Adding setcap to go-runner so that capabilities can be applied to

kubernetes binaries.
kubernetes · Nov 7, 2020 · c79082c · c79082c
1 parent 5414db6
commit c79082c
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 9 deletions.
diff --git a/images/build/go-runner/Dockerfile b/images/build/go-runner/Dockerfile
@@ -39,6 +39,7 @@ ENV GOPROXY="https://proxy.golang.org|direct"
 # Build
 ARG package=.
 ARG ARCH
+ARG IMGNAME
 
 ENV CGO_ENABLED=0
 ENV GOOS=linux
@@ -49,10 +50,19 @@ RUN go env
 RUN go build -ldflags '-s -w -buildid= -extldflags "-static"' \
     -o go-runner ${package}
 
+RUN if [ "${IMGNAME}" = "go-runner-setcap" ]; then \
+      apt-get update && \
+      apt-get install -y -q --no-install-recommends --no-install-suggests --fix-missing gcc git libc6-dev make && \
+      git clone git://git.kernel.org/pub/scm/linux/kernel/git/morgan/libcap.git && \
+      cd libcap/progs && \
+      make; \
+    else mkdir -p libcap/progs; \
+    fi
+
 # Production image
 FROM gcr.io/distroless/${DISTROLESS_IMAGE}:latest
 LABEL maintainers="Kubernetes Authors"
 LABEL description="go based runner for distroless scenarios"
 WORKDIR /
-COPY --from=builder /workspace/go-runner .
+COPY --from=builder /workspace/go-runner /workspace/libcap/progs/*setcap .
 ENTRYPOINT ["/go-runner"]
diff --git a/images/build/go-runner/Makefile b/images/build/go-runner/Makefile
@@ -15,7 +15,7 @@
 # include the common image-building Makefiles
 include $(CURDIR)/../../Makefile.common-image $(CURDIR)/../Makefile.build-image
 
-IMGNAME = go-runner
+IMGNAME ?= go-runner
 IMAGE_VERSION ?= buster-v2.1.0
 CONFIG ?= buster
 
@@ -46,4 +46,5 @@ clean:
 	rm go-runner
 
 BUILD_ARGS = --build-arg=GO_VERSION=$(GO_VERSION) \
-             --build-arg=DISTROLESS_IMAGE=$(DISTROLESS_IMAGE)
+             --build-arg=DISTROLESS_IMAGE=$(DISTROLESS_IMAGE) \
+             --build-arg=IMGNAME=$(IMGNAME)
diff --git a/images/build/go-runner/cloudbuild.yaml b/images/build/go-runner/cloudbuild.yaml
@@ -21,12 +21,12 @@ steps:
     - CONFIG=$_CONFIG
     - GO_VERSION=$_GO_VERSION
     - DISTROLESS_IMAGE=$_DISTROLESS_IMAGE
+    - IMGNAME=$_IMGNAME
     args:
     - '-c'
     - |
       gcloud auth configure-docker \
       && make manifest
-
 substitutions:
   # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and
   # can be used as a substitution
@@ -38,7 +38,7 @@ substitutions:
   _DISTROLESS_IMAGE: 'static-debian00'
 
 tags:
-- 'go-runner'
+- ${_IMGNAME}
 - ${_GIT_TAG}
 - ${_PULL_BASE_REF}
 - ${_IMAGE_VERSION}
@@ -47,6 +47,6 @@ tags:
 - ${_DISTROLESS_IMAGE}
 
 images:
-  - 'gcr.io/$PROJECT_ID/go-runner-amd64:$_IMAGE_VERSION'
-  - 'gcr.io/$PROJECT_ID/go-runner-amd64:$_GIT_TAG-$_CONFIG'
-  - 'gcr.io/$PROJECT_ID/go-runner-amd64:latest-$_CONFIG'
+  - 'gcr.io/$PROJECT_ID/$_IMGNAME-amd64:$_IMAGE_VERSION'
+  - 'gcr.io/$PROJECT_ID/$_IMGNAME-amd64:$_GIT_TAG-$_CONFIG'
+  - 'gcr.io/$PROJECT_ID/$_IMGNAME-amd64:latest-$_CONFIG'
diff --git a/images/build/go-runner/variants.yaml b/images/build/go-runner/variants.yaml
@@ -1,5 +1,12 @@
 variants:
-  buster:
+  base:
+    IMGNAME: 'go-runner'
+    CONFIG: 'buster'
+    IMAGE_VERSION: 'buster-v2.1.0'
+    GO_VERSION: '1.15.3'
+    DISTROLESS_IMAGE: 'static-debian10'
+  setcap:
+    IMGNAME: 'go-runner-setcap'
     CONFIG: 'buster'
     IMAGE_VERSION: 'buster-v2.1.0'
     GO_VERSION: '1.15.3'