Pod securityContext + poetry-pyinstaller-plugin for ligther image

LawiK974 · Jun 20, 2024 · 88fe69c · 88fe69c
1 parent 55cb279
commit 88fe69c
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 94 deletions.
diff --git a/.python-version b/.python-version
@@ -1 +1 @@
-3.11
+3.12
diff --git a/Dockerfile b/Dockerfile
@@ -3,28 +3,27 @@ FROM python:alpine AS builder
 
 ENV PYTHONUNBUFFERED=1 REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
 WORKDIR /app
-RUN apk add --no-cache gcc musl-dev libffi-dev git \
-    && pip install poetry==1.8.3 pyinstaller==6.8.0
 COPY . /app
-# Disable virtual env creation by poetry, it's not needed in Docker
-RUN poetry config virtualenvs.create false
-# Install poetry version plugin see https://github.com/tiangolo/poetry-version-plugin
-RUN poetry self add "poetry-dynamic-versioning[plugin]==v1.3.0"
-# Install dependencies only (to improve caching)
-RUN poetry install --no-root
-# Build the package (this creates the package wheel)
-RUN poetry build && pip install --no-cache-dir /app/dist/*.whl
-# Package into one single standalone binary
-RUN pyinstaller --onefile /usr/local/lib/python3.12/site-packages/kube_notify/app.py
+RUN apk add --no-cache gcc musl-dev libffi-dev git \
+    && pip install poetry==1.8.3 pyinstaller==6.8.0 virtualenv==20.26.2 && \
+    # Install poetry version plugin see https://github.com/tiangolo/poetry-version-plugin
+    poetry self add "poetry-dynamic-versioning[plugin]==v1.3.0" && \
+    poetry self add "poetry-pyinstaller-plugin==1.1.10" && \
+    # Build the package (this creates the package wheel)
+    poetry build
 
 # Stage 2: Lightweight production stage with minimal footprint
 FROM busybox:musl
 
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=builder /app/dist/app /usr/local/bin/kube-notify
+COPY --from=builder /app/dist/pyinstaller/*/* /usr/local/bin/
+# get necessary libc libraries
 COPY --from=builder /lib/ld-musl-*.so.1 /lib/
 COPY --from=builder /lib/libz.so.1 /lib/libz.so.1
-RUN export ARCH=$(uname -m) && ln -snf /lib/ld-musl-$ARCH.so.1 /lib/libc.musl-$ARCH.so.1 && chmod a+rx /usr/local/bin/kube-notify && kube-notify --version
+RUN export ARCH=$(uname -m) && \
+    ln -snf "/lib/ld-musl-${ARCH}.so.1" "/lib/libc.musl-${ARCH}.so.1" && \
+    chmod a+rx /usr/local/bin/kube-notify && \
+    kube-notify --version
 LABEL maintainer="Loïc DUBARD <loic97429@gmail.com> @Lawik974"
 USER nobody:nobody
 ENV PYTHONUNBUFFERED=1 REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt

diff --git a/deployment.yaml b/deployment.yaml
@@ -17,6 +17,10 @@ spec:
         app: kube-notify
     spec:
       serviceAccountName: kube-notify-watcher
+      securityContext:
+        readOnlyRootFilesystem: true
+        allowPrivilegeEscalation: false
+        runAsNonRoot: true
       containers:
       - name: kube-notify
         resources:
@@ -36,7 +40,7 @@ spec:
         #         command:
         #         - /bin/sh
         #         - -c
-        #         - wget -O /usr/local/share/ca-certificates/acr.pem --no-check-certificate https://mydomain/acr.pem && update-ca-certificates
+        #         - wget -O - --no-check-certificate https://mydomain/acr.pem >> /etc/ssl/certs/ca-certificates.crt
         volumeMounts:
         - name: config
           mountPath: /app/config.yaml

diff --git a/kube_notify/app.py b/kube_notify/app.py
@@ -1,5 +1,6 @@
 import asyncio
 import datetime
+import os
 
 import kubernetes_asyncio
 import yaml
@@ -196,6 +197,7 @@ def main() -> None:
     logger.logger.info(
         f"Starting kube-notify {kube_notify.__version__} at {kube_notify.STARTUP_TIME}"
     )
+    logger.logger.info(f"PYTHONUNBUFFERED={os.environ["PYTHONUNBUFFERED"]}")
     # Initialize Kubernetes client
     ioloop = asyncio.get_event_loop()
     if args.inCluster: