From b766840c3b2158b0c48533b8351facc05d00946a Mon Sep 17 00:00:00 2001
From: Benjamin Wang
Date: Mon, 19 Dec 2022 07:49:05 +0800
Subject: [PATCH] security: use distroless base image to address critical Vulnerabilities

Command: trivy image --severity CRITICAL gcr.io/etcd-development/etcd:v3.5.6 -f json -o 3.5.6_image_critical.json

Signed-off-by: Benjamin Wang
---
Dockerfile-release.amd64 | 7 +++++--
Dockerfile-release.arm64 | 7 +++++--
Dockerfile-release.ppc64le | 7 +++++--
Dockerfile-release.s390x | 8 ++++++--
4 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/Dockerfile-release.amd64 b/Dockerfile-release.amd64
index 45fef8513..67400b696 100644
--- a/Dockerfile-release.amd64
+++ b/Dockerfile-release.amd64
@@ -1,5 +1,8 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base:bullseye-v1.y.z when patched
-FROM debian:bullseye-20220328
+FROM --platform=linux/amd64 busybox:1.34.1 as source
+FROM --platform=linux/amd64 gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir

 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/
diff --git a/Dockerfile-release.arm64 b/Dockerfile-release.arm64
index dee01782e..b8ce477af 100644
--- a/Dockerfile-release.arm64
+++ b/Dockerfile-release.arm64
@@ -1,5 +1,8 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base-arm64:bullseye-1.y.z when patched
-FROM arm64v8/debian:bullseye-20220328
+FROM --platform=linux/arm64 busybox:1.34.1 as source
+FROM --platform=linux/arm64 gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir

 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/
diff --git a/Dockerfile-release.ppc64le b/Dockerfile-release.ppc64le
index 40a24f7f2..9cfe5d433 100644
--- a/Dockerfile-release.ppc64le
+++ b/Dockerfile-release.ppc64le
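Review bot: The runtime base on the second `FROM` line, `gcr.io/distroless/base-debian11`, carries no tag and therefore floats with `:latest`, and `busybox:1.34.1` is pinned by tag only, so the image trivy scanned for this change can drift from what a later release build produces; pin both by digest, e.g. `FROM --platform=linux/amd64 gcr.io/distroless/base-debian11@sha256:<digest-placeholder>`, and likewise for the busybox stage. The two `COPY --from=source` lines put a shell back into an image chosen for its reduced attack surface, which may be a deliberate compatibility trade-off but should be explained with a comment such as `# distroless ships no shell; busybox sh and mkdir are copied in for callers that exec into the container — confirm they are still needed`. The final stage sets no `USER`, so etcd still runs as root unless the deployment overrides it; `gcr.io/distroless/base-debian11:nonroot` is an option if data-directory ownership allows. As a style point, `as source` would read more consistently as `AS source` next to the uppercase instructions. The same applies to the Dockerfile-release.arm64, Dockerfile-release.ppc64le and Dockerfile-release.s390x hunks.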
@@ -1,5 +1,8 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base-ppc64le:bullseye-1.y.z when patched
-FROM ppc64le/debian:bullseye-20220328
+FROM --platform=linux/ppc64le busybox:1.34.1 as source
+FROM --platform=linux/ppc64le gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir

 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/
diff --git a/Dockerfile-release.s390x b/Dockerfile-release.s390x
index 66cac7697..d901b410c 100644
--- a/Dockerfile-release.s390x
+++ b/Dockerfile-release.s390x
@@ -1,5 +1,9 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base-s390x:bullseye-1.y.z when patched
-FROM s390x/debian:bullseye-20220328
+FROM --platform=linux/s390x busybox:1.34.1 as source
+FROM --platform=linux/s390x gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir
+

 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/