Fixes system and oc vulnerabilities detected by trivy (#644)
* fixes system and oc vulnerabilities detected by trivy Signed-off-by: Tullio Sebastiani <[email protected]> * updated base image to run as krkn user instead of root Signed-off-by: Tullio Sebastiani <[email protected]> --------- Signed-off-by: Tullio Sebastiani <[email protected]>
1 parent
5fe0655
commit 7b660a0
Showing
1 changed file
with
19 additions
and
19 deletions.
|
@@ -2,48 +2,48 @@ | |
FROM mcr.microsoft.com/azure-cli:latest as azure-cli | ||
|
||
# oc build | ||
FROM golang:1.22.2 AS oc-build | ||
FROM golang:1.22.4 AS oc-build | ||
RUN apt-get update && apt-get install -y libkrb5-dev | ||
WORKDIR /tmp | ||
RUN git clone --branch release-4.18 https://github.com/openshift/oc.git | ||
WORKDIR /tmp/oc | ||
RUN go mod edit -go 1.22.3 &&\ | ||
go get github.com/moby/[email protected] &&\ | ||
go get github.com/containerd/[email protected]&&\ | ||
go get github.com/docker/[email protected]&&\ | ||
go mod tidy && go mod vendor | ||
RUN make GO_REQUIRED_MIN_VERSION:= oc | ||
|
||
FROM registry.access.redhat.com/ubi9/ubi:latest | ||
FROM fedora:40 | ||
RUN groupadd -g 1001 krkn && useradd -m -u 1001 -g krkn krkn | ||
RUN dnf update -y | ||
|
||
# krkn version that will be built | ||
ENV KRKN_VERSION v1.6.0 | ||
|
||
ENV KUBECONFIG /root/.kube/config | ||
ENV KUBECONFIG /home/krkn/.kube/config | ||
|
||
# update yum and install dependencies | ||
RUN yum update -y glibc glibc-common glibc-minimal-langpack runc libnghttp2 | ||
RUN rpm -e --allmatches --nodeps --noscripts --notriggers python3-requests | ||
RUN yum install -y git python39 python3-pip jq gettext wget | ||
|
||
# get yq | ||
RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq | ||
|
||
# get kubectl | ||
# install kubectl | ||
RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" &&\ | ||
cp kubectl /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl &&\ | ||
cp kubectl /usr/bin/kubectl && chmod +x /usr/bin/kubectl | ||
|
||
# This overwrites any existing configuration in /etc/yum.repos.d/kubernetes.repo | ||
RUN dnf update && dnf install -y git python39 jq yq gettext wget | ||
# copy azure client binary from azure-cli image | ||
COPY --from=azure-cli /usr/local/bin/az /usr/bin/az | ||
|
||
# copy oc client binary from oc-build image | ||
COPY --from=oc-build /tmp/oc/oc /usr/bin/oc | ||
COPY --from=oc-build /tmp/oc/oc /usr/local/bin/oc | ||
|
||
# krkn build | ||
RUN python3.9 -m pip install -U pip | ||
RUN git clone https://github.com/krkn-chaos/krkn.git --branch $KRKN_VERSION /root/kraken && \ | ||
mkdir -p /root/.kube | ||
WORKDIR /root/kraken | ||
RUN git clone https://github.com/krkn-chaos/krkn.git --branch $KRKN_VERSION /home/krkn/kraken && \ | ||
mkdir -p /home/krkn/.kube | ||
WORKDIR /home/krkn/kraken | ||
RUN python3.9 -m ensurepip | ||
RUN pip3.9 install -r requirements.txt | ||
RUN pip3.9 install virtualenv | ||
|
||
WORKDIR /root/kraken | ||
RUN chown -R krkn:krkn /home/krkn | ||
USER krkn | ||
ENTRYPOINT ["python3.9", "run_kraken.py"] | ||
CMD ["--config=config/config.yaml"] |
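Review bot: The `# install kubectl` step downloads whatever release `https://dl.k8s.io/release/stable.txt` names at build time and copies it into `/usr/local/bin` and `/usr/bin` with no integrity check, so the kubectl binary in this image is neither reproducible nor verified. The rendered page has lost its +/- markers, so this assumes the step stays on the new side, as its reworded comment suggests. Pin the release and check the download against a digest recorded in the Dockerfile before the `cp`, for example `ARG KUBECTL_VERSION=<pinned-release>` and `echo "<sha256-of-that-release>  kubectl" | sha256sum --check`. Separately, `RUN dnf update && dnf install -y git python39 jq yq gettext wget` runs `dnf update` without `-y` and repeats the earlier `RUN dnf update -y`. Folding both into one `RUN dnf -y update && dnf install -y … && dnf clean all` avoids a confirmation prompt in a non-interactive build and keeps the package cache out of the layer.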