Update Dockerfiles to use redhat ubi as base image
Signed-off-by: rksharma95 <[email protected]>
rksharma95 committed Aug 8, 2023
1 parent f58a36b commit b3ac47d
Showing 9 changed files with 120 additions and 30 deletions.
44 changes: 37 additions & 7 deletions Dockerfile
Expand Up @@ -17,16 +17,46 @@ WORKDIR /usr/src/KubeArmor/KubeArmor
RUN go install github.com/golang/protobuf/protoc-gen-go@latest
RUN make

### Make executable image
### build apparmor_parser binary

FROM alpine:3.17 as kubearmor
## debian:10 uses glibc2.28 version similar to ubi9
FROM debian:10 AS apparmor-builder
RUN apt-get update && apt-get install -y apparmor
RUN mkdir /tmp/apparmor && \
cp /sbin/apparmor_parser /tmp/apparmor/

RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories
### Make UBI-based executable image

RUN apk --no-cache update
RUN apk add apparmor@community apparmor-utils@community bash
FROM redhat/ubi9-minimal as kubearmor

ARG VERSION=latest

LABEL name="kubearmor" \
vendor="Accuknox" \
version=${VERSION} \
release=${VERSION} \
summary="kubearmor container image based on redhat ubi" \
description="KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \
(such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) \
at the system level."

RUN microdnf -y update && \
microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 shadow-utils libcap && \
microdnf clean all && \
rm -rf /var/cache/yum

COPY --from=builder /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
RUN groupadd --gid 1000 default \
&& useradd --uid 1000 --gid default --shell /bin/bash --create-home default

COPY LICENSE /licenses/license.txt
COPY --from=builder --chown=default:dafault /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
COPY --from=builder --chown=default:default /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
COPY --from=apparmor-builder /tmp/apparmor/apparmor_parser /usr/sbin/

RUN chmod u+s /usr/sbin/apparmor_parser
RUN setcap "cap_sys_admin=ep cap_ipc_lock=ep cap_sys_resource=ep cap_dac_override=ep cap_dac_read_search=ep" /KubeArmor/kubearmor

USER 1000
ENTRYPOINT ["/KubeArmor/kubearmor"]
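Review bot: `COPY --from=builder --chown=default:dafault …/kubearmor` misspells the group created two lines above; Docker resolves `--chown` names against the stage's `/etc/group`, so this step should fail with an unknown-group error (or, at best, leave the binary mis-owned) — it should read `COPY --from=builder --chown=default:default /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor`. The new base images are unpinned (`FROM redhat/ubi9-minimal`, `FROM debian:10`), which makes the image non-reproducible and means `microdnf -y update` silently pulls whatever is current; pin a specific tag plus `@sha256:` digest in both stages and bump deliberately. Note also that `chmod u+s /usr/sbin/apparmor_parser` leaves a setuid-root binary that any process in the container can execute, and the `setcap` line grants `cap_sys_admin`/`cap_dac_override` to the main binary — presumably so enforcement still works under `USER 1000`, but that intent deserves a comment, and file capabilities are only effective if the pod's securityContext still allows those capabilities.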


37 changes: 31 additions & 6 deletions Dockerfile.init
Expand Up @@ -2,15 +2,40 @@
# Copyright 2021 Authors of KubeArmor

### Make compiler image
FROM alpine:3.17 as kubearmor-init
FROM redhat/ubi9-minimal as kubearmor-init

RUN apk --no-cache update
RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories
RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories
ARG VERSION=latest

RUN apk --no-cache update
RUN apk --no-cache add bash git clang llvm make gcc bpftool@edge
LABEL name="kubearmor-init" \
vendor="Accuknox" \
version=${VERSION} \
release=${VERSION} \
summary="kubearmor-init container image based on redhat ubi" \
description="kubearmor-init image for kubearmor init container image"

RUN microdnf -y update && \
microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 shadow-utils git clang llvm make gcc libbpf tar gzip && \
microdnf clean all && \
rm -rf /var/cache/yum

# install bpftool
RUN arch=$(uname -m) bpftool_version=v7.2.0 && \
if [[ "$arch" == "aarch64" ]]; then \
arch=arm64; \
elif [[ "$arch" == "x86_64" ]]; then \
arch=amd64; \
fi && \
curl -LO https://github.com/libbpf/bpftool/releases/download/$bpftool_version/bpftool-$bpftool_version-$arch.tar.gz && \
tar -xzf bpftool-$bpftool_version-$arch.tar.gz -C /usr/local/bin && \
chmod +x /usr/local/bin/bpftool

RUN groupadd --gid 1000 default \
&& useradd --uid 1000 --gid default --shell /bin/bash --create-home default

COPY LICENSE /licenses/license.txt
COPY ./KubeArmor/BPF /KubeArmor/BPF/
COPY ./KubeArmor/build/compile.sh /KubeArmor/compile.sh
RUN chown -R default:default /KubeArmor

USER 1000
ENTRYPOINT ["/KubeArmor/compile.sh"]
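Review bot: The bpftool install fetches a release tarball with plain `curl -LO` and extracts it into `/usr/local/bin` with no integrity check and no `-f`, so a tampered or truncated download — or an HTML error page — is accepted silently, and the archive is left behind in the image layer. Verify the download against the `.sha256sum` file the libbpf/bpftool releases appear to publish next to each archive (or pin the expected digest in an `ARG`), fail on HTTP errors, and remove the tarball in the same `RUN`. `curl` is not in the `microdnf install` list and seems to work only because ubi9-minimal ships `curl-minimal`; a comment or an explicit install would make that dependency visible. As in the main Dockerfile, `FROM redhat/ubi9-minimal` carries no tag or digest.
```dockerfile
# install bpftool (pinned release, checksum-verified)
RUN arch=$(uname -m) bpftool_version=v7.2.0 && \
    if [[ "$arch" == "aarch64" ]]; then arch=arm64; elif [[ "$arch" == "x86_64" ]]; then arch=amd64; fi && \
    tarball="bpftool-$bpftool_version-$arch.tar.gz" && \
    base="https://github.com/libbpf/bpftool/releases/download/$bpftool_version" && \
    curl -fsSLO "$base/$tarball" && \
    curl -fsSLO "$base/$tarball.sha256sum" && \
    sha256sum -c "$tarball.sha256sum" && \
    tar -xzf "$tarball" -C /usr/local/bin && \
    chmod +x /usr/local/bin/bpftool && \
    rm -f "$tarball" "$tarball.sha256sum"
# … unchanged: user creation, COPY of BPF sources and compile.sh, USER/ENTRYPOINT …
```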
4 changes: 2 additions & 2 deletions KubeArmor/build/build_kubearmor.sh
Expand Up @@ -45,7 +45,7 @@ unset LABEL
# build a kubearmor image
DTAG="-t $REPO:$VERSION"
echo "[INFO] Building $DTAG"
cd $ARMOR_HOME/..; docker build $DTAG -f Dockerfile --target kubearmor . $LABEL
cd $ARMOR_HOME/..; docker build $DTAG -f Dockerfile --build-arg VERSION=$VERSION --target kubearmor . $LABEL

if [ $? != 0 ]; then
echo "[FAILED] Failed to build $REPO:$VERSION"
Expand All @@ -56,7 +56,7 @@ echo "[PASSED] Built $REPO:$VERSION"
# build a kubearmor-init image
DTAGINI="-t $REPO-init:$VERSION"
echo "[INFO] Building $DTAGINI"
cd $ARMOR_HOME/..; docker build $DTAGINI -f Dockerfile.init --target kubearmor-init . $LABEL
cd $ARMOR_HOME/..; docker build $DTAGINI -f Dockerfile.init --build-arg VERSION=$VERSION --target kubearmor-init . $LABEL

if [ $? != 0 ]; then
echo "[FAILED] Failed to build $REPO-init:$VERSION"
4 changes: 2 additions & 2 deletions KubeArmor/build/push_kubearmor.sh
Expand Up @@ -42,14 +42,14 @@ pwd

# push $REPO
echo "[INFO] Pushing $REPO:$VERSION"
cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor.json --platform $PLATFORMS -t $REPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor.json --platform $PLATFORMS --build-arg VERSION=$VERSION -t $REPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .

[[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO:$VERSION" && exit 1
echo "[PASSED] Pushed $REPO:$VERSION"

# push $REPO-init
echo "[INFO] Pushing $REPO-init:$VERSION"
cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-init.json --platform $PLATFORMS -t $REPO-init:$VERSION -f Dockerfile.init --push $LABEL $STABEL_LABEL .
cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-init.json --platform $PLATFORMS --build-arg VERSION=$VERSION -t $REPO-init:$VERSION -f Dockerfile.init --push $LABEL $STABEL_LABEL .

[[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO-init:$VERSION" && exit 1
echo "[PASSED] Pushed $REPO-init:$VERSION"
8 changes: 4 additions & 4 deletions KubeArmor/main.go
Expand Up @@ -30,10 +30,10 @@ func init() {
}

func main() {
if os.Geteuid() != 0 {
kg.Printf("Need to have root privileges to run %s\n", os.Args[0])
return
}
// if os.Geteuid() != 0 {
// kg.Printf("Need to have root privileges to run %s\n", os.Args[0])
// return
// }

dir, err := filepath.Abs(filepath.Dir(os.Args[0]))
if err != nil {
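Review bot: Commenting out the `os.Geteuid() != 0` guard removes the only startup privilege check without replacing it, so a binary launched without the file capabilities the Dockerfile now sets via `setcap` (or in a pod whose securityContext drops them) starts normally and then fails later with scattered EPERM errors instead of one clear message. Delete the four commented-out lines rather than keeping dead code, and record the new contract in a comment such as `// root is no longer required: the container image grants the needed file capabilities (see setcap in Dockerfile)`. A replacement check that reads `CapEff` from `/proc/self/status` and confirms CAP_SYS_ADMIN (and the other granted capabilities) are present would restore the early diagnostic. The body of main continues outside the hunk.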
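--- /dev/null
+++ b/Makefile
@@ -0,0 +1,19 @@
+.PHONY: all
+all: build run test
+
+.PHONY: run
+run:
+docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
+helm upgrade --install kubearmor ./deployments/helm \
+--values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
+--set environment.name=k3s \
+--set kubearmor.imagePullPolicy=Never \
+--set kubearmorInit.imagePullPolicy=Never \
+-n kube-system
+kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app
+kubectl get pods -A
+
+.PHONY: test
+test:
+go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+make -C tests/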
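Review bot: `all: build run test` names a `build` prerequisite that this file never defines, so a plain `make` (or `make all`) stops with `No rule to make target 'build'` before `run` is reached. Either drop `build` from the prerequisite list or add the target, e.g. `.PHONY: build` / `build:` / `./KubeArmor/build/build_kubearmor.sh` — the build script this commit also edits. The `run` recipe also hard-codes `kubearmor/kubearmor:latest` for the image import; a `VERSION ?= latest` variable would keep it in step with the `--build-arg VERSION` the build scripts now pass.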
2 changes: 1 addition & 1 deletion deployments/helm/templates/daemonset.yaml
Expand Up @@ -80,7 +80,7 @@ spec:
hostPID: true
initContainers:
- image: {{printf "%s:%s" .Values.kubearmorInit.image.repository .Values.kubearmorInit.image.tag}}
imagePullPolicy: {{ .Values.kubearmor.imagePullPolicy }}
imagePullPolicy: {{ .Values.kubearmorInit.imagePullPolicy }}
name: init
securityContext:
capabilities:
28 changes: 22 additions & 6 deletions pkg/KubeArmorController/Dockerfile
Expand Up @@ -21,11 +21,27 @@ COPY handlers/ handlers/
# Build
RUN CGO_ENABLED=0 GO111MODULE=on go build -a -o manager main.go

# Use distroless as minimal base image to package the manager binary
# Refer to https://github.com/GoogleContainerTools/distroless for more details
FROM gcr.io/distroless/static
FROM redhat/ubi9-minimal as controller

ARG VERSION=latest

LABEL name="kubearmor-controller" \
vendor="AccuKnox" \
version=${VERSION} \
release=${VERSION} \
summary="kubearmor-controller container image based on redhat ubi" \
description="kubearmor-controller container image based on redhat ubi"

RUN microdnf -y update && \
microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 shadow-utils && \
microdnf clean all && \
rm -rf /var/cache/yum

RUN groupadd --gid 1000 default \
&& useradd --uid 1000 --gid default --shell /bin/bash --create-home default

WORKDIR /
COPY --from=builder /workspace/manager .
USER 65532:65532
COPY --from=builder --chown=default:default /workspace/manager .

ENTRYPOINT ["/manager"]
USER 1000
ENTRYPOINT ["/manager"]
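Review bot: The manager is a fully static binary (`CGO_ENABLED=0 … go build` in the builder stage), yet the runtime stage swaps `gcr.io/distroless/static` for `redhat/ubi9-minimal` plus `shadow-utils`, a package manager and a login shell (`--shell /bin/bash --create-home`), none of which `/manager` uses — a larger attack surface and CVE footprint with no runtime benefit. If a UBI base is required for certification, `registry.access.redhat.com/ubi9/ubi-micro` is UBI-compliant without microdnf or a shell and works with a numeric `USER 1000` (no passwd entry needed); failing that, at least use `--shell /sbin/nologin` for the service account and pin the base tag/digest instead of the floating `redhat/ubi9-minimal`. The runtime UID also changes from 65532 to 1000; any `runAsUser`/`fsGroup` in the controller's deployment manifests or PodSecurity settings that reference 65532 would need the same update, which is not visible in this commit and worth confirming.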
4 changes: 2 additions & 2 deletions pkg/KubeArmorController/Makefile
Expand Up @@ -86,10 +86,10 @@ run: manifests generate fmt vet ## Run a controller from your host.

.PHONY: docker-build
docker-build: build ## Build docker image with the manager.
docker build -t ${IMG}:${TAG} -t ${IMG}:latest .
docker build -t ${IMG}:${TAG} -t ${IMG}:latest --build-arg VERSION=${TAG} .

docker-buildx: build ## Build docker image with the manager multiple archs.
docker buildx build --platform ${PLATFORM} --push -t ${IMG}:${TAG} .
docker buildx build --platform ${PLATFORM} --build-arg VERSION=${TAG} --push -t ${IMG}:${TAG} .

.PHONY: docker-push
docker-push: ## Push docker image with the manager.
