From 4b83c760a95f299731f82f7a345faeaf81fab084 Mon Sep 17 00:00:00 2001
From: Jake Sanders
Date: Wed, 24 Feb 2021 11:04:34 -0800
Subject: [PATCH] Split the setcap image from the base images, make them easier to override
---
 build/common.sh | 29 ++++++++++++++------
 build/dependencies.yaml | 4 +--
 build/lib/release.sh | 6 ++--
 build/server-image/Dockerfile | 5 ++--
 build/server-image/kube-apiserver/Dockerfile | 9 +++---
 5 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/build/common.sh b/build/common.sh
index 9bfeebe4525..1b8049d64ee 100755
--- a/build/common.sh
+++ b/build/common.sh
@@ -85,22 +85,35 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 # mapped to KUBE_RSYNC_PORT via docker networking.
 readonly KUBE_CONTAINER_RSYNC_PORT=8730
+# These are the default versions (image tags) for their respective base images.
+readonly __default_debian_iptables_version=buster-v1.5.0
+readonly __default_go_runner_version=buster-v2.3.1
+
+# These are the base images for the Docker-wrapped binaries.
+readonly KUBE_GORUNNER_IMAGE="${KUBE_GORUNNER_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/go-runner:$__default_go_runner_version}"
+readonly KUBE_APISERVER_BASE_IMAGE="${KUBE_APISERVER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_CONTROLLER_MANAGER_BASE_IMAGE="${KUBE_CONTROLLER_MANAGER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_SCHEDULER_BASE_IMAGE="${KUBE_SCHEDULER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_PROXY_BASE_IMAGE="${KUBE_PROXY_BASE_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/debian-iptables:$__default_debian_iptables_version}"
+
+# This is the image used in a multi-stage build to apply capabilities to Docker-wrapped binaries.
+readonly KUBE_BUILD_SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/setcap:buster-v1.4.0}"
+
 # Get the set of master binaries that run in Docker (on Linux)
-# Entry format is ",:".
+# Entry format is ",".
 # Binaries are placed in /usr/local/bin inside the image.
-# When building these images the registry for the base images is considered to be ${KUBE_BASE_IMAGE_REGISTRY}.
+# `make` users can override any or all of the base images using the associated
+# environment variables.
 #
 # $1 - server architecture
 kube::build::get_docker_wrapped_binaries() {
- local debian_iptables_version=buster-v1.5.0
- local go_runner_version=buster-v2.3.1
 ### If you change any of these lists, please also update DOCKERIZED_BINARIES
 ### in build/BUILD.
And kube::golang::server_image_targets
 local targets=(
- "kube-apiserver,go-runner:${go_runner_version}"
- "kube-controller-manager,go-runner:${go_runner_version}"
- "kube-scheduler,go-runner:${go_runner_version}"
- "kube-proxy,debian-iptables:${debian_iptables_version}"
+ "kube-apiserver,${KUBE_APISERVER_BASE_IMAGE}"
+ "kube-controller-manager,${KUBE_CONTROLLER_MANAGER_BASE_IMAGE}"
+ "kube-scheduler,${KUBE_SCHEDULER_BASE_IMAGE}"
+ "kube-proxy,${KUBE_PROXY_BASE_IMAGE}"
 )
 echo "${targets[@]}"
diff --git a/build/dependencies.yaml b/build/dependencies.yaml
index 7205d7145af..0369c77150f 100644
--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@@ -156,7 +156,7 @@ dependencies:
 version: buster-v1.5.0
 refPaths:
 - path: build/common.sh
- match: debian_iptables_version=
+ match: __default_debian_iptables_version=
 - path: build/workspace.bzl
 match: tag =
 - path: test/utils/image/manifest.go
@@ -166,7 +166,7 @@ dependencies:
 version: buster-v2.3.1
 refPaths:
 - path: build/common.sh
- match: go_runner_version=
+ match: __default_go_runner_version=
 - path: build/workspace.bzl
 match: tag =
diff --git a/build/lib/release.sh b/build/lib/release.sh
index 007c9459497..446d6302df5 100644
--- a/build/lib/release.sh
+++ b/build/lib/release.sh
@@ -361,7 +361,7 @@ function kube::release::create_docker_images_for_server() {
 for wrappable in $binaries; do
 local binary_name=${wrappable%%,*}
- local base_image_name=${wrappable##*,}
+ local base_image=${wrappable##*,}
 local binary_file_path="${binary_dir}/${binary_name}"
 local docker_build_path="${binary_file_path}.dockerbuild"
 local docker_image_tag="${docker_registry}/${binary_name}-${arch}:${docker_tag}"
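Review bot: The setcap image tag `buster-v1.4.0` stays hard-coded inside the `KUBE_BUILD_SETCAP_IMAGE` default, while the go-runner and debian-iptables tags were lifted into `__default_*_version` variables that build/dependencies.yaml matches on (the `match:` updates in this same commit), so a future setcap bump would not be caught by that dependency check. Splitting it the same way keeps all three base-image pins in one tracked place: `readonly __default_setcap_version=buster-v1.4.0` and `readonly KUBE_BUILD_SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/setcap:$__default_setcap_version}"`; if dependencies.yaml has, or gains, a setcap entry, its `match:` should point at the new variable. All of these defaults select an image by mutable tag and can now be replaced wholesale through the environment, so the comment above them should state that the tag is what the dependency check tracks and that an override replaces the vetted image for every binary built in that invocation. The closing brace of kube::build::get_docker_wrapped_binaries lies outside the hunk.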
@@ -384,8 +384,8 @@ function kube::release::create_docker_images_for_server() {
 --platform linux/"${arch}" \
 --load ${docker_build_opts:+"${docker_build_opts}"} \
 -t "${docker_image_tag}" \
- --build-arg BASE_IMAGE_REGISTRY="${KUBE_BASE_IMAGE_REGISTRY}" \
- --build-arg BASE_IMAGE_NAME="${base_image_name}" \
+ --build-arg BASEIMAGE="${base_image}" \
+ --build-arg SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE}" \
 --build-arg BINARY="${binary_name}" \
 "${docker_build_path}" >"${build_log}" 2>&1; then
 cat "${build_log}"
diff --git a/build/server-image/Dockerfile b/build/server-image/Dockerfile
index 43d875c60c2..78e01c36474 100644
--- a/build/server-image/Dockerfile
+++ b/build/server-image/Dockerfile
@@ -14,10 +14,9 @@
 # Dockerfile used for the server images.
-ARG BASE_IMAGE_REGISTRY
-ARG BASE_IMAGE_NAME
+ARG BASEIMAGE
 ARG BINARY
-FROM "${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_NAME}"
+FROM "${BASEIMAGE}"
 COPY ${BINARY} /usr/local/bin/${BINARY}
diff --git a/build/server-image/kube-apiserver/Dockerfile b/build/server-image/kube-apiserver/Dockerfile
index e0c43531cc0..d5ac37d14f1 100644
--- a/build/server-image/kube-apiserver/Dockerfile
+++ b/build/server-image/kube-apiserver/Dockerfile
@@ -13,17 +13,18 @@
 # limitations under the License.
 # This file create the kube-apiserver image.
-ARG BASE_IMAGE_REGISTRY
-ARG BASE_IMAGE_NAME
+ARG BASEIMAGE
+ARG SETCAP_IMAGE
+
 # we use the hosts platform to apply the capabilities to avoid the need
 # to setup qemu for the builder.
-FROM --platform=linux/$BUILDARCH ${BASE_IMAGE_REGISTRY}/setcap:buster-v1.4.0
+FROM --platform=linux/$BUILDARCH ${SETCAP_IMAGE}
 ARG BINARY
 COPY ${BINARY} /${BINARY}
 # We apply cap_net_bind_service so that kube-apiserver can be run as
 # non-root and still listen on port less than 1024
 RUN setcap cap_net_bind_service=+ep /${BINARY}
-FROM --platform=linux/$TARGETARCH ${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_NAME}
+FROM --platform=linux/$TARGETARCH ${BASEIMAGE}
 ARG BINARY
 COPY --from=0 /${BINARY} /usr/local/bin/${BINARY}
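Review bot: `--build-arg SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE}"` is now passed for every wrapped binary, but of the two Dockerfiles touched in this commit only build/server-image/kube-apiserver/Dockerfile declares `ARG SETCAP_IMAGE`, so for the images built from build/server-image/Dockerfile the argument goes unconsumed and docker build writes a "build-args were not consumed" warning into `${build_log}`, which is only printed on failure and makes a genuinely misspelled argument harder to spot. Either declare `ARG SETCAP_IMAGE` in the generic Dockerfile with a comment that it is accepted but unused there, or pass the argument only for the Dockerfiles that use it. Since both images are now overridable from the environment, it is also worth logging the resolved `${base_image}` and `${KUBE_BUILD_SETCAP_IMAGE}` beside the existing per-binary status output, so a release log records which base images each artifact was built from. The docker build command and the enclosing function both start outside the hunk.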
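Review bot: `ARG BASEIMAGE` now carries a complete image reference rather than a registry/name pair, but nothing in build/server-image/Dockerfile says what it must contain or who supplies it, and an empty value only fails later at `FROM ""` with an unhelpful message. A one-line comment above the declaration would cover it, e.g. `# BASEIMAGE: fully-qualified base image reference (registry/name:tag), passed by build/lib/release.sh via --build-arg.`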
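Review bot: The setcap stage in build/server-image/kube-apiserver/Dockerfile is still unnamed and the final stage copies from it as `COPY --from=0`, which silently points at the wrong stage if another one is ever inserted ahead of it; now that the stage's image is a build argument it is worth naming: `FROM --platform=linux/$BUILDARCH ${SETCAP_IMAGE} AS setcap` and `COPY --from=setcap /${BINARY} /usr/local/bin/${BINARY}`. The comment introducing `ARG SETCAP_IMAGE` should also say that whatever image is supplied is the one that runs `setcap` on the binary shipped in the release image, so an override extends the build's trust base exactly as a BASEIMAGE override does.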