Use scratch images

This change removes the alpine bloat from the existing docker files, for less possible attack vectors.
banzaicloud · Jul 1, 2021 · 24a7636 · 24a7636
1 parent 745ce8f
commit 24a7636
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,17 @@
 # Copyright (c) 2019 Banzai Cloud Zrt. All Rights Reserved.
+ARG FROM_IMAGE=scratch
+ARG GO_VERSION=1.15
 
 # Build the manager binary
-FROM golang:1.15 as builder
+FROM golang:${GO_VERSION}-alpine3.11 as builder
 
-ARG GOPROXY
+# set up nsswitch.conf for Go's "netgo" implementation
+# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-424546457
+RUN echo 'hosts: files dns' > /etc/nsswitch.conf.build
+
+RUN apk add --update --no-cache make bash curl ca-certificates git tzdata
 
+ARG GOPROXY
 ENV GOFLAGS="-mod=readonly"
 
 WORKDIR /workspace/
@@ -21,11 +28,14 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM alpine:3.13.4
-
-RUN apk add --update --no-cache ca-certificates
+FROM ${FROM_IMAGE}
 
 WORKDIR /
+
+COPY --from=builder /etc/nsswitch.conf.build /etc/nsswitch.conf
+COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
 COPY --from=builder /workspace/manager .
 USER nobody:nobody
 

diff --git a/Dockerfile-refresher b/Dockerfile-refresher
@@ -1,7 +1,16 @@
-# Copyright (c) 2019 Banzai Cloud Zrt. All Rights Reserved.
+# Copyright (c) 2021 Banzai Cloud Zrt. All Rights Reserved.
+
+ARG FROM_IMAGE=scratch
+ARG GO_VERSION=1.15
 
 # Build the manager binary
-FROM golang:1.15 as builder
+FROM golang:${GO_VERSION}-alpine3.11 as builder
+
+# set up nsswitch.conf for Go's "netgo" implementation
+# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-424546457
+RUN echo 'hosts: files dns' > /etc/nsswitch.conf.build
+
+RUN apk add --update --no-cache make bash curl ca-certificates git tzdata
 
 ARG GOPROXY
 
@@ -21,11 +30,14 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM alpine:3.13.4
-
-RUN apk add --update --no-cache ca-certificates
+FROM ${FROM_IMAGE}
 
 WORKDIR /
+
+COPY --from=builder /etc/nsswitch.conf.build /etc/nsswitch.conf
+COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
 COPY --from=builder /workspace/manager .
 USER nobody:nobody