Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[WIP] Get rid of kubectl depepdency in container image #1137

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

tobiasgiese
Copy link
Member

@tobiasgiese tobiasgiese commented Nov 25, 2024

We should not use the kubectl binary inside our containers because of potential CVEs.
To get rid of the binary we can use the crdutil from the k8s-operator-libs.

Depends on NVIDIA/k8s-operator-libs#58

Comment on lines +184 to +187
// DROP BEFORE MERGE!
// Implements https://github.com/NVIDIA/k8s-operator-libs/pull/58
// This is only for testing.
replace github.com/NVIDIA/k8s-operator-libs => github.com/tobiasgiese/k8s-operator-libs v0.0.0-20241125092837-e8a080621717
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

must be dropped before merging, just as a reminder

We should not use the kubectl binary inside our containers because of potential CVEs.
To get rid of the binary we can use the crdutil from the k8s-operator-libs.

Signed-off-by: Tobias Giese <[email protected]>
@@ -77,6 +77,7 @@ operator:
use_ocp_driver_toolkit: false
# cleanup CRD on chart un-install
cleanupCRD: false
imageCleanupCRD: bitnami/kubectl:1.31
Copy link
Member Author

@tobiasgiese tobiasgiese Nov 25, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use the upstream bitnami/kubectl image here as we don't need the CRDs in the container for the cleanup task.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The cleanest approach would be to add a DeleteCRD method to the k8s-operator-libs. I think we can revisit this PR after that. Thoughts?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call, was also thinking about this. Let me add a command to delete CRDs to the cmdutil

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There may be other requirements in terms of using a thirdparty image. Implementing the required logic in code may be simpler in the long run.

Comment on lines +89 to +93
# Build apply-crds binary
apply-crds:
CGO_ENABLED=0 GOOS=$(GOOS) \
go build -ldflags "-s -w -X $(VERSION_PKG).gitCommit=$(GIT_COMMIT) -X $(VERSION_PKG).version=$(VERSION)" -o apply-crds ./cmd/apply-crds/...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In other projects we using the following:

CMDS := $(patsubst ./cmd/%/,%,$(sort $(dir $(wildcard ./cmd/*/))))
CMD_TARGETS := $(patsubst %,cmd-%,$(CMDS))

ifneq ($(PREFIX),)
cmd-%: COMMAND_BUILD_OPTIONS = -o $(PREFIX)/$(*)
endif
ifneq ($(shell uname),Darwin)
EXTLDFLAGS = -Wl,--export-dynamic -Wl,--unresolved-symbols=ignore-in-object-files
else
EXTLDFLAGS = -Wl,-undefined,dynamic_lookup
endif
BUILDFLAGS = -ldflags "-s -w '-extldflags=$(EXTLDFLAGS)' -X $(CLI_VERSION_PACKAGE).gitCommit=$(GIT_COMMIT) -X $(CLI_VERSION_PACKAGE).version=$(CLI_VERSION)"
build:
	go build $(BUILDFLAGS) ./...

cmds: $(CMD_TARGETS)
$(CMD_TARGETS): cmd-%:
	go build $(BUILDFLAGS) $(COMMAND_BUILD_OPTIONS) $(MODULE)/cmd/$(*)

to auto-generate make cmd-* targets for any binary that we place in cmd. Would that be a useful addition here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants