Split the setcap image from the base images, make them easier to override

2025-10-31 02:08:13 +00:00 · 2021-02-24 11:04:34 -08:00
parent 8f15f7cf5e
commit 4b83c760a9
5 changed files with 33 additions and 20 deletions
--- a/build/common.sh
+++ b/build/common.sh
@@ -85,22 +85,35 @@ readonly KUBE_RSYNC_PORT="${KUBE_RSYNC_PORT:-}"
 # mapped to KUBE_RSYNC_PORT via docker networking.
 readonly KUBE_CONTAINER_RSYNC_PORT=8730

+# These are the default versions (image tags) for their respective base images.
+readonly __default_debian_iptables_version=buster-v1.5.0
+readonly __default_go_runner_version=buster-v2.3.1
+
+# These are the base images for the Docker-wrapped binaries.
+readonly KUBE_GORUNNER_IMAGE="${KUBE_GORUNNER_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/go-runner:$__default_go_runner_version}"
+readonly KUBE_APISERVER_BASE_IMAGE="${KUBE_APISERVER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_CONTROLLER_MANAGER_BASE_IMAGE="${KUBE_CONTROLLER_MANAGER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_SCHEDULER_BASE_IMAGE="${KUBE_SCHEDULER_BASE_IMAGE:-$KUBE_GORUNNER_IMAGE}"
+readonly KUBE_PROXY_BASE_IMAGE="${KUBE_PROXY_BASE_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/debian-iptables:$__default_debian_iptables_version}"
+
+# This is the image used in a multi-stage build to apply capabilities to Docker-wrapped binaries.
+readonly KUBE_BUILD_SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE:-$KUBE_BASE_IMAGE_REGISTRY/setcap:buster-v1.4.0}"
+
 # Get the set of master binaries that run in Docker (on Linux)
-# Entry format is "<name-of-binary>,<base-image-name>:<base-image-version>".
+# Entry format is "<binary-name>,<base-image>".
 # Binaries are placed in /usr/local/bin inside the image.
-# When building these images the registry for the base images is considered to be ${KUBE_BASE_IMAGE_REGISTRY}.
+# `make` users can override any or all of the base images using the associated
+# environment variables.
 #
 # $1 - server architecture
 kube::build::get_docker_wrapped_binaries() {
-  local debian_iptables_version=buster-v1.5.0
-  local go_runner_version=buster-v2.3.1
  ### If you change any of these lists, please also update DOCKERIZED_BINARIES
  ### in build/BUILD. And kube::golang::server_image_targets
  local targets=(
-    "kube-apiserver,go-runner:${go_runner_version}"
-    "kube-controller-manager,go-runner:${go_runner_version}"
-    "kube-scheduler,go-runner:${go_runner_version}"
-    "kube-proxy,debian-iptables:${debian_iptables_version}"
+    "kube-apiserver,${KUBE_APISERVER_BASE_IMAGE}"
+    "kube-controller-manager,${KUBE_CONTROLLER_MANAGER_BASE_IMAGE}"
+    "kube-scheduler,${KUBE_SCHEDULER_BASE_IMAGE}"
+    "kube-proxy,${KUBE_PROXY_BASE_IMAGE}"
  )

  echo "${targets[@]}"
--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@@ -156,7 +156,7 @@ dependencies:
    version: buster-v1.5.0
    refPaths:
    - path: build/common.sh
-      match: debian_iptables_version=
+      match: __default_debian_iptables_version=
    - path: build/workspace.bzl
      match: tag =
    - path: test/utils/image/manifest.go
@@ -166,7 +166,7 @@ dependencies:
    version: buster-v2.3.1
    refPaths:
    - path: build/common.sh
-      match: go_runner_version=
+      match: __default_go_runner_version=
    - path: build/workspace.bzl
      match: tag =

--- a/build/lib/release.sh
+++ b/build/lib/release.sh
@@ -361,7 +361,7 @@ function kube::release::create_docker_images_for_server() {
    for wrappable in $binaries; do

      local binary_name=${wrappable%%,*}
-      local base_image_name=${wrappable##*,}
+      local base_image=${wrappable##*,}
      local binary_file_path="${binary_dir}/${binary_name}"
      local docker_build_path="${binary_file_path}.dockerbuild"
      local docker_image_tag="${docker_registry}/${binary_name}-${arch}:${docker_tag}"
@@ -384,8 +384,8 @@ function kube::release::create_docker_images_for_server() {
          --platform linux/"${arch}" \
          --load ${docker_build_opts:+"${docker_build_opts}"} \
          -t "${docker_image_tag}" \
-          --build-arg BASE_IMAGE_REGISTRY="${KUBE_BASE_IMAGE_REGISTRY}" \
-          --build-arg BASE_IMAGE_NAME="${base_image_name}" \
+          --build-arg BASEIMAGE="${base_image}" \
+          --build-arg SETCAP_IMAGE="${KUBE_BUILD_SETCAP_IMAGE}" \
          --build-arg BINARY="${binary_name}" \
          "${docker_build_path}" >"${build_log}" 2>&1; then
            cat "${build_log}"
--- a/build/server-image/Dockerfile
+++ b/build/server-image/Dockerfile
@@ -14,10 +14,9 @@

 # Dockerfile used for the server images.

-ARG BASE_IMAGE_REGISTRY
-ARG BASE_IMAGE_NAME
+ARG BASEIMAGE
 ARG BINARY


-FROM "${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_NAME}"
+FROM "${BASEIMAGE}"
 COPY ${BINARY} /usr/local/bin/${BINARY}
--- a/build/server-image/kube-apiserver/Dockerfile
+++ b/build/server-image/kube-apiserver/Dockerfile
@@ -13,17 +13,18 @@
 # limitations under the License.

 # This file create the kube-apiserver image.
-ARG BASE_IMAGE_REGISTRY
-ARG BASE_IMAGE_NAME
+ARG BASEIMAGE
+ARG SETCAP_IMAGE
+
 # we use the hosts platform to apply the capabilities to avoid the need
 # to setup qemu for the builder.
-FROM --platform=linux/$BUILDARCH ${BASE_IMAGE_REGISTRY}/setcap:buster-v1.4.0
+FROM --platform=linux/$BUILDARCH ${SETCAP_IMAGE}
 ARG BINARY
 COPY ${BINARY} /${BINARY}
 # We apply cap_net_bind_service so that kube-apiserver can be run as
 # non-root and still listen on port less than 1024
 RUN setcap cap_net_bind_service=+ep /${BINARY}

-FROM --platform=linux/$TARGETARCH ${BASE_IMAGE_REGISTRY}/${BASE_IMAGE_NAME}
+FROM --platform=linux/$TARGETARCH ${BASEIMAGE}
 ARG BINARY
 COPY --from=0 /${BINARY} /usr/local/bin/${BINARY}