From 400645e682e0676bd2c9f0ead96e4d29ee306d13 Mon Sep 17 00:00:00 2001
From: afdesk
Date: Mon, 15 Jun 2026 13:21:55 +0600
Subject: [PATCH] refactor: optimize layer structure of Dockerfiles (#2105)
* refactor: optimize layer structure of Dockerfiles
* chore: keep minmal security update
* chore: update the comment about package adding
* chore: re-order updating
---
 Dockerfile | 34 ++++++++++++++--------------------
 Dockerfile.fips.ubi | 6 +-----
 Dockerfile.ubi | 6 +-----
 3 files changed, 16 insertions(+), 30 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bc0b095d1..bcadcaa1f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,27 +11,21 @@ RUN make build && cp kube-bench /go/bin/kube-bench
 FROM alpine:3.23.4 AS run
 WORKDIR /opt/kube-bench/
-# add GNU ps for -C, -o cmd, --no-headers support and add findutils to get GNU xargs
-# https://github.com/aquasecurity/kube-bench/issues/109
-# https://github.com/aquasecurity/kube-bench/issues/1656
-RUN apk --no-cache add procps findutils
-# Upgrading apk-tools to remediate CVE-2021-36159 - https://snyk.io/vuln/SNYK-ALPINE314-APKTOOLS-1533752
-# https://github.com/aquasecurity/kube-bench/issues/943
-RUN apk --no-cache upgrade apk-tools
-
-# Openssl is used by OpenShift tests
-# https://github.com/aquasecurity/kube-bench/issues/535
-# Ensuring that we update/upgrade before installing openssl, to mitigate CVE-2021-3711 and CVE-2021-3712
-RUN apk update && apk upgrade && apk --no-cache add openssl
-
-# Add glibc for running oc command
-RUN wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://alpine-pkgs.sgerrand.com/sgerrand.rsa.pub
-RUN apk add gcompat
-RUN apk add jq
-
-# Add bash for running helper scripts
-RUN apk add --no-cache bash kubectl
+# procps adds GNU ps for -C, -o cmd, --no-headers support: https://github.com/aquasecurity/kube-bench/pull/115/
+# findutils is used to get GNU xargs: https://github.com/aquasecurity/kube-bench/pull/1657
+# Openssl is used by OpenShift tests: https://github.com/aquasecurity/kube-bench/pull/537
+# glibc is used for running oc command
+# bash is used for running helper scripts
+RUN apk --no-cache upgrade \
+ && apk --no-cache add \
+ bash \
+ findutils \
+ gcompat \
+ jq \
+ kubectl \
+ openssl \
+ procps
 ENV PATH=$PATH:/usr/local/mount-from-host/bin:/go/bin
diff --git a/Dockerfile.fips.ubi b/Dockerfile.fips.ubi
index 3c2f28ed4..cfb38fefe 100644
--- a/Dockerfile.fips.ubi
+++ b/Dockerfile.fips.ubi
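Review bot: The added comment `# glibc is used for running oc command` names a package that does not appear in the list below it; the package actually installed is gcompat, so the comment should read `# gcompat provides the glibc compatibility layer needed to run the oc command`. The new leading `apk --no-cache upgrade` has also lost the rationale the removed comments carried (upgrading apk-tools and openssl before installing, with the CVE and issue references); a one-line why-comment such as `# upgrade base packages first so apk-tools and openssl land at patched versions (see #943, #535)` keeps that history visible next to the instruction. jq and kubectl are the only packages in the merged list without a justifying comment, and none of the packages are version-pinned (hadolint DL3018) — that was already true before this change, but with everything now in one `apk add` it would be a cheap place to pin if reproducible rebuilds matter.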
@@ -16,11 +16,7 @@ ARG K8S_PKGS_VERSION=1.34
 RUN microdnf install -y yum findutils openssl \
 && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
 && yum update -y \
- && yum install -y glibc \
- && yum update -y glibc \
- && yum install -y procps \
- && yum update -y procps \
- && yum install jq -y \
+ && yum install -y glibc jq procps \
 && printf '%s\n' '[kubernetes]' 'name=Kubernetes' \
 "baseurl=https://pkgs.k8s.io/core:/stable:/v${K8S_PKGS_VERSION}/rpm/" \
 'enabled=1' 'gpgcheck=1' \
diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 6033d2ada..9fca181a6 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -16,11 +16,7 @@ ARG K8S_PKGS_VERSION=1.34
 RUN microdnf install -y yum findutils openssl \
 && yum -y update-minimal --security --sec-severity=Moderate --sec-severity=Important --sec-severity=Critical \
 && yum update -y \
- && yum install -y glibc \
- && yum update -y glibc \
- && yum install -y procps \
- && yum update -y procps \
- && yum install jq -y \
+ && yum install -y glibc jq procps \
 && printf '%s\n' '[kubernetes]' 'name=Kubernetes' \
 "baseurl=https://pkgs.k8s.io/core:/stable:/v${K8S_PKGS_VERSION}/rpm/" \
 'enabled=1' 'gpgcheck=1' \
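Review bot: In the merged `&& yum install -y glibc jq procps \` line of the Dockerfile.fips.ubi hunk, glibc is in all likelihood already part of the UBI base image, so after the `yum update -y` on the preceding context line the install is a no-op; the old `yum update -y glibc` at least made its intent explicit, and that intent is now undocumented. Either drop glibc from the list or add a comment such as `# glibc and procps: required by the oc command and the GNU ps options used by the tests` so the next reader knows why each package is listed. None of the three packages is version-pinned (hadolint DL3033), which predates this change but is now easy to address in one place. The Dockerfile.ubi hunk is byte-identical and the same remarks apply there; the RUN instruction in both files continues past the end of the hunk, so the trailing cleanup step cannot be checked from here.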