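# Test-harness image bundling Kubernetes/container assessment tooling
# (kubectl x3, helm, oc, etcdctl, docker CLI, RBAC inspection tools,
# amicontained, botb, kdigger, conmachi, ...). It deliberately ships a
# setuid-root bash and a capability-enabled busybox as test fixtures, so it
# is not suitable as a base image for anything else.
#
# Every curl below uses -f so that an HTTP error fails the build instead of
# installing an HTML error page as an executable. None of the downloads is
# checksum-verified; when reproducibility matters, verify each artifact with
# `sha256sum -c` against the upstream release checksums before installing it.
FROM alpine:3.14
# --no-cache fetches the index without leaving /var/cache/apk behind
# (replaces `--update ... && rm -rf /var/cache/apk/*`). Note the space before
# each `\`: without it the continuation joins `py3-six` and `nmap` into one
# nonexistent package name.
RUN apk add --no-cache python3 py3-netifaces py3-prettytable py3-certifi \
    py3-chardet py3-future py3-idna py3-netaddr py3-parsing py3-six \
    nmap nmap-scripts curl tcpdump bind-tools jq nmap-ncat bash libcap libcap-ng-utils
# Kubernetes 1.12 for old clusters
RUN curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v1.12.8/bin/linux/amd64/kubectl && \
    chmod +x kubectl && mv kubectl /usr/local/bin/kubectl112
# Kubernetes 1.16 for medium old clusters
RUN curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v1.16.7/bin/linux/amd64/kubectl && \
    chmod +x kubectl && mv kubectl /usr/local/bin/kubectl116
# Kubernetes 1.21 for new clusters (the default `kubectl`)
RUN curl -fsSLO https://storage.googleapis.com/kubernetes-release/release/v1.21.5/bin/linux/amd64/kubectl && \
    chmod +x kubectl && mv kubectl /usr/local/bin/kubectl
# Get docker: the static tarball is used instead of the apk because the apk
# also pulls in the daemon binaries, which are not needed here. Only the
# client binary is kept; the rest of the archive is removed in the same layer.
RUN curl -fsSLO https://download.docker.com/linux/static/stable/x86_64/docker-20.10.9.tgz && \
    tar -xzf docker-20.10.9.tgz && \
    cp docker/docker /usr/local/bin && chmod +x /usr/local/bin/docker && \
    rm -rf docker/ && rm -f docker-20.10.9.tgz
# Get etcdctl
RUN curl -fsSLO https://github.com/etcd-io/etcd/releases/download/v3.3.13/etcd-v3.3.13-linux-amd64.tar.gz && \
    tar -xzf etcd-v3.3.13-linux-amd64.tar.gz && cp etcd-v3.3.13-linux-amd64/etcdctl /usr/local/bin && \
    chmod +x /usr/local/bin/etcdctl && rm -rf etcd-v3.3.13-linux-amd64 && rm -f etcd-v3.3.13-linux-amd64.tar.gz
# Get amicontained
RUN curl -fsSLO https://github.com/genuinetools/amicontained/releases/download/v0.4.9/amicontained-linux-amd64 && \
    mv amicontained-linux-amd64 /usr/local/bin/amicontained && chmod +x /usr/local/bin/amicontained
# Get botb
RUN curl -fsSLO https://github.com/brompwnie/botb/releases/download/1.8.0/botb-linux-amd64 && \
    mv botb-linux-amd64 /usr/local/bin/botb && chmod +x /usr/local/bin/botb
# Get reg
RUN curl -fsSLO https://github.com/genuinetools/reg/releases/download/v0.16.1/reg-linux-amd64 && \
    mv reg-linux-amd64 /usr/local/bin/reg && chmod +x /usr/local/bin/reg
# Get rakkess
RUN curl -fsSLO https://github.com/corneliusweig/rakkess/releases/download/v0.4.4/rakkess-amd64-linux.tar.gz && \
    tar -xzf rakkess-amd64-linux.tar.gz && chmod +x rakkess-amd64-linux && \
    mv rakkess-amd64-linux /usr/local/bin/rakkess && rm -f rakkess-amd64-linux.tar.gz
# Get kubectl-who-can
RUN curl -fsSLO https://github.com/aquasecurity/kubectl-who-can/releases/download/v0.1.0/kubectl-who-can_linux_x86_64.tar.gz && \
    tar -xzf kubectl-who-can_linux_x86_64.tar.gz && mv kubectl-who-can /usr/local/bin && \
    rm -f kubectl-who-can_linux_x86_64.tar.gz
# Get Helm 3
RUN curl -fsSLO https://get.helm.sh/helm-v3.7.0-linux-amd64.tar.gz && \
    tar -xzf helm-v3.7.0-linux-amd64.tar.gz && mv linux-amd64/helm /usr/local/bin/helm && \
    chmod +x /usr/local/bin/helm && rm -rf linux-amd64 && rm -f helm-v3.7.0-linux-amd64.tar.gz
# Get go-pillage-registries
RUN curl -fsSLO https://github.com/nccgroup/go-pillage-registries/releases/download/v1.0/go-pillage-registries_1.0_Linux_x86_64.tar.gz && \
    tar -xzf go-pillage-registries_1.0_Linux_x86_64.tar.gz && mv go-pillage-registries /usr/local/bin && \
    rm -f go-pillage-registries_1.0_Linux_x86_64.tar.gz
# Get oc (OpenShift origin client)
RUN curl -fsSLO https://github.com/openshift/origin/releases/download/v3.10.0/openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit.tar.gz && \
    tar -xzf openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit.tar.gz && \
    cp openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit/oc /usr/local/bin && \
    chmod +x /usr/local/bin/oc && \
    rm -rf openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit && \
    rm -f openshift-origin-client-tools-v3.10.0-dd10d17-linux-64bit.tar.gz
# Get rbac-tool (the archive also ships LICENSE and README.md, removed here)
RUN curl -fsSLO https://github.com/alcideio/rbac-tool/releases/download/v1.4.0/rbac-tool_v1.4.0_linux_amd64.tar.gz && \
    tar -xzf rbac-tool_v1.4.0_linux_amd64.tar.gz && mv rbac-tool /usr/local/bin && chmod +x /usr/local/bin/rbac-tool && \
    rm -f rbac-tool_v1.4.0_linux_amd64.tar.gz LICENSE README.md
# Get kdigger
RUN curl -fsSLO https://github.com/quarkslab/kdigger/releases/download/v1.4.0/kdigger-linux-amd64 && \
    mv kdigger-linux-amd64 /usr/local/bin/kdigger && chmod +x /usr/local/bin/kdigger
# conmachi is prebuilt in the build context (bin/conmachi)
COPY /bin/conmachi /usr/local/bin/
# Setuid-root copy of bash (mode 4755), shipped on purpose as a test fixture.
RUN cp /bin/bash /bin/setuidbash && chmod 4755 /bin/setuidbash
# File capabilities on busybox: part of the same deliberately weakened fixtures.
RUN setcap 'cap_net_raw,cap_net_bind_service,cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=+ep' /bin/busybox
# Unprivileged user with a fixed UID/GID (1001) so runtime policies such as
# runAsNonRoot can verify it. Short busybox flags (-G/-u) instead of the
# long-option spellings.
RUN addgroup -g 1001 -S tester && \
    adduser -S -G tester -u 1001 tester
WORKDIR /home/tester
USER tester
# Sample privileged pod chart and manifests, owned by the unprivileged user
# (explicit user:group rather than relying on the --chown=user default).
RUN mkdir charts manifests
COPY --chown=tester:tester /charts/* /home/tester/charts/
COPY --chown=tester:tester /manifests/* /home/tester/manifests/
# Keep the container running idle; the tools are used interactively.
CMD ["tail", "-f", "/dev/null"]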