From 149fb90ab145980c02b36f8ceeb2a8927386ff04 Mon Sep 17 00:00:00 2001
From: fsl <1171313930@qq.com>
Date: Thu, 12 Jan 2023 23:29:00 +0800
Subject: [PATCH] fix: high-risk vulnerabilities caused by low version of kubebuilder and yq (#2505)

Signed-off-by: fsl <1171313930@qq.com>
Signed-off-by: fsl <1171313930@qq.com>
Co-authored-by: Rita Zhang
---
 Makefile | 10 +++++++---
 test/image/Dockerfile | 27 +++++++++++++--------------
 2 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/Makefile b/Makefile
index 96d4c5a7e24..ca2010e7f7d 100644
--- a/Makefile
+++ b/Makefile
@@ -15,13 +15,14 @@ VERSION := v3.12.0-beta.0
 KIND_VERSION ?= 0.17.0
 # note: k8s version pinned since KIND image availability lags k8s releases
 KUBERNETES_VERSION ?= 1.26.0
+KUBEBUILDER_VERSION ?= 3.8.0
 KUSTOMIZE_VERSION ?= 3.8.9
 BATS_VERSION ?= 1.8.2
 ORAS_VERSION ?= 0.16.0
 BATS_TESTS_FILE ?= test/bats/test.bats
 HELM_VERSION ?= 3.7.2
 NODE_VERSION ?= 16-bullseye-slim
-YQ_VERSION ?= 4.2.0
+YQ_VERSION ?= 4.30.6
 FRAMEWORKS_VERSION ?= $(shell go list -f '{{ .Version }}' -m github.com/open-policy-agent/frameworks/constraint)
 OPA_VERSION ?= $(shell go list -f '{{ .Version }}' -m github.com/open-policy-agent/opa)
 
@@ -449,11 +450,14 @@ __tooling-image:
 -t gatekeeper-tooling
 
 __test-image:
- docker build test/image \
+ docker buildx build test/image \
 -t gatekeeper-test \
+ --load \
 --build-arg YQ_VERSION=$(YQ_VERSION) \
 --build-arg BATS_VERSION=$(BATS_VERSION) \
- --build-arg ORAS_VERSION=$(ORAS_VERSION)
+ --build-arg ORAS_VERSION=$(ORAS_VERSION) \
+ --build-arg KUSTOMIZE_VERSION=$(KUSTOMIZE_VERSION) \
+ --build-arg KUBEBUILDER_VERSION=$(KUBEBUILDER_VERSION)
 
 .PHONY: vendor
 vendor:
diff --git a/test/image/Dockerfile b/test/image/Dockerfile
index 884184f340b..86f791fad22 100644
--- a/test/image/Dockerfile
+++ b/test/image/Dockerfile
@@ -4,25 +4,22 @@ FROM golang:1.19-bullseye as builder
 ARG BATS_VERSION
 ARG ORAS_VERSION
 ARG YQ_VERSION
+ARG KUSTOMIZE_VERSION
+ARG KUBEBUILDER_VERSION
+ARG TARGETARCH
 
 RUN apt-get update &&\
 apt-get install -y apt-utils make
 
 # Install kubebuilder
 WORKDIR /scratch
-ENV version=2.3.1
-ENV arch=amd64
-RUN curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${version}/kubebuilder_${version}_linux_${arch}.tar.gz" &&\
- tar -zxvf kubebuilder_${version}_linux_${arch}.tar.gz &&\
- mv kubebuilder_${version}_linux_${arch} /usr/local/kubebuilder &&\
- rm kubebuilder_${version}_linux_${arch}.tar.gz
+RUN curl -L -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_linux_${TARGETARCH}" &&\
+ mv kubebuilder_linux_${TARGETARCH} /usr/local/kubebuilder
 ENV PATH=$PATH:/usr/local/kubebuilder/bin:/usr/bin
 
 # Install kustomize
-ENV version=3.7.0
-ENV arch=amd64
-RUN curl -L -O "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${version}/kustomize_v${version}_linux_${arch}.tar.gz" &&\
- tar -zxvf kustomize_v${version}_linux_${arch}.tar.gz &&\
+RUN curl -L -O "https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv${KUSTOMIZE_VERSION}/kustomize_v${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz" &&\
+ tar -zxvf kustomize_v${KUSTOMIZE_VERSION}_linux_${TARGETARCH}.tar.gz &&\
 chmod +x kustomize &&\
 mv kustomize /usr/local/bin
 
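Review bot: The new kubebuilder step installs a bare binary at `/usr/local/kubebuilder`, but the unchanged `ENV PATH=$PATH:/usr/local/kubebuilder/bin:/usr/bin` line still points at the `bin/` subdirectory the old tarball layout provided, so the new binary is not on PATH, and because `curl -O` does not set the execute bit and there is no `chmod +x` (unlike the kustomize step right below) it would not be runnable even if found; unless the tests invoke it by absolute path, the image ends up without a working kubebuilder. The fetch also uses `curl -L -O` without `-f`, so an HTTP error (for example an unsupported `TARGETARCH`) saves the error body under the binary's name and the following `mv` succeeds, silently installing junk; the same applies to the kustomize fetch here and to the oras and yq downloads in the next hunk. Since the commit's purpose is to remove vulnerable tool versions, pinning a version does not by itself protect the build from a substituted or tampered artifact — verifying each download against the checksum the release publishes, where one is available, would close that gap. I would change the step to `RUN curl -fL -O "https://github.com/kubernetes-sigs/kubebuilder/releases/download/v${KUBEBUILDER_VERSION}/kubebuilder_linux_${TARGETARCH}" &&\`, `chmod +x kubebuilder_linux_${TARGETARCH} && mv kubebuilder_linux_${TARGETARCH} /usr/local/bin/kubebuilder`, and drop the now-dead `/usr/local/kubebuilder/bin` entry from PATH (or keep the current destination and point PATH at wherever the binary actually lands).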
@@ -31,14 +28,16 @@ RUN curl -sSLO https://github.com/bats-core/bats-core/archive/v${BATS_VERSION}.t
 tar -zxvf v${BATS_VERSION}.tar.gz && \
 bash bats-core-${BATS_VERSION}/install.sh /usr/local
 
-# Install ORAS
-RUN curl -SsLO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${arch}.tar.gz && \
+# Install oras
+RUN curl -SsLO https://github.com/oras-project/oras/releases/download/v${ORAS_VERSION}/oras_${ORAS_VERSION}_linux_${TARGETARCH}.tar.gz && \
 mkdir -p oras-install/ && tar -zxf oras_${ORAS_VERSION}_*.tar.gz -C oras-install/ && \
 mv oras-install/oras /usr/local/bin/ && rm -rf oras_${ORAS_VERSION}_*.tar.gz oras-install/
 
-# Install yq and jq
-RUN curl -LsS https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${arch} -o /usr/local/bin/yq \
+# Install yq
+RUN curl -LsS https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${TARGETARCH} -o /usr/local/bin/yq \
 && chmod +x /usr/local/bin/yq
+
+# Install jq
 RUN apt-get update && yes | apt-get install jq
 
 # Install docker