Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images #1495
Conversation
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
@JimBugwadia / @chipzoller / @realshuting Please take a look.
/kind feature
You don't need to use alpine to get the non-root results. In the build stage, put the
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Thanks, @chipzoller for reviewing this PR, I reverted to
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
@rajdas98 thanks for the contribution! It looks good to me.
@rajdas98 Have you tested this build process after these commits to ensure the container runs as this user/UID?
Yes @chipzoller
@chipzoller Any other comments? Shall I merge this?
I have not yet tested this, however I am a bit unsure of the process that doesn't involve copying
I've built a test image locally for the kyverno container; it seems to work as expected, and I did not see any issue in the log.
The question isn't so much "will Kyverno run" but is it running as non-root? We don't build test cases for this, and switching the base temporarily to alpine to check isn't sufficient. It will need to be checked from the host side as well.
We have kyverno/definitions/install.yaml, lines 2390 to 2398 in 7d8c404.
Is there anything else we need to check?
Need to check running the image without those restrictions imposed to see if the image itself runs as non-root.
Hi @chipzoller, I have created the non-root docker file by copying

```dockerfile
# Multi-stage docker build
# Build stage
FROM golang:1.14 AS builder
LABEL maintainer="Kyverno"
# LD_FLAGS is passed as argument from Makefile. It will be empty, if no argument passed
ARG LD_FLAGS
ADD . /kyverno
WORKDIR /kyverno
RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
RUN useradd -u 10001 kyverno
# Packaging stage
FROM scratch
LABEL maintainer="Kyverno"
COPY --from=builder /output/kyverno /
COPY --from=builder /etc/passwd /etc/passwd
USER kyverno
ENTRYPOINT ["./kyverno"]
```
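The thread's concern is whether the final image really runs as a non-root UID, which depends on three things visible in the Dockerfile above: the last stage has a `USER`, that user resolves to a numeric UID at runtime (a `scratch` base has no `/etc/passwd`, so the builder's copy must be brought in), and that UID is not 0. The following is an added example, not part of the PR or of Kyverno's code: a small static checker that parses a Dockerfile, isolates the final stage, and resolves the `USER` against a passwd file. The `SAMPLE_DOCKERFILE` is the one posted above (labels dropped), and `SAMPLE_PASSWD` is a constructed stand-in for the builder stage's `/etc/passwd` after `useradd -u 10001 kyverno`.

```python
"""Static check: does the final stage of a multi-stage Dockerfile run as non-root?"""
import re

# Constructed sample input: the Dockerfile from the PR discussion, minus LABEL lines.
SAMPLE_DOCKERFILE = """\
# Build stage
FROM golang:1.14 AS builder
ARG LD_FLAGS
ADD . /kyverno
WORKDIR /kyverno
RUN CGO_ENABLED=0 GOOS=linux go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/
RUN useradd -u 10001 kyverno
# Packaging stage
FROM scratch
COPY --from=builder /output/kyverno /
COPY --from=builder /etc/passwd /etc/passwd
USER kyverno
ENTRYPOINT ["./kyverno"]
"""

# Constructed sample of the builder stage's /etc/passwd after `useradd -u 10001 kyverno`
# (assumption: a literal here; in practice it would be extracted from the builder image).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
kyverno:x:10001:10001::/home/kyverno:/bin/sh
"""


def parse_passwd(text):
    """Map user name -> numeric uid from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            users[fields[0]] = int(fields[2])
    return users


def final_stage(dockerfile):
    """Return [(INSTRUCTION, args)] for the last FROM stage; only that stage ships."""
    joined = re.sub(r"\\\n", " ", dockerfile)  # fold backslash line continuations
    stage = []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, args = line.partition(" ")
        if name.upper() == "FROM":
            stage = []  # a new stage starts; earlier stages never reach the final image
        stage.append((name.upper(), args.strip()))
    return stage


def check_non_root(dockerfile, builder_passwd):
    """Return (ok, uid, findings); ok is True only when the final stage runs as uid != 0."""
    stage = final_stage(dockerfile)
    findings = []
    user_lines = [args for name, args in stage if name == "USER"]
    if not user_lines:
        findings.append("final stage has no USER instruction: the process runs as root (uid 0)")
        return False, None, findings
    user = user_lines[-1].split(":")[0]  # USER <user>[:<group>]; the last USER wins
    if user.isdigit():
        uid = int(user)
    else:
        base = stage[0][1].split()[0].lower() if stage[0][0] == "FROM" else ""
        copies_passwd = any(name == "COPY" and args.endswith("/etc/passwd")
                            for name, args in stage)
        if base == "scratch" and not copies_passwd:
            findings.append("USER %s is a name, but scratch has no /etc/passwd and none is "
                            "copied in: the runtime cannot resolve it to a uid" % user)
        uid = parse_passwd(builder_passwd).get(user)
        if uid is None:
            findings.append("USER %s does not exist in the builder's /etc/passwd" % user)
    if uid == 0:
        findings.append("USER resolves to uid 0 (root)")
    return not findings, uid, findings


if __name__ == "__main__":
    ok, uid, findings = check_non_root(SAMPLE_DOCKERFILE, SAMPLE_PASSWD)
    print("non-root:", ok, "uid:", uid)
    for finding in findings:
        print(" -", finding)
```

The checker is intentionally strict about names: `USER kyverno` on a `scratch` base is only meaningful because `/etc/passwd` is copied from the builder, and dropping that `COPY` makes the image unrunnable rather than silently root. Using a numeric `USER 10001` sidesteps the lookup entirely, which is why it also passes. This complements, rather than replaces, the host-side check the reviewer asks for: the static result says what the image config declares, and only inspecting the running process confirms the effective UID.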
Thanks, looks good to me.
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Hi @realshuting, I have made the change according to @chipzoller. Please take a look. cc: @chipzoller
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
@rajdas98 Looks like one of the tests is stuck in pending state. Do you have a test image so that I can verify?
Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Yes, @realshuting, there was a minor typo in the dockerfile of the init container, but I fixed it in my last commit.
images:
@rajdas98 Seems like this PR builds the CLI image with the wrong registry name. The image should use Can you send a fix for this?
…non-root user to the docker images (#1495)
* Dockerfile refactored
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Adding non-root commands to docker images and enhanced the dockerfiles
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing base image to scratch
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* Minor typo fix
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* changing dockerfiles to use /etc/passwd to use non-root user'
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
* minor typo
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* initial commit for api server lookups
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* initial commit for API server lookups
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Enhancing dockerfiles (multi-stage) of kyverno components and adding non-root user to the docker images (#1495)
  * Dockerfile refactored
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  * Adding non-root commands to docker images and enhanced the dockerfiles
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  * changing base image to scratch
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  * Minor typo fix
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  * changing dockerfiles to use /etc/passwd to use non-root user'
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  * minor typo
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  * minor typo
    Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* revert cli image name (#1507)
  Signed-off-by: Raj Babu Das <mail.rajdas@gmail.com>
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* Refactor resourceCache; Reduce throttling requests (background controller) (#1500)
  * skip sending API request for filtered resource
  * fix PR comment
    Signed-off-by: Shuting Zhao <shutting06@gmail.com>
  * fixes #1490
    Signed-off-by: Shuting Zhao <shutting06@gmail.com>
  * fix bug - namespace is not returned properly
    Signed-off-by: Shuting Zhao <shutting06@gmail.com>
  * reduce throttling - list resource using lister
  * refactor resource cache
  * fix test
    Signed-off-by: Shuting Zhao <shutting06@gmail.com>
  * fix label selector
    Signed-off-by: Shuting Zhao <shutting06@gmail.com>
  * fix build failure
    Signed-off-by: Shuting Zhao <shutting06@gmail.com>
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix merge issues
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* fix unit test
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
* add nil check for API client
  Signed-off-by: Jim Bugwadia <jim@nirmata.com>
Co-authored-by: Raj Babu Das <mail.rajdas@gmail.com>
Co-authored-by: shuting <shutting06@gmail.com>
Changes
* [Multi-stage] Adding multi-stage docker build of the following docker images
* [Non-root] Base image changed from scratch to alpine (because a non-root user can't be added in a scratch image). Following is the screenshot of the user inside the kyverno pod (which is a non-root user)
* [Size] Image sizes
* [Makefile] Refactoring docker build step in Makefile to accommodate the new docker file changes
Related issue
What type of PR is this?
Proposed changes
Checklist
works.
Further comments