From c1bec6bd973a07e89d002f3e82234ed00a3a4f50 Mon Sep 17 00:00:00 2001
From: Benjamin Wang
Date: Mon, 19 Dec 2022 08:04:42 +0800
Subject: [PATCH] security: use distroless base image to address critical Vulnerabilities

Command: trivy image --severity CRITICAL gcr.io/etcd-development/etcd:v3.4.22 -f json -o 3.4.22_image_critical.json

Signed-off-by: Benjamin Wang
---
 Dockerfile-release | 7 +++++--
 Dockerfile-release.arm64 | 7 +++++--
 Dockerfile-release.ppc64le | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/Dockerfile-release b/Dockerfile-release
index 1a2337b59..25f9271c6 100644
--- a/Dockerfile-release
+++ b/Dockerfile-release
@@ -1,5 +1,8 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base:bullseye-v1.y.z when patched
-FROM debian:bullseye-20210927
+FROM --platform=linux/amd64 busybox:1.34.1 as source
+FROM --platform=linux/amd64 gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir
 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/
diff --git a/Dockerfile-release.arm64 b/Dockerfile-release.arm64
index 31e93ca12..d960ee440 100644
--- a/Dockerfile-release.arm64
+++ b/Dockerfile-release.arm64
@@ -1,5 +1,8 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base-arm64:bullseye-1.y.z when patched
-FROM arm64v8/debian:bullseye-20210927
+FROM --platform=linux/arm64 busybox:1.34.1 as source
+FROM --platform=linux/arm64 gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir
 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/
diff --git a/Dockerfile-release.ppc64le b/Dockerfile-release.ppc64le
index a34f75084..74bd72a97 100644
--- a/Dockerfile-release.ppc64le
+++ b/Dockerfile-release.ppc64le
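Review bot: The runtime base on the second FROM line, `gcr.io/distroless/base-debian11`, carries no tag or digest, so it floats to whatever the registry's default tag points at and the CVE status established by the trivy command in the commit message cannot be tied to the image a later rebuild will produce; pin it, e.g. `FROM --platform=linux/amd64 gcr.io/distroless/base-debian11@sha256:<DIGEST_OF_SCANNED_IMAGE>`, and consider a digest on `busybox:1.34.1` for the same reason. The two COPY lines place `/bin/sh` and `/bin/mkdir` from busybox into an image whose package database does not record them, so a scanner that relies on that database will presumably not report busybox advisories against these files — a comment above the COPY lines stating why a shell is required and that the busybox tag must be bumped by hand would make this maintenance burden visible. The final stage still has no `USER`, so the container runs as root unless the `:nonroot` tag of this base is used; whether etcd's data-directory handling permits that is not visible here, since the rest of the Dockerfile is outside the hunk. The arm64 and ppc64le hunks have the identical shape and the same points apply to them.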
@@ -1,5 +1,8 @@
-# TODO: move to k8s.gcr.io/build-image/debian-base-ppc64le:bullseye-1.y.z when patched
-FROM ppc64le/debian:bullseye-20210927
+FROM --platform=linux/ppc64le busybox:1.34.1 as source
+FROM --platform=linux/ppc64le gcr.io/distroless/base-debian11
+
+COPY --from=source /bin/sh /bin/sh
+COPY --from=source /bin/mkdir /bin/mkdir
 ADD etcd /usr/local/bin/
 ADD etcdctl /usr/local/bin/