Create Your Own Operator Images
How to create Operator and dynamic admission controller images for your environment.
The Operator and dynamic admission controller binaries are statically linked, so they have no external dependencies on any libraries. The standard Kubernetes images are based on scratch containers that contain no operating system base image at all. This is a security measure that prevents anyone from gaining shell access to the container or running anything other than the Operator. This protects against attacks where an actor downloads and executes an unauthorized binary.
There may, however, be times when you need to create your own images to satisfy corporate policy. This guide describes how to create your own container images.
Creating a Dynamic Admission Controller Image
Create an empty directory and then change to it.
Create a fake /etc/passwd file. This will be used to enforce execution as non-root:
$ echo 'non-root:x:8453:8453:non-root::' > passwd
Create the following Dockerfile.
FROM couchbase/admission-controller:2.6.4 as official (1)
FROM scratch (2)
COPY --from=official /usr/local/bin/couchbase-admission-controller /usr/local/bin/ (3)
COPY passwd /etc/passwd (4)
USER 8453 (5)
1 | Define a source container from the official image. There are no differences between OpenShift and Kubernetes binaries, so we use the Kubernetes ones here for simplicity. |
2 | Define the base image you wish to use. scratch is the default and contains nothing. |
3 | Copy the static binary from the official image to your custom one. |
4 | Copy in the password database so Docker can find the non-root user. |
5 | Enable the non-root user by default. |
To build and tag the image run the following:
$ docker build . -t my-company/couchbase-operator-admission:2.6.4
You may use any combination of tags you wish.
Creating an Operator Image
Create an empty directory and then change to it.
Create a fake /etc/passwd file. This will be used to enforce execution as non-root:
$ echo 'non-root:x:8453:8453:non-root::' > passwd
Create the following Dockerfile.
FROM couchbase/operator:2.6.4 as official (1)
FROM scratch (2)
COPY --from=official /usr/local/bin/couchbase-operator /usr/local/bin/ (3)
COPY passwd /etc/passwd (4)
USER 8453 (5)
1 | Define a source container from the official image. There are no differences between OpenShift and Kubernetes binaries, so we use the Kubernetes ones here for simplicity. |
2 | Define the base image you wish to use. scratch is the default and contains nothing. |
3 | Copy the static binary from the official image to your custom one. |
4 | Copy in the password database so Docker can find the non-root user. |
5 | Enable the non-root user by default. |
To build and tag the image run the following:
$ docker build . -t my-company/couchbase-operator:2.6.4
You may use any combination of tags you wish.
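Both Dockerfiles above depend on the final-stage USER matching the UID written to the passwd file. The following shell lint is an added example, not part of the original guide or of Couchbase's tooling, that checks that pairing before a build. The function names final_user, check_nonroot and demo are hypothetical, and the numeric-UID requirement is an added assumption: Kubernetes can only verify runAsNonRoot against a numeric image user.

```shell
#!/bin/sh
# Added example (not Couchbase code): lint the Dockerfile/passwd pair before building.

# Print the argument of the USER instruction in effect for the final stage.
# Each FROM starts a new stage, so a USER set in an earlier stage is discarded.
final_user() {
    awk 'toupper($1) == "FROM" { user = "" }
         toupper($1) == "USER" { user = $2 }
         END { print user }' "$1"
}

# check_nonroot <Dockerfile> <passwd>: succeed only if the final USER is a
# numeric, non-zero UID that has an entry in the passwd file.
check_nonroot() {
    user=$(final_user "$1")
    uid=${user%%:*}                      # USER accepts uid[:gid]
    case $uid in
        '')       echo "FAIL: final stage has no USER instruction" >&2; return 1 ;;
        *[!0-9]*) echo "FAIL: USER '$uid' is a name, not a numeric UID" >&2; return 1 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: USER $uid is root" >&2; return 1
    fi
    # passwd fields: name:password:uid:gid:gecos:home:shell
    name=$(awk -F: -v uid="$uid" '$3 == uid { print $1; exit }' "$2")
    if [ -z "$name" ]; then
        echo "FAIL: UID $uid has no entry in $2" >&2; return 1
    fi
    echo "OK: image will run as UID $uid ($name)"
}

# Constructed sample input: the passwd line and Operator Dockerfile from this guide.
demo() {
    dir=$(mktemp -d) || return 1
    echo 'non-root:x:8453:8453:non-root::' > "$dir/passwd"
    cat > "$dir/Dockerfile" <<'EOF'
FROM couchbase/operator:2.6.4 as official
FROM scratch
COPY --from=official /usr/local/bin/couchbase-operator /usr/local/bin/
COPY passwd /etc/passwd
USER 8453
EOF
    check_nonroot "$dir/Dockerfile" "$dir/passwd" && rc=0 || rc=1
    rm -rf "$dir"
    return $rc
}
demo
```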
Using the Custom Images
When installing the Operator with cao you can specify the images to use.
Consider the following command that uses the images we created in the prior steps:
$ cao create admission --image my-company/couchbase-operator-admission:2.6.4
$ cao create operator --image my-company/couchbase-operator:2.6.4