Switch core master base images from debian to distroless

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2025-11-13 06:04:02 +00:00 · 2019-05-02 10:12:38 -07:00
parent ba3bf32300
commit 1aa67fc525
12 changed files with 90 additions and 31 deletions
--- a/cluster/gce/gci/apiserver_etcd_test.go
+++ b/cluster/gce/gci/apiserver_etcd_test.go
@@ -71,14 +71,14 @@ func TestServerOverride(t *testing.T) {

 			c.mustInvokeFunc(
 				tc.env,
-				kubeAPIServerConfigScriptName,
+				[]string{"configure-helper.sh", kubeAPIServerConfigScriptName},
 				"etcd.template",
 				"testdata/kube-apiserver/base.template",
 				"testdata/kube-apiserver/etcd.template",
 			)
 			c.mustLoadPodFromManifest()

-			execArgs := c.pod.Spec.Containers[0].Command[2]
+			execArgs := strings.Join(c.pod.Spec.Containers[0].Command, " ")
 			for _, f := range tc.want {
 				if !strings.Contains(execArgs, f) {
 					t.Fatalf("Got %q, want it to contain %q", execArgs, f)
@@ -127,14 +127,14 @@ func TestStorageOptions(t *testing.T) {

 			c.mustInvokeFunc(
 				tc.env,
-				kubeAPIServerConfigScriptName,
+				[]string{"configure-helper.sh", kubeAPIServerConfigScriptName},
 				"etcd.template",
 				"testdata/kube-apiserver/base.template",
 				"testdata/kube-apiserver/etcd.template",
 			)
 			c.mustLoadPodFromManifest()

-			execArgs := c.pod.Spec.Containers[0].Command[2]
+			execArgs := strings.Join(c.pod.Spec.Containers[0].Command, " ")
 			for _, f := range tc.want {
 				if !strings.Contains(execArgs, f) {
 					t.Fatalf("Got %q, want it to contain %q", execArgs, f)
@@ -191,14 +191,14 @@ func TestTLSFlags(t *testing.T) {

 			c.mustInvokeFunc(
 				tc.env,
-				kubeAPIServerConfigScriptName,
+				[]string{"configure-helper.sh", kubeAPIServerConfigScriptName},
 				"etcd.template",
 				"testdata/kube-apiserver/base.template",
 				"testdata/kube-apiserver/etcd.template",
 			)
 			c.mustLoadPodFromManifest()

-			execArgs := c.pod.Spec.Containers[0].Command[2]
+			execArgs := strings.Join(c.pod.Spec.Containers[0].Command, " ")
 			for _, f := range tc.want {
 				if !strings.Contains(execArgs, f) {
 					t.Fatalf("Got %q, want it to contain %q", execArgs, f)
--- a/cluster/gce/gci/apiserver_kms_test.go
+++ b/cluster/gce/gci/apiserver_kms_test.go
@@ -45,11 +45,6 @@ type kubeAPIServerEnv struct {

 func TestEncryptionProviderFlag(t *testing.T) {
 	var (
-		//	command": [
-		//   "/bin/sh", - Index 0
-		//   "-c",      - Index 1
-		//   "exec /usr/local/bin/kube-apiserver " - Index 2
-		execArgsIndex        = 2
 		encryptionConfigFlag = "--encryption-provider-config"
 	)

@@ -83,13 +78,13 @@ func TestEncryptionProviderFlag(t *testing.T) {

 			c.mustInvokeFunc(
 				e,
-				kubeAPIServerConfigScriptName,
+				[]string{"configure-helper.sh", kubeAPIServerConfigScriptName},
 				"kms.template",
 				"testdata/kube-apiserver/base.template",
 				"testdata/kube-apiserver/kms.template")
 			c.mustLoadPodFromManifest()

-			execArgs := c.pod.Spec.Containers[0].Command[execArgsIndex]
+			execArgs := strings.Join(c.pod.Spec.Containers[0].Command, " ")
 			flagIsInArg := strings.Contains(execArgs, encryptionConfigFlag)
 			flag := fmt.Sprintf("%s=%s", encryptionConfigFlag, e.EncryptionProviderConfigPath)

@@ -118,7 +113,7 @@ func TestEncryptionProviderConfig(t *testing.T) {

 	c.mustInvokeFunc(
 		e,
-		kubeAPIServerConfigScriptName,
+		[]string{"configure-helper.sh", kubeAPIServerConfigScriptName},
 		"kms.template",

 		"testdata/kube-apiserver/base.template",
@@ -189,7 +184,7 @@ func TestKMSIntegration(t *testing.T) {

 			c.mustInvokeFunc(
 				e,
-				kubeAPIServerConfigScriptName,
+				[]string{"configure-helper.sh", kubeAPIServerConfigScriptName},
 				"kms.template",

 				"testdata/kube-apiserver/base.template",
--- a/cluster/gce/gci/audit_policy_test.go
+++ b/cluster/gce/gci/audit_policy_test.go
@@ -54,7 +54,7 @@ func TestCreateMasterAuditPolicy(t *testing.T) {
 	// Initialize required environment variables.
 	c.mustInvokeFunc(
 		kubeAPIServerEnv{KubeHome: c.kubeHome},
-		"configure-helper.sh",
+		[]string{"configure-helper.sh"},
 		"base.template",
 		"testdata/kube-apiserver/base.template",
 	)
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -25,6 +25,24 @@ set -o errexit
 set -o nounset
 set -o pipefail

+function convert-manifest-params {
+  # A helper function to convert the manifest args from a string to a list of
+  # flag arguments.
+  # Old format:
+  #   command=["/bin/sh", "-c", "exec KUBE_EXEC_BINARY --param1=val1 --param2-val2"].
+  # New format:
+  #   command=["KUBE_EXEC_BINARY"]  # No shell dependencies.
+  #   args=["--param1=val1", "--param2-val2"]
+  IFS=' ' read -ra FLAGS <<< "$1"
+  params=""
+  for flag in "${FLAGS[@]}"; do
+    params+="\n\"$flag\","
+  done
+  if [ ! -z $params ]; then
+    echo "${params::-1}"  #  drop trailing comma
+  fi
+}
+
 function setup-os-params {
  # Reset core_pattern. On GCI, the default core_pattern pipes the core dumps to
  # /sbin/crash_reporter which is more restrictive in saving crash dumps. So for
@@ -1927,6 +1945,8 @@ function start-kube-scheduler {
    params+=" --use-legacy-policy-config"
    params+=" --policy-config-file=/etc/srv/kubernetes/kube-scheduler/policy-config"
  fi
+
+  params="$(convert-manifest-params "${params}")"
  local -r kube_scheduler_docker_tag=$(cat "${KUBE_HOME}/kube-docker-files/kube-scheduler.docker_tag")

  # Remove salt comments and replace variables with values.
--- a/cluster/gce/gci/configure-kubeapiserver.sh
+++ b/cluster/gce/gci/configure-kubeapiserver.sh
@@ -354,6 +354,7 @@ function start-kube-apiserver {
  # params is passed by reference, so no "$"
  setup-etcd-encryption "${src_file}" params

+  params="$(convert-manifest-params "${params}")"
  # Evaluate variables.
  local -r kube_apiserver_docker_tag="${KUBE_API_SERVER_DOCKER_TAG:-$(cat /home/kubernetes/kube-docker-files/kube-apiserver.docker_tag)}"
  sed -i -e "s@{{params}}@${params}@g" "${src_file}"
--- a/cluster/gce/gci/configure_helper_test.go
+++ b/cluster/gce/gci/configure_helper_test.go
@@ -106,15 +106,19 @@ func (c *ManifestTestCase) mustCreateManifestDstDir() {
 	}
 }

-func (c *ManifestTestCase) mustInvokeFunc(env interface{}, scriptName, targetTemplate string, templates ...string) {
+func (c *ManifestTestCase) mustInvokeFunc(env interface{}, scriptNames []string, targetTemplate string, templates ...string) {
 	envScriptPath := c.mustCreateEnv(env, targetTemplate, templates...)
-	args := fmt.Sprintf("source %q ; source %q; %s", envScriptPath, scriptName, c.manifestFuncName)
+	args := fmt.Sprintf("source %q ;", envScriptPath)
+	for _, script := range scriptNames {
+		args += fmt.Sprintf("source %q ;", script)
+	}
+	args += c.manifestFuncName
 	cmd := exec.Command("bash", "-c", args)

 	bs, err := cmd.CombinedOutput()
 	if err != nil {
 		c.t.Logf("%q", bs)
-		c.t.Fatalf("Failed to run %q: %v", scriptName, err)
+		c.t.Fatalf("Failed to run %q: %v", cmd.Args, err)
 	}
 	c.t.Logf("%s", string(bs))
 }
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
@@ -26,9 +26,10 @@
      }
    },
    "command": [
-                 "/bin/sh",
-                 "-c",
-                 "exec /usr/local/bin/kube-apiserver {{params}} --allow-privileged={{pillar['allow_privileged']}} 1>>/var/log/kube-apiserver.log 2>&1"
+                 "/go-runner", "--log-file=/var/log/kube-apiserver.log", "--also-stdout=false", "--redirect-stderr=true",
+                 "/usr/local/bin/kube-apiserver",
+                 "--allow-privileged={{pillar['allow_privileged']}}",
+                 {{params}}
               ],
    {{container_env}}
    "livenessProbe": {
--- a/cluster/gce/manifests/kube-scheduler.manifest
+++ b/cluster/gce/manifests/kube-scheduler.manifest
@@ -38,9 +38,9 @@
      }
    },
    "command": [
-                 "/bin/sh",
-                 "-c",
-                 "exec /usr/local/bin/kube-scheduler {{params}} 1>>/var/log/kube-scheduler.log 2>&1"
+                 "/go-runner", "--log-file=/var/log/kube-scheduler.log", "--also-stdout=false", "--redirect-stderr=true",
+                 "/usr/local/bin/kube-scheduler",
+                 {{params}}
               ],
    "livenessProbe": {
      "httpGet": {