From 7b660a087827b2648ca200181594f72cecaf1b1f Mon Sep 17 00:00:00 2001
From: Tullio Sebastiani
Date: Mon, 10 Jun 2024 20:26:03 +0200
Subject: [PATCH] Fixes system and oc vulnerabilities detected by trivy (#644)

* fixes system and oc vulnerabilities detected by trivy
Signed-off-by: Tullio Sebastiani
* updated base image to run as krkn user instead of root
Signed-off-by: Tullio Sebastiani
---------
Signed-off-by: Tullio Sebastiani
---
 containers/Dockerfile | 38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/containers/Dockerfile b/containers/Dockerfile
index 4335bda0..4c5ebdbe 100644
--- a/containers/Dockerfile
+++ b/containers/Dockerfile
@@ -2,48 +2,48 @@ FROM mcr.microsoft.com/azure-cli:latest as azure-cli # oc build -FROM golang:1.22.2 AS oc-build +FROM golang:1.22.4 AS oc-build RUN apt-get update && apt-get install -y libkrb5-dev WORKDIR /tmp RUN git clone --branch release-4.18 https://github.com/openshift/oc.git WORKDIR /tmp/oc +RUN go mod edit -go 1.22.3 &&\ + go get github.com/moby/buildkit@v0.12.5 &&\ + go get github.com/containerd/containerd@v1.7.11&&\ + go get github.com/docker/docker@v25.0.5&&\ + go mod tidy && go mod vendor RUN make GO_REQUIRED_MIN_VERSION:= oc -FROM registry.access.redhat.com/ubi9/ubi:latest +FROM fedora:40 +RUN groupadd -g 1001 krkn && useradd -m -u 1001 -g krkn krkn +RUN dnf update -y # krkn version that will be built ENV KRKN_VERSION v1.6.0 -ENV KUBECONFIG /root/.kube/config +ENV KUBECONFIG /home/krkn/.kube/config -# update yum and install dependencies -RUN yum update -y glibc glibc-common glibc-minimal-langpack runc libnghttp2 -RUN rpm -e --allmatches --nodeps --noscripts --notriggers python3-requests -RUN yum install -y git python39 python3-pip jq gettext wget - -# get yq -RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && chmod +x /usr/bin/yq - -# get kubectl +# install kubectl RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" &&\ cp kubectl /usr/local/bin/kubectl && chmod +x /usr/local/bin/kubectl &&\ cp kubectl /usr/bin/kubectl && chmod +x /usr/bin/kubectl +# This overwrites any existing configuration in /etc/yum.repos.d/kubernetes.repo +RUN dnf update && dnf install -y git python39 jq yq gettext wget # copy azure client binary from azure-cli image COPY --from=azure-cli /usr/local/bin/az /usr/bin/az # copy oc client binary from oc-build image COPY --from=oc-build /tmp/oc/oc /usr/bin/oc -COPY --from=oc-build /tmp/oc/oc /usr/local/bin/oc # krkn build -RUN python3.9 -m pip install -U pip -RUN git clone https://github.com/krkn-chaos/krkn.git --branch 
$KRKN_VERSION /root/kraken && \ - mkdir -p /root/.kube -WORKDIR /root/kraken +RUN git clone https://github.com/krkn-chaos/krkn.git --branch $KRKN_VERSION /home/krkn/kraken && \ + mkdir -p /home/krkn/.kube +WORKDIR /home/krkn/kraken +RUN python3.9 -m ensurepip RUN pip3.9 install -r requirements.txt -RUN pip3.9 install virtualenv -WORKDIR /root/kraken +RUN chown -R krkn:krkn /home/krkn +USER krkn ENTRYPOINT ["python3.9", "run_kraken.py"] CMD ["--config=config/config.yaml"] \ No newline at end of file
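Review bot: The three `go get …@vX` pins in the oc-build stage are applied on top of a floating `release-4.18` checkout, and `go get module@version` selects exactly that version, so if the branch's go.mod later requires something newer these lines would pull buildkit, containerd and docker back down to the versions named here. I would record why each pin exists and when to drop it, e.g. `# trivy findings from #644: remove once release-4.18 requires >= these versions`, and build oc from a fixed tag or commit rather than the branch head so the pins are checked against a known go.mod. Separately, `RUN dnf update && dnf install -y …` in the final stage runs the update without `-y`, which can stop a non-interactive build when updates are pending, and the comment above it about `/etc/yum.repos.d/kubernetes.repo` describes nothing that line does; `RUN dnf install -y git python39 jq yq gettext wget && dnf clean all` with the comment removed would be enough, since `dnf update -y` already ran earlier in the stage.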