CSPL-3064: Support for Distroless Image Creation in Splunk Operator for Kubernetes #1421
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
added 2 commits
January 7, 2025 12:20
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
rlieberman-splunk
approved these changes
Jan 7, 2025
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
|
Not sure about the CR tag name in merge-develop-to-main workflow, distroless should probably be at the end of the tag. |
Signed-off-by: Vivek Reddy <vivekrsplunk@github.com>
akondur
approved these changes
Jan 27, 2025
| --build-arg BASE_IMAGE_VERSION="${BASE_IMAGE_VERSION}" \ | ||
| --tag "${IMG}" -f Dockerfile . | ||
| fi; \ | ||
| if echo "$(BASE_IMAGE)" | grep -q "distroless"; then \ |
There was a problem hiding this comment.
Should we add a parameter here to pass the dockerfile used to build? If we change the file names in the future, it might be easier to incorporate the change.
rlieberman-splunk
approved these changes
Jan 27, 2025
|
Tests actually pased here -> https://github.com/splunk/splunk-operator/actions/runs/12999543813/job/36255541155 |
rlieberman-splunk
added a commit
that referenced
this pull request
Feb 3, 2025
* Use docker-buildx and make smoke tests run * Add a '.' * Test again * Change env variable value * Trigger int testing * Minimize changes only to smoke tests to start with * Initial changes for graviton smoke tests * Try this * Add the argument again * Try passing build arguments * Add a default value * Hardcode * Change tag * Pull locally * Don't push for graviton * Display operator image * Change eks instance type * Dump version * Describe * Don't need to tag for graviton * Re-run change kust * Avoid describe * Enable everything and try again * Remove push-latest, re-run pipelines * Re-run tests * Enable int tests * Update error logs * Further enhance * Don't use platform in FROM in dockerfile, remove TARGETOSIMAGE, ignore int tests for now * Trigger int and smoke as well * Pull image fix - int tests * Set graviton to true int tests * Re-trigger * Trigger * Re-trigger * Disable int tests for now. * Avoid vul testing for graviton for now * Add support for Ubuntu * Pass as build arg * Echo BASE_OS * Address review comments * Fix docker builds * Change logic for Ubuntu * Test package version * Run without package versions * Fix unattended-upgrades * Build for amd64 as well for pipelines * Remove space * Change to AS * Trigger for 9.2.4 AL2023 ARM * Try installing certificates on SOK container * Trigger both arm and ubuntu. Add cert for ubuntu * Trigger workflows for 9.2.4 AL2023 ARM64 * trigger AL2023 build for splunk 9.2.4 * trigger AL2023 build for splunk 9.3.2 * trigger Ubuntu build for splunk 9.2.4 * trigger Ubuntu build for splunk 9.3.2 * trigger AL2023 build for splunk 9.2.4 * use new label to test app framework tests that hang during teardown * use shorter label for testing tag * trigger integration test for PR * trigger rebuild of sok images for arm64 architectures * trigger rebuild for sok container on linux arm64 * remove build and test workflow for now * trigger rebuild for sok container on ubuntu arm64 * separate suite tag for failing test * get correct standalone for readiness checks * get correct standalone for readiness checks * add sleep for managermc1 failing test case * dump splunk version during consistently check for search head cluster * clean up new workflows * merge commit for pulling splunk enterprise image * re-enable test case, correct merge conflict * feat: [CSPL-3253]: Change default storageClassName value in PVC * add back feature branch for integration test workflow trigger * Initial changes to support deployer spec in SHC CRD * Integration testing enabled * Remove SHC updating phase check * Remove change splunk operator name step in integration test workflow * Trigger int testing again * Fix int test bug * remove specific branch to run integration tests * Add a comment, rename TC. * Add UT and return error if not deployer sts * Add node affinity as well. * [CSPL-3269] Change error log for clarification (#1422) * Change error log to info for clarification * update log statement * change log back to error, keep new contents * lowercase error message * Restore int-test workflow * CSPL-3156: Add kubectl-splunk Plugin for Executing Splunk Commands within Kubernetes Pods (#1407) * adding kubectl splunk plugin Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * Fix code scanning alert no. 32: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * added auto credentials Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * Fix code scanning alert no. 34: Clear-text logging of sensitive information Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> * modularized code with test Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding workflow for this Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding workflow for this Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding name to workflow Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding name to workflow Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding name to workflow Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding branch for test Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> --------- Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> Co-authored-by: Vivek Reddy <vivekrsplunk@github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: Arjun Kondur <69369319+akondur@users.noreply.github.com> * CSPL-2966: Feature: Manual App Updates per Custom Resource (CR) in Splunk Operator (#1395) * adding cr specific configmap Signed-off-by: Vivek Reddy <vivekr@splunk.com> * formatting changes * fallback * adding logic for manual update Signed-off-by: Vivek Reddy <vivekr@splunk.com> * working logic * commenting unit test for now * comment unit test for now * comment unit test in makefile * fixed field manualUpdate in per Cr config Signed-off-by: Vivek Reddy <vivekr@splunk.com> * add ownership to config * order changed for config creation * fix manualUpdate per CR * unit test cases fixed * CSPL-2983: doc changes Signed-off-by: Vivek Reddy <vivekr@splunk.com> * fixed unit test cases Signed-off-by: Vivek Reddy <vivekr@splunk.com> * uncomment unit test Signed-off-by: Vivek Reddy <vivekr@splunk.com> * adding go mod changes Signed-off-by: Vivek Reddy <vivekr@splunk.com> * some more changes to go sum * fixed mc list test case * fixed searchhead for dev merge Signed-off-by: Vivek Reddy <vivekr@splunk.com> * adding per cr changes Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * replaced test label Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * added few doc and code changes Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> --------- Signed-off-by: Vivek Reddy <vivekr@splunk.com> Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> Co-authored-by: Vivek Reddy <vivekrsplunk@github.com> * CSPL-3064: Support for Distroless Image Creation in Splunk Operator for Kubernetes (#1421) * adding support for distoless Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding document changes for distroless Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding github workflow for distroless Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding github workflow for distroless Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding github workflow for distroless Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * adding github workflow for distroless Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * Add workflow to push distroless image. * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Add - CSPL-3064 branch to triggers for Arm Distroless Smoke Test WorkFlow * Remove stuttering from name * Use correct distroless image name * Use correct distroless image name * Comment out vurneability-scan * Comment out vurneability-scan * Use correct naming convention in merge develop to main * Use sidecar in distroless int workflow. * Update manifest path * Update sidecar manifest * Add kustomize patch to deploy sidecar-debug * Fix kustomize * Fix command * Fix sidecar name * supporting debug pod in pipeline Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> * renamed sidecar name * Fix distroless-build-test-push-workflow.yml to not build for amd * Fix distroless build test push workflow * fix * comment vurn scan out * Update build push distro workflow * Update distorless-int-test-worfklow * Review suggestions * Remove empty lines from install.md * Remove running on CSPL-3064 --------- Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> Co-authored-by: Vivek Reddy <vivekrsplunk@github.com> Co-authored-by: igor.grzankowski <igor.grzankowski@splunk.com> Co-authored-by: Igor Grzankowski <igorg@splunk.com> * Splunk Operator 2.7.1 release (#1426) * [create-pull-request] automated change * additional changes * use consistent formatting in ChangeLog.md * bundle clusterserviceversion updates --------- Co-authored-by: rlieberman-splunk <rlieberman-splunk@users.noreply.github.com> Co-authored-by: rlieberman-splunk <rlieberman@splunk.com> * Update distroless RC and release tags (#1433) * update distroless docker image tag * publish distroless image on releas --------- Signed-off-by: Vivek Reddy <vivekrsplunk@github.com> Signed-off-by: Vivek Reddy <vivekr@splunk.com> Co-authored-by: Arjun Kondur <akondur@splunk.com> Co-authored-by: Arjun Kondur <69369319+akondur@users.noreply.github.com> Co-authored-by: rlieberman-splunk <rlieberman@splunk.com> Co-authored-by: Patryk Wasielewski <pwasiele@splunk.com> Co-authored-by: patrykw-splunk <patrykw@splunk.com> Co-authored-by: vivekr-splunk <94569031+vivekr-splunk@users.noreply.github.com> Co-authored-by: Vivek Reddy <vivekrsplunk@github.com> Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Co-authored-by: igor.grzankowski <igor.grzankowski@splunk.com> Co-authored-by: Igor Grzankowski <igorg@splunk.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: rlieberman-splunk <rlieberman-splunk@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds support for creating a distroless image for the Splunk Operator for Kubernetes alongside the existing UBI (Universal Base Image) image. Instead of replacing the UBI image, we will provide both UBI and distroless images to allow flexibility for different customer requirements. This enhancement improves security by reducing the attack surface of the operator container while maintaining compatibility with existing workflows.
Why This Change Is Needed
Currently, the Splunk Operator uses the UBI image, which includes a complete Linux environment with various tools and libraries that may not be necessary for running the operator. By supporting a distroless image, we can:
Changes Implemented
Makefile Update:
distrolessbase image is being used.docker-buildxtarget to support building both UBI and distroless images.-distrolesssuffix (<image-name>-distroless).Dockerfile Update:
Dockerfileto support building a distroless image.Dockerfile.distrolesswith only essential dependencies required for runtime.CI/CD Pipeline:
Documentation:
Benefits
Impact
Tasks Completed
Dockerfileand created a newDockerfile.distroless.Makefileto build both UBI and distroless images.Next Steps
How to Test
Build the UBI Image:
Build the Distroless Image:
Run Integration Tests:
Priority: High
This change enhances the security posture of the Splunk Operator and aligns with best practices for container image minimalism.
Reviewer Notes:
Please review the changes to the Dockerfile, Makefile, and CI/CD pipeline. Special attention should be given to the sidecar proposal for customer debugging.