From 3f457329ebacdb248f2ab2135b188e530362bcf0 Mon Sep 17 00:00:00 2001 From: tberreis <88875030+tberreis@users.noreply.github.com> Date: Mon, 9 Sep 2024 18:40:14 +0200 Subject: [PATCH 1/7] fix: liniting error in gatekeeper-controller-manager-poddisruptionbudget.yaml (#3519) Signed-off-by: Thomas Berreis Co-authored-by: Jaydipkumar Arvindbhai Gabani --- cmd/build/helmify/main.go | 2 +- .../gatekeeper-controller-manager-poddisruptionbudget.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/cmd/build/helmify/main.go b/cmd/build/helmify/main.go index 90563093da2..074c09d5127 100644 --- a/cmd/build/helmify/main.go +++ b/cmd/build/helmify/main.go @@ -157,7 +157,7 @@ func (ks *kindSet) Write() error { } if name == "gatekeeper-controller-manager" && kind == "PodDisruptionBudget" { - obj = strings.Replace(obj, "apiVersion: policy/v1", "{{- $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{- $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1) + obj = strings.Replace(obj, "apiVersion: policy/v1", "{{ $v1 := .Capabilities.APIVersions.Has \"policy/v1/PodDisruptionBudget\" -}}\n{{ $v1beta1 := .Capabilities.APIVersions.Has \"policy/v1beta1/PodDisruptionBudget\" -}}\napiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }}", 1) } if name == "gatekeeper-manager-role" && kind == "ClusterRole" { diff --git a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml index 609270a92de..140c55f8895 100644 --- a/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml +++ b/manifest_staging/charts/gatekeeper/templates/gatekeeper-controller-manager-poddisruptionbudget.yaml 
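Review bot: The rewritten `strings.Replace(obj, "apiVersion: policy/v1", ..., 1)` still degrades silently: if the PodDisruptionBudget source ever stops containing that exact line, the Replace is a no-op and the generated chart ships without the capability check and without any build failure. A guard before the call such as `if !strings.Contains(obj, "apiVersion: policy/v1") { return fmt.Errorf("PodDisruptionBudget %q: apiVersion line not found", name) }` turns that into a hard error (assuming `fmt` is imported in this file, which the hunk does not show). The same template string is also committed verbatim under manifest_staging in this patch, so the two copies have to be kept in sync by hand. `Write()` starts and ends outside the hunk.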
@@ -1,6 +1,6 @@ --- -{{- $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} -{{- $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} +{{ $v1 := .Capabilities.APIVersions.Has "policy/v1/PodDisruptionBudget" -}} +{{ $v1beta1 := .Capabilities.APIVersions.Has "policy/v1beta1/PodDisruptionBudget" -}} apiVersion: policy/v1{{- if and (not $v1) $v1beta1 -}}beta1{{- end }} kind: PodDisruptionBudget metadata: From 5de3edb434a00f88f7dc2b60373a39d01abc7333 Mon Sep 17 00:00:00 2001 From: avinash patnala Date: Wed, 11 Sep 2024 12:51:44 -0700 Subject: [PATCH 2/7] refactor: Move setting up Obj to old obj on Delete logic to target handler (#3511) Signed-off-by: Avinash Patnala Co-authored-by: Avinash Patnala Co-authored-by: Rita Zhang --- pkg/gator/verify/runner.go | 3 -- pkg/gator/verify/runner_test.go | 4 +- pkg/target/target.go | 28 ++++++++++++ pkg/target/target_test.go | 67 +++++++++++++++++++++++++++++ pkg/util/request_validation.go | 33 -------------- pkg/util/request_validation_test.go | 63 --------------------------- pkg/webhook/policy.go | 56 ++++++++++++------------ 7 files changed, 125 insertions(+), 129 deletions(-) delete mode 100644 pkg/util/request_validation.go delete mode 100644 pkg/util/request_validation_test.go diff --git a/pkg/gator/verify/runner.go b/pkg/gator/verify/runner.go index 4f3126e5d0c..87557030c1d 100644 --- a/pkg/gator/verify/runner.go +++ b/pkg/gator/verify/runner.go @@ -361,9 +361,6 @@ func (r *Runner) validateAndReviewAdmissionReviewRequest(ctx context.Context, c } req := &admission.Request{AdmissionRequest: *ar.Request} - if err := util.SetObjectOnDelete(req); err != nil { - return nil, fmt.Errorf("%w: %w", gator.ErrInvalidK8sAdmissionReview, err) - } arr := target.AugmentedReview{ AdmissionRequest: &req.AdmissionRequest, diff --git a/pkg/gator/verify/runner_test.go b/pkg/gator/verify/runner_test.go index 6c855b31746..2c901f8acc4 100644 --- a/pkg/gator/verify/runner_test.go 
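Review bot: Dropping `util.SetObjectOnDelete` here changes what a gator caller sees for a DELETE review with no oldObject: it used to come back wrapped in `gator.ErrInvalidK8sAdmissionReview`, and per the runner_test.go update in this same patch it now surfaces as a review error from the target handler. Callers that branch on `errors.Is(err, gator.ErrInvalidK8sAdmissionReview)` will no longer match this case, so it deserves either a wrap back into the gator sentinel or a line in the function's doc comment, e.g. `// NOTE: a DELETE with a nil oldObject is rejected by the target handler during review, not here.` `validateAndReviewAdmissionReviewRequest` starts and ends outside the hunk.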
+++ b/pkg/gator/verify/runner_test.go @@ -10,8 +10,10 @@ import ( "github.com/google/go-cmp/cmp" "github.com/google/go-cmp/cmp/cmpopts" constraintclient "github.com/open-policy-agent/frameworks/constraint/pkg/client" + clienterrors "github.com/open-policy-agent/frameworks/constraint/pkg/client/errors" "github.com/open-policy-agent/gatekeeper/v3/pkg/gator" "github.com/open-policy-agent/gatekeeper/v3/pkg/gator/fixtures" + "github.com/open-policy-agent/gatekeeper/v3/pkg/target" "k8s.io/apimachinery/pkg/util/intstr" "k8s.io/utils/ptr" ) @@ -1155,7 +1157,7 @@ func TestRunner_Run(t *testing.T) { {Name: "invalid admission review object", Error: gator.ErrInvalidK8sAdmissionReview}, {Name: "missing admission request object", Error: gator.ErrMissingK8sAdmissionRequest}, {Name: "no objects to review", Error: gator.ErrNoObjectForReview}, - {Name: "no oldObject on delete", Error: gator.ErrInvalidK8sAdmissionReview}, + {Name: "no oldObject on delete", Error: &clienterrors.ErrorMap{target.Name: constraintclient.ErrReview}}, }, }, { diff --git a/pkg/target/target.go b/pkg/target/target.go index 95ca09e4e65..c32db99962a 100644 --- a/pkg/target/target.go +++ b/pkg/target/target.go @@ -18,6 +18,9 @@ import ( "k8s.io/apimachinery/pkg/util/validation/field" ) +// nolint: revive // Moved error out of pkg/webhook/admission; needs capitalization for backwards compat. +var ErrOldObjectIsNil = errors.New("oldObject cannot be nil for DELETE operations") + // Name is the name of Gatekeeper's Kubernetes validation target. const Name = "admission.k8s.gatekeeper.sh" @@ -127,6 +130,10 @@ func (h *K8sValidationTarget) handleReview(obj interface{}) (bool, *gkReview, er return false, nil, nil } + if err := setObjectOnDelete(review); err != nil { + return false, nil, err + } + return true, review, nil } 
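Review bot: The `nolint: revive` comment on the new `ErrOldObjectIsNil` is carried over from pkg/util and still says the error was moved out of `pkg/webhook/admission`, which is not where this patch moves it from. Suggest `// nolint: revive // Exported sentinel kept capitalized for backwards compat; moved here from pkg/util.` so the next reader is not sent to the wrong package.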
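Review bot: The new `setObjectOnDelete(review)` call mutates the review in place, and where the gkReview wraps a pointer to the caller's request (as `AugmentedReview{AdmissionRequest: &req.AdmissionRequest}` in runner.go does) the caller's `Object` field is rewritten as a side effect of `HandleReview`. That is acceptable, but it is new behaviour for every caller of the handler rather than just the webhook, and it belongs in `HandleReview`'s doc comment, e.g. `// On DELETE, HandleReview copies OldObject into Object on the wrapped request; callers holding a reference to the request will observe this.` It is also worth confirming that callers treat the returned error as a rejection and not as a skipped review, since in the webhook this used to be an immediate 500 denial. `handleReview` starts outside the hunk.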
@@ -249,3 +256,24 @@ func (h *K8sValidationTarget) ToMatcher(u *unstructured.Unstructured) (constrain func (h *K8sValidationTarget) GetCache() handler.Cache { return &h.cache } + +// setObjectOnDelete enforces that we use at least K8s API v1.15.0+ on DELETE operations +// and copies over the oldObject into the Object field for the given AdmissionRequest. +func setObjectOnDelete(review *gkReview) error { + if review.AdmissionRequest.Operation == admissionv1.Delete { + // oldObject is the existing object. + // It is null for DELETE operations in API servers prior to v1.15.0. + // https://github.com/kubernetes/website/pull/14671 + if review.AdmissionRequest.OldObject.Raw == nil { + return ErrOldObjectIsNil + } + + // For admission webhooks registered for DELETE operations on k8s built APIs or CRDs, + // the apiserver now sends the existing object as admissionRequest.Request.OldObject to the webhook + // object is the new object being admitted. + // It is null for DELETE operations. + // https://github.com/kubernetes/kubernetes/pull/76346 + review.AdmissionRequest.Object = review.AdmissionRequest.OldObject + } + return nil +} diff --git a/pkg/target/target_test.go b/pkg/target/target_test.go index a923439e8aa..81449a1d6e0 100644 --- a/pkg/target/target_test.go +++ b/pkg/target/target_test.go @@ -3,6 +3,7 @@ package target import ( "encoding/json" "errors" + "reflect" "sync" "testing" 
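Review bot: `review.AdmissionRequest.OldObject.Raw == nil` is the only signal checked in `setObjectOnDelete`, so an `OldObject` carried as a decoded `runtime.Object` with no `Raw` bytes is rejected while a non-nil but empty `Raw` is accepted, which is inconsistent. Whether in-process callers such as gator ever populate `RawExtension.Object` is not visible here, but `if len(review.AdmissionRequest.OldObject.Raw) == 0 && review.AdmissionRequest.OldObject.Object == nil {` covers both shapes at no cost. The assignment also aliases the same byte slice in `Object.Raw` and `OldObject.Raw`, so any later in-place mutation of one changes the other; a one-line comment stating that the copy is shallow would save a future debugging session.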
@@ -1149,3 +1150,69 @@ func newNsCache() *nsCache { cache: make(map[string]*corev1.Namespace), } } + +func TestHandleReviewForDelete(t *testing.T) { + testCases := []struct { + name string + req interface{} + checkEquality bool + wantErr error + }{ + { + name: "request not on delete", + req: admissionv1.AdmissionRequest{ + Operation: "CREATE", + Object: runtime.RawExtension{Raw: matchedRawData()}, + }, + checkEquality: false, + wantErr: nil, + }, + { + name: "err on request and nil object", + req: admissionv1.AdmissionRequest{ + Operation: "DELETE", + }, + wantErr: ErrOldObjectIsNil, + }, + { + name: "handle ok oldObject not nil", + req: admissionv1.AdmissionRequest{ + Operation: "DELETE", + OldObject: runtime.RawExtension{ + Raw: []byte{'a', 'b', 'c'}, + }, + }, + checkEquality: true, + wantErr: nil, + }, + } + + for _, tc := range testCases { + tc := tc + + t.Run(tc.name, func(t *testing.T) { + t.Parallel() + target := &K8sValidationTarget{} + + _, review, err := target.HandleReview(tc.req) + + if tc.wantErr != nil { + if !errors.Is(tc.wantErr, err) { + t.Fatalf("error did not match what was expected\n want: %v \n got: %v \n", tc.wantErr, err) + } + } + + gkr, ok := review.(*gkReview) + if !ok { + t.Fatalf("test %v: HandleReview failed to return gkReview object", tc.name) + } + + if tc.checkEquality { + // open box: make sure that the OldObject field has been copied into the Object field + if !reflect.DeepEqual(gkr.AdmissionRequest.OldObject, gkr.AdmissionRequest.Object) { + t.Fatal("oldObject and object need to match") + } + } + }) + } +} diff --git a/pkg/util/request_validation.go b/pkg/util/request_validation.go deleted file mode 100644 index 48b89b69012..00000000000 --- a/pkg/util/request_validation.go +++ /dev/null 
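Review bot: In `TestHandleReviewForDelete` the argument order `errors.Is(tc.wantErr, err)` is reversed; `errors.Is` unwraps its first argument, so this only passes while the handler returns the bare sentinel and would break as soon as it is wrapped with `%w`. The error branch also falls through to the `review.(*gkReview)` assertion after a failed call, and the success cases never assert `err == nil`, so a regression that returns an error for a valid DELETE would go unnoticed. Compare the other way round, return after the error check, and fail on unexpected errors:
```go
			_, review, err := target.HandleReview(tc.req)

			if tc.wantErr != nil {
				if !errors.Is(err, tc.wantErr) {
					t.Fatalf("error did not match what was expected\n want: %v \n got: %v \n", tc.wantErr, err)
				}
				return
			}
			if err != nil {
				t.Fatalf("unexpected error: %v", err)
			}
			// … unchanged: gkReview type assertion and OldObject/Object equality check …
```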
@@ -1,33 +0,0 @@ -package util - -import ( - "errors" - - admissionv1 "k8s.io/api/admission/v1" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -// nolint: revive // Moved error out of pkg/webhook/admission; needs capitalization for backwards compat. -var ErrOldObjectIsNil = errors.New("oldObject cannot be nil for DELETE operations") - -// SetObjectOnDelete enforces that we use at least K8s API v1.15.0+ on DELETE operations -// and copies over the oldObject into the Object field for the given AdmissionRequest. -func SetObjectOnDelete(req *admission.Request) error { - if req.AdmissionRequest.Operation == admissionv1.Delete { - // oldObject is the existing object. - // It is null for DELETE operations in API servers prior to v1.15.0. - // https://github.com/kubernetes/website/pull/14671 - if req.AdmissionRequest.OldObject.Raw == nil { - return ErrOldObjectIsNil - } - - // For admission webhooks registered for DELETE operations on k8s built APIs or CRDs, - // the apiserver now sends the existing object as admissionRequest.Request.OldObject to the webhook - // object is the new object being admitted. - // It is null for DELETE operations. - // https://github.com/kubernetes/kubernetes/pull/76346 - req.AdmissionRequest.Object = req.AdmissionRequest.OldObject - } - - return nil -} diff --git a/pkg/util/request_validation_test.go b/pkg/util/request_validation_test.go deleted file mode 100644 index b2231a53b22..00000000000 --- a/pkg/util/request_validation_test.go +++ /dev/null 
@@ -1,63 +0,0 @@ -package util - -import ( - "errors" - "reflect" - "testing" - - v1 "k8s.io/api/admission/v1" - "k8s.io/apimachinery/pkg/runtime" - "sigs.k8s.io/controller-runtime/pkg/webhook/admission" -) - -func TestSetObjectOnDelete(t *testing.T) { - testCases := []struct { - name string - req *admission.Request - wantErr error - }{ - { - name: "request not on delete", - req: &admission.Request{AdmissionRequest: v1.AdmissionRequest{ - Operation: "CREATE", - }}, - wantErr: nil, - }, - { - name: "err on request and nil oldObject", - req: &admission.Request{AdmissionRequest: v1.AdmissionRequest{ - Operation: "DELETE", - }}, - wantErr: ErrOldObjectIsNil, - }, - { - name: "handle ok oldObject not nil", - req: &admission.Request{AdmissionRequest: v1.AdmissionRequest{ - Operation: "DELETE", - OldObject: runtime.RawExtension{ - Raw: []byte{'a', 'b', 'c'}, - }, - }}, - wantErr: nil, - }, - } - - for _, tc := range testCases { - tc := tc - - t.Run(tc.name, func(t *testing.T) { - t.Parallel() - - err := SetObjectOnDelete(tc.req) - - if !errors.Is(tc.wantErr, err) { - t.Fatalf("error did not match what was expected\n want: %v \n got: %v \n", tc.wantErr, err) - } - - // open box: make sure that the OldObject field has been copied into the Object field - if !reflect.DeepEqual(tc.req.AdmissionRequest.OldObject, tc.req.AdmissionRequest.Object) { - t.Fatal("oldObject and object need to match") - } - }) - } -} diff --git a/pkg/webhook/policy.go b/pkg/webhook/policy.go index 6ae3f40402c..48af84aa08c 100644 --- a/pkg/webhook/policy.go +++ b/pkg/webhook/policy.go 
@@ -143,12 +143,6 @@ func (h *validationHandler) Handle(ctx context.Context, req admission.Request) a return admission.Allowed("Gatekeeper does not self-manage") } - if err := util.SetObjectOnDelete(&req); err != nil { - vResp := admission.Denied(err.Error()) - vResp.Result.Code = http.StatusInternalServerError - return vResp - } - if userErr, err := h.validateGatekeeperResources(ctx, &req); err != nil { var code int32 if userErr { 
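Review bot: Removing the `util.SetObjectOnDelete` block here means a DELETE with a nil oldObject no longer gets an immediate `admission.Denied` with `http.StatusInternalServerError`; it now proceeds through `validateGatekeeperResources` and into the review, where the target handler returns `ErrOldObjectIsNil`. The hunk does not show how `Handle` maps a review error to a response, so please confirm that path still produces a denial rather than an allow or a "nothing to review" result, since this was the webhook's fail-closed guard against pre-1.15 API servers. A short comment at the removal site, `// DELETE without oldObject is rejected by the target handler during review.`, would keep the intent visible. `Handle` starts and ends outside the hunk.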
@@ -582,29 +576,33 @@ func (h *validationHandler) reviewRequest(ctx context.Context, req *admission.Re return nil, fmt.Errorf("failed to create augmentedReview: %w", err) } - // Convert the request's generator resource to unstructured for expansion - obj := &unstructured.Unstructured{} - if _, _, err := deserializer.Decode(req.Object.Raw, nil, obj); err != nil { - return nil, fmt.Errorf("error decoding generator resource %s: %w", req.Name, err) - } - obj.SetNamespace(req.Namespace) - obj.SetGroupVersionKind( - schema.GroupVersionKind{ - Group: req.Kind.Group, - Version: req.Kind.Version, - Kind: req.Kind.Kind, - }) - - // Expand the generator and apply mutators to the resultant resources - // The base object is not mutated, so we do not need to specify its source - base := &mutationtypes.Mutable{ - Object: obj, - Namespace: review.Namespace, - Username: req.AdmissionRequest.UserInfo.Username, - } - resultants, err := h.expansionSystem.Expand(base) - if err != nil { - return nil, fmt.Errorf("unable to expand object: %w", err) + resultants := []*expansion.Resultant{} + // Skip the expansion if admissionRequest.Obj is nil. 
+ if req.AdmissionRequest.Object.Raw != nil { + // Convert the request's generator resource to unstructured for expansion + obj := &unstructured.Unstructured{} + if _, _, err := deserializer.Decode(req.Object.Raw, nil, obj); err != nil { + return nil, fmt.Errorf("error decoding generator resource %s: %w", req.Name, err) + } + obj.SetNamespace(req.Namespace) + obj.SetGroupVersionKind( + schema.GroupVersionKind{ + Group: req.Kind.Group, + Version: req.Kind.Version, + Kind: req.Kind.Kind, + }) + + // Expand the generator and apply mutators to the resultant resources + // The base object is not mutated, so we do not need to specify its source + base := &mutationtypes.Mutable{ + Object: obj, + Namespace: review.Namespace, + Username: req.AdmissionRequest.UserInfo.Username, + } + resultants, err = h.expansionSystem.Expand(base) + if err != nil { + return nil, fmt.Errorf("unable to expand object: %w", err) + } } trace, dump := h.tracingLevel(ctx, req) From b4d2d2c785014fcead3675e190d854063a9db1f1 Mon Sep 17 00:00:00 2001 From: Jaydipkumar Arvindbhai Gabani Date: Thu, 12 Sep 2024 17:41:17 -0700 Subject: [PATCH 3/7] chore: adding helm lint ci test (#3536) Signed-off-by: Jaydip Gabani --- .github/workflows/helm-lint.yaml | 33 ++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/helm-lint.yaml diff --git a/.github/workflows/helm-lint.yaml b/.github/workflows/helm-lint.yaml new file mode 100644 index 00000000000..a71ba24abd3 --- /dev/null +++ b/.github/workflows/helm-lint.yaml 
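Review bot: The new `if req.AdmissionRequest.Object.Raw != nil` guard runs before the target handler copies `OldObject` into `Object` (that now happens inside `HandleReview` during the review, per the target.go change in this patch), so on the webhook path a DELETE reaches this point with `Object.Raw == nil` and expansion is skipped entirely. Before this patch `SetObjectOnDelete` ran first in `Handle`, so deleting a generator resource expanded it and evaluated constraints against the resultants; if dropping that is intended it should be stated in the comment, otherwise the guard should fall back to `req.OldObject.Raw` when `req.Operation == admissionv1.Delete`. The comment also calls the field `admissionRequest.Obj`; it is `Object`. `reviewRequest` starts and ends outside the hunk.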
@@ -0,0 +1,33 @@ +name: check-helm-lint +on: + push: + paths: + - "cmd/build/helmify/static/**" + - "manifest_staging/**" + pull_request: + paths: + - "cmd/build/helmify/static/**" + - "manifest_staging/**" + +permissions: read-all + +jobs: + helm_lint_test: + name: "Helm lint" + runs-on: ubuntu-22.04 + timeout-minutes: 15 + + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: Set up Helm + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 + with: + version: "3.14.1" + id: install + + - name: Lint Helm charts + run: | + helm lint manifest_staging/charts/gatekeeper/ + helm lint cmd/build/helmify/static/ From 8fc3023951fdca04369629143f7c25ec007663dd Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 12 Sep 2024 17:42:19 -0700 Subject: [PATCH 4/7] chore: Patch docs for 3.17.1 release (#3540) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: JaydipGabani <20255485+JaydipGabani@users.noreply.github.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com> --- website/versioned_docs/version-v3.17.x/install.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/versioned_docs/version-v3.17.x/install.md b/website/versioned_docs/version-v3.17.x/install.md index 7b99e93bc8a..8eece86e9a4 100644 --- a/website/versioned_docs/version-v3.17.x/install.md +++ b/website/versioned_docs/version-v3.17.x/install.md 
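Review bot: The `paths` filters watch only `cmd/build/helmify/static/**` and `manifest_staging/**`, but the PodDisruptionBudget template fixed earlier in this series is produced from a string literal in `cmd/build/helmify/main.go`, so a change there that breaks the chart would not trigger this lint. Adding `- "cmd/build/helmify/**"` to both filters closes that gap. Consider `helm lint --strict` as well, so warnings fail the job (the NetworkPolicy `ingress: { }` problem fixed later in this series was a warning, not an error), and the unused `id: install` can be dropped. Pinning both actions to full SHAs under `permissions: read-all` is the right setup and should stay.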
@@ -28,7 +28,7 @@ For either installation method, make sure you have cluster admin permissions: If you want to deploy a released version of Gatekeeper in your cluster with a prebuilt image, then you can run the following command: ```sh -kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.0/deploy/gatekeeper.yaml +kubectl apply -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.1/deploy/gatekeeper.yaml ``` ### Deploying a Release using development image @@ -92,7 +92,7 @@ You can alter the variables in `charts/gatekeeper/values.yaml` to customize your If you used a prebuilt image to deploy Gatekeeper, then you can delete all the Gatekeeper components with the following command: ```sh - kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.0/deploy/gatekeeper.yaml + kubectl delete -f https://raw.githubusercontent.com/open-policy-agent/gatekeeper/v3.17.1/deploy/gatekeeper.yaml ``` ### Using make From e32180b19863a8fb562533cf66a3c07d7f4ad369 Mon Sep 17 00:00:00 2001 From: Sebastian Stephan <5838370+sebastian-stephan@users.noreply.github.com> Date: Fri, 13 Sep 2024 02:56:28 +0200 Subject: [PATCH 5/7] fix: helm warning when setting NetworkPolicy ingress rule(s) (#3541) Signed-off-by: Sebastian Stephan Co-authored-by: Rita Zhang --- cmd/build/helmify/static/values.yaml | 2 +- manifest_staging/charts/gatekeeper/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cmd/build/helmify/static/values.yaml b/cmd/build/helmify/static/values.yaml index a17db01235c..187322ce9b3 100644 --- a/cmd/build/helmify/static/values.yaml +++ b/cmd/build/helmify/static/values.yaml @@ -224,7 +224,7 @@ controllerManager: extraRules: [] networkPolicy: enabled: false - ingress: { } + ingress: [] # - from: # - ipBlock: # cidr: 0.0.0.0/0 diff --git a/manifest_staging/charts/gatekeeper/values.yaml b/manifest_staging/charts/gatekeeper/values.yaml index a17db01235c..187322ce9b3 100644 
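Review bot: `ingress: []` is the correct YAML type for a list, but the surrounding comment should say what an empty list means once `enabled: true`: if the template emits `policyTypes: [Ingress]` (not visible in this hunk), an empty ingress list denies all ingress to the controller, including the API server's webhook calls, which shows up either as admission failures or, with a `failurePolicy: Ignore` webhook, as silently unenforced policy. Suggest `# With enabled: true an empty list blocks ALL ingress to the controller, including API-server webhook traffic; add at least one rule.` The commented example `cidr: 0.0.0.0/0` also reads as a recommended default, so a note that it should be narrowed to the API server's source range would help operators who copy it.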
--- a/manifest_staging/charts/gatekeeper/values.yaml +++ b/manifest_staging/charts/gatekeeper/values.yaml @@ -224,7 +224,7 @@ controllerManager: extraRules: [] networkPolicy: enabled: false - ingress: { } + ingress: [] # - from: # - ipBlock: # cidr: 0.0.0.0/0 From 41db392de1490ac9d26f8490c2702bb8161025a2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Serta=C3=A7=20=C3=96zercan?= <852750+sozercan@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:17:16 -0700 Subject: [PATCH 6/7] ci: remove dockerfile buildplatform (#3491) Signed-off-by: Sertac Ozercan Co-authored-by: Jaydipkumar Arvindbhai Gabani --- Dockerfile | 10 ++-------- gator.Dockerfile | 10 ++-------- test/externaldata/dummy-provider/Dockerfile | 8 ++------ test/pubsub/fake-subscriber/Dockerfile | 8 ++------ 4 files changed, 8 insertions(+), 28 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3d832e3e4df..911bdeaa200 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,4 @@ -ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.22-bookworm" -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot" - -FROM --platform=$BUILDPLATFORM $BUILDERIMAGE AS builder +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 AS builder ARG TARGETPLATFORM ARG TARGETOS @@ -24,7 +18,7 @@ COPY . . RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o manager -FROM $BASEIMAGE +FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 WORKDIR / COPY --from=builder /go/src/github.com/open-policy-agent/gatekeeper/manager . diff --git a/gator.Dockerfile b/gator.Dockerfile index 0fba2c5aa64..0d50654f967 100644 --- a/gator.Dockerfile +++ b/gator.Dockerfile 
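Review bot: The runtime `FROM` drops the `:nonroot` tag that `BASEIMAGE` carried and keeps only a digest, and this Dockerfile has no `USER` directive; unless `sha256:8dd8d3…` happens to resolve to the nonroot variant (which cannot be read off the digest), the manager image's default user regresses from `nonroot` to root and the container relies solely on the pod's securityContext. Either pin tag and digest together, `FROM gcr.io/distroless/static-debian12:nonroot@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65`, which documents the intent and still fails on a digest mismatch, or add `USER 65532:65532` as gator.Dockerfile in this same patch already does. Digest pinning is the right supply-chain move, but dropping the `ARG BUILDPLATFORM` default also leaves `FROM --platform=$BUILDPLATFORM` empty under a non-BuildKit `docker build`; worth confirming that is acceptable.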
@@ -1,10 +1,4 @@ -ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.22-bookworm" -# Use distroless as minimal base image to package the manager binary -# Refer to https://github.com/GoogleContainerTools/distroless for more details -ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot" - -FROM --platform=$BUILDPLATFORM $BUILDERIMAGE AS builder +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 AS builder ARG TARGETPLATFORM ARG TARGETOS @@ -23,7 +17,7 @@ WORKDIR /go/src/github.com/open-policy-agent/gatekeeper/cmd/gator RUN go build -mod vendor -a -ldflags "${LDFLAGS}" -o /gator -FROM --platform=$BUILDPLATFORM $BASEIMAGE AS build +FROM --platform=$BUILDPLATFORM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 AS build USER 65532:65532 COPY --from=builder --chown=65532:65532 /gator /gator ENTRYPOINT ["/gator"] diff --git a/test/externaldata/dummy-provider/Dockerfile b/test/externaldata/dummy-provider/Dockerfile index eb498a0e4ea..b6b22dcb71a 100644 --- a/test/externaldata/dummy-provider/Dockerfile +++ b/test/externaldata/dummy-provider/Dockerfile @@ -1,8 +1,4 @@ -ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.22-bookworm" -ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot" - -FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 as builder ARG TARGETPLATFORM ARG TARGETOS @@ -24,7 +20,7 @@ RUN go mod init && go mod tidy RUN go build -o provider provider.go -FROM $BASEIMAGE +FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 WORKDIR / diff --git a/test/pubsub/fake-subscriber/Dockerfile b/test/pubsub/fake-subscriber/Dockerfile index 9a8168a0b3a..05b9cb0e837 100644 --- a/test/pubsub/fake-subscriber/Dockerfile 
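Review bot: Same concern as the main Dockerfile: the runtime stage of the dummy provider moves from `static-debian12:nonroot` to a bare digest with no `USER` line, so the test provider may now run as root unless that digest is the nonroot variant. `USER 65532:65532` after the `FROM`, or `static-debian12:nonroot@sha256:…`, keeps the previous posture and keeps the e2e environment representative of production. The lowercase `as builder` in the first hunk is now the odd one out among these Dockerfiles; `AS` is the convention the others use.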
+++ b/test/pubsub/fake-subscriber/Dockerfile @@ -1,8 +1,4 @@ -ARG BUILDPLATFORM="linux/amd64" -ARG BUILDERIMAGE="golang:1.22-bookworm" -ARG BASEIMAGE="gcr.io/distroless/static-debian12:nonroot" - -FROM --platform=$BUILDPLATFORM $BUILDERIMAGE as builder +FROM --platform=$BUILDPLATFORM golang:1.22-bookworm@sha256:39b7e6ebaca464d51989858871f792f2e186dce8ce0cbdba7e88e4444b244407 as builder ARG TARGETPLATFORM ARG TARGETOS @@ -24,7 +20,7 @@ RUN go mod init && go mod tidy && go mod vendor RUN go build -o main -FROM $BASEIMAGE +FROM gcr.io/distroless/static-debian12@sha256:8dd8d3ca2cf283383304fd45a5c9c74d5f2cd9da8d3b077d720e264880077c65 WORKDIR / From 107a4ab8bc2222003487aa5d5dd0bdc1e3ff95ab Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 13 Sep 2024 12:31:58 -0700 Subject: [PATCH 7/7] chore: bump kubectl from v1.30.3 to v1.31.1 (#3543) Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- crd.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crd.Dockerfile b/crd.Dockerfile index 49e4a17054a..e4f6cceac24 100644 --- a/crd.Dockerfile +++ b/crd.Dockerfile @@ -1,4 +1,4 @@ -FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.30.3 AS builder +FROM --platform=$TARGETPLATFORM registry.k8s.io/kubectl:v1.31.1 AS builder ARG TARGETPLATFORM ARG TARGETOS
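Review bot: The fake subscriber's runtime `FROM` also loses the `:nonroot` tag in favour of a bare digest and has no `USER` directive, so it inherits the same possible root-by-default regression as the other images in this patch. `USER 65532:65532` after the `FROM`, or `gcr.io/distroless/static-debian12:nonroot@sha256:…`, restores the explicit non-root default; `as builder` in the first hunk should be `AS builder` for consistency.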