From 6c8bc20c5671ff7a378ee26480862b05ca7f0394 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Wed, 4 Nov 2020 14:27:21 -0800
Subject: [PATCH] Adding setcap to go-runner so that capabilities can be applied to kubernetes binaries.
---
images/Makefile.common-image | 1 -
images/build/go-runner/Dockerfile | 12 +++++++++++-
images/build/go-runner/Makefile | 5 +++--
images/build/go-runner/cloudbuild.yaml | 10 +++++-----
images/build/go-runner/variants.yaml | 9 ++++++++-
5 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/images/Makefile.common-image b/images/Makefile.common-image
index 4cdc9292c90e..031555b29266 100644
--- a/images/Makefile.common-image
+++ b/images/Makefile.common-image
@@ -16,7 +16,6 @@ SHELL=/bin/bash -o pipefail IMAGE = $(REGISTRY)/$(IMGNAME) - TAG ?= $(shell git describe --tags --always --dirty) # TODO: Uncomment once all images using this Makefile can be built on all
diff --git a/images/build/go-runner/Dockerfile b/images/build/go-runner/Dockerfile
index ab2010ed8035..e667c6105d38 100644
--- a/images/build/go-runner/Dockerfile
+++ b/images/build/go-runner/Dockerfile
@@ -39,6 +39,7 @@ ENV GOPROXY="https://proxy.golang.org|direct" # Build ARG package=. ARG ARCH +ARG IMGNAME ENV CGO_ENABLED=0 ENV GOOS=linux
@@ -49,10 +50,19 @@ RUN go env RUN go build -ldflags '-s -w -buildid= -extldflags "-static"' \ -o go-runner ${package} +RUN if [ "${IMGNAME}" = "go-runner-setcap" ]; then \ + apt-get update && \ + apt-get install -y -q --no-install-recommends --no-install-suggests --fix-missing gcc git libc6-dev make && \ + git clone git://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git && \ + cd libcap/progs && \ + make; \ + else mkdir -p libcap/progs; \ + fi + # Production image FROM gcr.io/distroless/${DISTROLESS_IMAGE}:latest LABEL maintainers="Kubernetes Authors" LABEL description="go based runner for distroless scenarios" WORKDIR / -COPY --from=builder /workspace/go-runner . +COPY --from=builder /workspace/go-runner /workspace/libcap/progs/*setcap . ENTRYPOINT ["/go-runner"]
diff --git a/images/build/go-runner/Makefile b/images/build/go-runner/Makefile
index 02e5cb4ebd9c..4b3c0b873131 100644
--- a/images/build/go-runner/Makefile
+++ b/images/build/go-runner/Makefile
@@ -15,7 +15,7 @@ # include the common image-building Makefiles include $(CURDIR)/../../Makefile.common-image $(CURDIR)/../Makefile.build-image -IMGNAME = go-runner +IMGNAME ?= go-runner IMAGE_VERSION ?= buster-v2.1.0 CONFIG ?= buster
@@ -46,4 +46,5 @@ clean: rm go-runner BUILD_ARGS = --build-arg=GO_VERSION=$(GO_VERSION) \ - --build-arg=DISTROLESS_IMAGE=$(DISTROLESS_IMAGE) + --build-arg=DISTROLESS_IMAGE=$(DISTROLESS_IMAGE) \ + --build-arg=IMGNAME=$(IMGNAME)
diff --git a/images/build/go-runner/cloudbuild.yaml b/images/build/go-runner/cloudbuild.yaml
index 5da513b43e89..624795cc265b 100644
--- a/images/build/go-runner/cloudbuild.yaml
+++ b/images/build/go-runner/cloudbuild.yaml
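Review bot: In images/build/go-runner/Dockerfile, the added builder step fetches libcap with `git clone git://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git`; the git:// transport gives no encryption or server authentication, and no tag or commit is pinned, so whatever the default branch serves at build time is compiled and then copied into the production image by the changed `COPY` line. Use the HTTPS remote and a fixed release, e.g. `git clone --depth 1 --branch <LIBCAP_RELEASE_TAG> https://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git`, and compare `git rev-parse HEAD` with a commit hash recorded in the repository (`<EXPECTED_COMMIT>`, a placeholder here) before running `make`. Pinning also makes the setcap variant reproducible, since as written two builds of the same IMAGE_VERSION can contain different libcap sources. Both Dockerfile stages begin outside this hunk.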
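Review bot: In images/build/go-runner/Makefile, `IMGNAME` is no longer just the image name: it is forwarded as `--build-arg=IMGNAME=$(IMGNAME)`, and the Dockerfile in this patch builds and ships setcap only when the value is exactly `go-runner-setcap`, while `?=` now lets the environment set it. Nothing at the assignment documents that coupling; a comment above `IMGNAME ?= go-runner` such as `# IMGNAME also selects the Dockerfile variant: "go-runner-setcap" builds libcap and adds setcap to the image; any other value yields plain go-runner` would keep a renamed image from silently losing (or unexpectedly gaining) the binary. A dedicated build arg for the toggle would be cleaner still, but that goes beyond these two hunks.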
@@ -21,12 +21,12 @@ steps: - CONFIG=$_CONFIG - GO_VERSION=$_GO_VERSION - DISTROLESS_IMAGE=$_DISTROLESS_IMAGE + - IMGNAME=$_IMGNAME args: - '-c' - | gcloud auth configure-docker \ && make manifest - substitutions: # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and # can be used as a substitution
@@ -38,7 +38,7 @@ substitutions: _DISTROLESS_IMAGE: 'static-debian00' tags: -- 'go-runner' +- ${_IMGNAME} - ${_GIT_TAG} - ${_PULL_BASE_REF} - ${_IMAGE_VERSION}
@@ -47,6 +47,6 @@ tags: - ${_DISTROLESS_IMAGE} images: - - 'gcr.io/$PROJECT_ID/go-runner-amd64:$_IMAGE_VERSION' - - 'gcr.io/$PROJECT_ID/go-runner-amd64:$_GIT_TAG-$_CONFIG' - - 'gcr.io/$PROJECT_ID/go-runner-amd64:latest-$_CONFIG' + - 'gcr.io/$PROJECT_ID/$_IMGNAME-amd64:$_IMAGE_VERSION' + - 'gcr.io/$PROJECT_ID/$_IMGNAME-amd64:$_GIT_TAG-$_CONFIG' + - 'gcr.io/$PROJECT_ID/$_IMGNAME-amd64:latest-$_CONFIG'
diff --git a/images/build/go-runner/variants.yaml b/images/build/go-runner/variants.yaml
index bc08da1b2866..247d0a828037 100644
--- a/images/build/go-runner/variants.yaml
+++ b/images/build/go-runner/variants.yaml
@@ -1,5 +1,12 @@ variants: - buster: + base: + IMGNAME: 'go-runner' + CONFIG: 'buster' + IMAGE_VERSION: 'buster-v2.1.0' + GO_VERSION: '1.15.3' + DISTROLESS_IMAGE: 'static-debian10' + setcap: + IMGNAME: 'go-runner-setcap' CONFIG: 'buster' IMAGE_VERSION: 'buster-v2.1.0' GO_VERSION: '1.15.3'
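Review bot: In images/build/go-runner/cloudbuild.yaml, `$_IMGNAME` is now referenced in `env`, `tags` and all three `images` entries, but none of the hunks adds an `_IMGNAME` entry to the `substitutions:` block, where `_DISTROLESS_IMAGE` (visible as context) carries a default. Unless the caller always supplies it, a build started without that substitution has no image name to fall back on, and the pushed image paths depend entirely on an externally provided value. Adding `_IMGNAME: 'go-runner'` beside the other defaults keeps the previous behaviour for the base variant. The substitutions block starts outside the hunk, so confirm the key is not already defined there.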