
Commit 4e571d7

committed
feat: switch to alpine base image to reduce vulns
We have made the decision to publish the snyk-monitor with an Alpine base image, which has fewer packages and therefore fewer vulnerabilities. We have recently been stuck with a long run of high-severity vulnerabilities in the UBI8 base image which had no fixes. Some of our customers' pipelines break because we're publishing an image with high-severity vulnerabilities. They therefore have to triage the vulns and also raise them with us to resolve. This change affects the default Helm chart installation but overall should not have any performance impact or any problems with the product. The Operator installation will NOT use Alpine - it will still use UBI8 because it is a requirement for running on Red Hat OpenShift and being a Certified product.
1 parent 5470efb commit 4e571d7

12 files changed

+312
-174
lines changed

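--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -73,8 +73,8 @@ jobs:
 - run:
 command: |
 export IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable")
-OPERATOR_TAG="${IMAGE_TAG}-${CIRCLE_SHA1}"
-MONITOR_TAG="${IMAGE_TAG}-${CIRCLE_SHA1}"
+OPERATOR_TAG="${IMAGE_TAG}-ubi8-${CIRCLE_SHA1}"
+MONITOR_TAG="${IMAGE_TAG}-ubi8-${CIRCLE_SHA1}"
 scripts/operator/create_operator_and_push.py "${OPERATOR_TAG}" "${MONITOR_TAG}" "${DOCKERHUB_USER}" "${DOCKERHUB_PASSWORD}"
 echo "export OPERATOR_TAG=$OPERATOR_TAG" >> $BASH_ENV
 name: Create Operator and push Operator image to DockerHub
@@ -86,16 +86,16 @@ jobs:
 - run:
 command: |
 export IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable")
-export SNYK_MONITOR_IMAGE_TAG="${IMAGE_TAG}-${CIRCLE_SHA1}"
-export SNYK_OPERATOR_VERSION="0.0.1-${CIRCLE_SHA1}"
+export SNYK_MONITOR_IMAGE_TAG="${IMAGE_TAG}-ubi8-${CIRCLE_SHA1}"
+export SNYK_OPERATOR_VERSION="0.0.1-ubi8-${CIRCLE_SHA1}"
 export SNYK_OPERATOR_IMAGE_TAG="${SNYK_MONITOR_IMAGE_TAG}"
 OPERATOR_PATH=$(scripts/operator/package_operator_bundle.py "${SNYK_OPERATOR_VERSION}" "${SNYK_OPERATOR_IMAGE_TAG}" "${SNYK_MONITOR_IMAGE_TAG}")
 echo "export OPERATOR_PATH=$OPERATOR_PATH" >> $BASH_ENV
 name: Package Operator Bundle
 - run:
 command: |
 export OPERATOR_DIR=$OPERATOR_PATH
-export PACKAGE_VERSION="0.0.1-${CIRCLE_SHA1}"
+export PACKAGE_VERSION="0.0.1-ubi8-${CIRCLE_SHA1}"
 scripts/operator/create_operator_bundle_and_index_and_push.py "${OPERATOR_DIR}" "${PACKAGE_VERSION}" "${DOCKERHUB_USER}" "${DOCKERHUB_PASSWORD}"
 name: Create Operator Bundle and Index and push to Docker Hub
 - run:
@@ -106,29 +106,40 @@ jobs:
 working_directory: ~/kubernetes-monitor
 build_image:
 machine:
-image: ubuntu-2004:202111-01
+image: ubuntu-2004:202111-02
 steps:
 - checkout
 - install_python_requests
 - run:
 command: |
 IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable")
 IMAGE_NAME_CANDIDATE=snyk/kubernetes-monitor:${IMAGE_TAG}-${CIRCLE_SHA1}
+IMAGE_NAME_CANDIDATE_UBI8=snyk/kubernetes-monitor:${IMAGE_TAG}-ubi8-${CIRCLE_SHA1}
 echo "export IMAGE_NAME_CANDIDATE=$IMAGE_NAME_CANDIDATE" >> $BASH_ENV
+echo "export IMAGE_NAME_CANDIDATE_UBI8=$IMAGE_NAME_CANDIDATE_UBI8" >> $BASH_ENV
 name: Export environment variables
 - run:
 command: |
 docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD}
 ./scripts/docker/build-image.sh ${IMAGE_NAME_CANDIDATE}
+./scripts/docker/build-image-ubi8.sh ${IMAGE_NAME_CANDIDATE_UBI8}
 name: Build image
 - snyk/scan:
+additional-arguments: --project-name=alpine
 docker-image-name: ${IMAGE_NAME_CANDIDATE}
 monitor-on-build: false
 severity-threshold: high
 target-file: Dockerfile
+- snyk/scan:
+additional-arguments: --project-name=ubi8
+docker-image-name: ${IMAGE_NAME_CANDIDATE_UBI8}
+monitor-on-build: false
+severity-threshold: high
+target-file: Dockerfile.ubi8
 - run:
 command: |
 docker push ${IMAGE_NAME_CANDIDATE}
+docker push ${IMAGE_NAME_CANDIDATE_UBI8}
 name: Push image
 - run:
 command: |
@@ -330,7 +341,8 @@ jobs:
 name: Create temporary directory for logs
 - run:
 command: |
-export OPERATOR_VERSION="0.0.1-${CIRCLE_SHA1}"
+export OPERATOR_VERSION="0.0.1-ubi8-${CIRCLE_SHA1}"
+export IMAGE_TAG_UBI_SUFFIX="-ubi8"
 export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=$(./scripts/circleci-jobs/setup-integration-tests.py)
 .circleci/do-exclusively --branch staging --job ${CIRCLE_JOB} npm run test:integration:kindolm:operator
 name: Operator integration tests on vanilla Kubernetes
@@ -387,7 +399,7 @@ jobs:
 openshift3_integration_tests:
 machine:
 docker_layer_caching: true
-image: ubuntu-2004:202111-01
+image: ubuntu-2004:202111-02
 steps:
 - checkout
 - setup_node16
@@ -397,6 +409,7 @@ jobs:
 name: Create temporary directory for logs
 - run:
 command: |
+export IMAGE_TAG_UBI_SUFFIX="-ubi8"
 export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=$(./scripts/circleci-jobs/setup-integration-tests.py)
 npm run test:integration:openshift3:yaml
 name: Integration tests OpenShift 3
@@ -410,7 +423,7 @@ jobs:
 openshift4_integration_tests:
 machine:
 docker_layer_caching: true
-image: ubuntu-2004:202111-01
+image: ubuntu-2004:202111-02
 steps:
 - checkout
 - setup_node16
@@ -420,7 +433,8 @@ jobs:
 name: create temp dir for logs
 - run:
 command: |
-export OPERATOR_VERSION="0.0.1-${CIRCLE_SHA1}"
+export OPERATOR_VERSION="0.0.1-ubi8-${CIRCLE_SHA1}"
+export IMAGE_TAG_UBI_SUFFIX="-ubi8"
 export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=$(./scripts/circleci-jobs/setup-integration-tests.py)
 .circleci/do-exclusively --branch staging --job ${CIRCLE_JOB} npm run test:integration:openshift4:operator
 name: Integration tests OpenShift 4
@@ -673,25 +687,40 @@ jobs:
 LATEST_TAG=${LATEST_TAG_WITH_V:1}
 IMAGE_NAME_APPROVED=snyk/kubernetes-monitor:${LATEST_TAG}-approved
 IMAGE_NAME_PUBLISHED=snyk/kubernetes-monitor:${LATEST_TAG}
+IMAGE_NAME_APPROVED_UBI8=snyk/kubernetes-monitor:${LATEST_TAG}-ubi8-approved
+IMAGE_NAME_PUBLISHED_UBI8=snyk/kubernetes-monitor:${LATEST_TAG}-ubi8
 echo "export LATEST_TAG=${LATEST_TAG}" >> $BASH_ENV
 echo "export IMAGE_NAME_APPROVED=${IMAGE_NAME_APPROVED}" >> $BASH_ENV
 echo "export IMAGE_NAME_PUBLISHED=${IMAGE_NAME_PUBLISHED}" >> $BASH_ENV
+echo "export IMAGE_NAME_APPROVED_UBI8=${IMAGE_NAME_APPROVED_UBI8}" >> $BASH_ENV
+echo "export IMAGE_NAME_PUBLISHED_UBI8=${IMAGE_NAME_PUBLISHED_UBI8}" >> $BASH_ENV
 name: Export environment variables
 - snyk/scan:
 monitor-on-build: true
 severity-threshold: high
 - snyk/scan:
+additional-arguments: --project-name=alpine
 docker-image-name: ${IMAGE_NAME_APPROVED}
 monitor-on-build: true
 severity-threshold: high
 target-file: Dockerfile
+- snyk/scan:
+additional-arguments: --project-name=ubi8
+docker-image-name: ${IMAGE_NAME_APPROVED_UBI8}
+monitor-on-build: true
+severity-threshold: high
+target-file: Dockerfile.ubi8
 - run:
 command: |
 docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD} &&
 docker pull ${IMAGE_NAME_APPROVED} &&
 docker tag ${IMAGE_NAME_APPROVED} ${IMAGE_NAME_PUBLISHED} &&
 docker push ${IMAGE_NAME_PUBLISHED} &&
+docker pull ${IMAGE_NAME_APPROVED_UBI8} &&
+docker tag ${IMAGE_NAME_APPROVED_UBI8} ${IMAGE_NAME_PUBLISHED_UBI8} &&
+docker push ${IMAGE_NAME_PUBLISHED_UBI8} &&
 ./scripts/slack/notify_push.py ${IMAGE_NAME_PUBLISHED} &&
+./scripts/slack/notify_push.py ${IMAGE_NAME_PUBLISHED_UBI8} &&
 ./scripts/publish-gh-pages.sh ${LATEST_TAG}
 name: Publish
 - run:
@@ -705,7 +734,7 @@ jobs:
 - run:
 command: |
 export OPERATOR_TAG="${LATEST_TAG}"
-export MONITOR_TAG="${LATEST_TAG}"
+export MONITOR_TAG="${LATEST_TAG}-ubi8"
 python3 scripts/operator/create_operator_and_push.py "${OPERATOR_TAG}" "${MONITOR_TAG}" "${DOCKERHUB_USER}" "${DOCKERHUB_PASSWORD}"
 echo "export OPERATOR_TAG=${OPERATOR_TAG}" >> $BASH_ENV
 name: Create Operator and push Operator image to DockerHub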
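Review bot: The touched "Build image" step in `build_image` still authenticates with the registry password on the command line (`docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD}`) immediately before the new `build-image-ubi8.sh` call, which exposes the secret to `ps`, to the step's trace output and to any process in the machine executor; since the step is being edited anyway, switch it to `printf '%s' "${DOCKERHUB_PASSWORD}" | docker login --username "${DOCKERHUB_USER}" --password-stdin` (the same pattern recurs unchanged in the `publish` hunk's `docker login ... &&` line). The two `snyk/scan` steps with `severity-threshold: high` sit between the builds and the pushes, so they do gate both candidate images as the commit message intends, but neither `Dockerfile` nor `Dockerfile.ubi8` is in this diff, so whether the new Alpine base is pinned by digest rather than a floating tag cannot be confirmed here and is worth checking given that reproducible vulnerability counts are the stated goal. Note that the Alpine image is now what gets published under the unsuffixed `snyk/kubernetes-monitor:${LATEST_TAG}` tag while only the Operator path is told to use `-ubi8`; a one-line comment above `IMAGE_NAME_CANDIDATE_UBI8=` such as `# default (unsuffixed) tag is the Alpine image; -ubi8 is consumed by the Operator/OpenShift path only` would make that contract visible to the next person editing this job. The `build_image` job continues past the end of the hunk.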

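--- a/.circleci/config/jobs/@jobs.yml
+++ b/.circleci/config/jobs/@jobs.yml
@@ -1,86 +1,3 @@
-build_image:
-machine:
-image: ubuntu-2004:202111-01
-working_directory: ~/kubernetes-monitor
-steps:
-- checkout
-- install_python_requests
-- run:
-name: Export environment variables
-command: |
-IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable")
-IMAGE_NAME_CANDIDATE=snyk/kubernetes-monitor:${IMAGE_TAG}-${CIRCLE_SHA1}
-echo "export IMAGE_NAME_CANDIDATE=$IMAGE_NAME_CANDIDATE" >> $BASH_ENV
-- run:
-name: Build image
-command: |
-docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD}
-./scripts/docker/build-image.sh ${IMAGE_NAME_CANDIDATE}
-- snyk/scan:
-docker-image-name: ${IMAGE_NAME_CANDIDATE}
-severity-threshold: high
-target-file: Dockerfile
-monitor-on-build: false
-- run:
-name: Push image
-command: |
-docker push ${IMAGE_NAME_CANDIDATE}
-- run:
-name: Notify Slack on failure
-command: |
-./scripts/slack/notify_failure_on_branch.py "${CIRCLE_BRANCH}" "${CIRCLE_JOB}" "${CIRCLE_BUILD_URL}" "${CIRCLE_PULL_REQUEST}" "${SLACK_WEBHOOK}"
-when: on_fail
-
-build_and_upload_operator:
-docker:
-- image: cimg/python:3.10
-auth:
-username: $DOCKERHUB_USER
-password: $DOCKERHUB_PASSWORD
-working_directory: ~/kubernetes-monitor
-steps:
-- checkout
-- setup_remote_docker
-- install_python_requests
-- run:
-name: Download Operator SDK and Operator Package Manager
-command: |
-scripts/operator/download_operator_sdk.py
-scripts/operator/download_operator_package_manager.py
-- run:
-name: Create Operator and push Operator image to DockerHub
-command: |
-export IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable")
-OPERATOR_TAG="${IMAGE_TAG}-${CIRCLE_SHA1}"
-MONITOR_TAG="${IMAGE_TAG}-${CIRCLE_SHA1}"
-scripts/operator/create_operator_and_push.py "${OPERATOR_TAG}" "${MONITOR_TAG}" "${DOCKERHUB_USER}" "${DOCKERHUB_PASSWORD}"
-echo "export OPERATOR_TAG=$OPERATOR_TAG" >> $BASH_ENV
-- snyk/scan:
-docker-image-name: snyk/kubernetes-operator:${OPERATOR_TAG}
-severity-threshold: high
-target-file: snyk-operator/build/Dockerfile
-monitor-on-build: false
-- run:
-name: Package Operator Bundle
-command: |
-export IMAGE_TAG=$([[ "$CIRCLE_BRANCH" == "staging" ]] && echo "staging-candidate" || echo "discardable")
-export SNYK_MONITOR_IMAGE_TAG="${IMAGE_TAG}-${CIRCLE_SHA1}"
-export SNYK_OPERATOR_VERSION="0.0.1-${CIRCLE_SHA1}"
-export SNYK_OPERATOR_IMAGE_TAG="${SNYK_MONITOR_IMAGE_TAG}"
-OPERATOR_PATH=$(scripts/operator/package_operator_bundle.py "${SNYK_OPERATOR_VERSION}" "${SNYK_OPERATOR_IMAGE_TAG}" "${SNYK_MONITOR_IMAGE_TAG}")
-echo "export OPERATOR_PATH=$OPERATOR_PATH" >> $BASH_ENV
-- run:
-name: Create Operator Bundle and Index and push to Docker Hub
-command: |
-export OPERATOR_DIR=$OPERATOR_PATH
-export PACKAGE_VERSION="0.0.1-${CIRCLE_SHA1}"
-scripts/operator/create_operator_bundle_and_index_and_push.py "${OPERATOR_DIR}" "${PACKAGE_VERSION}" "${DOCKERHUB_USER}" "${DOCKERHUB_PASSWORD}"
-- run:
-name: Notify Slack on failure
-command: |
-./scripts/slack/notify_failure_on_branch.py "${CIRCLE_BRANCH}" "${CIRCLE_JOB}" "${CIRCLE_BUILD_URL}" "${CIRCLE_PULL_REQUEST}" "${SLACK_WEBHOOK}"
-when: on_fail
-
 lint:
 machine:
 docker_layer_caching: true
@@ -301,56 +218,6 @@ aks_integration_tests:
 - store_artifacts:
 path: /tmp/logs/test/integration/aks
 
-openshift3_integration_tests:
-machine:
-image: ubuntu-2004:202111-01
-docker_layer_caching: true
-working_directory: ~/kubernetes-monitor
-steps:
-- checkout
-- setup_node16
-- install_python_requests
-- run:
-name: Create temporary directory for logs
-command: mkdir -p /tmp/logs/test/integration/openshift3
-- run:
-name: Integration tests OpenShift 3
-command: |
-export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=$(./scripts/circleci-jobs/setup-integration-tests.py)
-npm run test:integration:openshift3:yaml
-- run:
-name: Notify Slack on failure
-command: ./scripts/slack/notify_failure.py "${CIRCLE_BRANCH}" "${CIRCLE_JOB}" "${CIRCLE_BUILD_URL}" "${CIRCLE_PULL_REQUEST}" "${SLACK_WEBHOOK}"
-when: on_fail
-- store_artifacts:
-path: /tmp/logs/test/integration/openshift3
-
-openshift4_integration_tests:
-machine:
-image: ubuntu-2004:202111-01
-docker_layer_caching: true
-working_directory: ~/kubernetes-monitor
-steps:
-- checkout
-- setup_node16
-- install_python_requests
-- run:
-name: create temp dir for logs
-command: mkdir -p /tmp/logs/test/integration/openshift4
-- run:
-name: Integration tests OpenShift 4
-command: |
-export OPERATOR_VERSION="0.0.1-${CIRCLE_SHA1}"
-export KUBERNETES_MONITOR_IMAGE_NAME_AND_TAG=$(./scripts/circleci-jobs/setup-integration-tests.py)
-.circleci/do-exclusively --branch staging --job ${CIRCLE_JOB} npm run test:integration:openshift4:operator
-- run:
-name: Notify Slack on failure
-command: |
-./scripts/slack/notify_failure_on_branch.py "${CIRCLE_BRANCH}" "${CIRCLE_JOB}" "${CIRCLE_BUILD_URL}" "${CIRCLE_PULL_REQUEST}" "${SLACK_WEBHOOK}"
-when: on_fail
-- store_artifacts:
-path: /tmp/logs/test/integration/openshift4
-
 ######################## MERGE TO STAGING ########################
 tag_and_push:
 docker:
@@ -400,9 +267,13 @@ publish:
 LATEST_TAG=${LATEST_TAG_WITH_V:1}
 IMAGE_NAME_APPROVED=snyk/kubernetes-monitor:${LATEST_TAG}-approved
 IMAGE_NAME_PUBLISHED=snyk/kubernetes-monitor:${LATEST_TAG}
+IMAGE_NAME_APPROVED_UBI8=snyk/kubernetes-monitor:${LATEST_TAG}-ubi8-approved
+IMAGE_NAME_PUBLISHED_UBI8=snyk/kubernetes-monitor:${LATEST_TAG}-ubi8
 echo "export LATEST_TAG=${LATEST_TAG}" >> $BASH_ENV
 echo "export IMAGE_NAME_APPROVED=${IMAGE_NAME_APPROVED}" >> $BASH_ENV
 echo "export IMAGE_NAME_PUBLISHED=${IMAGE_NAME_PUBLISHED}" >> $BASH_ENV
+echo "export IMAGE_NAME_APPROVED_UBI8=${IMAGE_NAME_APPROVED_UBI8}" >> $BASH_ENV
+echo "export IMAGE_NAME_PUBLISHED_UBI8=${IMAGE_NAME_PUBLISHED_UBI8}" >> $BASH_ENV
 - snyk/scan:
 severity-threshold: high
 monitor-on-build: true
@@ -411,14 +282,25 @@ publish:
 severity-threshold: high
 target-file: Dockerfile
 monitor-on-build: true
+additional-arguments: --project-name=alpine
+- snyk/scan:
+docker-image-name: ${IMAGE_NAME_APPROVED_UBI8}
+severity-threshold: high
+target-file: Dockerfile.ubi8
+monitor-on-build: true
+additional-arguments: --project-name=ubi8
 - run:
 name: Publish
 command: |
 docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD} &&
 docker pull ${IMAGE_NAME_APPROVED} &&
 docker tag ${IMAGE_NAME_APPROVED} ${IMAGE_NAME_PUBLISHED} &&
 docker push ${IMAGE_NAME_PUBLISHED} &&
+docker pull ${IMAGE_NAME_APPROVED_UBI8} &&
+docker tag ${IMAGE_NAME_APPROVED_UBI8} ${IMAGE_NAME_PUBLISHED_UBI8} &&
+docker push ${IMAGE_NAME_PUBLISHED_UBI8} &&
 ./scripts/slack/notify_push.py ${IMAGE_NAME_PUBLISHED} &&
+./scripts/slack/notify_push.py ${IMAGE_NAME_PUBLISHED_UBI8} &&
 ./scripts/publish-gh-pages.sh ${LATEST_TAG}
 - run:
 name: Download operator-sdk
@@ -432,7 +314,7 @@ publish:
 name: Create Operator and push Operator image to DockerHub
 command: |
 export OPERATOR_TAG="${LATEST_TAG}"
-export MONITOR_TAG="${LATEST_TAG}"
+export MONITOR_TAG="${LATEST_TAG}-ubi8"
 python3 scripts/operator/create_operator_and_push.py "${OPERATOR_TAG}" "${MONITOR_TAG}" "${DOCKERHUB_USER}" "${DOCKERHUB_PASSWORD}"
 echo "export OPERATOR_TAG=${OPERATOR_TAG}" >> $BASH_ENV
 - snyk/scan: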
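Review bot: In the `publish` job the new `snyk/scan` on `${IMAGE_NAME_APPROVED_UBI8}` and the later `docker pull ${IMAGE_NAME_APPROVED_UBI8} && docker tag ... && docker push ${IMAGE_NAME_PUBLISHED_UBI8}` both address a mutable `-ubi8-approved` tag, so nothing ties the bytes that passed the high-severity gate to the bytes that are re-published as `${LATEST_TAG}-ubi8` if that tag is re-pushed between the two steps (the same gap already exists for the Alpine image and is merely duplicated here). A cheap fix is to pull once before the scan, resolve the content digest with `docker inspect --format '{{index .RepoDigests 0}}' "${IMAGE_NAME_APPROVED_UBI8}"`, and `docker tag` the published name from that digest rather than from the tag, so the scanned and released artifacts are provably the same image; whether the orb scans the local image or re-pulls the remote tag is not visible here, so confirm before relying on it. The `docker login --username ${DOCKERHUB_USER} --password ${DOCKERHUB_PASSWORD} &&` line carried into the touched Publish step also still passes the secret on argv; `--password-stdin` would keep it out of process listings. The `build_image`, `build_and_upload_operator` and OpenShift jobs deleted from this file are still present in `.circleci/config.yml` in this same commit, so presumably they moved into other files among the twelve changed; a one-line comment at the top of this file saying where those jobs now live would save the next reader the search.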
