This repository has been archived by the owner on Sep 21, 2020. It is now read-only.
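# Build stage: compiles the service-account-assigner binary (cgo disabled)
# from a pinned release of the fork named in SAA_FORK. Nothing from this stage
# reaches the final image except the single binary moved to
# /service-account-assigner.
#
# NOTE(review): the base image is pinned by tag only. Pinning it by digest as
# well would also protect the build against a re-pushed tag.
FROM golang:1.12.1-alpine3.9 AS build

# SAA_PROJECT  import path the sources are placed under inside GOPATH.
# SAA_FORK     repository that is actually cloned.
# SAA_RELEASE  ref (tag or branch) that is checked out.
# SAA_GIT_SHA  commit that SAA_RELEASE is expected to resolve to; the RUN step
#              below fails the build when the ref resolves to anything else.
# ARCH         selects the build/bin/<ARCH> output directory used by `mv`.
ENV SAA_RELEASE=v0.0.3 \
    SAA_PROJECT=github.com/imduffy15/k8s-gke-service-account-assigner \
    SAA_FORK=github.com/gpii-ops/k8s-gke-service-account-assigner \
    SAA_GIT_SHA=db948368ed86de33a3049d88f88bfa9285b408b3 \
    CGO_ENABLED=0 \
    LANG=C.UTF-8 \
    ARCH=linux

# Declared in a second ENV so the values defined above can be referenced.
# REPO_VERSION is presumably read by the project's Makefile (`make -e` lets
# the environment override Makefile variables) - confirm against the Makefile.
ENV SAA_GIT_REPO=https://${SAA_FORK}.git \
    REPO_VERSION=${SAA_RELEASE}

# Clone, verify and build in one layer.
RUN apk add --no-cache \
        curl \
        git \
        make \
    && git clone --branch "${SAA_RELEASE}" --depth=1 -- "${SAA_GIT_REPO}" "${GOPATH}/src/${SAA_PROJECT}" \
    && cd "${GOPATH}/src/${SAA_PROJECT}" \
    # Supply-chain gate: a tag or branch can be moved after the fact, so the
    # checked-out commit must equal the pinned SHA exactly. A plain string
    # comparison is used instead of `git ... | grep` so the result does not
    # depend on pipeline exit-status handling in /bin/sh; if git fails, the
    # substitution is empty and the comparison fails the build.
    && test "$(git rev-parse --verify HEAD)" = "${SAA_GIT_SHA}" \
    && make setup \
    && make -e build \
    && mv "${GOPATH}/src/${SAA_PROJECT}/build/bin/${ARCH}/k8s-gke-service-account-assigner" /service-account-assigner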
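# Runtime stage: minimal Alpine image that runs the binary as an unprivileged
# user. iptables is the only privileged operation and is enabled through file
# capabilities rather than by running the service as root.
#
# NOTE(review): the base image is pinned by tag only; a digest pin would make
# the runtime image reproducible as well.
FROM alpine:3.9

# Fixed numeric UID/GID so the identity is stable across rebuilds.
ENV SAA_UID=10000 \
    SAA_GID=10000 \
    SAA_USER=saa \
    SAA_GROUP=saa \
    SAA_HOME=/opt/saa

# libcap is installed only to provide `setcap` and is removed again in the
# same layer, so it does not remain in the image.
RUN apk add --no-cache \
        ca-certificates \
        iptables \
        libcap \
    && mkdir -p "${SAA_HOME}" \
    && addgroup -g "${SAA_GID}" "${SAA_GROUP}" \
    && adduser -g "Service Account Assigner user" -D -h "${SAA_HOME}" -G "${SAA_GROUP}" -s /sbin/nologin -u "${SAA_UID}" "${SAA_USER}" \
    # /run is needed for /run/xtables.lock
    # NOTE(review): this hands all of /run to the unprivileged user, not only
    # the lock file; acceptable only while nothing else in the image relies
    # on /run being root-owned.
    && chown -R "${SAA_USER}:${SAA_GROUP}" "${SAA_HOME}" /run \
    # SAA needs to run iptables
    # The file capabilities apply to any process in the container that can
    # execute xtables-multi. The runtime still has to grant NET_ADMIN and
    # NET_RAW to the container; without them in the bounding set, executing
    # the binary is expected to fail.
    && setcap CAP_NET_RAW,CAP_NET_ADMIN=+ep /sbin/xtables-multi \
    && apk del \
        libcap

# Copied after the chown above, so the binary stays root-owned and the
# runtime user cannot modify it. The destination no longer carries an extra
# leading slash in front of SAA_HOME (SAA_HOME is already absolute).
COPY --from=build /service-account-assigner "${SAA_HOME}/service-account-assigner"

# Numeric UID:GID (same account as SAA_USER:SAA_GROUP) so orchestrators that
# enforce a non-root policy can verify the user without reading /etc/passwd.
USER ${SAA_UID}:${SAA_GID}

# Exec form performs no variable expansion, so this path must be kept in sync
# with SAA_HOME by hand.
ENTRYPOINT ["/opt/saa/service-account-assigner"]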