kubernetes exam in action

Image build

Last updated 3 years ago

1. Introduction

2. Multi-stage image build

root@master:~/cks/image_footprint# cat Dockerfile 
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go
CMD ["./app"]

root@master:~/cks/image_footprint# cat app.go 
package main

import (
    "fmt"
    "os/user"
    "time"
)

func main() {
    // Look up the account the process runs as; without a USER instruction
    // in the Dockerfile this is root (uid 0).
    user, err := user.Current()
    if err != nil {
        panic(err)
    }

    // Print it once a second so `docker run` shows who the container runs as.
    for {
        fmt.Println("user: " + user.Username + " id: " + user.Uid)
        time.Sleep(1 * time.Second)
    }
}
root@master:~/cks/image_footprint# docker  build  -t app .
root@master:~/cks/image_footprint# docker  build --network=host -t app .
....
....
Step 4/6 : COPY app.go .
 ---> 3e1402a9aa76
Step 5/6 : RUN CGO_ENABLED=0 go build app.go
 ---> Running in 40d3a61c48c1
Removing intermediate container 40d3a61c48c1
 ---> badcd4b100b5
Step 6/6 : CMD ["./app"]
 ---> Running in 90bf3a7cd05b
Removing intermediate container 90bf3a7cd05b
 ---> 847a0ea160db
Successfully built 847a0ea160db
Successfully tagged app:latest

root@master:~/cks/image_footprint# docker run app
user: root id: 0
user: root id: 0
user: root id: 0
user: root id: 0
^Cuser: root id: 0


root@master:~/cks/image_footprint# docker images  |grep app
app                                    latest              5acf9df3a2ee        About a minute ago   678MB


# Use the first stage's image to build the next one (multi-stage build)
root@node1:~/cks/image_footprint# cat Dockerfile 
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go


FROM alpine
COPY --from=0 /app .
CMD ["./app"]


root@node1:~/cks/image_footprint# docker  build --network=host -t app .
Sending build context to Docker daemon  3.072kB
Step 1/8 : FROM ubuntu
 ---> 7e0aa2d69a15
Step 2/8 : ARG DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> ca181f94a1d8
Step 3/8 : RUN apt-get update && apt-get install -y golang-go
 ---> Using cache
 ---> 2b8ae7feb9d3
Step 4/8 : COPY app.go .
 ---> Using cache
 ---> 2bfae84136e8
Step 5/8 : RUN CGO_ENABLED=0 go build app.go
 ---> Using cache
 ---> 396e81b07b04
Step 6/8 : FROM alpine
latest: Pulling from library/alpine
540db60ca938: Pull complete 
Digest: sha256:69e70a79f2d41ab5d637de98c1e0b055206ba40a8145e7bddb55ccc04e13cf8f
Status: Downloaded newer image for alpine:latest
 ---> 6dbb9cc54074
Step 7/8 : COPY --from=0 /app .
 ---> 82a88cf8bdaa
Step 8/8 : CMD ["./app"]
 ---> Running in 4bfb018ccea7
Removing intermediate container 4bfb018ccea7
 ---> 3a81c4f3f3dc
Successfully built 3a81c4f3f3dc
Successfully tagged app:latest

Works normally:
root@node1:~/cks/image_footprint# docker run app
user: root id: 0
user: root id: 0
user: root id: 0
user: root id: 0

# The image has become tiny
^Croot@node1:~/cks/image_footprint# docker images |grep app
app                                                                            latest              3a81c4f3f3dc        16 hours ago        7.75MB

3. Security hardening

# 1. Pin the image version
# build container stage 1
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.11.6
COPY --from=0 /app .
CMD ["./app"]


# 2. Run as a non-root user
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]


# 3. Make the filesystem read-only
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN chmod a-w /etc
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]


# 4. Remove the shell and related commands
# build container stage 1
FROM ubuntu:20.04
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN pwd
RUN CGO_ENABLED=0 go build app.go

# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
RUN rm -rf /bin/*
COPY --from=0 /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]
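The four Dockerfiles above each add one control by hand. The script below is an added example, not code from the original page or from the exam material: a small policy checker that reads a Dockerfile and reports whether the base images are pinned (section 3, step 1), whether the final stage switches to a non-root user (step 2), and whether any compiler or package install landed in the runtime stage, which is the difference between the 678MB single-stage image and the 7.75MB multi-stage image in section 2. The rule names, the output format and the two constructed sample Dockerfiles are my own; the samples mirror the page's single-stage Dockerfile and its hardened stage-2 variant.

```shell
# Added example, not from the original page: a minimal Dockerfile policy checker
# for the hardening rules above. Rule names, messages and sample files are constructed.

# Print the image of every FROM line (first argument that is not a --flag).
from_images() {
    awk 'toupper($1) == "FROM" {
             for (i = 2; i <= NF; i++) if ($i !~ /^--/) { print $i; break }
         }' "$1"
}

# Print names declared with "FROM ... AS name" so stage references are not flagged.
stage_names() {
    awk 'toupper($1) == "FROM" {
             for (i = 3; i <= NF; i++) if (toupper($i) == "AS") print $(i + 1)
         }' "$1"
}

# Print only the final stage (from the last FROM onward): the image that ships.
last_stage() {
    awk 'toupper($1) == "FROM" { buf = "" } { buf = buf $0 "\n" } END { printf "%s", buf }' "$1"
}

# Rule 1: every base image is pinned by tag or digest; no bare name, no :latest.
check_pinned_base() {
    bad=0
    stages=$(stage_names "$1")
    for img in $(from_images "$1"); do
        if printf '%s\n' "$stages" | grep -qx -- "$img"; then continue; fi
        case "$img" in *@sha256:*) continue ;; esac   # digest-pinned
        name=${img##*/}          # strip registry[:port]/namespace before looking for a tag
        case "$name" in
            scratch) ;;                                # the empty image has no tag
            *:latest) echo "  [pin]  floating tag: $img"; bad=1 ;;
            *:*) ;;                                    # explicit tag
            *) echo "  [pin]  no tag: $img"; bad=1 ;;
        esac
    done
    return $bad
}

# Rule 2: the final stage switches to a non-root user (USER appuser above).
check_nonroot_user() {
    user=$(last_stage "$1" | awk 'toupper($1) == "USER" { u = $2 } END { print u }')
    case "$user" in
        ""|root|0|root:*|0:*) echo "  [user] final stage runs as root (USER=${user:-unset})"; return 1 ;;
    esac
    return 0
}

# Rule 3: no compiler or package-manager install in the final stage; build tools
# belong in stage 1, and shipping them is why the single-stage image is 678MB.
check_no_build_tools() {
    hits=$(last_stage "$1" | grep -E -c 'apt-get +install|apk +add|yum +install|go +build|gcc ' || true)
    if [ "$hits" -gt 0 ]; then
        echo "  [size] $hits build/install step(s) in the final stage"; return 1
    fi
    return 0
}

# Run every rule; the exit status is the number of rules that failed.
check_dockerfile() {
    failed=0
    echo "checking $1"
    check_pinned_base "$1"    || failed=$((failed + 1))
    check_nonroot_user "$1"   || failed=$((failed + 1))
    check_no_build_tools "$1" || failed=$((failed + 1))
    return $failed
}

# Constructed samples: the single-stage build from section 2 and a hardened stage-2 variant.
WORKDIR=$(mktemp -d)
SINGLE_STAGE="$WORKDIR/Dockerfile.single"
HARDENED="$WORKDIR/Dockerfile.hardened"

cat > "$SINGLE_STAGE" <<'EOF'
FROM ubuntu
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go
COPY app.go .
RUN CGO_ENABLED=0 go build app.go
CMD ["./app"]
EOF
cat > "$HARDENED" <<'EOF'
# build container stage 1
FROM ubuntu:20.04 AS build
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y golang-go=2:1.13~1ubuntu2
COPY app.go .
RUN CGO_ENABLED=0 go build app.go
# app container stage 2
FROM alpine:3.12.0
RUN addgroup -S appgroup && adduser -S appuser -G appgroup -h /home/appuser
COPY --from=build /app /home/appuser/
USER appuser
CMD ["/home/appuser/app"]
EOF

check_dockerfile "$SINGLE_STAGE" || echo "  -> $? rule(s) failed"
check_dockerfile "$HARDENED"     && echo "  -> compliant"
```

Run it with `sh check.sh`: the single-stage file fails all three rules, the hardened one passes. The checker only looks at the last stage for rules 2 and 3 because that is the only layer set that ends up in the shipped image; step 4 above (`rm -rf /bin/*`) is deliberately not checked, since it must stay the last RUN instruction (later RUN steps need `/bin/sh`) and is better verified by inspecting the built image than by reading the Dockerfile.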

If the build reports an error, run:

Configure the Dockerfile

Links for more details:

Docker build "Could not resolve 'archive.ubuntu.com'" apt-get fails to install anything
docker build and Dockerfile