chore: switch to using distroless base image for driver-crds

Switches to using scratch base image for the driver-crds. The entrypoint is set to kubectl to prevent shell access. Enabled image scan for the driver-crds image. Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
kubernetes-sigs · Jul 20, 2021 · 7cbfde8 · 7cbfde8
1 parent 651990f
commit 7cbfde8
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 10 deletions.
diff --git a/Makefile b/Makefile
@@ -145,8 +145,10 @@ sanity-test:
 image-scan: $(TRIVY)
 	# show all vulnerabilities
 	$(TRIVY) --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
+	$(TRIVY) --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
 	# show vulnerabilities that have been fixed
 	$(TRIVY) --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(IMAGE_TAG)
+	$(TRIVY) --exit-code 1 --ignore-unfixed --severity MEDIUM,HIGH,CRITICAL $(CRD_IMAGE_TAG)
 
 ## --------------------------------------
 ## Tooling Binaries
@@ -263,11 +265,11 @@ endif
 
 .PHONY: container
 container: crd-container
-	docker build --no-cache --build-arg IMAGE_VERSION=$(IMAGE_VERSION) -t $(IMAGE_TAG) -f docker/Dockerfile .
+	docker build --platform="linux/$(ARCH)" --no-cache --build-arg IMAGE_VERSION=$(IMAGE_VERSION) -t $(IMAGE_TAG) -f docker/Dockerfile .
 
 .PHONY: crd-container
 crd-container: build-crds
-	docker build --no-cache -t $(CRD_IMAGE_TAG) -f docker/crd.Dockerfile _output/crds/
+	docker build --platform="linux/$(ARCH)" --no-cache -t $(CRD_IMAGE_TAG) -f docker/crd.Dockerfile _output/crds/
 
 .PHONY: crd-container-linux
 crd-container-linux: build-crds docker-buildx-builder
@@ -364,7 +366,7 @@ e2e-teardown: $(HELM)
 
 .PHONY: e2e-helm-deploy
 e2e-helm-deploy:
-	helm install csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --wait --timeout=15m -v=5 --debug \
+	helm install csi-secrets-store manifest_staging/charts/secrets-store-csi-driver --namespace kube-system --timeout=2m -v=5 --debug \
 		--set linux.image.pullPolicy="IfNotPresent" \
 		--set windows.image.pullPolicy="IfNotPresent" \
 		--set linux.image.repository=$(REGISTRY)/$(IMAGE_NAME) \
@@ -377,7 +379,10 @@ e2e-helm-deploy:
 		--set linux.enabled=true \
 		--set syncSecret.enabled=true \
 		--set enableSecretRotation=true \
-		--set rotationPollInterval=30s
+		--set rotationPollInterval=30s || true
+	kubectl get pods -n kube-system
+	kubectl logs csi-secrets-store-secrets-store-csi-driver-upgrade-crds -n kube-system
+	kubectl describe pod csi-secrets-store-secrets-store-csi-driver-upgrade-crds -n kube-system
 
 .PHONY: e2e-helm-upgrade
 e2e-helm-upgrade:

diff --git a/docker/crd.Dockerfile b/docker/crd.Dockerfile
@@ -1,2 +1,12 @@
-FROM bitnami/kubectl:1.21.2
+FROM alpine as builder
+ARG KUBE_VERSION=v1.21.2
+ARG TARGETARCH
+
+RUN apk add --no-cache curl && \
+    curl -LO https://storage.googleapis.com/kubernetes-release/release/$KUBE_VERSION/bin/linux/amd64/kubectl && \
+    chmod +x kubectl
+
+FROM gcr.io/distroless/static
 COPY * /crds/
+COPY --from=builder /kubectl /kubectl
+ENTRYPOINT ["/kubectl"]
diff --git a/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml b/manifest_staging/charts/secrets-store-csi-driver/templates/crds-upgrade-hook.yaml
@@ -53,11 +53,10 @@ spec:
   containers:
     - name: crds-upgrade
       image: "{{ .Values.linux.crds.image.repository }}:{{ .Values.linux.crds.image.tag }}"
-      command:
-      - sh
-      - -c
-      - >
-       kubectl apply -f /crds;
+      args:
+      - apply
+      - -f
+      - crds/
       imagePullPolicy: {{ .Values.linux.crds.image.pullPolicy }}
   {{- if .Values.imagePullSecrets }}
   imagePullSecrets: