fix: high-risk vulnerabilities caused by low version of kubebuilder a…
…nd yq (#2505)

Signed-off-by: fsl <1171313930@qq.com>

Signed-off-by: fsl <1171313930@qq.com>
Co-authored-by: Rita Zhang <rita.z.zhang@gmail.com>
fengshunli and ritazh authored Jan 12, 2023
1 parent beb2432 commit 149fb90
Showing 2 changed files with 20 additions and 17 deletions.
10 changes: 7 additions & 3 deletions Makefile
@@ -15,13 +15,14 @@ VERSION := v3.12.0-beta.0
KIND_VERSION ?= 0.17.0
# note: k8s version pinned since KIND image availability lags k8s releases
KUBERNETES_VERSION ?= 1.26.0
KUBEBUILDER_VERSION ?= 3.8.0
KUSTOMIZE_VERSION ?= 3.8.9
BATS_VERSION ?= 1.8.2
ORAS_VERSION ?= 0.16.0
BATS_TESTS_FILE ?= test/bats/test.bats
HELM_VERSION ?= 3.7.2
NODE_VERSION ?= 16-bullseye-slim
YQ_VERSION ?= 4.2.0
YQ_VERSION ?= 4.30.6
FRAMEWORKS_VERSION ?= $(shell go list -f '{{ .Version }}' -m github.com/open-policy-agent/frameworks/constraint)
OPA_VERSION ?= $(shell go list -f '{{ .Version }}' -m github.com/open-policy-agent/opa)

@@ -449,11 +450,14 @@ __tooling-image:
-t gatekeeper-tooling

__test-image:
docker build test/image \
docker buildx build test/image \
-t gatekeeper-test \
--load \
--build-arg YQ_VERSION=$(YQ_VERSION) \
--build-arg BATS_VERSION=$(BATS_VERSION) \
--build-arg ORAS_VERSION=$(ORAS_VERSION)
--build-arg ORAS_VERSION=$(ORAS_VERSION) \
--build-arg KUSTOMIZE_VERSION=$(KUSTOMIZE_VERSION) \
--build-arg KUBEBUILDER_VERSION=$(KUBEBUILDER_VERSION)

.PHONY: vendor
vendor:
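Review bot: The `__test-image` recipe now needs the buildx plugin, and nothing beside `docker buildx build` says why. The Dockerfile it builds reads `TARGETARCH`, which is normally filled in by BuildKit; under the legacy builder it would be empty and the download URLs would be malformed. A comment above the recipe would record this, for example `# buildx required: test/image/Dockerfile uses the BuildKit-provided TARGETARCH; --load puts the result in the local docker image store`. Separately, `KUSTOMIZE_VERSION` (3.8.9 in the first hunk) is now passed into the image while only kubebuilder and yq appear to be raised, so it is worth confirming that the finding behind this commit did not also cover kustomize.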
27 changes: 13 additions & 14 deletions test/image/Dockerfile
@@ -4,25 +4,22 @@ FROM golang:1.19-bullseye as builder
ARG BATS_VERSION
ARG ORAS_VERSION
ARG YQ_VERSION
ARG KUSTOMIZE_VERSION
ARG KUBEBUILDER_VERSION
ARG TARGETARCH

RUN apt-get update &&\
apt-get install -y apt-utils make

# Install kubebuilder
WORKDIR /scratch
ENV version=2.3.1
ENV arch=amd64
RUN curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${version}/kubebuilder_${version}_linux_${arch}.tar.gz" &&\
tar -zxvf kubebuilder_${version}_linux_${arch}.tar.gz &&\
mv kubebuilder_${version}_linux_${arch} /usr/local/kubebuilder &&\
rm kubebuilder_${version}_linux_${arch}.tar.gz
RUN curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_linux_${TARGETARCH}" &&\
mv kubebuilder_linux_${TARGETARCH} /usr/local/kubebuilder
ENV PATH=$PATH:/usr/local/kubebuilder/bin:/usr/bin

# Install kustomize
ENV version=3.7.0
ENV arch=amd64
RUN curl -L -O "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_${arch}.tar.gz" &&\
tar -zxvf kustomize_v${version}_linux_${arch}.tar.gz &&\
RUN curl -L -O "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz" &&\
tar -zxvf kustomize_v${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz &&\
chmod +x kustomize &&\
mv kustomize /usr/local/bin

@@ -31,14 +28,16 @@ RUN curl -sSLO https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.t
tar -zxvf v${BATS_VERSION}.tar.gz && \
bash bats-core-${BATS_VERSION}/install.sh /usr/local

# Install ORAS
RUN curl -SsLO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${arch}.tar.gz && \
# Install oras
RUN curl -SsLO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${TARGETARCH}.tar.gz && \
mkdir -p oras-install/ && tar -zxf oras_${ORAS_VERSION}_*.tar.gz -C oras-install/ && \
mv oras-install/oras /usr/local/bin/ && rm -rf oras_${ORAS_VERSION}_*.tar.gz oras-install/

# Install yq and jq
RUN curl -LsS https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${arch} -o /usr/local/bin/yq \
# Install yq
RUN curl -LsS https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${TARGETARCH} -o /usr/local/bin/yq \
&& chmod +x /usr/local/bin/yq

# Install jq
RUN apt-get update && yes | apt-get install jq

# Install docker
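Review bot: The kubebuilder step now ends with `mv kubebuilder_linux_${TARGETARCH} /usr/local/kubebuilder`, which leaves `/usr/local/kubebuilder` as a single file with no `chmod +x`, while the following `ENV PATH` line still adds `/usr/local/kubebuilder/bin`. If the release asset is a bare binary, as the name without `.tar.gz` suggests, the tool would not be reachable on PATH. Installing it the way yq is installed avoids that: `curl -fsSL -o /usr/local/bin/kubebuilder "<same release URL>" && chmod +x /usr/local/bin/kubebuilder`. The curl calls visible in these hunks also run without `--fail` and without any digest check, so an HTTP error page or a swapped release asset would be installed into the image as a binary. Adding `-f` and verifying each download against a pinned SHA-256 with `sha256sum -c` would close that gap.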