diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..5292519
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+logs/
\ No newline at end of file
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..0c9e1a3
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,15 @@
+# Ignore remaining vulnerabilities in kubectl binaries from k3s images
+# These are third-party binaries from upstream k3s releases
+# Updated to latest k3s versions: 1.30.14-k3s2, 1.31.12-k3s1, 1.32.8-k3s1, 1.33.4-k3s1
+
+# Remaining vulnerabilities in kubectl binaries (significantly reduced from previous versions)
+# These are in Go dependencies that we don't control in the upstream k3s images
+
+# Common across multiple kubectl versions:
+CVE-2025-47907 # database/sql: Postgres Scan Race Condition (stdlib)
+CVE-2025-49140 # Pion Interceptor's improper RTP padding handling
+CVE-2024-45337 # golang.org/x/crypto/ssh authorization bypass (CRITICAL - in older versions)
+CVE-2025-22869 # golang.org/x/crypto/ssh: DoS in Key Exchange
+CVE-2024-32148 # golang.org/x/net/http2: potential Denial of Service
+CVE-2025-22865 # golang.org/x/net: DoS in HTTP/2 server
+CVE-2023-47108 # opentelemetry-go-contrib: DoS vulnerability in otelgrpc
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 01d0eb1..8f627d1 100644
--- a/Dockerfile
+++ b/Dockerfile
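Review bot: The new `.trivyignore` suppresses these CVEs image-wide rather than only for the kubectl binary: a plain `.trivyignore` carries no path scope, so if the same affected Go modules (the stdlib `database/sql` entry behind CVE-2025-47907, `golang.org/x/crypto/ssh` behind CVE-2024-45337 and CVE-2025-22869, `golang.org/x/net` behind CVE-2024-32148 and CVE-2025-22865) ever turn up in the repository's own `echo-server` binary from the builder stage, Trivy will hide them there too, including the CRITICAL authorization bypass. If the intent is to scope the exceptions to kubectl, move the list to `.trivyignore.yaml` with a `paths:` restriction on the kubectl binary, or at minimum give each line an expiry so the suppressions are re-triaged, e.g. `CVE-2024-45337 exp:YYYY-MM-DD # golang.org/x/crypto/ssh authorization bypass`. The header comments also justify the list by kubectl binaries pulled from four k3s images, while the README hunk in this same commit says only the current stable kubectl is included at build time, so the stated rationale no longer matches what is being scanned; the comment should name the kubectl version these findings were actually triaged against.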
@@ -13,25 +13,20 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o ech
 # Final stage
 FROM registry.suse.com/bci/bci-base:15.7
 
-# Install required packages and perform cleanup
-RUN zypper addrepo -G https://download.opensuse.org/repositories/network:utilities/SLE_15_SP5/network:utilities.repo && \
- zypper -n install --no-recommends \
+# Install required packages from standard repositories and perform cleanup
+RUN zypper -n install --no-recommends \
 curl \
 ca-certificates \
 openssl \
- conntrack-tools \
 ethtool \
 iproute2 \
 ipset \
 iptables \
 iputils \
- mtr \
- iperf \
 jq \
 kmod \
 less \
 net-tools \
- netcat-openbsd \
 bind-utils \
 psmisc \
 socat \
@@ -52,6 +47,21 @@ RUN zypper addrepo -G https://download.opensuse.org/repositories/network:utiliti
 zypper -n clean -a && \
 rm -rf /tmp/* /var/tmp/* /usr/share/doc/packages/*
 
+# Install additional networking tools that may require alternative packages
+RUN zypper -n install --no-recommends \
+ ncat \
+ || zypper -n install --no-recommends netcat \
+ || echo "Warning: netcat not available, using built-in networking tools"
+
+# Install conntrack if available (may not be in all SUSE repositories)
+RUN zypper -n install --no-recommends conntrack \
+ || echo "Warning: conntrack not available"
+
+# Install mtr and iperf if available
+RUN zypper -n install --no-recommends mtr iperf3 \
+ || zypper -n install --no-recommends mtr iperf \
+ || echo "Warning: mtr/iperf not available"
+
 # Copy the compiled binary from builder stage
 COPY --from=builder /app/echo-server /usr/local/bin/
 
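Review bot: The rewritten `RUN zypper -n install --no-recommends \` installs every package unpinned, and now that the OBS repository is gone all of them come from the rolling BCI repositories, so two builds of the same commit can produce different package sets and different scan results. Pinning each package (`curl=<version>`, hadolint DL3037) is the strict fix; for a tooling image the lighter one is to pin the base by digest, `FROM registry.suse.com/bci/bci-base:15.7@sha256:…`, and to print `rpm -qa` in the build so a given image can be tied to a known package set. Dropping the `-G` (unsigned) third-party repo is the right call and is not being re-raised here. The `RUN` statement continues past the last line of this hunk.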
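Review bot: Each of the three new optional-install `RUN` steps ends in `|| echo "Warning: …"`, so when a package is missing the build still succeeds and the image silently ships without a tool the README advertises; a warning buried in CI output is easy to miss in an image whose whole purpose is having those tools on hand. The `conntrack` step is the clearest case: on SUSE the `conntrack` binary ships in `conntrack-tools`, which this commit removes from the primary install list, so if that package was only reachable through the dropped OBS repository the first command will always fail and the warning branch becomes the only branch. These steps also run `zypper` in three separate layers after the previous layer already ran `zypper -n clean -a`, so each re-downloads repository metadata and leaves its cache in the image. I would collapse them into one `RUN` that fails the build when neither alternative installs and cleans up in the same layer; if best-effort really is intended, keep the `|| echo` but still merge and clean.
```dockerfile
# Networking tools whose package names differ between SUSE repositories.
# Try the preferred name first, then the fallback; fail the build if neither
# installs so a missing tool is caught here rather than during an incident.
RUN ( zypper -n install --no-recommends ncat \
      || zypper -n install --no-recommends netcat ) && \
    ( zypper -n install --no-recommends conntrack-tools \
      || zypper -n install --no-recommends conntrack ) && \
    ( zypper -n install --no-recommends mtr iperf3 \
      || zypper -n install --no-recommends mtr iperf ) && \
    zypper -n clean -a && \
    rm -rf /tmp/* /var/tmp/*

# … unchanged: COPY --from=builder /app/echo-server …
```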
@@ -63,8 +73,11 @@ RUN VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt) && \
 # Set working directory
 WORKDIR /root
 
+# Create .kube directory
+RUN mkdir /root/.kube
+
 # Setup kubectl autocompletion, aliases, and profiles
 RUN kubectl completion bash > /etc/bash_completion.d/kubectl
 
-# Default command to run the main application
-CMD ["/usr/local/bin/echo-server"]
\ No newline at end of file
+# Default command
+CMD ["/usr/local/bin/echo-server"]
diff --git a/README.md b/README.md
index 9875880..4418f05 100644
--- a/README.md
+++ b/README.md
@@ -75,7 +75,7 @@ The `swiss-army-knife` image includes the following tools:
 - `tcpdump`
 
 ### Kubernetes Tools
-- `kubectl` (multiple versions included from K3s images: `1.28`, `1.29`, `1.30`, `1.31`)
+- `kubectl` the current stable version is included at the time of image builds
 
 ---
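Review bot: `RUN mkdir /root/.kube` creates the directory that will hold kubeconfig files — bearer tokens or client keys — with the default umask, i.e. world-readable; the usual hygiene is a 0700 directory, so `RUN mkdir -p -m 700 /root/.kube` does the same job in one line and is also idempotent should a future base image already ship the directory. Separately, the final stage still ends without a `USER` directive, so the container runs as root by default; for a network-debugging image that carries `iptables` and `tcpdump` this may be deliberate, but it deserves a comment saying so, e.g. `# Runs as root on purpose: iptables/conntrack/tcpdump need CAP_NET_ADMIN; not a base for services`. The `RUN VERSION=$(curl -L -s https://dl.k8s.io/release/stable.txt)` step in the hunk header lies outside this hunk, but the README change below now documents that floating version, which makes the image non-reproducible and the `.trivyignore` triage unverifiable; pinning via `ARG KUBECTL_VERSION` and checking the published `kubectl.sha256` would address both.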