UNCLASSIFIED

Skip to content

GitLab

Commit 4a655a1b authored by Vickie Shen's avatar Vickie Shen
Browse files

rebuilt

parent 10167974
Pipeline #317246 passed with stages
in 8 minutes and 12 seconds
Hide whitespace changes
Inline Side-by-side
Showing with 110 additions and 147 deletions
Dockerfile
View file @ 4a655a1b
ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_REGISTRY=registry1.dso.mil
ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8
ARG BASE_TAG=8.4 ARG BASE_TAG=8.4
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} AS builder FROM kubeimage/kube-proxy-amd64:v1.19.11 as base
#install Go 1.15.2
COPY go1.15.2.linux-amd64.tar.gz /
RUN tar -C /usr/local -xzf go1.15.2.linux-amd64.tar.gz
ENV PATH="$PATH:/usr/local/go/bin"
COPY kubernetes.tar.gz /
RUN dnf upgrade -y && \
dnf install -y make gcc diffutils rsync && \
dnf clean all && \
rm -rf /var/cache/dnf && \
mkdir -p $GOPATH/src/k8s.io/kubernetes && \
tar -zxf /kubernetes.tar.gz -C $GOPATH/src/k8s.io/kubernetes --strip-components=1 && \
rm -f /kubernetes.tar.gz && \
cd $GOPATH/src/k8s.io/kubernetes/ && \
make WHAT=cmd/kube-proxy
COPY texinfo.tar.gz bison.tar.gz flex.tar.gz signatures/RPM-GPG-KEY-CentOS-Official \
libtirpc-devel.rpm libmnl.tar.bz2 libnetfilter_conntrack.tar.bz2 \
libnetfilter_cthelper.tar.bz2 libnetfilter_cttimeout.tar.bz2 \
libnetfilter_queue.tar.bz2 texinfo.tar.gz libnfnetlink.tar.bz2 conntrack-tools.tar.bz2 /
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Install necessary container packages for conntrack
# TODO: use WORKDIR?
RUN dnf upgrade -y && \
dnf install -y automake autoconf make gcc iptables ipset kmod bzip2 m4 \
diffutils pkgconf pkgconf-m4 pkgconf-pkg-config man-db && \
mkdir -p /usr/src/texinfo && \
tar -zxf /texinfo.tar.gz --strip-components=1 -C /usr/src/texinfo && \
cd /usr/src/texinfo && \
./configure && make && make install && \
mkdir -p /usr/src/bison && \
tar -zxf /bison.tar.gz --strip-components=1 -C /usr/src/bison && \
cd /usr/src/bison && \
./configure && make && make install && \
mkdir -p /usr/src/flex && \
tar -zxf /flex.tar.gz --strip-components=1 -C /usr/src/flex && \
cd /usr/src/flex && \
./configure && make && make install && \
rpm --import /RPM-GPG-KEY-CentOS-Official && \
rpm -iv /libtirpc-devel.rpm && \
mkdir -p /usr/src/libnfnetlink && \
tar -jxf /libnfnetlink.tar.bz2 --strip-components=1 -C /usr/src/libnfnetlink && \
cd /usr/src/libnfnetlink && \
./configure && make && make install && \
mkdir -p /usr/src/libmnl && \
tar -jxf /libmnl.tar.bz2 --strip-components=1 -C /usr/src/libmnl && \
cd /usr/src/libmnl && \
./configure && make && make install
ENV PKG_CONFIG_PATH=/usr/local/lib/pkgconfig
RUN mkdir -p /usr/src/libnetfilter_conntrack && \
tar -jxf /libnetfilter_conntrack.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_conntrack && \
cd /usr/src/libnetfilter_conntrack && \
./configure && make && make install && \
mkdir -p /usr/src/libnetfilter_cttimeout && \
tar -jxf /libnetfilter_cttimeout.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cttimeout && \
cd /usr/src/libnetfilter_cttimeout && \
./configure && make && make install && \
mkdir -p /usr/src/libnetfilter_cthelper && \
tar -jxf /libnetfilter_cthelper.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_cthelper && \
cd /usr/src/libnetfilter_cthelper && \
./configure && make && make install && \
mkdir -p /usr/src/libnetfilter_queue && \
tar -jxf /libnetfilter_queue.tar.bz2 --strip-components=1 -C /usr/src/libnetfilter_queue && \
cd /usr/src/libnetfilter_queue && \
./configure && make && make install && \
mkdir -p /usr/src/conntrack-tools && \
tar -jxf /conntrack-tools.tar.bz2 --strip-components=1 -C /usr/src/conntrack-tools && \
cd /usr/src/conntrack-tools && \
./configure && make && make install
FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
COPY --from=builder /src/k8s.io/kubernetes/_output/bin/kube-proxy /usr/local/bin/ COPY *.rpm /
COPY --from=builder /usr/local/sbin/conntrack /usr/local/sbin/conntrack COPY signatures/* /
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin COPY --from=base /usr/local/bin/kube-proxy /usr/local/bin/kube-proxy
COPY --from=base /usr/sbin/xtables-legacy-multi /usr/sbin/
COPY --from=base /usr/sbin/iptables-wrapper /usr/sbin/
RUN dnf upgrade -y && \ RUN dnf upgrade -y && \
dnf install -y iptables ipset kmod && \ dnf install -y ipset iputils net-tools kmod procps iproute kmod iptables && \
dnf install -y which findutils && \
rpm --import RPM-GPG-KEY-CentOS-Official && \
rpm --import RPM-GPG-KEY-EPEL-8 && \
rpm --import repomd.xml.key && \
dnf localinstall -y libnetfilter_cthelper.rpm && \
dnf localinstall -y libnetfilter_cttimeout.rpm && \
dnf localinstall -y libnetfilter_queue.rpm && \
dnf localinstall -y conntrack-tools.rpm && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-restore && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-save && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-legacy && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-legacy-restore && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/iptables-legacy-save && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-legacy && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-legacy-restore && \
ln -fs /usr/sbin/xtables-legacy-multi /usr/sbin/ip6tables-legacy-save && \
ln -fs /usr/sbin/xtables-nft-multi /usr/sbin/iptables-nft && \
ln -fs /usr/sbin/xtables-nft-multi /usr/sbin/iptables-nft-restore && \
ln -fs /usr/sbin/xtables-nft-multi /usr/sbin/iptables-nft-save && \
ln -fs /usr/sbin/xtables-nft-multi /usr/sbin/ip6tables-nft && \
ln -fs /usr/sbin/xtables-nft-multi /usr/sbin/ip6tables-nft-restore && \
ln -fs /usr/sbin/xtables-nft-multi /usr/sbin/ip6tables-nft-save && \
alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-legacy 1 && \
alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/ip6tables-legacy 1 && \
dnf clean all && \ dnf clean all && \
rm -rf /var/cache/dnf rm -rf /var/cache/dnf
CMD ["/bin/sh"] RUN update-alternatives --install /usr/sbin/iptables iptables /usr/sbin/iptables-wrapper 100 \
--slave /usr/sbin/iptables-restore iptables-restore /usr/sbin/iptables-wrapper \
--slave /usr/sbin/iptables-save iptables-save /usr/sbin/iptables-wrapper
RUN update-alternatives --install /usr/sbin/ip6tables ip6tables /usr/sbin/iptables-wrapper 101 \
--slave /usr/sbin/ip6tables-restore ip6tables-restore /usr/sbin/iptables-wrapper \
--slave /usr/sbin/ip6tables-save ip6tables-save /usr/sbin/iptables-wrapper
HEALTHCHECK --interval=10s --timeout=1s --start-period=10s --retries=6 \
CMD curl -f http://locahost:10249 || exit 1
hardening_manifest.yaml
View file @ 4a655a1b
...@@ -24,90 +24,47 @@ labels: ...@@ -24,90 +24,47 @@ labels:
## License(s) under which contained software is distributed ## License(s) under which contained software is distributed
org.opencontainers.image.licenses: "Apache-2.0" org.opencontainers.image.licenses: "Apache-2.0"
## URL to find more information on the image ## URL to find more information on the image
org.opencontainers.image.url: "https://kubernetes.io/" org.opencontainers.image.url: "https://hub.docker.com/r/kubeimage/kube-proxy-amd64"
## Name of the distributing entity, organization or individual ## Name of the distributing entity, organization or individual
org.opencontainers.image.vendor: "opensource" org.opencontainers.image.vendor: "opensource"
org.opencontainers.image.version: "v1.19.11" org.opencontainers.image.version: "v1.19.11"
## Keywords to help with search (ex. "cicd,gitops,golang") ## Keywords to help with search (ex. "cicd,gitops,golang")
mil.dso.ironbank.image.keywords: "kubernetes" mil.dso.ironbank.image.keywords: "kube-proxy"
## This value can be "opensource" or "commercial" ## This value can be "opensource" or "commercial"
mil.dso.ironbank.image.type: "opensource" mil.dso.ironbank.image.type: "opensource"
## Product the image belongs to for grouping multiple images ## Product the image belongs to for grouping multiple images
mil.dso.ironbank.product.name: "kubernetes" mil.dso.ironbank.product.name: "kube-proxy"
# List of resources to make available to the offline build context # List of resources to make available to the offline build context
resources: resources:
- url: https://github.com/kubernetes/kubernetes/archive/v1.19.11.tar.gz - tag: kubeimage/kube-proxy-amd64:v1.19.11
filename: kubernetes.tar.gz url: docker://docker.io/kubeimage/kube-proxy-amd64@sha256:7b9820db91f8ba56f5fb41c439ef805bb9601b1f9d0a23479c1298150689664c
- filename: libnetfilter_cthelper.rpm
url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libnetfilter_cthelper-1.0.0-15.el8.x86_64.rpm
validation: validation:
type: sha256 type: sha256
value: 85cf92acfe33e84847783e331582e853c0a6986534f36ed46fac47cc0ddcb151 value: 1ff19864aecd9d21527e14cd1a254a42eb2296967544a03e2572358fcd9a7912
- filename: go1.15.2.linux-amd64.tar.gz - filename: libnetfilter_cttimeout.rpm
url: https://golang.org/dl/go1.15.2.linux-amd64.tar.gz url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libnetfilter_cttimeout-1.0.0-11.el8.x86_64.rpm
validation: validation:
type: sha256 type: sha256
value: b49fda1ca29a1946d6bb2a5a6982cf07ccd2aba849289508ee0f9918f6bb4552 value: 1ec9b84708a45c425a19e7112643686906a7529ce3648e902b341e3172e733c9
- filename: texinfo.tar.gz - filename: libnetfilter_queue.rpm
url: "https://ftp.gnu.org/gnu/texinfo/texinfo-6.7.tar.gz" url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libnetfilter_queue-1.0.4-3.el8.x86_64.rpm
validation: validation:
type: sha256 type: sha256
value: a52d05076b90032cb2523673c50e53185938746482cf3ca0213e9b4b50ac2d3e value: 39e998ff6eb91d01e662fe5eaf92cf1759d0223e0e83c3655e5e5f1aa9bcd4e0
- filename: bison.tar.gz - filename: conntrack-tools.rpm
url: "http://ftp.gnu.org/gnu/bison/bison-3.5.4.tar.gz" url: http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/conntrack-tools-1.4.4-10.el8.x86_64.rpm
validation: validation:
type: sha256 type: sha256
value: c0dd154dfaba63553a892d41dc400c7baa88cc06a1e2e27813fdd503715e4c28 value: a077f5a786a1c2f61da812a32de865ae51bc74f5f08d6328cf67ece4f7ce10de
- filename: flex.tar.gz
url: "https://github.com/westes/flex/releases/download/v2.6.4/flex-2.6.4.tar.gz"
validation:
type: sha256
value: e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c45ee995
- filename: libtirpc-devel.rpm
url: "http://mirror.centos.org/centos/8/BaseOS/x86_64/os/Packages/libtirpc-devel-1.1.4-4.el8.x86_64.rpm"
validation:
type: sha256
value: 4d3a43db83a983b7a375f18c87a9cc0298867e875b11571496ce42eaa3653d75
- filename: libnfnetlink.tar.bz2
url: "http://netfilter.org/projects/libnfnetlink/files/libnfnetlink-1.0.1.tar.bz2"
validation:
type: sha256
value: f270e19de9127642d2a11589ef2ec97ef90a649a74f56cf9a96306b04817b51a
- filename: libmnl.tar.bz2
url: "https://netfilter.org/projects/libmnl/files/libmnl-1.0.4.tar.bz2"
validation:
type: sha256
value: 171f89699f286a5854b72b91d06e8f8e3683064c5901fb09d954a9ab6f551f81
- filename: libnetfilter_conntrack.tar.bz2
url: "https://netfilter.org/projects/libnetfilter_conntrack/files/libnetfilter_conntrack-1.0.8.tar.bz2"
validation:
type: sha256
value: 0cd13be008923528687af6c6b860f35392d49251c04ee0648282d36b1faec1cf
- filename: libnetfilter_cttimeout.tar.bz2
url: "https://netfilter.org/projects/libnetfilter_cttimeout/files/libnetfilter_cttimeout-1.0.0.tar.bz2"
validation:
type: sha256
value: aeab12754f557cba3ce2950a2029963d817490df7edb49880008b34d7ff8feba
- filename: libnetfilter_cthelper.tar.bz2
url: "https://netfilter.org/projects/libnetfilter_cthelper/files/libnetfilter_cthelper-1.0.0.tar.bz2"
validation:
type: sha256
value: 07618e71c4d9a6b6b3dc1986540486ee310a9838ba754926c7d14a17d8fccf3d
- filename: libnetfilter_queue.tar.bz2
url: "https://netfilter.org/projects/libnetfilter_queue/files/libnetfilter_queue-1.0.5.tar.bz2"
validation:
type: sha256
value: f9ff3c11305d6e03d81405957bdc11aea18e0d315c3e3f48da53a24ba251b9f5
- filename: conntrack-tools.tar.bz2
url: "http://ftp.netfilter.org/pub/conntrack-tools/conntrack-tools-1.4.6.tar.bz2"
validation:
type: sha256
value: 590859cc848245dbfd9c6487761dd303b3a1771e007f4f42213063ca56205d5f
# List of project maintainers # List of project maintainers
maintainers: maintainers:
- email: "jperez2@novetta.com" - email: "shen_vickie@bah.com"
# # The name of the current container owner # # The name of the current container owner
name: "Jason Perez" name: "Vickie Shen"
# # The gitlab username of the current container owner # # The gitlab username of the current container owner
username: "jperez2" username: "shen_vickie"
cht_member: false cht_member: true
signatures/RPM-GPG-KEY-EPEL-8 0 → 100644
View file @ 4a655a1b
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBFz3zvsBEADJOIIWllGudxnpvJnkxQz2CtoWI7godVnoclrdl83kVjqSQp+2
dgxuG5mUiADUfYHaRQzxKw8efuQnwxzU9kZ70ngCxtmbQWGmUmfSThiapOz00018
+eo5MFabd2vdiGo1y+51m2sRDpN8qdCaqXko65cyMuLXrojJHIuvRA/x7iqOrRfy
a8x3OxC4PEgl5pgDnP8pVK0lLYncDEQCN76D9ubhZQWhISF/zJI+e806V71hzfyL
/Mt3mQm/li+lRKU25Usk9dWaf4NH/wZHMIPAkVJ4uD4H/uS49wqWnyiTYGT7hUbi
ecF7crhLCmlRzvJR8mkRP6/4T/F3tNDPWZeDNEDVFUkTFHNU6/h2+O398MNY/fOh
yKaNK3nnE0g6QJ1dOH31lXHARlpFOtWt3VmZU0JnWLeYdvap4Eff9qTWZJhI7Cq0
Wm8DgLUpXgNlkmquvE7P2W5EAr2E5AqKQoDbfw/GiWdRvHWKeNGMRLnGI3QuoX3U
pAlXD7v13VdZxNydvpeypbf/AfRyrHRKhkUj3cU1pYkM3DNZE77C5JUe6/0nxbt4
ETUZBTgLgYJGP8c7PbkVnO6I/KgL1jw+7MW6Az8Ox+RXZLyGMVmbW/TMc8haJfKL
MoUo3TVk8nPiUhoOC0/kI7j9ilFrBxBU5dUtF4ITAWc8xnG6jJs/IsvRpQARAQAB
tChGZWRvcmEgRVBFTCAoOCkgPGVwZWxAZmVkb3JhcHJvamVjdC5vcmc+iQI4BBMB
AgAiBQJc9877AhsPBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAh6kWrL4bW
oWagD/4xnLWws34GByVDQkjprk0fX7Iyhpm/U7BsIHKspHLL+Y46vAAGY/9vMvdE
0fcr9Ek2Zp7zE1RWmSCzzzUgTG6BFoTG1H4Fho/7Z8BXK/jybowXSZfqXnTOfhSF
alwDdwlSJvfYNV9MbyvbxN8qZRU1z7PEWZrIzFDDToFRk0R71zHpnPTNIJ5/YXTw
NqU9OxII8hMQj4ufF11040AJQZ7br3rzerlyBOB+Jd1zSPVrAPpeMyJppWFHSDAI
WK6x+am13VIInXtqB/Cz4GBHLFK5d2/IYspVw47Solj8jiFEtnAq6+1Aq5WH3iB4
bE2e6z00DSF93frwOyWN7WmPIoc2QsNRJhgfJC+isGQAwwq8xAbHEBeuyMG8GZjz
xohg0H4bOSEujVLTjH1xbAG4DnhWO/1VXLX+LXELycO8ZQTcjj/4AQKuo4wvMPrv
9A169oETG+VwQlNd74VBPGCvhnzwGXNbTK/KH1+WRH0YSb+41flB3NKhMSU6dGI0
SGtIxDSHhVVNmx2/6XiT9U/znrZsG5Kw8nIbbFz+9MGUUWgJMsd1Zl9R8gz7V9fp
n7L7y5LhJ8HOCMsY/Z7/7HUs+t/A1MI4g7Q5g5UuSZdgi0zxukiWuCkLeAiAP4y7
zKK4OjJ644NDcWCHa36znwVmkz3ixL8Q0auR15Oqq2BjR/fyog==
=84m8
-----END PGP PUBLIC KEY BLOCK-----
signatures/repomd.xml.key 0 → 100644
View file @ 4a655a1b
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (GNU/Linux)
mQENBFODA6oBCAC1ZlvBSl+aNBm+NH7xGiNa8JRpZ0ujQIc941ozc2T2Pqe3tscZ
Z6KjsqSwTX6jzomTgGyqJDYd308KEHeqIMuZVlCZQDsyHb6YiuOa051ice3eas94
PVJ+z6Do9zSVOLwc0xsdy4jBdiB7K5XN3iGmmboK3oiFbNJRP0b+saFSJ3R9lQQ6
c7iD++tFl36/ovwWitwqzJ3cYuWeGxHjBvTV4YCQb2JECQgskfloHcjqMIyevJm1
4KNmrHn2Q12qPfrHECtnf/hP/9yrCvbekT/aLWx/IV/vIQdHJPwnYDRFDN6tyuDJ
kh4QVYYyFaKaSHNJ2it3lRMeIAzaCnSVJQ8lABEBAAG0MnNlY3VyaXR5IE9CUyBQ
cm9qZWN0IDxzZWN1cml0eUBidWlsZC5vcGVuc3VzZS5vcmc+iQE+BBMBAgAoBQJb
3PRcAhsDBQkMeKCyBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRBp0bKq7j0W
ajhOB/9SXnFdzfUQPHrNIqTC0vzHaSsRueFE4ektdaOG9Luku3gPolJQ/LzVd6Dq
2dApFix96PR9Z4EUI5U/Bgbh0UDhcoOgOFv5hC98h9+cIBpOAXi/j7vOc2vpxdQs
ELvplesgbH+BCoIvG0ssKVbPG0A3bqLCeABUTuG7W0Tb1PtIKXqIl/DoOjfEU7gV
pYVOrke5grPJ5BSV9ZG8Zuz9/GtN3tH4mJVEkMDb6flKZ15epgX7VzLSkEhZodwq
cSYQuuniA9XjMgNnHrdL07jE4zLI9KO5UEnRht9Z4yWU0bzSGzU0zXmbTl4iAjAw
bgf3B7FMvJkcaGYD0ZTVd0X5M73GiEYEExECAAYFAlODA6sACgkQOzARt2udZSO5
wgCfdn5fA8nzafycfrO4iXjg7/E34E4AnixpDpJ8llW/+4r+MC59fMWa59oj
=CIXb
-----END PGP PUBLIC KEY BLOCK-----
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment

UNCLASSIFIED