Merge pull request projectcalico#7955 from liudalibj/s390x-image-fix

calico-kube-controllers: Run as non-root by default for the s390x image
cyclinder · Aug 29, 2023 · b494be8 · b494be8
2 parents dbf696c + 967fc99
commit b494be8
Showing 1 changed file with 26 additions and 0 deletions.
diff --git a/kube-controllers/Dockerfile.s390x b/kube-controllers/Dockerfile.s390x
@@ -11,9 +11,35 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
+
+ARG UBI_IMAGE
+ARG QEMU_IMAGE
+
+FROM ${QEMU_IMAGE} as qemu
+FROM --platform=linux/s390x ${UBI_IMAGE} as ubi
+
+# Enable non-native builds of this image on an amd64 hosts.
+# This must be the first RUN command in this file!
+COPY --from=qemu /usr/bin/qemu-s390x-static /usr/bin/
+
+# Add in top-level license file
+RUN mkdir /licenses
+COPY LICENSE /licenses
+
+# Make sure the status and pprof files are owned by our user.
+RUN mkdir /status /profiles
+RUN touch /status/status.json && chown 999 /status/status.json
+RUN touch /profiles/mem.pprof && chown 999 /profiles/mem.pprof
+RUN touch /profiles/cpu.pprof && chown 999 /profiles/cpu.pprof
+
 FROM scratch
 LABEL maintainer "LoZ Open Source Ecosystem (https://www.ibm.com/developerworks/community/groups/community/lozopensource)"
 
+COPY --from=ubi /licenses /licenses
+COPY --from=ubi /profiles /profiles
+COPY --from=ubi /status /status
+
 ADD bin/kube-controllers-linux-s390x /usr/bin/kube-controllers
 ADD bin/check-status-linux-s390x /usr/bin/check-status
+USER 999
 ENTRYPOINT ["/usr/bin/kube-controllers"]