forked from snyk/kubernetes-monitor
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile
71 lines (51 loc) · 2.96 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#---------------------------------------------------------------------
# STAGE 1: Build skopeo inside a temporary container
#---------------------------------------------------------------------
FROM fedora:32 AS skopeo-build
RUN dnf install -y golang git make
RUN dnf install -y go-md2man gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel
RUN git clone --depth 1 -b 'v1.2.2' https://github.com/containers/skopeo $GOPATH/src/github.com/containers/skopeo
RUN cd $GOPATH/src/github.com/containers/skopeo \
&& make bin/skopeo DISABLE_CGO=1 \
&& make install
#---------------------------------------------------------------------
# STAGE 2: Build the kubernetes-monitor
#---------------------------------------------------------------------
FROM registry.access.redhat.com/ubi8/ubi:8.3
LABEL name="Snyk Controller" \
maintainer="support@snyk.io" \
vendor="Snyk Ltd" \
summary="Snyk integration for Kubernetes" \
description="Snyk Controller enables you to import and test your running workloads and identify vulnerabilities in their associated images and configurations that might make those workloads less secure."
COPY LICENSE /licenses/LICENSE
ENV NODE_ENV production
RUN curl -sL https://rpm.nodesource.com/setup_12.x | bash -
RUN yum install -y nodejs
RUN curl -L -o /usr/bin/dumb-init https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64
RUN chmod 755 /usr/bin/dumb-init
RUN groupadd -g 10001 snyk
RUN useradd -g snyk -d /srv/app -u 10001 snyk
# @kubernetes/client-node@0.14.2 started using net-keepalive, which requires the following packages to build modules
RUN yum --disableplugin=subscription-manager install -y make gcc gcc-c++
WORKDIR /srv/app
COPY --chown=snyk:snyk --from=skopeo-build /usr/bin/skopeo /usr/bin/skopeo
COPY --chown=snyk:snyk --from=skopeo-build /etc/containers/registries.d/default.yaml /etc/containers/registries.d/default.yaml
COPY --chown=snyk:snyk --from=skopeo-build /etc/containers/policy.json /etc/containers/policy.json
# Add manifest files and install before adding anything else to take advantage of layer caching
ADD --chown=snyk:snyk package.json package-lock.json ./
# The `.config` directory is used by `snyk protect` and we also mount a K8s volume there at runtime.
# This clashes with OpenShift 3 which mounts things differently and prevents access to the directory.
# TODO: Remove this line once OpenShift 3 comes out of support.
RUN mkdir -p .config
RUN npm install
RUN yum remove -y make gcc gcc-c++
# add the rest of the app files
ADD --chown=snyk:snyk . .
# OpenShift 4 doesn't allow dumb-init access the app folder without this permission.
RUN chmod 755 /srv/app && chmod 755 /srv/app/bin && chmod +x /srv/app/bin/start
# This must be in the end for Red Hat Build Service
RUN chown -R snyk:snyk .
USER 10001:10001
# Complete any `prepare` tasks (e.g. typescript), as this step ran automatically prior to app being copied
RUN npm run prepare
ENTRYPOINT ["/usr/bin/dumb-init", "--", "bin/start"]