chore: update CISO Dockerfile base image (#40)

yana1205 · web-flow · commit 68f381e8ebef · 2025-04-07T10:45:41.000-04:00
---------

Signed-off-by: Takumi Yanagawa &lt;yana@jp.ibm.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,6 +9,7 @@ updates:
   - package-ecosystem: docker
     directories:
       - sre/tools/**/
+      - ciso/Dockerfile
     schedule:
       interval: weekly
 
diff --git a/ciso/Dockerfile b/ciso/Dockerfile
@@ -1,43 +1,56 @@
-FROM python:3.11.10-slim
+FROM registry.access.redhat.com/ubi9/python-311:9.5-1743582312
 
-RUN apt update -y && apt install -y curl gnupg2 unzip ssh
+USER 0
+RUN dnf update -y && dnf install -y gnupg2 unzip openssh
 RUN mkdir /etc/agent-benchmark
 RUN ln -sf /bin/bash /bin/sh
 
 # install `ansible-playbook`
+RUN pip install --upgrade setuptools==70.0.0
 RUN pip install ansible-core jmespath kubernetes==31.0.0 --no-cache-dir passlib
-RUN ansible-galaxy collection install kubernetes.core community.crypto
 # install `helm`
-RUN curl https://baltocdn.com/helm/signing.asc | gpg --dearmor | tee /usr/share/keyrings/helm.gpg > /dev/null && \
-    apt install apt-transport-https --yes && \
-    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://baltocdn.com/helm/stable/debian/ all main" | tee /etc/apt/sources.list.d/helm-stable-debian.list && \
-    apt update && \
-    apt install -y helm
+RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
 # install `jq`
-RUN apt install -y jq
+RUN dnf install -y jq
 # install `make`
-RUN apt install -y make
+RUN dnf install -y make
+
+# identify architecture
+ENV ARCH=unknown
+RUN ARCH=$(uname -m) && \
+    case "$ARCH" in \
+      x86_64) ARCH=amd64 ;; \
+      aarch64) ARCH=arm64 ;; \
+      *) echo "unsupported architecture: $ARCH" && exit 1 ;; \
+    esac && \
+    echo "ARCH=$ARCH" >> /etc/environment
+
 # install `kubectl`
-RUN curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/$(dpkg --print-architecture)/kubectl && \
+RUN source /etc/environment && \
+    curl -LO https://dl.k8s.io/release/v1.31.0/bin/linux/${ARCH}/kubectl && \
     chmod +x ./kubectl && \
     mv ./kubectl /usr/local/bin/kubectl
 # install `aws` (need this for using kubectl against AWS cluster)
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m).zip" -o "awscliv2.zip" && \
     unzip awscliv2.zip && \
     ./aws/install
 # install `opa`
-RUN curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v1.0.0/opa_linux_$(dpkg --print-architecture)_static && \
+RUN source /etc/environment && \
+    curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v1.0.0/opa_linux_${ARCH}_static && \
     chmod +x ./opa && \
     mv ./opa /usr/local/bin/opa
 
+RUN echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
+
+USER 1001
+RUN ansible-galaxy collection install kubernetes.core community.crypto
+
 WORKDIR /etc/ciso-task-scenarios
 ENV FOREGROUND=true
 ENV MAKEFLAGS=-s
 ENV KUBECONFIG=/etc/ciso-task-scenarios/kubeconfig.yaml
 ENV SHARED_WORKSPACE=/tmp/agent
 
-RUN echo "StrictHostKeyChecking no" >> /etc/ssh/ssh_config
-
 COPY 1.gen-cis-b-k8s-kyverno ./1.gen-cis-b-k8s-kyverno
 COPY 2.gen-cis-b-k8s-kubectl-opa ./2.gen-cis-b-k8s-kubectl-opa
 COPY 3.gen-cis-b-rhel9-ansible-opa ./3.gen-cis-b-rhel9-ansible-opa
