
Build nonroot user (#3)
Signed-off-by: Tamal Saha <[email protected]>
tamalsaha authored Jan 26, 2024
1 parent ee916c7 commit 7bec796
Showing 5 changed files with 101 additions and 5 deletions.
13 changes: 8 additions & 5 deletions .github/workflows/ci.yml
Expand Up @@ -28,11 +28,11 @@ jobs:
# - "1.17"
# - "1.18"
# - "1.19"
# - "1.20"
# - "1.21"
# - "1.22"
# - "1.23"
# - "1.24"
- "1.20"
- "1.21"
- "1.22"
- "1.23"
- "1.24"
- "1.25"
- "1.26"
- "1.27"
Expand All @@ -55,4 +55,7 @@ jobs:
USERNAME: 1gtm
run: |
docker login ghcr.io --username ${USERNAME} --password ${DOCKER_TOKEN}
cd root
make release RELEASE=${{ matrix.k8s }}
cd ../nonroot
make release RELEASE=${{ matrix.k8s }}
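Review bot: The two `make release` invocations are chained through `cd root` and `cd ../nonroot` inside a single `run:` script, so the second build's working directory depends on the first `cd` having taken effect and, presumably, on the runner's default `bash -e` to stop the step if the root build fails. `make -C root release RELEASE=${{ matrix.k8s }}` followed by `make -C nonroot release RELEASE=${{ matrix.k8s }}` expresses the same two builds without mutable shell state and reads correctly even if a third directory is added later. If the first hunk enables 1.20–1.24 in the matrix as it appears to, each of the eight matrix jobs now pushes both image families, so a failure in either Makefile fails the whole job for that version. The step and job definitions begin outside the hunk.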
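--- a/nonroot/Dockerfile
+++ b/nonroot/Dockerfile
@@ -0,0 +1,31 @@
+FROM alpine
+
+ARG TARGETOS
+ARG TARGETARCH
+ARG VERSION
+
+RUN set -x \
+&& apk add --update ca-certificates curl zip bzip2
+
+RUN set -x \
+&& curl -LO https://github.com/moparisthebest/static-curl/archive/refs/heads/master.zip \
+&& unzip master.zip \
+&& cd static-curl-master \
+&& ARCH=${TARGETARCH} ./build.sh
+
+RUN set -x \
+&& curl -fsSL https://dl.k8s.io/$VERSION/kubernetes-client-${TARGETOS}-${TARGETARCH}.tar.gz | tar -zxv
+
+
+
+FROM busybox
+
+LABEL org.opencontainers.image.source https://github.com/appscodelabs/kubectl-docker
+
+ARG TARGETARCH
+
+COPY --from=0 /tmp/release/curl-$TARGETARCH /usr/bin/curl
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=0 /kubernetes/client/bin/kubectl /usr/bin/kubectl
+
+USER 65534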
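Review bot: The first stage fetches and executes an unpinned third-party build script: `curl -LO https://github.com/moparisthebest/static-curl/archive/refs/heads/master.zip` pulls whatever `master` currently is and `./build.sh` runs it, with no tag, commit or checksum, so the curl binary copied into the final image can change silently between builds and its provenance cannot be reproduced. Pin the archive to a commit or release and verify it before unzipping, e.g. `curl -fsSLO https://github.com/moparisthebest/static-curl/archive/<PINNED_COMMIT>.zip && echo "<EXPECTED_SHA256>  <PINNED_COMMIT>.zip" | sha256sum -c -` (placeholders to be filled in). The kubectl tarball on the following RUN line is likewise piped into `tar` unverified; Kubernetes publishes checksum files alongside its release artifacts that could be checked the same way (confirm the exact sidecar filename for the client tarball). Both base images, `FROM alpine` and `FROM busybox`, are untagged and would be better pinned to a tag and digest (`FROM busybox:<TAG>@sha256:<DIGEST>`) for the same reproducibility reason. Note also that `curl -LO` here lacks `-f`, so an HTTP error body would be saved as `master.zip` and only fail later at `unzip`.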
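--- a/nonroot/Makefile
+++ b/nonroot/Makefile
@@ -0,0 +1,62 @@
+SHELL=/bin/bash -o pipefail
+
+REGISTRY ?= appscode
+BIN := kubectl-nonroot
+IMAGE := $(REGISTRY)/$(BIN)
+RELEASE ?= 1.20
+VERSION ?= $(shell curl -fsSL https://storage.googleapis.com/kubernetes-release/release/stable-$(RELEASE).txt)
+SRC_REG ?=
+
+DOCKER_PLATFORMS := linux/amd64 linux/386 linux/arm64 linux/ppc64le linux/s390x
+PLATFORM ?= $(firstword $(DOCKER_PLATFORMS))
+TAG = $(VERSION)_$(subst /,_,$(PLATFORM))
+
+container-%:
+@$(MAKE) container \
+--no-print-directory \
+PLATFORM=$(subst _,/,$*)
+
+push-%:
+@$(MAKE) push \
+--no-print-directory \
+PLATFORM=$(subst _,/,$*)
+
+all-container: $(addprefix container-, $(subst /,_,$(DOCKER_PLATFORMS)))
+
+all-push: $(addprefix push-, $(subst /,_,$(DOCKER_PLATFORMS)))
+
+ifeq (,$(SRC_REG))
+container:
+@echo "container: $(IMAGE):$(TAG)"
+@docker buildx build --platform $(PLATFORM) --build-arg VERSION=$(VERSION) --load --pull -t $(IMAGE):$(TAG) -f Dockerfile .
+@echo
+else
+container:
+@echo "container: $(IMAGE):$(TAG)"
+@docker tag $(SRC_REG)/$(BIN):$(TAG) $(IMAGE):$(TAG)
+@echo
+endif
+
+push: container
+@docker push $(IMAGE):$(TAG)
+@echo "pushed: $(IMAGE):$(TAG)"
+@echo
+
+.PHONY: manifest-version
+manifest-version:
+docker manifest create -a $(IMAGE):$(VERSION) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION)_$(subst /,_,$(PLATFORM)))
+docker manifest push $(IMAGE):$(VERSION)
+
+.PHONY: manifest-release
+manifest-release:
+docker manifest create -a $(IMAGE):v$(RELEASE) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION)_$(subst /,_,$(PLATFORM)))
+docker manifest push $(IMAGE):v$(RELEASE)
+docker manifest create -a $(IMAGE):$(RELEASE) $(foreach PLATFORM,$(DOCKER_PLATFORMS),$(IMAGE):$(VERSION)_$(subst /,_,$(PLATFORM)))
+docker manifest push $(IMAGE):$(RELEASE)
+
+.PHONY: docker-manifest
+docker-manifest: manifest-version manifest-release
+
+.PHONY: release
+release:
+@$(MAKE) all-push docker-manifest --no-print-directory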
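Review bot: `VERSION ?= $(shell curl -fsSL …stable-$(RELEASE).txt)` is a recursively expanded variable, and `TAG = $(VERSION)_…` is recursive too, so the network fetch is re-run on every expansion of `$(VERSION)` or `$(TAG)` — once for the `--build-arg`, once per tag, and once per platform inside the `foreach` of `manifest-version` and `manifest-release` — and a failed fetch yields an empty `VERSION`, which turns the tag into `_linux_amd64` and passes an empty build-arg that the Dockerfile bakes into a malformed `dl.k8s.io//…` URL. Resolve the value once at parse time and abort when it is empty, as in the excerpt below; a user-supplied `VERSION` is still honoured. Separately, `container`, `push`, `container-%`, `push-%`, `all-container` and `all-push` are not declared `.PHONY` although the manifest and release targets are, so a stray file named `container` or `push` in this directory would make them silently up to date.

```make
RELEASE ?= 1.20
# Resolve the stable version once at parse time: a recursive `?=` would re-run
# curl on every expansion of $(VERSION)/$(TAG) and silently yield "" on failure.
ifeq ($(strip $(VERSION)),)
VERSION := $(shell curl -fsSL https://storage.googleapis.com/kubernetes-release/release/stable-$(RELEASE).txt)
endif
$(if $(strip $(VERSION)),,$(error could not resolve VERSION for RELEASE=$(RELEASE)))
# … unchanged: SRC_REG, DOCKER_PLATFORMS, PLATFORM, TAG and all rules …
```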
File renamed without changes.
File renamed without changes.
