-
Notifications
You must be signed in to change notification settings - Fork 59
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
contro-service: job-builder-secure using kaniko fix
The same fix as applied on job-builder here (#2429) need to be applied on job-builder-secure This also slightly refactors and simplifies the image build code by reusing the job-builder image thus reducing unneeded duplication. There were a few previous fixes in job-builder that were never ported to job-builder-secure. Added a bit more clear readme.
- Loading branch information
1 parent
1be736a
commit 1163d4f
Showing
4 changed files
with
10 additions
and
108 deletions.
There are no files selected for viewing
30 changes: 2 additions & 28 deletions
30
projects/control-service/projects/job-builder-secure/Dockerfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,32 +1,6 @@ | ||
| # Used to trigger a build for a data job image. | ||
|
|
||
| FROM gcr.io/kaniko-project/executor | ||
|
|
||
| FROM alpine | ||
|
|
||
| COPY --from=0 /kaniko /kaniko | ||
|
|
||
|
|
||
| ENV PATH $PATH:/kaniko | ||
| ENV SSL_CERT_DIR=/kaniko/ssl/certs | ||
| ENV DOCKER_CONFIG /kaniko/.docker/ | ||
|
|
||
| WORKDIR /workspace | ||
| FROM versatiledatakit/job-builder:latest | ||
|
|
||
| # overwrite the Dockerfile used to build VDK jobs with our own with extra security hardening. | ||
| COPY Dockerfile.python.vdk /workspace/Dockerfile | ||
| COPY build_image.sh /build_image.sh | ||
| RUN chmod +x /build_image.sh | ||
|
|
||
|
|
||
| # Setup Python and Git | ||
| ## Update & Install dependencies | ||
| RUN apk add --no-cache --update \ | ||
| git \ | ||
| bash | ||
|
|
||
| RUN apk add --update --no-cache python3=3.10.10-r0 py3-pip \ | ||
| && pip3 install awscli \ | ||
| && apk --purge -v del py3-pip \ | ||
| && rm -rf /var/cache/apk/* | ||
|
|
||
| ENTRYPOINT ["/build_image.sh"] |
8 changes: 7 additions & 1 deletion
8
projects/control-service/projects/job-builder-secure/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,2 +1,8 @@ | ||
| # Secure Job Builder | ||
| This package provides a way to configure and build your own Data Job images. | ||
|
|
||
| Secure Job Builder extends [the standard job-builder ](../job-builder/README.md) and | ||
| provides a secure environment for the execution of data jobs in Python. | ||
|
|
||
| It uses a [secure base Python image](versatiledatakit/data-job-base-python-3.10-secure:latest), | ||
| creates a non-root user to perform tasks, remove execution permissions on data job files. | ||
| It also removes several system executables and pip, minimizing the attack surface within the container. |
78 changes: 0 additions & 78 deletions
78
projects/control-service/projects/job-builder-secure/build_image.sh
This file was deleted.
Oops, something went wrong.
2 changes: 1 addition & 1 deletion
2
projects/control-service/projects/job-builder-secure/version.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1 @@ | ||
| 1.1.3 | ||
| 1.2.0 |