Split the setcap image from the base images, make them easier to override

build/common.sh

@@ -85,22 +85,35 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 # mapped to KUBE_RSYNC_PORT via docker networking.
 readonly KUBE_CONTAINER_RSYNC_PORT=8730
 
+# These are the default versions (image tags) for their respective base images.
+readonly __default_debian_iptables_version=buster-v1.5.0
+readonly __default_go_runner_version=buster-v2.3.1
+
+# These are the base images for the Docker-wrapped binaries.
+readonly KUBE_GORUNNER_IMAGE="${KUBE_GORUNNER_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/go-runner:$__default_go_runner_version}"
+readonly KUBE_APISERVER_BASE_IMAGE="${KUBE_APISERVER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_CONTROLLER_MANAGER_BASE_IMAGE="${KUBE_CONTROLLER_MANAGER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_SCHEDULER_BASE_IMAGE="${KUBE_SCHEDULER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_PROXY_BASE_IMAGE="${KUBE_PROXY_BASE_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/debian-iptables:$__default_debian_iptables_version}"
+
+# This is the image used in a multi-stage build to apply capabilities to Docker-wrapped binaries.
+readonly KUBE_BUILD_SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/setcap:buster-v1.4.0}"
+
 # Get the set of master binaries that run in Docker (on Linux)
-# Entry format is "<name-of-binary>,<base-image-name>:<base-image-version>".
+# Entry format is "<binary-name>,<base-image>".
 # Binaries are placed in /usr/local/bin inside the image.
-# When building these images the registry for the base images is considered to be ${KUBE_BASE_IMAGE_REGISTRY}.
+# `make` users can override any or all of the base images using the associated
+# environment variables.
 #
 # $1 - server architecture
 kube::build::get_docker_wrapped_binaries() {
-  local debian_iptables_version=buster-v1.5.0
-  local go_runner_version=buster-v2.3.1
   ### If you change any of these lists, please also update DOCKERIZED_BINARIES
   ### in build/BUILD. And kube::golang::server_image_targets
   local targets=(
-    "kube-apiserver,go-runner:${go_runner_version}"
+    "kube-apiserver,${KUBE_APISERVER_BASE_IMAGE}"
-    "kube-controller-manager,go-runner:${go_runner_version}"
+    "kube-controller-manager,${KUBE_CONTROLLER_MANAGER_BASE_IMAGE}"
-    "kube-scheduler,go-runner:${go_runner_version}"
+    "kube-scheduler,${KUBE_SCHEDULER_BASE_IMAGE}"
-    "kube-proxy,debian-iptables:${debian_iptables_version}"
+    "kube-proxy,${KUBE_PROXY_BASE_IMAGE}"
   )
 
   echo "${targets[@]}"

build/dependencies.yaml

@@ -156,7 +156,7 @@ dependencies:
     version: buster-v1.5.0
     refPaths:
     - path: build/common.sh
-      match: debian_iptables_version=
+      match: __default_debian_iptables_version=
     - path: build/workspace.bzl
       match: tag =
     - path: test/utils/image/manifest.go
@@ -166,7 +166,7 @@ dependencies:
     version: buster-v2.3.1
     refPaths:
     - path: build/common.sh
-      match: go_runner_version=
+      match: __default_go_runner_version=
     - path: build/workspace.bzl
       match: tag =
 

build/lib/release.sh

@@ -361,7 +361,7 @@ function kube::release::create_docker_images_for_server() {
     for wrappable in $binaries; do
 
       local binary_name=${wrappable%%,*}
-      local base_image_name=${wrappable##*,}
+      local base_image=${wrappable##*,}
       local binary_file_path="${binary_dir}/${binary_name}"
       local docker_build_path="${binary_file_path}.dockerbuild"
       local docker_image_tag="${docker_registry}/${binary_name}-${arch}:${docker_tag}"
@@ -384,8 +384,8 @@ function kube::release::create_docker_images_for_server() {
           --platform linux/"${arch}" \
           --load ${docker_build_opts:+"${docker_build_opts}"} \
           -t "${docker_image_tag}" \
-          --build-arg BASE_IMAGE_REGISTRY="${KUBE_BASE_IMAGE_REGISTRY}" \
+          --build-arg BASEIMAGE="${base_image}" \
-          --build-arg BASE_IMAGE_NAME="${base_image_name}" \
+          --build-arg SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE}" \
           --build-arg BINARY="${binary_name}" \
           "${docker_build_path}" >"${build_log}" 2>&1; then
             cat "${build_log}"

build/server-image/Dockerfile

@@ -14,10 +14,9 @@
 
 # Dockerfile used for the server images.
 
-ARG BASE_IMAGE_REGISTRY
+ARG BASEIMAGE
-ARG BASE_IMAGE_NAME
 ARG BINARY
 
 
-FROM "${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_NAME}"
+FROM "${BASEIMAGE}"
 COPY ${BINARY} /usr/local/bin/${BINARY}

build/server-image/kube-apiserver/Dockerfile

@@ -13,17 +13,18 @@
 # limitations under the License.
 
 # This file create the kube-apiserver image.
-ARG BASE_IMAGE_REGISTRY
+ARG BASEIMAGE
-ARG BASE_IMAGE_NAME
+ARG SETCAP_IMAGE
+
 # we use the hosts platform to apply the capabilities to avoid the need
 # to setup qemu for the builder.
-FROM --platform=linux/$BUILDARCH ${BASE_IMAGE_REGISTRY}/setcap:buster-v1.4.0
+FROM --platform=linux/$BUILDARCH ${SETCAP_IMAGE}
 ARG BINARY
 COPY ${BINARY} /${BINARY}
 # We apply cap_net_bind_service so that kube-apiserver can be run as
 # non-root and still listen on port less than 1024
 RUN setcap cap_net_bind_service=+ep /${BINARY}
 
-FROM --platform=linux/$TARGETARCH ${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_NAME}
+FROM --platform=linux/$TARGETARCH ${BASEIMAGE}
 ARG BINARY
 COPY --from=0 /${BINARY} /usr/local/bin/${BINARY}