
Chore(security): Add litmus hardened alpine as base image in chaos-scheduler (#29)

Signed-off-by: udit <[email protected]>
uditgaurav authored Sep 30, 2021
1 parent a291ae0 commit 6a0fbba
Showing 7 changed files with 42 additions and 40 deletions.
22 changes: 22 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -24,6 +24,28 @@ jobs:
- name: unused-package check
run: make unused-package-check

trivy:
needs: pre-checks
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
with:
ref: ${{ github.event.pull_request.head.sha }}

- name: Build an image from Dockerfile
run: |
docker build -f build/Dockerfile -t docker.io/litmuschaos/chaos-scheduler:${{ github.sha }} . --build-arg TARGETPLATFORM=linux/amd64
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/litmuschaos/chaos-scheduler:${{ github.sha }}'
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'

image-build:
runs-on: ubuntu-latest
needs: pre-checks
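Review bot: The scanner step at `uses: aquasecurity/trivy-action@master` pulls an unpinned, mutable branch of a third-party action into a job that is meant to fail the build on CRITICAL/HIGH findings, so the action's code can change under this workflow without any change to the repository; pin it to a release tag or, better, a full commit SHA, e.g. `uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`, and consider the same for `actions/checkout@v2`. The new trivy job is also not a prerequisite of image-build, which still declares `needs: pre-checks`, so a failing scan does not by itself stop the image from being built; if the scan is intended to gate the build, change that line to `needs: [pre-checks, trivy]`. The CI build passes `--build-arg TARGETPLATFORM=linux/amd64` while the Makefile in this same commit passes `TARGETARCH=amd64`; which of the two the Dockerfile's build stage consumes is outside the hunk, so it is worth confirming that the scanned image is built the same way as the released one.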
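--- a/Makefile
+++ b/Makefile
@@ -84,4 +84,11 @@ build-amd64:
 @echo "--------------------------------------------"
 @echo "--> Build chaos-scheduler amd-64 docker image"
 @echo "--------------------------------------------"
-@sudo docker build --file build/Dockerfile --tag $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG) . --build-arg TARGETARCH=amd64
+@sudo docker build --file build/Dockerfile --tag $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG) . --build-arg TARGETARCH=amd64
+
+.PHONY: push-amd64
+push-amd64:
+@echo "--------------------------------------------"
+@echo "--> Push chaos-scheduler amd-64 docker image"
+@echo "--------------------------------------------"
+@sudo docker push $(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG)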
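Review bot: push-amd64 pushes `$(DOCKER_REPO)/$(DOCKER_IMAGE):$(DOCKER_TAG)` without checking that those variables are set; they are defined outside this hunk, and an empty DOCKER_TAG yields a malformed reference while a defaulted one can silently publish to the wrong tag. Guard the push with a first recipe line such as `@test -n "$(DOCKER_TAG)" || { echo "DOCKER_TAG is not set"; exit 1; }`. The `@` prefix on the `docker push` line also hides the exact reference being pushed from the log, which makes a mis-targeted push hard to diagnose; either drop the `@` or echo the reference before pushing. The old and new build-amd64 lines read identically here, so that change is presumably whitespace or a missing trailing newline and carries no functional difference.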
16 changes: 5 additions & 11 deletions build/Dockerfile
Expand Up @@ -17,19 +17,13 @@ RUN go env
RUN CGO_ENABLED=0 go build -o /output/chaos-scheduler -v ./cmd/manager/

# Packaging stage
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4
# Image source: https://github.com/litmuschaos/test-tools/blob/master/custom/hardened-alpine/infra/Dockerfile
# The base image is non-root (have litmus user) with default litmus directory.
FROM litmuschaos/infra-alpine

LABEL maintainer="LitmusChaos"

ENV SCHEDULER=/usr/local/bin/chaos-scheduler \
USER_UID=1001 \
USER_NAME=chaos-scheduler

ENV SCHEDULER=/usr/local/bin/chaos-scheduler
COPY --from=builder /output/chaos-scheduler ${SCHEDULER}

COPY build/bin /usr/local/bin
RUN /usr/local/bin/user_setup

ENTRYPOINT ["/usr/local/bin/entrypoint"]

USER ${USER_UID}
ENTRYPOINT ["/usr/local/bin/chaos-scheduler"]
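Review bot: The new base image at `FROM litmuschaos/infra-alpine` carries neither a tag nor a digest, so each build resolves whatever `latest` is at that moment, and the image the CI trivy job scanned need not be the one a later build ships; pin it as `FROM litmuschaos/infra-alpine:<tag>@sha256:<digest>` using values taken from the test-tools image the comment above references. The commit also removes the explicit `USER ${USER_UID}` line and relies on the comment's statement that the base image already runs as the litmus user; with user_setup gone, nothing in this file asserts non-root, so an explicit USER line naming that account before the ENTRYPOINT (presumably `USER litmus`, to be confirmed against the referenced test-tools Dockerfile) keeps the guarantee local rather than dependent on an upstream image that can change. A one-line comment on `COPY --from=builder` noting that the binary is copied with default (root) ownership, which is what prevents the runtime user from modifying it, would make that intent explicit for future edits.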
12 changes: 0 additions & 12 deletions build/bin/entrypoint

This file was deleted.

13 changes: 0 additions & 13 deletions build/bin/user_setup

This file was deleted.

5 changes: 3 additions & 2 deletions go.mod
Expand Up @@ -10,8 +10,9 @@ require (
github.com/operator-framework/operator-sdk v0.15.2
github.com/robfig/cron/v3 v3.0.1
github.com/spf13/pflag v1.0.5
k8s.io/api v0.17.3
k8s.io/apimachinery v0.17.3
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f // indirect
k8s.io/api v0.22.2
k8s.io/apimachinery v0.22.2
k8s.io/client-go v12.0.0+incompatible
k8s.io/kube-openapi v0.0.0-20200121204235-bf4fb3bd569c
sigs.k8s.io/controller-runtime v0.4.0
5 changes: 4 additions & 1 deletion go.sum
Expand Up @@ -879,8 +879,9 @@ golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20190911031432-227b76d455e7/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20191028145041-f83a4685e152/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f h1:aZp0e2vLN4MToVqnjNEYEtrEA8RH8U8FN1CU7JgqsPU=
golang.org/x/crypto v0.0.0-20201216223049-8b5274cf687f/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190312203227-4b39c73a6495/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
Expand Down Expand Up @@ -992,6 +993,8 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk=
golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.0.0-20170915090833-1cbadb444a80/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
