Backend - Starting the api-server container build from scratch (#1699)

* Backend - Starting the container build from scratch
This reduces the image size, reduces the attack surface and avoids security vulnerabilities.
Fixes https://github.com/kubeflow/pipelines/issues/1545

* Starting building other controller images from scratch
Alexey Volkov 2019-08-02 11:27:53 -07:00 committed by Kubernetes Prow Robot
parent e8a6feb229
commit 24347fbaed
4 changed files with 6 additions and 8 deletions


@ -1,7 +1,7 @@
FROM l.gcr.io/google/bazel:0.24.0 as builder
RUN apt-get update && \
apt-get install -y cmake clang musl-dev openssl
apt-get install -y cmake clang musl-dev openssl ca-certificates
WORKDIR /go/src/github.com/kubeflow/pipelines
COPY WORKSPACE WORKSPACE
@ -31,7 +31,7 @@ COPY ./samples .
#The "for" loop breaks on all whitespace, so we either need to override IFS or use the "read" command instead.
RUN find . -maxdepth 3 -name '*.py' -type f | while read pipeline; do dsl-compile --py "$pipeline" --output "$pipeline.tar.gz"; done
FROM debian:stretch
FROM scratch
ARG COMMIT_SHA=unknown
ENV COMMIT_SHA=${COMMIT_SHA}
@ -45,7 +45,7 @@ COPY backend/src/apiserver/config/ /config
COPY --from=compiler /samples/ /samples/
# Adding CA certificate so API server can download pipeline through URL
RUN apt-get update && apt-get install -y ca-certificates
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
# Expose apiserver port
EXPOSE 8888
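Review bot: The trust store brought in by `COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/` is frozen at whatever the builder's unpinned `apt-get install -y ... ca-certificates` resolved when that layer was last built. The `scratch` stage has no package manager to refresh it. A cached builder layer will keep shipping an old bundle, including roots that have since been distrusted, and the API server uses this bundle when it downloads pipelines by URL. I would document that above the COPY, for example `# CA bundle is a build-time snapshot from the builder stage; rebuild that stage without cache to pick up trust-store updates`. The release process should also rebuild the builder layer periodically.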


@ -9,7 +9,7 @@ RUN apk update && apk upgrade && \
RUN GO111MODULE=on go build -o /bin/persistence_agent backend/src/agent/persistence/*.go
FROM alpine:3.8
FROM scratch
WORKDIR /bin
COPY --from=builder /bin/persistence_agent /bin/persistence_agent
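Review bot: With `FROM scratch` there is no libc or dynamic loader in the final image, but the build line `RUN GO111MODULE=on go build -o /bin/persistence_agent ...` does not force a static binary. If cgo is enabled in the builder (its `apk` line continues outside this hunk, so I cannot tell whether a C toolchain is installed), the binary links against musl and the container fails at exec. Making it explicit removes the dependency on builder contents: `RUN CGO_ENABLED=0 GO111MODULE=on go build -o /bin/persistence_agent backend/src/agent/persistence/*.go`. The same applies to the `go build -o /bin/controller` lines in the scheduledworkflow and viewer controller sections below.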


@ -9,12 +9,11 @@ RUN apk update && apk upgrade && \
RUN GO111MODULE=on go build -o /bin/controller backend/src/crd/controller/scheduledworkflow/*.go
FROM alpine:3.8
FROM scratch
WORKDIR /bin
COPY --from=builder /bin/controller /bin/controller
COPY --from=builder /go/src/github.com/kubeflow/pipelines/third_party/license.txt /bin/license.txt
RUN chmod +x /bin/controller
ENV NAMESPACE ""
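Review bot: No `USER` instruction is visible in this final stage, so unless one sits outside the hunk the controller runs as uid 0, which undercuts the attack-surface goal stated in the commit message. `scratch` has no `/etc/passwd`, so a name cannot be resolved, but the numeric form works: add `USER 65534:65534` after the `COPY --from=builder` lines. A numeric UID also lets Kubernetes `runAsNonRoot` verify the image. The other three final stages in this commit (api-server, persistence agent, viewer controller) show the same gap in their visible lines.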


@ -9,7 +9,7 @@ COPY . .
RUN go mod vendor
RUN go build -o /bin/controller backend/src/crd/controller/viewer/*.go
FROM alpine
FROM scratch
WORKDIR /src
COPY --from=builder /src/github.com/kubeflow/pipelines/vendor vendor
@ -17,7 +17,6 @@ WORKDIR /bin
COPY --from=builder /bin/controller /bin/controller
COPY --from=builder /src/github.com/kubeflow/pipelines/third_party/license.txt /bin/license.txt
RUN chmod +x /bin/controller
ENV MAX_NUM_VIEWERS "50"
ENV NAMESPACE "kubeflow"
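Review bot: The final stage still ships the whole dependency tree via `WORKDIR /src` and `COPY --from=builder /src/github.com/kubeflow/pipelines/vendor vendor`, which works against the size reduction this commit is after. The compiled `/bin/controller` does not need the sources at runtime. If the copy exists for licence compliance (my assumption, since `license.txt` is copied right after), say so in a comment such as `# vendor/ is shipped for third-party licence/source compliance, not used at runtime`, or copy only the licence files. The stage may continue past the lines visible here.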