Dockerfile multistage with bci-micro #166
Use bci-minal as final image Build/Copy binaries from builder to final
…uired packages with zypper 2. Use micro image as final image
Resolves the following error in run_sonobuoy_plugin.sh
+ tar -czf kb.tar.gz controlplane.json error.log etcd.json master.json node.json policies.json
/bin/sh: gzip: command not found
Diving in We could potentially go to
@andypitcher Could you please resolve the conflicts?
Done. Also replaced kubectl download URL from storage.googleapis.com to dl.k8s.io as per kubernetes/k8s.io#2396
zypper --installroot /chroot clean -a && \ | ||
rm -rf /chroot/var/cache/zypp/* /chroot/var/log/zypp/* | ||
|
||
# Main stage using bco-mirco as the base image |
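Review bot: the stage comment on the last line of this hunk misspells the image name as "bco-mirco". The PR title and description name the image bci-micro, so the comment should read "# Main stage using bci-micro as the base image"; a suggestion of "bco-micro" would still leave the name wrong.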
nit:
# Main stage using bco-mirco as the base image | |
# Main stage using bco-micro as the base image |
Infracloud is testing this.
@MKlimuszka it may be worth testing this together with rancher/cis-operator#232.
Parent issue: https://github.com/rancher/security-team/issues/387
This PR covers the following:
Tested with RKE2, the scan is working and delivers the same results:
Note: The final image size can't be smaller than ~280MB even if we're using bci-micro here. Indeed, the number of binaries and their dependencies increases it. This said, here are some advantages of using micro here:
zypper is here by default. This might help an attacker to install other artifacts onto the container.
403 when using bci-base and 354 when using bci-micro.