Comments (17)
@amitsadaphule happy to accept a PR if you have a fix. I don't have much knowledge for that archictecture.
from kube-rbac-proxy.
I would need to double check myself, does quay support multi arch images? If so I'm happy to publish those images, but would like to avoid having to maintain multiple repositories for each arch.
from kube-rbac-proxy.
@brancz yes, I found one example of a multi arch images on quay here https://quay.io/repository/coreos/flannel?tab=tags
They are distinguishing based on tag names, as seen.
from kube-rbac-proxy.
That's not what I was thinking, the docker registry spec has a way to have multiple architectures under the same image+tag.
from kube-rbac-proxy.
Yes, so there are multiple ways to do this. On dockerhub they have different namespaces, so for example, for postgres,
the ppc64le image is here https://hub.docker.com/r/ppc64le/postgres
the amd64 is here https://hub.docker.com/r/amd64/postgres
and https://hub.docker.com/_/postgres is actually the multi-arch manifest that, when pulled, will pull the correct image
Steps are here https://docs.docker.com/engine/reference/commandline/manifest/
Images are built here https://doi-janky.infosiftr.net/job/multiarch/
In cases where we have single namespace either image names can differ
https://cloud.docker.com/u/ibmcom/repository/docker/ibmcom/kibana-ppc64le
https://cloud.docker.com/u/ibmcom/repository/docker/ibmcom/kibana-amd64
https://cloud.docker.com/u/ibmcom/repository/docker/ibmcom/kibana
or tags can differ like in the above example.
from kube-rbac-proxy.
So that means we do still always have to maintain multiple repositories no matter what?
from kube-rbac-proxy.
Different images, will need to be built, yes.
It would help to simplify things from a maintenance perspective if we can have all the docker builds going on on Travis - we have Power support for Travis and the travis.yml file for Intel / Power would essentially be the same, with only one additional flag enabled. example here https://github.com/fluent/fluentd-docker-image/blob/master/.travis.yml
If this sounds like a reasonable solution, I can help with the Power changes and validation.
Please suggest.
from kube-rbac-proxy.
@brancz , any thoughts on this? thank you!!
from kube-rbac-proxy.
I'm having a conversation with Kubernetes SIG auth to potentially donate this project to sig-auth, I'd prefer to hold off on this until we figure that out, as the build/publish process would likely change anyways.
from kube-rbac-proxy.
@brancz - okay, thanks for letting me know.
from kube-rbac-proxy.
Any updates on this? Would love to not have to build my own amd64/arm64/arm images.
from kube-rbac-proxy.
@brancz I have a requirement for using the kube-rbac-proxy image on Power(ppc64le) architecture for IBM Cloud Operators deployment. I tried using the images available at https://quay.io/repository/brancz/kube-rbac-proxy?tab=tags and https://console.cloud.google.com/gcr/images/kubebuilder/GLOBAL/kube-rbac-proxy?gcrImageListsize=30. But it seems that the images tagged with ppc64le actually belong to amd64 arch. I checked the same for s390x image as well and that image is amd64 arch as well.
I checked the CI logs @ https://github.com/brancz/kube-rbac-proxy/runs/3659930457 and found that the binaries are correctly built for each ARCH. But the make container command always pulls in the amd64 based gcr.io/distroless/static:nonroot base image. I could see two ways to fix this:
- add buildx usage to build multi-arch image to the CI
- pass ARCH as parameter to the dockerfile and use that to distinguish the base images for different ARCHs. Patch below:
diff --git a/Dockerfile b/Dockerfile
index 8ae83311..a937b785 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
-FROM gcr.io/distroless/static:nonroot
+ARG GOARCH=amd64
+FROM gcr.io/distroless/static:nonroot-$GOARCH
ARG BINARY=kube-rbac-proxy-linux-amd64
COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy
diff --git a/Makefile b/Makefile
index 50e90c23..bb6c7d90 100644
--- a/Makefile
+++ b/Makefile
@@ -45,7 +45,7 @@ $(OUT_DIR)/$(BIN)-%:
build: $(OUT_DIR)/$(BIN)
container: $(OUT_DIR)/$(BIN)-$(GOOS)-$(GOARCH) Dockerfile
- docker build --build-arg BINARY=$(BIN)-$(GOOS)-$(GOARCH) -t $(DOCKER_REPO):$(VERSION)-$(GOARCH) .
+ docker build --build-arg BINARY=$(BIN)-$(GOOS)-$(GOARCH) --build-arg GOARCH=$(GOARCH) -t $(DOCKER_REPO):$(VERSION)-$(GOARCH) .
ifeq ($(GOARCH), amd64)
docker tag $(DOCKER_REPO):$(VERSION)-$(GOARCH) $(DOCKER_REPO):$(VERSION)
endif
Looking at the current scenario/implementation, I prefer option 2. Please let me know your feedback, so that I can work on raising a PR.
from kube-rbac-proxy.
@brancz @s-urbaniak can you please let me know your thoughts on my comment above?
from kube-rbac-proxy.
Thanks @s-urbaniak! Will raise a PR with the above fix shortly.
from kube-rbac-proxy.
@s-urbaniak @brancz kindly review #147.
from kube-rbac-proxy.
@s-urbaniak can you please let me know when you're planning to push out a new tag/release? I need to use that for adding Power support to IBM Cloud Operators repo.
from kube-rbac-proxy.
@s-urbaniak can you please let me know when you're planning to push out a new tag/release? I need to use that for adding Power support to IBM Cloud Operators repo.
@s-urbaniak @brancz any update on the above?
from kube-rbac-proxy.
Related Issues (20)
- Bump golang version HOT 2
- Sig-Auth Pre-Acceptance 2nd Review HOT 10
- Cut a new release with golang version 1.20 HOT 3
- Add livenessProbe support for kube-rbac-proxy HOT 2
- Twistlock reporting CVE PRISMA-2022-0227 HOT 2
- kube-rbac-proxy failing authentication and authorization intermittently with error: HOT 2
- Option to output the logs as JSON HOT 1
- vulnerabilities on kube-rbac-proxy v0.14.2 HOT 2
- Image of kube-rbac-proxy new version (v0.14.3) wasn't pushed to quay.io repository HOT 4
- Failing to instantiate OIDC authenticator when --oidc-ca-file is not specified HOT 6
- vulnerabilities on kube-rbac-proxy v0.14.4 HOT 6
- Can they be friends --ignore-path and --allow-path? HOT 3
- CVE high security vulnerabilities found in image: quay.io/brancz/kube-rbac-proxy:v0.15.0 HOT 14
- Compability with new K8S versions HOT 2
- Can kube rbac proxy be used for kubeedge? HOT 3
- CVE vulnerabilities found for golang-runtime:1.20.4 (usr/local/bin/kube-rbac-proxy) HOT 3
- Multi Arch Image pulled from quay.io does not work in arm64/graviton nodes HOT 3
- 0.16 Image does not appear to be available HOT 3
- CVE-2023-47108 "Vulnerability detected affecting otelgrpc v0.42.0" found in kube-rbac-proxy v0.16.0 HOT 7
- [HELP] Trying to expose Hubble UI with kube-rbac-proxy HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kube-rbac-proxy.