rm -rf "${RELEASE_IMAGES}"
-
- export DOCKER_CLI_EXPERIMENTAL=enabled
- docker run --rm --privileged multiarch/qemu-user-static:5.2.0-2 --reset -p yes
- docker buildx rm kube-server-image-builder || true
- docker buildx create --use --name=kube-server-image-builder
-
 local platform
 for platform in "${KUBE_SERVER_PLATFORMS[@]}"; do
 local platform_tag
@@ -245,8 +239,6 @@ function kube::release::build_server_images() {
 kube::release::create_docker_images_for_server "${release_stage}/server/bin" "${arch}"
 done
-
- docker buildx rm kube-server-image-builder
 }
 # Package up all of the server binaries
@@ -415,7 +407,7 @@ function kube::release::create_docker_images_for_server() {
 kube::log::status "Deleting docker image ${docker_image_tag}"
 "${DOCKER[@]}" rmi "${docker_image_tag}" &>/dev/null || true
- )
+ ) &
 done
 if [[ "${KUBE_BUILD_CONFORMANCE}" =~ [yY] ]]; then
diff --git a/build/server-image/kube-apiserver/Dockerfile b/build/server-image/kube-apiserver/Dockerfile
index 2762a04c7376..6bbaf566754a 100644
--- a/build/server-image/kube-apiserver/Dockerfile
+++ b/build/server-image/kube-apiserver/Dockerfile
@@ -14,14 +14,15 @@
 # This file create the kube-apiserver image.
 ARG BASEIMAGE
-
-FROM k8s.gcr.io/build-image/setcap:buster-v1.4.0
+# we use the hosts platform to apply the capabilities to avoid the need
+# to setup qemu for the builder.
+FROM --platform=linux/$BUILDARCH k8s.gcr.io/build-image/setcap:buster-v1.4.0
 ARG BINARY
 COPY ${BINARY} /${BINARY}
 # We apply cap_net_bind_service so that kube-apiserver can be run as
 # non-root and still listen on port less than 1024
 RUN setcap cap_net_bind_service=+ep /${BINARY}
-FROM ${BASEIMAGE}
+FROM --platform=linux/$TARGETARCH ${BASEIMAGE}
 ARG BINARY
 COPY --from=0 /${BINARY} /usr/local/bin/${BINARY}
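Review bot: The commit subject promises a check that the current builder supports multi-arch, but the `build/lib/release.sh` hunks only delete the qemu/buildx setup in `build_server_images` and restore `) &`; no such check is added. The Dockerfile in this same commit now depends on the BuildKit-provided `BUILDARCH`/`TARGETARCH` args, so on a legacy builder those expand to empty and the `FROM --platform=linux/` lines would most likely fail or build for the wrong platform; an early guard here, e.g. `if ! "${DOCKER[@]}" buildx version &>/dev/null; then kube::log::error "docker buildx (BuildKit) is required to build server images"; return 1; fi`, or an explicit `export DOCKER_BUILDKIT=1`, would make the requirement enforceable instead of implicit. The function continues outside the hunk.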
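Review bot: `FROM --platform=linux/$TARGETARCH ${BASEIMAGE}` only selects the intended base when the `docker build` invocation passes `--platform` for the target; otherwise `TARGETARCH` defaults to the build host's architecture and the final stage pairs a host-arch base image with the cross-compiled `${BINARY}` for `arch`, and from these hunks I cannot tell whether `build/lib/release.sh` passes `--platform`. `BUILDARCH` and `TARGETARCH` are also BuildKit-only automatic args, so the file now carries an undocumented builder requirement; a comment such as `# Requires BuildKit: BUILDARCH/TARGETARCH are set by the builder, and TARGETARCH must match the --platform passed by build/lib/release.sh` next to the first FROM would capture it. The two new FROM lines also use bare `$BUILDARCH`/`$TARGETARCH` while the rest of the file brace-quotes variables; `FROM --platform=linux/${BUILDARCH} k8s.gcr.io/build-image/setcap:buster-v1.4.0` and `FROM --platform=linux/${TARGETARCH} ${BASEIMAGE}` keep the style consistent.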