# Copyright 2022 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# Produces a thin image whose payload is the webhook binary.
#
# BUILDER_IMG has no default, so it must be supplied at build time
# (--build-arg BUILDER_IMG=...).
# NOTE(review): the image passed here is the source of the shipped binary;
# presumably callers pass an immutable reference (a digest) — confirm in the
# build pipeline.
ARG BUILDER_IMG

# Stage "builder": no build steps run in this file; the stage only names the
# supplied image so that later stages can copy the webhook binary out of it.
FROM $BUILDER_IMG AS builder
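# Stage "packager": gather the binary and its accompanying artifacts in one
# directory, then apply the file capability and ownership the runtime needs.
# Only /configconnector is copied out of this stage by the final stage.
# NOTE(review): alpine:latest is a floating tag, so the libcap/setcap tooling
# used below can change from one build to the next; pin a release tag or a
# digest chosen by the maintainers to make this stage reproducible.
FROM alpine:latest AS packager
WORKDIR /configconnector/
COPY --from=builder /go/src/github.com/GoogleCloudPlatform/k8s-config-connector/webhook .
COPY --from=builder /go/src/github.com/GoogleCloudPlatform/k8s-config-connector/THIRD_PARTY_NOTICES/ THIRD_PARTY_NOTICES/
COPY --from=builder /go/src/github.com/GoogleCloudPlatform/k8s-config-connector/MIRRORED_LIBRARY_SOURCE/ MIRRORED_LIBRARY_SOURCE/

# All root-only fix-ups run in a single layer:
#  - libcap provides setcap; --no-cache already fetches a fresh index, so the
#    separate --update flag is not needed.
#  - cap_net_bind_service lets the binary bind to privileged ports (ports
#    below 1024) without running as root.
#    NOTE(review): a file capability only takes effect at exec time if the
#    runtime keeps NET_BIND_SERVICE in the bounding set and does not set
#    no_new_privs (e.g. Kubernetes allowPrivilegeEscalation: false) — confirm
#    against the deployment's securityContext.
#  - chown is not recursive: only the directory goes to UID 1000, the files
#    inside keep their owner.
#    NOTE(review): the owner of a directory can still unlink and replace its
#    entries, so the binary is not protected from the runtime user unless the
#    root filesystem is mounted read-only — confirm whether the webhook needs
#    a writable working directory.
RUN apk add --no-cache libcap \
    && setcap cap_net_bind_service+eip webhook \
    && chown 1000 /configconnector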
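# Stage "final": copy the prepared directory into a thin, distroless image
# (go/gke-distroless).
# NOTE(review): the base is pinned by tag only; a digest would make the
# reference immutable.
FROM gcr.io/gke-release/gke-distroless/static:gke_distroless_20230307.00_p0 AS final
WORKDIR /configconnector/
# NOTE(review): the capability set on the binary in the packager stage is
# stored as an extended attribute and is presumably preserved by this COPY —
# verify on the built image (e.g. with getcap in CI).
COPY --from=packager /configconnector /configconnector
# NOTE(review): /configconnector is owned by the runtime UID and is placed
# first on PATH, so anything written there takes precedence over later PATH
# entries — confirm this ordering is intended.
ENV PATH="/configconnector/:${PATH}"

# Run as the unprivileged UID 1000 from here on.
# NOTE(review): no group is given, so the process group is presumably 0
# unless the runtime sets one — confirm.
USER 1000
# Absolute path, so the entrypoint still resolves when the runtime overrides
# the working directory.
ENTRYPOINT ["/configconnector/webhook"]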