Update Dockerfiles to use redhat ubi as base image

Signed-off-by: rksharma95 <[email protected]>
kubearmor · Sep 5, 2023 · 87f8a2e · 87f8a2e
1 parent 49939f4
commit 87f8a2e
Show file tree

Hide file tree

Showing 30 changed files with 471 additions and 59 deletions.
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
@@ -115,11 +115,13 @@ jobs:
         run: | 
           echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
           echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
+          echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT
 
       - name: Sign the Container Images
         run: |
           cosign sign -r kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }} --yes
           cosign sign -r kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }} --yes
+          cosign sign -r kubearmor/kubearmor-ubi@${{ steps.digest.outputs.ubidigest }} --yes
 
   push-stable-version:
     name: Create KubeArmor stable release
@@ -165,6 +167,7 @@ jobs:
         run: |
           STABLE_VERSION=`cat STABLE-RELEASE`
           regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
+          regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
           regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags
   
   kubearmor-controller-release:

diff --git a/.github/workflows/ci-stable-release.yml b/.github/workflows/ci-stable-release.yml
@@ -35,6 +35,7 @@ jobs:
         run: |
           STABLE_VERSION=`cat STABLE-RELEASE`
           regctl image copy kubearmor/kubearmor:$STABLE_VERSION kubearmor/kubearmor:stable --digest-tags
+          regctl image copy kubearmor/kubearmor-ubi:$STABLE_VERSION kubearmor/kubearmor-ubi:stable --digest-tags
           regctl image copy kubearmor/kubearmor-controller:$STABLE_VERSION kubearmor/kubearmor-controller:stable --digest-tags
 
   update-helm-chart:

diff --git a/.github/workflows/ci-test-controllers.yml b/.github/workflows/ci-test-controllers.yml
@@ -32,6 +32,7 @@ jobs:
           helm upgrade --install kubearmor ./deployments/helm/KubeArmor \
           --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
           --set kubearmorController.imagePullPolicy=Never \
+          --set kubearmorInit.imagePullPolicy=Always \
           --set kubearmor.imagePullPolicy=Always \
           --set kubearmor.image.tag=latest \
           -n kube-system;

diff --git a/.github/workflows/ci-test-ubi-image.yml b/.github/workflows/ci-test-ubi-image.yml
@@ -0,0 +1,107 @@
+name: ci-test-ubi-ginkgo
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "KubeArmor/**"
+      - "tests/**"
+      - "protobuf/**"
+      - ".github/workflows/ci-test-ginkgo.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "KubeArmor/**"
+      - "tests/**"
+      - "protobuf/**"
+      - ".github/workflows/ci-test-ginkgo.yml"
+
+jobs:
+  build:
+    name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}
+    runs-on: ${{ matrix.os }}
+    env:
+      RUNTIME: ${{ matrix.runtime }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["bpflsm"]
+
+        runtime: ["crio"]
+
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "v1.20"
+
+      - name: Install the latest LLVM toolchain
+        run: ./.github/workflows/install-llvm.sh
+
+      - name: Compile libbpf
+        run: ./.github/workflows/install-libbpf.sh
+
+      - name: Setup a Kubernetes environment
+        run: ./.github/workflows/install-k3s.sh
+
+      - name: Generate KubeArmor artifacts
+        run: |
+          GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
+
+      - name: Run KubeArmor
+        run: |
+          sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
+          sudo podman pull docker-daemon:kubearmor/kubearmor-ubi:latest
+          helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kube-system
+          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app=kubearmor-operator
+          kubectl get pods -A
+          kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml
+          kubectl wait -n kube-system --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
+          kubectl wait --timeout=5m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kube-system
+          kubectl get pods -A
+
+      - name: Test KubeArmor using Ginkgo
+        run: |
+          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+          make
+        working-directory: ./tests
+        timeout-minutes: 30
+
+      - name: Get karmor sysdump
+        if: ${{ failure() }}
+        run: |
+          kubectl describe pod -n kube-system -l kubearmor-app=kubearmor
+          curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
+          mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump
+
+      - name: Archive log artifacts
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kubearmor.logs
+          path: |
+            /tmp/kubearmor/
+            /tmp/kubearmor.*
+
+      - name: Measure code coverage
+        if: ${{ always() }}
+        run: |
+          go install github.com/modocache/gover@latest
+          gover
+          go tool cover -func=gover.coverprofile
+        working-directory: KubeArmor
+        env:
+          GOPATH: /home/vagrant/go
+      - uses: codecov/codecov-action@v3
+        if: ${{ always() }}
+        with:
+          files: ./KubeArmor/gover.coverprofile
+      - name: Run cleanup
+        if: ${{ always() }}
+        run: ./.github/workflows/cleanup.sh
+
+
diff --git a/.github/workflows/cleanup.sh b/.github/workflows/cleanup.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2021 Authors of KubeArmor
+
+# Cleanup function
+cleanup() {
+  echo "Performing cleanup..."
+
+  ./usr/local/bin/k3s-killall.sh
+
+  /usr/local/bin/k3s-uninstall.sh
+
+  docker system prune -a -f
+
+  # rm -rf /home/vagrant/actions-runner/_work/KubeArmor
+
+  echo "Cleanup complete."
+}
+# Invoke the cleanup function
+cleanup
diff --git a/Dockerfile b/Dockerfile
@@ -30,3 +30,52 @@ COPY --from=builder /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
 COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
 
 ENTRYPOINT ["/KubeArmor/kubearmor"]
+
+### TODO ###
+
+### build apparmor_parser binary
+
+## debian:10 uses glibc2.28 version similar to ubi9
+# FROM debian:10 AS apparmor-builder
+# RUN apt-get update && apt-get install -y apparmor
+# RUN mkdir /tmp/apparmor && \
+#     cp /sbin/apparmor_parser /tmp/apparmor/
+
+### Make UBI-based executable image
+
+FROM redhat/ubi9-minimal as kubearmor-ubi
+
+ARG VERSION=latest
+ENV KUBEARMOR_UBI=true
+
+LABEL name="kubearmor" \
+      vendor="Accuknox" \
+      version=${VERSION} \
+      release=${VERSION} \
+      summary="kubearmor container image based on redhat ubi" \
+      description="KubeArmor is a cloud-native runtime security enforcement system that restricts the behavior \
+                  (such as process execution, file access, and networking operations) of pods, containers, and nodes (VMs) \
+                  at the system level."
+
+RUN microdnf -y update && \
+    microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 shadow-utils procps libcap && \
+    microdnf clean all && \
+    rm -rf /var/cache/yum
+
+RUN groupadd --gid 1000 default \
+  && useradd --uid 1000 --gid default --shell /bin/bash --create-home default
+
+COPY LICENSE /licenses/license.txt
+COPY --from=builder --chown=default:dafault /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
+COPY --from=builder --chown=default:default /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
+
+# TODO
+# COPY --from=apparmor-builder /tmp/apparmor/apparmor_parser /usr/sbin/
+# RUN chmod u+s /usr/sbin/apparmor_parser
+
+RUN setcap "cap_sys_admin=ep cap_sys_ptrace=ep cap_ipc_lock=ep cap_sys_resource=ep cap_dac_override=ep cap_dac_read_search=ep" /KubeArmor/kubearmor
+
+USER 1000
+ENTRYPOINT ["/KubeArmor/kubearmor"]
+
+
diff --git a/Dockerfile.init b/Dockerfile.init
@@ -2,15 +2,40 @@
 # Copyright 2021 Authors of KubeArmor
 
 ### Make compiler image
-FROM alpine:3.17 as kubearmor-init
+FROM redhat/ubi9-minimal as kubearmor-init
 
-RUN apk --no-cache update
-RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/apk/repositories
-RUN echo "@edge http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories
+ARG VERSION=latest
 
-RUN apk --no-cache update
-RUN apk --no-cache add bash git clang llvm make gcc bpftool@edge
+LABEL name="kubearmor-init" \
+      vendor="Accuknox" \
+      version=${VERSION} \
+      release=${VERSION} \
+      summary="kubearmor-init container image based on redhat ubi" \
+      description="kubearmor-init image for kubearmor init container image"
 
+RUN microdnf -y update && \
+    microdnf -y install --nodocs --setopt=install_weak_deps=0 --setopt=keepcache=0 shadow-utils git clang llvm make gcc libbpf tar gzip && \
+    microdnf clean all && \
+    rm -rf /var/cache/yum
+
+# install bpftool  
+RUN arch=$(uname -m) bpftool_version=v7.2.0 && \
+    if [[ "$arch" == "aarch64" ]]; then \
+        arch=arm64; \
+    elif [[ "$arch" == "x86_64" ]]; then \
+        arch=amd64; \   
+    fi && \
+    curl -LO https://github.com/libbpf/bpftool/releases/download/$bpftool_version/bpftool-$bpftool_version-$arch.tar.gz && \
+    tar -xzf bpftool-$bpftool_version-$arch.tar.gz -C /usr/local/bin && \
+    chmod +x /usr/local/bin/bpftool
+
+RUN groupadd --gid 1000 default \
+  && useradd --uid 1000 --gid default --shell /bin/bash --create-home default
+
+COPY LICENSE /licenses/license.txt
 COPY ./KubeArmor/BPF /KubeArmor/BPF/
 COPY ./KubeArmor/build/compile.sh /KubeArmor/compile.sh
+RUN chown -R default:default /KubeArmor
+
+USER 1000
 ENTRYPOINT ["/KubeArmor/compile.sh"]
diff --git a/KubeArmor/build/build_kubearmor.sh b/KubeArmor/build/build_kubearmor.sh
@@ -4,6 +4,8 @@
 
 [[ "$REPO" == "" ]] && REPO="kubearmor/kubearmor"
 
+UBIREPO="kubearmor/kubearmor-ubi"
+
 realpath() {
     CURR=$PWD
 
@@ -56,12 +58,23 @@ echo "[PASSED] Built $REPO:$VERSION"
 # build a kubearmor-init image
 DTAGINI="-t $REPO-init:$VERSION"
 echo "[INFO] Building $DTAGINI"
-cd $ARMOR_HOME/..; docker build $DTAGINI -f Dockerfile.init --target kubearmor-init . $LABEL
+cd $ARMOR_HOME/..; docker build $DTAGINI -f Dockerfile.init --build-arg VERSION=$VERSION --target kubearmor-init . $LABEL
 
 if [ $? != 0 ]; then
     echo "[FAILED] Failed to build $REPO-init:$VERSION"
     exit 1
 fi
 echo "[PASSED] Built $REPO-init:$VERSION"
 
+# build a kubearmor-ubi image
+DTAGUBI="-t $UBIREPO:$VERSION"
+echo "[INFO] Building $UBIREPO"
+cd $ARMOR_HOME/..; docker build $DTAGUBI -f Dockerfile --build-arg VERSION=$VERSION --target kubearmor-ubi . $LABEL
+
+if [ $? != 0 ]; then
+    echo "[FAILED] Failed to build $DTAGUBI:$VERSION"
+    exit 1
+fi
+echo "[PASSED] Built $DTAGUBI:$VERSION"
+
 exit 0
diff --git a/KubeArmor/build/push_kubearmor.sh b/KubeArmor/build/push_kubearmor.sh
@@ -8,6 +8,8 @@
 
 [[ "$STABLE_VERSION" != "" ]] && STABEL_LABEL="--label stabel-version=$STABLE_VERSION"
 
+UBIREPO="kubearmor/kubearmor-ubi"
+
 # set LABEL
 unset LABEL
 [[ "$GITHUB_SHA" != "" ]] && LABEL="--label github_sha=$GITHUB_SHA"
@@ -42,16 +44,23 @@ pwd
 
 # push $REPO
 echo "[INFO] Pushing $REPO:$VERSION"
-cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor.json --platform $PLATFORMS -t $REPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
+cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor.json --platform $PLATFORMS --target kubearmor -t $REPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
 
 [[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO:$VERSION" && exit 1
 echo "[PASSED] Pushed $REPO:$VERSION"
 
 # push $REPO-init
 echo "[INFO] Pushing $REPO-init:$VERSION"
-cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-init.json --platform $PLATFORMS -t $REPO-init:$VERSION -f Dockerfile.init --push $LABEL $STABEL_LABEL .
+cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-init.json --platform $PLATFORMS --build-arg VERSION=$VERSION -t $REPO-init:$VERSION -f Dockerfile.init --push $LABEL $STABEL_LABEL .
 
 [[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO-init:$VERSION" && exit 1
 echo "[PASSED] Pushed $REPO-init:$VERSION"
 
+# push $UBIREPO
+echo "[INFO] Pushing $UBIREPO:$VERSION"
+cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-ubi.json --platform $PLATFORMS --build-arg VERSION=$VERSION --target kubearmor-ubi -t $UBIREPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
+
+[[ $? -ne 0 ]] && echo "[FAILED] Failed to push $UBIREPO:$VERSION" && exit 1
+echo "[PASSED] Pushed $UBIREPO:$VERSION"
+
 exit 0
diff --git a/KubeArmor/main.go b/KubeArmor/main.go
@@ -13,8 +13,13 @@ import (
 	kg "github.com/kubearmor/KubeArmor/KubeArmor/log"
 )
 
+// GitCommit represents build-time info for git commit
 var GitCommit string
+
+// GitBranch represents build-time info for git branch
 var GitBranch string
+
+// BuildDate represents build-time info for build date
 var BuildDate string
 
 func printBuildDetails() {
@@ -31,8 +36,10 @@ func init() {
 
 func main() {
 	if os.Geteuid() != 0 {
-		kg.Printf("Need to have root privileges to run %s\n", os.Args[0])
-		return
+		if os.Getenv("KUBEARMOR_UBI") == "" {
+			kg.Printf("Need to have root privileges to run %s\n", os.Args[0])
+			return
+		}
 	}
 
 	dir, err := filepath.Abs(filepath.Dir(os.Args[0]))

diff --git a/deployments/helm/KubeArmor/templates/daemonset.yaml b/deployments/helm/KubeArmor/templates/daemonset.yaml
@@ -80,7 +80,7 @@ spec:
       hostPID: true
       initContainers:
       - image: {{printf "%s:%s" .Values.kubearmorInit.image.repository .Values.kubearmorInit.image.tag}}
-        imagePullPolicy: {{ .Values.kubearmor.imagePullPolicy }}
+        imagePullPolicy: {{ .Values.kubearmorInit.imagePullPolicy }}
         name: init
         securityContext:
           capabilities: