From 8350397ec6cd6d02009a187fae1721983b1a579f Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Wed, 4 Nov 2020 14:27:21 -0800
Subject: [PATCH] Adding a setcap image so that capabilities can be applied to kubernetes binaries.
---
 images/build/setcap/Dockerfile | 19 +++++++
 images/build/setcap/Makefile | 80 +++++++++++++++++++++++++++++
 images/build/setcap/README.md | 19 +++++++
 images/build/setcap/cloudbuild.yaml | 45 ++++++++++++++++
 images/build/setcap/variants.yaml | 5 ++
 5 files changed, 168 insertions(+)
 create mode 100644 images/build/setcap/Dockerfile
 create mode 100644 images/build/setcap/Makefile
 create mode 100644 images/build/setcap/README.md
 create mode 100644 images/build/setcap/cloudbuild.yaml
 create mode 100644 images/build/setcap/variants.yaml
diff --git a/images/build/setcap/Dockerfile b/images/build/setcap/Dockerfile
new file mode 100644
index 00000000000..2325865a4d9
--- /dev/null
+++ b/images/build/setcap/Dockerfile
@@ -0,0 +1,19 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG BASEIMAGE
+
+FROM ${BASEIMAGE}
+
+RUN apt-get update && apt-get -y --no-install-recommends install libcap2-bin
diff --git a/images/build/setcap/Makefile b/images/build/setcap/Makefile
new file mode 100644
index 00000000000..19d3ce28dd8
--- /dev/null
+++ b/images/build/setcap/Makefile
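Review bot: The `RUN` line at the end of the Dockerfile hunk runs `apt-get update` but never removes the downloaded package index, so the stale lists stay in the published layer and inflate the image; the usual form is `RUN apt-get update && apt-get -y --no-install-recommends install libcap2-bin && rm -rf /var/lib/apt/lists/*`. Since this image exists only to run `setcap` on release binaries, it is worth considering a pinned `libcap2-bin` version (the exact version string is not visible here) so that rebuilds of the same `IMAGE_VERSION` are reproducible rather than picking up whatever the base's apt mirror serves that day.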
@@ -0,0 +1,80 @@
+# Copyright 2021 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+.PHONY: build push all all-build all-push-images all-push push-manifest
+
+REGISTRY?="gcr.io/k8s-staging-build-image"
+IMAGE=$(REGISTRY)/setcap
+
+TAG ?= $(shell git describe --tags --always --dirty)
+IMAGE_VERSION ?= buster-v1.4.0
+CONFIG ?= buster
+DEBIAN_BASE_VERSION ?= buster-v1.4.0
+
+ARCH?=amd64
+ALL_ARCH = amd64 arm arm64 ppc64le s390x
+
+BASE_REGISTRY?=k8s.gcr.io/build-image
+BASEIMAGE?=$(BASE_REGISTRY)/debian-base-$(ARCH):$(DEBIAN_BASE_VERSION)
+
+# Build args
+QEMUVERSION=5.2.0-2
+
+# This option is for running docker manifest command
+export DOCKER_CLI_EXPERIMENTAL := enabled
+
+build:
+ifneq ($(ARCH),amd64)
+ # Register /usr/bin/qemu-ARCH-static as the handler for non-x86 binaries in the kernel
+ docker run --rm --privileged multiarch/qemu-user-static:$(QEMUVERSION) --reset -p yes
+ docker buildx version
+ BUILDER=$(shell docker buildx create --use)
+endif
+ docker buildx build \
+ --pull \
+ --load \
+ --platform linux/$(ARCH) \
+ -t $(IMAGE)-$(ARCH):$(IMAGE_VERSION) \
+ -t $(IMAGE)-$(ARCH):$(TAG)-$(CONFIG) \
+ -t $(IMAGE)-$(ARCH):latest-$(CONFIG) \
+ --build-arg=BASEIMAGE=$(BASEIMAGE) \
+ .
+ifneq ($(ARCH),amd64)
+ docker buildx rm $$BUILDER
+endif
+
+push: build
+ docker push $(IMAGE)-$(ARCH):$(IMAGE_VERSION)
+ docker push $(IMAGE)-$(ARCH):$(TAG)-$(CONFIG)
+ docker push $(IMAGE)-$(ARCH):latest-$(CONFIG)
+
+sub-build-%:
+ $(MAKE) ARCH=$* build
+
+all-build: $(addprefix sub-build-,$(ALL_ARCH))
+
+sub-push-image-%:
+ $(MAKE) ARCH=$* push
+
+all-push-images: $(addprefix sub-push-image-,$(ALL_ARCH))
+
+all-push: all-push-images push-manifest
+
+push-manifest:
+ docker manifest create --amend $(IMAGE):$(IMAGE_VERSION) $(shell echo $(ALL_ARCH) | sed -e "s~[^ ]*~$(IMAGE)\-&:$(IMAGE_VERSION)~g")
+ @for arch in $(ALL_ARCH); do docker manifest annotate --arch $${arch} ${IMAGE}:${IMAGE_VERSION} ${IMAGE}-$${arch}:${IMAGE_VERSION}; done
+ docker manifest push --purge ${IMAGE}:${IMAGE_VERSION}
+
+all: all-push
+
diff --git a/images/build/setcap/README.md b/images/build/setcap/README.md
new file mode 100644
index 00000000000..f267f20d228
--- /dev/null
+++ b/images/build/setcap/README.md
@@ -0,0 +1,19 @@
+setcap
+This image is based on debian-base and installs the libcap2-bin package. The
+main use of this image is to apply `CAP_NET_BIND_SERVICE` to the kube-apiserver
+binary so that it can a bind to ports less than 1024 and still be run as non
+root.
+
+This image is compiled for multiple architectures.
+
+How to release
+If you're editing the Dockerfile or some other thing, please bump the TAG in the Makefile.
+
+Build and push images for all the architectures
+$ make all-push
+# ---> staging-k8s.gcr.io/setcap-amd64:TAG
+# ---> staging-k8s.gcr.io/setcap-arm:TAG
+# ---> staging-k8s.gcr.io/setcap-arm64:TAG
+# ---> staging-k8s.gcr.io/setcap-ppc64le:TAG
+# ---> staging-k8s.gcr.io/setcap-s390x:TAG
+If you don't want to push the images, run `make sub-build-{target_arch}` or `make all-build` instead
diff --git a/images/build/setcap/cloudbuild.yaml b/images/build/setcap/cloudbuild.yaml
new file mode 100644
index 00000000000..310fa8c290d
--- /dev/null
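Review bot: In the `build` recipe, `BUILDER=$(shell docker buildx create --use)` is a Make `$(shell)` expansion, so the builder is created when Make expands the recipe rather than in sequence with the qemu registration, and the resulting shell assignment lives only in that one recipe line's shell; by the time `docker buildx rm $$BUILDER` runs in its own shell, `$BUILDER` is empty and the command acts on whatever builder happens to be current. Give the builder an explicit name instead, e.g. `docker buildx create --use --name setcap-$(ARCH)` and `docker buildx rm setcap-$(ARCH)`, which also makes the cleanup deterministic if the build is interrupted and re-run. The `--privileged` qemu helper is pulled from Docker Hub by mutable tag (`multiarch/qemu-user-static:$(QEMUVERSION)`); for a release-image build pipeline it is worth pinning it by digest (`multiarch/qemu-user-static:5.2.0-2@sha256:<DIGEST-PLACEHOLDER>`) so a retagged upstream image cannot silently change what runs with full host privileges. Note also that `TAG` is derived from `git describe`, so the README's instruction to "bump the TAG in the Makefile" should point at `IMAGE_VERSION` (and `variants.yaml`), which is the value the Makefile actually lets you bump.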
+++ b/images/build/setcap/cloudbuild.yaml
@@ -0,0 +1,45 @@
+# See https://cloud.google.com/cloud-build/docs/build-config
+timeout: 1200s
+options:
+ substitution_option: ALLOW_LOOSE
+ machineType: 'N1_HIGHCPU_8'
+steps:
+ - name: 'gcr.io/k8s-testimages/gcb-docker-gcloud:v20201130-750d12f'
+ entrypoint: bash
+ dir: ./images/build/setcap
+ env:
+ - DOCKER_CLI_EXPERIMENTAL=enabled
+ - REGISTRY=gcr.io/$PROJECT_ID
+ - IMAGE=gcr.io/$PROJECT_ID/setcap
+ - TAG=$_GIT_TAG
+ - PULL_BASE_REF=$_PULL_BASE_REF
+ - IMAGE_VERSION=$_IMAGE_VERSION
+ - CONFIG=$_CONFIG
+ - DEBIAN_BASE_VERSION=$_DEBIAN_BASE_VERSION
+ - HOME=/root # for docker buildx
+ args:
+ - -c
+ - |
+ gcloud auth configure-docker && \
+ make all-push
+substitutions:
+ # _GIT_TAG will be filled with a git-based tag for the image, of the form vYYYYMMDD-hash, and
+ # can be used as a substitution
+ _GIT_TAG: '12345'
+ _PULL_BASE_REF: 'dev'
+ _IMAGE_VERSION: 'v0.0.0'
+ _CONFIG: 'codename'
+ _DEBIAN_BASE_VERSION: 'v0.0.0'
+
+tags:
+- 'setcap'
+- ${_GIT_TAG}
+- ${_PULL_BASE_REF}
+- ${_IMAGE_VERSION}
+- ${_CONFIG}
+- ${_DEBIAN_BASE_VERSION}
+
+images:
+ - 'gcr.io/$PROJECT_ID/setcap-amd64:$_IMAGE_VERSION'
+ - 'gcr.io/$PROJECT_ID/setcap-amd64:$_GIT_TAG-$_CONFIG'
+ - 'gcr.io/$PROJECT_ID/setcap-amd64:latest-$_CONFIG'
diff --git a/images/build/setcap/variants.yaml b/images/build/setcap/variants.yaml
new file mode 100644
index 00000000000..645d8d46699
--- /dev/null
+++ b/images/build/setcap/variants.yaml
@@ -0,0 +1,5 @@
+variants:
+ buster:
+ CONFIG: 'buster'
+ IMAGE_VERSION: 'buster-v1.4.0'
+ DEBIAN_BASE_VERSION: 'buster-v1.4.0'
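Review bot: The `images:` list at the end of cloudbuild.yaml names only the three amd64 tags, while the step's `make all-push` also pushes the arm, arm64, ppc64le and s390x images and the `setcap:$_IMAGE_VERSION` manifest list. As far as I can tell from the Cloud Build docs linked at the top of the file, only artifacts in `images:` are recorded in the build's results, so the digests of the non-amd64 images and of the manifest consumers actually pull would be absent from the build record; adding `- 'gcr.io/$PROJECT_ID/setcap:$_IMAGE_VERSION'` plus one entry per `ALL_ARCH` value for the `$_IMAGE_VERSION` tag would close that gap. The `make` call in `args` should be consistent with the Makefile's own `$(MAKE)` convention only inside Make, so invoking plain `make` here is fine.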