Use distroless base image for linux builds

Signed-off-by: Eddie Torres <[email protected]>
kubernetes-sigs · May 11, 2022 · 19fb00d · 19fb00d
1 parent 864a106
commit 19fb00d
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 11 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,11 +22,50 @@ ARG TARGETOS
 ARG TARGETARCH
 RUN OS=$TARGETOS ARCH=$TARGETARCH make $TARGETOS/$TARGETARCH
 
-FROM amazonlinux:2 AS linux-amazon
-RUN yum update -y && \
-    yum install ca-certificates e2fsprogs xfsprogs util-linux -y && \
-    yum clean all
+FROM k8s.gcr.io/build-image/debian-base:bullseye-v1.2.0 as debian
+RUN clean-install util-linux e2fsprogs mount ca-certificates udev xfsprogs
+
+FROM gcr.io/distroless/base-debian11 AS distroless-amd64
+ENV LIB_DIRECTORY /lib/x86_64-linux-gnu/
+
+FROM gcr.io/distroless/base-debian11 AS distroless-arm64
+ENV LIB_DIRECTORY /lib/aarch64-linux-gnu/
+
+FROM distroless-$TARGETARCH as linux-distroless
 COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver /bin/aws-ebs-csi-driver
+COPY --from=debian /sbin/blkid \
+                   /sbin/blockdev \
+                   /sbin/dumpe2fs \
+                   /sbin/resize2fs \
+                   /sbin/fsck /sbin/fsck.ext4 /sbin/fsck.ext3 /sbin/fsck.xfs \
+                   /sbin/mkfs /sbin/mkfs.ext4 /sbin/mkfs.ext3 /sbin/mkfs.xfs \
+                   /sbin/
+COPY --from=debian /usr/sbin/xfs_io \
+                   /usr/sbin/xfs_growfs \
+                   /usr/sbin/
+COPY --from=debian /bin/umount \
+                   /bin/mount \
+                   /bin
+COPY --from=debian ${LIB_DIRECTORY}/libcom_err.so.2 \
+                   ${LIB_DIRECTORY}/libdevmapper.so.1.02.1 \
+                   ${LIB_DIRECTORY}/libdl.so.2 \
+                   ${LIB_DIRECTORY}/libe2p.so.2 \
+                   ${LIB_DIRECTORY}/libext2fs.so.2 \
+                   ${LIB_DIRECTORY}/libm.so.6 \
+                   ${LIB_DIRECTORY}/libpthread.so.0 \
+                   ${LIB_DIRECTORY}/libselinux.so.1 \
+                   ${LIB_DIRECTORY}/libtinfo.so.6 \
+                   ${LIB_DIRECTORY}/
+COPY --from=debian /usr/${LIB_DIRECTORY}/libblkid.so.1 \
+                   /usr/${LIB_DIRECTORY}/libbsd.so.0 \
+                   /usr/${LIB_DIRECTORY}/libedit.so.2 \
+                   /usr/${LIB_DIRECTORY}/libinih.so.1 \
+                   /usr/${LIB_DIRECTORY}/libmd.so.0 \
+                   /usr/${LIB_DIRECTORY}/libmount.so.1 \
+                   /usr/${LIB_DIRECTORY}/libpcre2-8.so.0 \
+                   /usr/${LIB_DIRECTORY}/libudev.so.1 \
+                   /usr/${LIB_DIRECTORY}/libuuid.so.1 \
+                   /usr/${LIB_DIRECTORY}/
 ENTRYPOINT ["/bin/aws-ebs-csi-driver"]
 
 FROM mcr.microsoft.com/windows/servercore:1809 AS windows-1809
@@ -39,4 +78,4 @@ ENTRYPOINT ["/aws-ebs-csi-driver.exe"]
 
 FROM mcr.microsoft.com/windows/servercore:ltsc2019 AS windows-ltsc2019
 COPY --from=builder /go/src/github.com/kubernetes-sigs/aws-ebs-csi-driver/bin/aws-ebs-csi-driver.exe /aws-ebs-csi-driver.exe
-ENTRYPOINT ["/aws-ebs-csi-driver.exe"]
+ENTRYPOINT ["/aws-ebs-csi-driver.exe"]
diff --git a/Makefile b/Makefile
@@ -34,11 +34,11 @@ OUTPUT_TYPE?=docker
 
 OS?=linux
 ARCH?=amd64
-OSVERSION?=amazon
+OSVERSION?=distroless
 
 ALL_OS?=linux windows
 ALL_ARCH_linux?=amd64 arm64
-ALL_OSVERSION_linux?=amazon
+ALL_OSVERSION_linux?=distroless
 ALL_OS_ARCH_OSVERSION_linux=$(foreach arch, $(ALL_ARCH_linux), $(foreach osversion, ${ALL_OSVERSION_linux}, linux-$(arch)-${osversion}))
 
 ALL_ARCH_windows?=amd64
@@ -96,7 +96,6 @@ sub-image-%:
 image: .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION)
 .image-$(TAG)-$(OS)-$(ARCH)-$(OSVERSION):
 	docker buildx build \
-		--no-cache-filter=linux-amazon \
 		--platform=$(OS)/$(ARCH) \
 		--progress=plain \
 		--target=$(OS)-$(OSVERSION) \
@@ -234,4 +233,4 @@ generate-kustomize: bin/helm
 	cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/node.yaml  > ../../deploy/kubernetes/base/node.yaml
 	cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/poddisruptionbudget-controller.yaml > ../../deploy/kubernetes/base/poddisruptionbudget-controller.yaml
 	cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/serviceaccount-csi-controller.yaml > ../../deploy/kubernetes/base/serviceaccount-csi-controller.yaml
-	cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/serviceaccount-csi-node.yaml > ../../deploy/kubernetes/base/serviceaccount-csi-node.yaml
+	cd charts/aws-ebs-csi-driver && ../../bin/helm template kustomize . -s templates/serviceaccount-csi-node.yaml > ../../deploy/kubernetes/base/serviceaccount-csi-node.yaml
diff --git a/hack/e2e/ecr.sh b/hack/e2e/ecr.sh
@@ -18,8 +18,8 @@ function ecr_build_and_push() {
     set -e
     loudecho "Building and pushing test driver image to ${IMAGE_NAME}:${IMAGE_TAG}"
     aws ecr get-login-password --region "${REGION}" | docker login --username AWS --password-stdin "${AWS_ACCOUNT_ID}".dkr.ecr."${REGION}".amazonaws.com
-    IMAGE=${IMAGE_NAME} TAG=${IMAGE_TAG} OS=linux ARCH=amd64 OSVERSION=amazon make image
-    docker tag "${IMAGE_NAME}":"${IMAGE_TAG}"-linux-amd64-amazon "${IMAGE_NAME}":"${IMAGE_TAG}"
+    IMAGE=${IMAGE_NAME} TAG=${IMAGE_TAG} OS=linux ARCH=amd64 OSVERSION=distroless make image
+    docker tag "${IMAGE_NAME}":"${IMAGE_TAG}"-linux-amd64-distroless "${IMAGE_NAME}":"${IMAGE_TAG}"
     docker push "${IMAGE_NAME}":"${IMAGE_TAG}"
   fi
 }