Pull Request Overview
Hardening kubectl image by minimizing installed packages, tightening file permissions, removing build-time tools, and enforcing non-root execution.
- Removes git and later uninstalls curl to shrink and harden the runtime image.
- Changes executable permissions for kubectl and yq from +x (default 0755) to numeric 0555 (read/execute only) and strips all setuid/setgid bits.
- Adds cleanup steps, non-root user configuration, tmp permissions, and environment/history hardening.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| apps/kubectl-1.34/Dockerfile | Applies hardening: permission changes, removal of curl, SUID stripping, user and WORKDIR adjustments. |
| apps/kubectl-1.33/Dockerfile | Mirrors hardening changes for previous kubectl version image to keep versions aligned. |
Comments suppressed due to low confidence (4)
| curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl.sha256" -o /tmp/kubectl.sha256 && \ | ||
| echo "$(cat /tmp/kubectl.sha256) /usr/local/bin/kubectl" | sha256sum -c - && \ | ||
| chmod +x /usr/local/bin/kubectl && \ | ||
| chmod 0555 /usr/local/bin/kubectl && \ |
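Review bot: `chmod +x /usr/local/bin/kubectl` on the line immediately before `chmod 0555 /usr/local/bin/kubectl` is now dead code, since the numeric mode overwrites whatever `+x` set; drop the `+x` line rather than leaving two chmods on the same file. The verification step is otherwise sound (`sha256sum -c -` exits non-zero on mismatch and `&&` aborts the build), with one caveat worth a comment in the Dockerfile: `/tmp/kubectl.sha256` is fetched from the same dl.k8s.io origin as the binary, so the check protects against corruption or a truncated download, not against a compromised origin.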
[nitpick] Using mode 0555 removes write permission for root (image owner), which can hinder debugging or layering (e.g., replacing/updating the binaries in derived images). Consider reverting to 0755 or explicitly documenting this breaking change in image release notes.
| curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/checksums" -o /tmp/yq.checksums && \ | ||
| grep "^yq_linux_${ARCH} " /tmp/yq.checksums | awk '{print $19 " /usr/local/bin/yq"}' | sha256sum -c - && \ | ||
| chmod +x /usr/local/bin/yq && \ | ||
| chmod 0555 /usr/local/bin/yq && \ |
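Review bot: `https://github.com/mikefarah/yq/releases/latest/download/checksums` is unpinned, so the image picks up whatever yq release is current at build time and the build is not reproducible; pin a yq version the same way `KUBECTL_VERSION` is pinned for kubectl and fetch from that tag. The `awk '{print $19 " /usr/local/bin/yq"}'` field index is also undocumented, and if the `grep "^yq_linux_${ARCH} "` match fails the only symptom is sha256sum's generic "no properly formatted checksum lines" error; a comment naming which hash column `$19` is, or a check that the extracted field is 64 hex characters before it is piped to `sha256sum -c -`, would make the failure mode obvious. As in the kubectl step, `chmod +x` directly before `chmod 0555` is redundant.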
[nitpick] Using mode 0555 removes write permission for root (image owner), which can hinder debugging or layering (e.g., replacing/updating the binaries in derived images). Consider reverting to 0755 or explicitly documenting this breaking change in image release notes.
| RUN apt-get remove -y curl && \ | ||
| apt-get autoremove -y && \ |
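Review bot: `apt-get remove -y curl` in its own RUN instruction does not shrink the image: curl was installed and used in an earlier RUN (the download steps above), so its files remain in that layer and this step only adds a whiteout on top. It does reduce the runtime attack surface, since curl is absent from the running container's filesystem, but if image size is also a goal then either install, use and remove curl within a single RUN, or download kubectl and yq in a builder stage and COPY only the two binaries into the final stage.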
[nitpick] Removing curl from the final image is a functional change; consumers may rely on curl to fetch manifests or auxiliary resources. If retaining minimal footprint is the goal, note this as a breaking change or consider keeping curl (small footprint) and documenting rationale.
| RUN apt-get remove -y curl && \ | |
| apt-get autoremove -y && \ | |
| RUN apt-get autoremove -y && \ |
| apt-get clean && \ | ||
| rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/* /var/log/* /tmp/* /var/tmp/* | ||
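Review bot: with `apt-get remove -y curl` dropped, the suggested `RUN apt-get autoremove -y && \` line keeps `autoremove`, which only removes packages marked as automatically installed and no longer required by anything; unless the install step above left such packages behind, it is a no-op and the instruction could be reduced to the `apt-get clean` and `rm -rf` cleanup.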
| RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true |
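Review bot: `2>/dev/null || true` at the end of the `find / -xdev -perm /6000` sweep masks every failure, so if `find` or the `chmod a-s` exec errors out the build still passes with setuid/setgid binaries intact, which is the opposite of what a hardening step should do. Keep `-xdev` and the `2>/dev/null` if noisy pseudo-filesystems are the concern, but drop `|| true` and add a check that fails the build if anything is left, e.g. `test -z "$(find / -xdev -perm /6000 -type f)"`. Also note that kubectl and yq are already mode 0555 at this point, so the sweep only affects base-image utilities; documenting which ones are expected to lose their bits (e.g. ping) would make the intent reviewable.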
[nitpick] Blanket stripping all setuid/setgid bits may unintentionally break legitimate utilities (e.g., ping) and makes future troubleshooting harder. Recommend targeting a known list of binaries or starting from a base image that already minimizes privileged binaries instead of a broad filesystem sweep.
| RUN find / -xdev -perm /6000 -type f -exec chmod a-s {} \; 2>/dev/null || true | |
| RUN chmod a-s /usr/local/bin/kubectl /usr/local/bin/yq |
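Review bot: the suggested `RUN chmod a-s /usr/local/bin/kubectl /usr/local/bin/yq` is a no-op, because both files were set to mode 0555 a few lines earlier and a numeric chmod already clears the setuid/setgid bits; it therefore does not cover what the original sweep was for, namely privileged binaries inherited from the base image. If a targeted list is preferred over the filesystem sweep, it needs to name the base-image files that actually carry those bits, not the two binaries the Dockerfile installs itself.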
Signed-off-by: Benjamin Pinchon <dev@mdfr.me>