fix: high-risk vulnerabilities caused by low version of kubebuilder a…

…nd yq Signed-off-by: fsl <1171313930@qq.com>
open-policy-agent · Jan 10, 2023 · cb0a90d · cb0a90d
1 parent bb11f3e
commit cb0a90d
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 14 deletions.
diff --git a/Makefile b/Makefile
@@ -15,13 +15,14 @@ VERSION := v3.12.0-beta.0
 KIND_VERSION ?= 0.17.0
 # note: k8s version pinned since KIND image availability lags k8s releases
 KUBERNETES_VERSION ?= 1.26.0
+KUBEBUILDER_VERSION ?= 3.8.0
 KUSTOMIZE_VERSION ?= 3.8.9
 BATS_VERSION ?= 1.8.2
 ORAS_VERSION ?= 0.16.0
 BATS_TESTS_FILE ?= test/bats/test.bats
 HELM_VERSION ?= 3.7.2
 NODE_VERSION ?= 16-bullseye-slim
-YQ_VERSION ?= 4.2.0
+YQ_VERSION ?= 4.30.6
 FRAMEWORKS_VERSION ?= $(shell go list -f '{{ .Version }}' -m github.com/open-policy-agent/frameworks/constraint)
 OPA_VERSION ?= $(shell go list -f '{{ .Version }}' -m github.com/open-policy-agent/opa)
 
@@ -453,7 +454,10 @@ __test-image:
 		-t gatekeeper-test \
 		--build-arg YQ_VERSION=$(YQ_VERSION) \
 		--build-arg BATS_VERSION=$(BATS_VERSION) \
-		--build-arg ORAS_VERSION=$(ORAS_VERSION)
+		--build-arg ORAS_VERSION=$(ORAS_VERSION) \
+		--build-arg KUSTOMIZE_VERSION=$(KUSTOMIZE_VERSION) \
+		--build-arg KUBEBUILDER_VERSION=$(KUBEBUILDER_VERSION) \
+		--build-arg TARGETARCH="amd64"
 
 .PHONY: vendor
 vendor:

diff --git a/test/image/Dockerfile b/test/image/Dockerfile
@@ -4,25 +4,22 @@ FROM golang:1.19-bullseye as builder
 ARG BATS_VERSION
 ARG ORAS_VERSION
 ARG YQ_VERSION
+ARG KUSTOMIZE_VERSION
+ARG KUBEBUILDER_VERSION
+ARG TARGETARCH
 
 RUN apt-get update &&\
     apt-get install -y apt-utils make
 
 # Install kubebuilder
 WORKDIR /scratch
-ENV version=2.3.1
-ENV arch=amd64
-RUN curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${version}/kubebuilder_${version}_linux_${arch}.tar.gz" &&\
-    tar -zxvf kubebuilder_${version}_linux_${arch}.tar.gz &&\
-    mv kubebuilder_${version}_linux_${arch} /usr/local/kubebuilder &&\
-    rm kubebuilder_${version}_linux_${arch}.tar.gz
+RUN curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_linux_${TARGETARCH}" &&\
+    mv kubebuilder_linux_${TARGETARCH} /usr/local/kubebuilder
 ENV PATH=$PATH:/usr/local/kubebuilder/bin:/usr/bin
 
 # Install kustomize
-ENV version=3.7.0
-ENV arch=amd64
-RUN curl -L -O "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_${arch}.tar.gz" &&\
-    tar -zxvf kustomize_v${version}_linux_${arch}.tar.gz &&\
+RUN curl -L -O "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz" &&\
+    tar -zxvf kustomize_v${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz &&\
     chmod +x kustomize &&\
     mv kustomize /usr/local/bin
 
@@ -32,12 +29,12 @@ RUN curl -sSLO https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.t
     bash bats-core-${BATS_VERSION}/install.sh /usr/local
 
 # Install ORAS
-RUN curl -SsLO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${arch}.tar.gz && \
+RUN curl -SsLO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${TARGETARCH}.tar.gz && \
     mkdir -p oras-install/ && tar -zxf oras_${ORAS_VERSION}_*.tar.gz -C oras-install/ && \
     mv oras-install/oras /usr/local/bin/ && rm -rf oras_${ORAS_VERSION}_*.tar.gz oras-install/
 
 # Install yq and jq
-RUN curl -LsS https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${arch} -o /usr/local/bin/yq \
+RUN curl -LsS https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${TARGETARCH} -o /usr/local/bin/yq \
     && chmod +x /usr/local/bin/yq
 RUN apt-get update && yes | apt-get install jq