From 89fa2ed0d20b912d482fc600ac1eec8b60d3ae02 Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Tue, 22 Jun 2021 22:04:51 -0400 Subject: [PATCH 1/3] rebuilt --- Dockerfile | 102 ++++++++++------------------------------ hardening_manifest.yaml | 82 +++++++++----------------------- renovate.json | 16 +++++-- 3 files changed, 56 insertions(+), 144 deletions(-) diff --git a/Dockerfile b/Dockerfile index 409a31c..d371736 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,90 +1,28 @@ -ARG BASE_REGISTRY=registry1.dsop.io +ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.4 -FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS builder - -COPY kubernetes.tar.gz / - -RUN dnf upgrade -y && \ - dnf install -y make go gcc diffutils rsync && \ - dnf clean all && \ - rm -rf /var/cache/dnf && \ - mkdir -p $GOPATH/src/k8s.io/kubernetes && \ - tar -zxf /kubernetes.tar.gz -C $GOPATH/src/k8s.io/kubernetes --strip-components=1 && \ - rm -f /kubernetes.tar.gz && \ - cd $GOPATH/src/k8s.io/kubernetes/ && \ - make WHAT=cmd/kube-proxy - -COPY texinfo.tar.gz bison.tar.gz flex.tar.gz signatures/RPM-GPG-KEY-CentOS-Official \ - libtirpc-devel.rpm libmnl.tar.bz2 libnetfilter_conntrack.tar.bz2 \ - libnetfilter_cthelper.tar.bz2 libnetfilter_cttimeout.tar.bz2 \ - libnetfilter_queue.tar.bz2 texinfo.tar.gz libnfnetlink.tar.bz2 conntrack-tools.tar.bz2 / - -ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin - -# Install necessary container packages for conntrack -# TODO: use WORKDIR? 
- -RUN dnf upgrade -y && \ - dnf install -y automake autoconf make gcc iptables ipset kmod bzip2 m4 \ - diffutils pkgconf pkgconf-m4 pkgconf-pkg-config man-db && \ - mkdir -p /usr/src/texinfo && \ - tar -zxf /texinfo.tar.gz --strip-components=1 -C /usr/src/texinfo && \ - cd /usr/src/texinfo && \ - ./configure && make && make install && \ - mkdir -p /usr/src/bison && \ - tar -zxf /bison.tar.gz --strip-components=1 -C /usr/src/bison && \ - cd /usr/src/bison && \ - ./configure && make && make install && \ - mkdir -p /usr/src/flex && \ - tar -zxf /flex.tar.gz --strip-components=1 -C /usr/src/flex && \ - cd /usr/src/flex && \ - ./configure && make && make install && \ - rpm --import /RPM-GPG-KEY-CentOS-Official && \ - rpm -iv /libtirpc-devel.rpm && \ - mkdir -p /usr/src/libnfnetlink && \ - tar -jxf /libnfnetlink.tar.bz2 --strip-components=1 -C /usr/src/libnfnetlink && \ - cd /usr/src/libnfnetlink && \ - ./configure && make && make install && \ - mkdir -p /usr/src/libmnl && \ - tar -jxf /libmnl.tar.bz2 --strip-components=1 -C /usr/src/libmnl && \ - cd /usr/src/libmnl && \ - ./configure && make && make install - -ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig - -RUN mkdir -p /usr/src/libnetfilter_conntrack && \ - tar -jxf /libnetfilter_conntrack.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_conntrack && \ - cd /usr/src/libnetfilter_conntrack && \ - ./configure && make && make install && \ - mkdir -p /usr/src/libnetfilter_cttimeout && \ - tar -jxf /libnetfilter_cttimeout.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cttimeout && \ - cd /usr/src/libnetfilter_cttimeout && \ - ./configure && make && make install && \ - mkdir -p /usr/src/libnetfilter_cthelper && \ - tar -jxf /libnetfilter_cthelper.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cthelper && \ - cd /usr/src/libnetfilter_cthelper && \ - ./configure && make && make install && \ - mkdir -p /usr/src/libnetfilter_queue && \ - tar -jxf /libnetfilter_queue.tar.bz2 --strip-components=1 -C 
/usr/src/libnetfilter_queue && \ - cd /usr/src/libnetfilter_queue && \ - ./configure && make && make install && \ - mkdir -p /usr/src/conntrack-tools && \ - tar -jxf /conntrack-tools.tar.bz2 --strip-components=1 -C /usr/src/conntrack-tools && \ - cd /usr/src/conntrack-tools && \ - ./configure && make && make install +FROM k8s.gcr.io/kube-proxy:v1.19.12 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -COPY --from=builder /src/k8s.io/kubernetes/_output/bin/kube-proxy /usr/local/bin/ -COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack +COPY *.rpm / +COPY signatures/* / -ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin +COPY --from=base /usr/local/bin/kube-proxy /usr/local/bin/kube-proxy +COPY --from=base /usr/sbin/xtables-legacy-multi /usr/sbin/xtables-legacy-multi +COPY --from=base /usr/sbin/iptables-wrapper /usr/sbin/iptables-wrapper RUN dnf upgrade -y && \ dnf install -y ipset iputils net-tools kmod procps iproute kmod iptables && \ dnf install -y which findutils && \ + rpm --import RPM-GPG-KEY-CentOS-Official && \ + rpm --import RPM-GPG-KEY-EPEL-8 && \ + rpm --import repomd.xml.key && \ + dnf localinstall -y libnetfilter_cthelper.rpm && \ + dnf localinstall -y libnetfilter_cttimeout.rpm && \ + dnf localinstall -y libnetfilter_queue.rpm && \ + dnf localinstall -y conntrack-tools.rpm && \ ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-restore && \ ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-save && \ ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-legacy && \ 
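Review bot: The trust set imported before `dnf localinstall` is wider than the packages need: all four RPMs listed in hardening_manifest.yaml come from the CentOS 8 BaseOS mirror, which is signed with the CentOS Official key, yet `RPM-GPG-KEY-EPEL-8` and `repomd.xml.key` (the latter looks like an openSUSE OBS project key, judging by its user-ID packet) are imported as well, so anything signed by those keys is accepted by rpm from this layer on. Note too that dnf does not GPG-check local packages by default (`localpkg_gpgcheck` is off unless set, as far as I recall), so the imports currently buy no enforcement and the sha256 values in the manifest are the only integrity check. I would import only the CentOS key and make the check explicit: `rpm --import RPM-GPG-KEY-CentOS-Official && \` followed by `dnf --setopt=localpkg_gpgcheck=1 localinstall -y libnetfilter_cthelper.rpm libnetfilter_cttimeout.rpm libnetfilter_queue.rpm conntrack-tools.rpm && \`. Separately, `FROM k8s.gcr.io/kube-proxy:v1.19.12 as base` pulls by mutable tag while the manifest pins `@sha256:…` — if the Iron Bank resource mirroring does not rewrite this reference, pin the digest in the `FROM` as well (and use uppercase `AS`). This `RUN` continues past the end of the hunk, so I cannot see whether the `*.rpm` and key files copied to `/` are removed in the same layer.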
@@ -104,6 +42,14 @@ RUN dnf upgrade -y && \ dnf clean all && \ rm -rf /var/cache/dnf -CMD ["/bin/sh"] +RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \ + --slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \ + --slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper +RUN update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 101 \ + --slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \ + --slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper + +HEALTHCHECK --interval=10s --timeout=1s --start-period=10s --retries=6 \ + CMD curl -f http://locahost:10249 || exit 1 -HEALTHCHECK NONE \ No newline at end of file +CMD ["/bin/sh"] diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 54dd768..b4f68da 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
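Review bot: The new `HEALTHCHECK` can never pass as written: `http://locahost:10249` misspells localhost, so name resolution fails and after six retries the container is always reported unhealthy. Fix the host and confirm the endpoint: by default kube-proxy serves `/healthz` on port 10256 and only the metrics handler on 127.0.0.1:10249, so `/` on 10249 is unlikely to answer 200 to `curl -f`; the usual probe is something like `CMD curl -fsS http://localhost:10256/healthz || exit 1`, assuming default runtime flags. Also check that `curl` is actually present in the final image — the visible `dnf install` lines do not add it, so this depends on the UBI base shipping it.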
@@ -24,87 +24,47 @@ labels: ## License(s) under which contained software is distributed org.opencontainers.image.licenses: "Apache-2.0" ## URL to find more information on the image - org.opencontainers.image.url: "https://kubernetes.io/" + org.opencontainers.image.url: "docker://k8s.gcr.io/kube-proxy" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "opensource" org.opencontainers.image.version: "v1.18.20" ## Keywords to help with search (ex. "cicd,gitops,golang") - mil.dso.ironbank.image.keywords: "kubernetes" + mil.dso.ironbank.image.keywords: "kube-proxy" ## This value can be "opensource" or "commercial" mil.dso.ironbank.image.type: "opensource" ## Product the image belongs to for grouping multiple images - mil.dso.ironbank.product.name: "kubernetes" + mil.dso.ironbank.product.name: "kube-proxy" # List of resources to make available to the offline build context resources: -- url: https://github.com/kubernetes/kubernetes/archive/v1.18.20.tar.gz - filename: kubernetes.tar.gz +- url: docker://k8s.gcr.io/kube-proxy@sha256:12f2b93c34db1caf73610092df74688e676c3b5abce940c25563ac5e93175381 + tag: k8s.gcr.io/kube-proxy:v1.18.20 +- filename: libnetfilter_cthelper.rpm + url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libnetfilter_cthelper-1.0.0-15.el8.x86_64.rpm validation: type: sha256 - value: 45bcf77fb5beb52aa2ecb22594193938cecf033b1e9409ad1cd0f7af15f32e3b -- filename: texinfo.tar.gz - url: "https://ftp.gnu.org/gnu/texinfo/texinfo-6.7.tar.gz" + value: 1ff19864aecd9d21527e14cd1a254a42eb2296967544a03e2572358fcd9a7912 +- filename: libnetfilter_cttimeout.rpm + url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libnetfilter_cttimeout-1.0.0-11.el8.x86_64.rpm validation: type: sha256 - value: a52d05076b90032cb2523673c50e53185938746482cf3ca0213e9b4b50ac2d3e -- filename: bison.tar.gz - url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz" + value: 
1ec9b84708a45c425a19e7112643686906a7529ce3648e902b341e3172e733c9 +- filename: libnetfilter_queue.rpm + url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libnetfilter_queue-1.0.4-3.el8.x86_64.rpm validation: type: sha256 - value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28 -- filename: flex.tar.gz - url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz" + value: 39e998ff6eb91d01e662fe5eaf92cf1759d0223e0e83c3655e5e5f1aa9bcd4e0 +- filename: conntrack-tools.rpm + url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/conntrack-tools-1.4.4-10.el8.x86_64.rpm validation: type: sha256 - value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995 -- filename: libtirpc-devel.rpm - url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm" - validation: - type: sha256 - value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75 -- filename: libnfnetlink.tar.bz2 - url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2" - validation: - type: sha256 - value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a -- filename: libmnl.tar.bz2 - url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2" - validation: - type: sha256 - value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81 -- filename: libnetfilter_conntrack.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2" - validation: - type: sha256 - value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf -- filename: libnetfilter_cttimeout.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2" - validation: - type: sha256 - value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba -- filename: libnetfilter_cthelper.tar.bz2 - url: 
"https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2" - validation: - type: sha256 - value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d -- filename: libnetfilter_queue.tar.bz2 - url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2" - validation: - type: sha256 - value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5 -- filename: conntrack-tools.tar.bz2 - url: "http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2" - validation: - type: sha256 - value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f + value: a077f5a786a1c2f61da812a32de865ae51bc74f5f08d6328cf67ece4f7ce10de # List of project maintainers -# FIXME: Fill in the following details for the current container owner in the whitelist -# FIXME: Include any other vendor information if applicable maintainers: -- email: "jperez2@novetta.com" +- email: "shen_vickie@bah.com" # # The name of the current container owner - name: "Jason Perez" + name: "Vickie Shen" # # The gitlab username of the current container owner - username: "jperez2" - cht_member: false + username: "shen_vickie" + cht_member: true diff --git a/renovate.json b/renovate.json index 823b11e..2a723a6 100644 --- a/renovate.json +++ b/renovate.json @@ -1,6 +1,6 @@ { "assignees": [ - "@gavin.scallon" + "@shen_vickie" ], "baseBranches": [ "development" @@ -10,14 +10,20 @@ "packageRules": [ { "datasources": [ - "github-tags" + "docker" ], "packageNames": [ - "kubernetes/kubernetes" + "k8s.gcr.io/kube-proxy" ], "separateMinorPatch": true, + "major": { + "enabled": false + }, "minor": { "enabled": false + }, + "patch": { + "enabled": true } } ], 
@@ -30,8 +36,8 @@ "org\\.opencontainers\\.image\\.version:\\s+\"(?.+?)\"", "tags:\\s+-\\s+\"(?.+?)\"" ], - "depNameTemplate": "kubernetes/kubernetes", - "datasourceTemplate": "github-tags" + "depNameTemplate": "k8s.gcr.io/kube-proxy", + "datasourceTemplate": "docker" } ] } -- GitLab From c915b391e8284186e45290e96336a1d61064e42e Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Tue, 22 Jun 2021 22:13:52 -0400 Subject: [PATCH 2/3] rebuilt --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index d371736..46cc118 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dso.mil ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.4 -FROM k8s.gcr.io/kube-proxy:v1.19.12 as base +FROM k8s.gcr.io/kube-proxy:v1.18.20 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} -- GitLab From 309e0bf58081fd4cb8bfa7d805176162768aac05 Mon Sep 17 00:00:00 2001 From: shen_vickie Date: Tue, 22 Jun 2021 22:22:25 -0400 Subject: [PATCH 3/3] rebuilt --- signatures/RPM-GPG-KEY-EPEL-8 | 28 ++++++++++++++++++++++++++++ signatures/repomd.xml.key | 20 ++++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 signatures/RPM-GPG-KEY-EPEL-8 create mode 100644 signatures/repomd.xml.key diff --git a/signatures/RPM-GPG-KEY-EPEL-8 b/signatures/RPM-GPG-KEY-EPEL-8 new file mode 100644 index 0000000..30b69a6 --- /dev/null +++ b/signatures/RPM-GPG-KEY-EPEL-8 
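Review bot: The regex manager's second pattern, `tags:\s+-\s+"(…)"`, does not match how hardening_manifest.yaml now records the upstream image — the new resource uses a singular, unquoted `tag: k8s.gcr.io/kube-proxy:v1.18.20` plus a `@sha256:` digest in `url`, neither of which this regex captures. The effect is that a Renovate patch bump would rewrite `org.opencontainers.image.version` while the pinned tag and digest stay at the old release, so the label and the image actually built drift apart. Either adjust the pattern to the new layout, e.g. `tag:\s+k8s\.gcr\.io/kube-proxy:(?<currentValue>v[\d.]+)` together with a `currentDigest` capture on the `url` line, or drop the label-only match so the bump is done by hand in one place.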
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFz3zvsBEADJOIIWllGudxnpvJnkxQz2CtoWI7godVnoclrdl83kVjqSQp+2 +dgxuG5mUiADUfYHaRQzxKw8efuQnwxzU9kZ70ngCxtmbQWGmUmfSThiapOz00018 ++eo5MFabd2vdiGo1y+51m2sRDpN8qdCaqXko65cyMuLXrojJHIuvRA/x7iqOrRfy +a8x3OxC4PEgl5pgDnP8pVK0lLYncDEQCN76D9ubhZQWhISF/zJI+e806V71hzfyL +/Mt3mQm/li+lRKU25Usk9dWaf4NH/wZHMIPAkVJ4uD4H/uS49wqWnyiTYGT7hUbi +ecF7crhLCmlRzvJR8mkRP6/4T/F3tNDPWZeDNEDVFUkTFHNU6/h2+O398MNY/fOh +yKaNK3nnE0g6QJ1dOH31lXHARlpFOtWt3VmZU0JnWLeYdvap4Eff9qTWZJhI7Cq0 +Wm8DgLUpXgNlkmquvE7P2W5EAr2E5AqKQoDbfw/GiWdRvHWKeNGMRLnGI3QuoX3U +pAlXD7v13VdZxNydvpeypbf/AfRyrHRKhkUj3cU1pYkM3DNZE77C5JUe6/0nxbt4 +ETUZBTgLgYJGP8c7PbkVnO6I/KgL1jw+7MW6Az8Ox+RXZLyGMVmbW/TMc8haJfKL +MoUo3TVk8nPiUhoOC0/kI7j9ilFrBxBU5dUtF4ITAWc8xnG6jJs/IsvRpQARAQAB +tChGZWRvcmEgRVBFTCAoOCkgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB +AgAiBQJc9877AhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAh6kWrL4bW +oWagD/4xnLWws34GByVDQkjprk0fX7Iyhpm/U7BsIHKspHLL+Y46vAAGY/9vMvdE +0fcr9Ek2Zp7zE1RWmSCzzzUgTG6BFoTG1H4Fho/7Z8BXK/jybowXSZfqXnTOfhSF +alwDdwlSJvfYNV9MbyvbxN8qZRU1z7PEWZrIzFDDToFRk0R71zHpnPTNIJ5/YXTw +NqU9OxII8hMQj4ufF11040AJQZ7br3rzerlyBOB+Jd1zSPVrAPpeMyJppWFHSDAI +WK6x+am13VIInXtqB/Cz4GBHLFK5d2/IYspVw47Solj8jiFEtnAq6+1Aq5WH3iB4 +bE2e6z00DSF93frwOyWN7WmPIoc2QsNRJhgfJC+isGQAwwq8xAbHEBeuyMG8GZjz +xohg0H4bOSEujVLTjH1xbAG4DnhWO/1VXLX+LXELycO8ZQTcjj/4AQKuo4wvMPrv +9A169oETG+VwQlNd74VBPGCvhnzwGXNbTK/KH1+WRH0YSb+41flB3NKhMSU6dGI0 +SGtIxDSHhVVNmx2/6XiT9U/znrZsG5Kw8nIbbFz+9MGUUWgJMsd1Zl9R8gz7V9fp +n7L7y5LhJ8HOCMsY/Z7/7HUs+t/A1MI4g7Q5g5UuSZdgi0zxukiWuCkLeAiAP4y7 +zKK4OjJ644NDcWCHa36znwVmkz3ixL8Q0auR15Oqq2BjR/fyog== +=84m8 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/signatures/repomd.xml.key b/signatures/repomd.xml.key new file mode 100644 index 0000000..23c0ddb --- /dev/null +++ b/signatures/repomd.xml.key 
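Review bot: This key's user-ID packet decodes to `Fedora EPEL (8) <epel@fedoraproject.org>`, but nothing in this series installs an EPEL package — the four RPMs in hardening_manifest.yaml are CentOS BaseOS — so importing it in the Dockerfile only widens what the image's rpm keyring trusts. If it is a leftover from an earlier build approach, drop the file and the matching `rpm --import RPM-GPG-KEY-EPEL-8`; if it is needed, record its source URL and fingerprint in the manifest so the provenance of the trust anchor is reviewable.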
@@ -0,0 +1,20 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Version: GnuPG v1.4.5 (GNU/Linux) + +mQENBFODA6oBCAC1ZlvBSl+aNBm+NH7xGiNa8JRpZ0ujQIc941ozc2T2Pqe3tscZ +Z6KjsqSwTX6jzomTgGyqJDYd308KEHeqIMuZVlCZQDsyHb6YiuOa051ice3eas94 +PVJ+z6Do9zSVOLwc0xsdy4jBdiB7K5XN3iGmmboK3oiFbNJRP0b+saFSJ3R9lQQ6 +c7iD++tFl36/ovwWitwqzJ3cYuWeGxHjBvTV4YCQb2JECQgskfloHcjqMIyevJm1 +4KNmrHn2Q12qPfrHECtnf/hP/9yrCvbekT/aLWx/IV/vIQdHJPwnYDRFDN6tyuDJ +kh4QVYYyFaKaSHNJ2it3lRMeIAzaCnSVJQ8lABEBAAG0MnNlY3VyaXR5IE9CUyBQ +cm9qZWN0IDxzZWN1cml0eUBidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMBAgAoBQJb +3PRcAhsDBQkMeKCyBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBp0bKq7j0W +ajhOB/9SXnFdzfUQPHrNIqTC0vzHaSsRueFE4ektdaOG9Luku3gPolJQ/LzVd6Dq +2dApFix96PR9Z4EUI5U/Bgbh0UDhcoOgOFv5hC98h9+cIBpOAXi/j7vOc2vpxdQs +ELvplesgbH+BCoIvG0ssKVbPG0A3bqLCeABUTuG7W0Tb1PtIKXqIl/DoOjfEU7gV +pYVOrke5grPJ5BSV9ZG8Zuz9/GtN3tH4mJVEkMDb6flKZ15epgX7VzLSkEhZodwq +cSYQuuniA9XjMgNnHrdL07jE4zLI9KO5UEnRht9Z4yWU0bzSGzU0zXmbTl4iAjAw +bgf3B7FMvJkcaGYD0ZTVd0X5M73GiEYEExECAAYFAlODA6sACgkQOzARt2udZSO5 +wgCfdn5fA8nzafycfrO4iXjg7/E34E4AnixpDpJ8llW/+4r+MC59fMWa59oj +=CIXb +-----END PGP PUBLIC KEY BLOCK----- -- GitLab
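Review bot: The key added as `signatures/repomd.xml.key` is not a CentOS or EPEL key: its user-ID packet decodes to `security OBS Project <security@build.opensuse.org>`, i.e. an openSUSE Build Service project key (please confirm with `gpg --show-keys signatures/repomd.xml.key`). Nothing in this series installs packages from that project, so importing it into rpm's keyring in the Dockerfile widens what the image will trust for no visible reason. If it is genuinely needed, the filename should say what it is and hardening_manifest.yaml should list where it was obtained and its fingerprint; otherwise drop the file together with the `rpm --import repomd.xml.key` line.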