use distroless base image

Signed-off-by: Matthias Bertschy <matthias.bertschy@gmail.com>
kubescape · Aug 9, 2023 · 491cef0 · 491cef0
1 parent 116f42c
commit 491cef0
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 19 deletions.
diff --git a/.github/workflows/pr-created.yaml b/.github/workflows/pr-created.yaml
@@ -21,5 +21,5 @@ jobs:
   pr-created:
     uses: kubescape/workflows/.github/workflows/incluster-comp-pr-created.yaml@main
     with:
-      GO_VERSION: "1.18"
-    secrets: inherit
+      GO_VERSION: "1.20"
+    secrets: inherit
diff --git a/.github/workflows/pr-merged.yaml b/.github/workflows/pr-merged.yaml
@@ -24,7 +24,7 @@ jobs:
       CGO_ENABLED: 0
       GO111MODULE: ""
       BUILD_PLATFORM: linux/amd64,linux/arm64
-      GO_VERSION: "1.18"
+      GO_VERSION: "1.20"
       REQUIRED_TESTS: '[
                         "vulnerability_scanning", 
                         "vulnerability_scanning_trigger_scan_on_new_image", 

diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,24 +1,20 @@
-FROM golang:1.19-alpine as builder
-
-ENV GO111MODULE=
-
-ENV CGO_ENABLED=0
+FROM --platform=$BUILDPLATFORM golang:1.20-bullseye as builder
 
+ENV GO111MODULE=on CGO_ENABLED=0
 WORKDIR /work
-ADD . .
+ARG TARGETOS TARGETARCH
 
-RUN apk add git
-
-WORKDIR /work
-RUN go build -o build/gateway
+RUN --mount=target=. \
+    --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg \
+    GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o /out/gateway .
 
-FROM alpine
+FROM gcr.io/distroless/static-debian11:nonroot
 
-RUN addgroup -S ks && adduser -S ks -G ks
-USER ks
-WORKDIR /home/ks/
+USER nonroot
+WORKDIR /home/nonroot/
 
-COPY --from=builder /work/build/gateway /usr/bin/gateway
+COPY --from=builder /out/gateway /usr/bin/gateway
 
 ARG image_version
 ENV RELEASE=$image_version

diff --git a/go.mod b/go.mod
@@ -1,6 +1,6 @@
 module github.com/kubescape/gateway
 
-go 1.19
+go 1.20
 
 require (
 	github.com/armosec/cluster-notifier-api-go v0.0.5