Task weight: 7%

Use context: kubectl config use-context workload-prod

There is a Deployment image-verify in Namespace team-blue which runs image registry.killer.sh:5000/image-verify:v1. DevSecOps has asked you to improve this image by:

  • Changing the base image to alpine:3.12
  • Not installing curl
  • Updating nginx to use the version constraint >=1.18.0
  • Running the main process as user myuser

Do not add any new lines to the Dockerfile, just edit existing ones. The file is located at /opt/course/16/image/Dockerfile.

Tag your version as v2. You can build, tag and push using:

cd /opt/course/16/image
podman build -t registry.killer.sh:5000/image-verify:v2 .
podman run registry.killer.sh:5000/image-verify:v2 # to test your changes
podman push registry.killer.sh:5000/image-verify:v2

Make the Deployment use your updated image tag v2.

Solution

Back up and edit the Dockerfile

cp /opt/course/16/image/Dockerfile Dockerfile.bak
vim Dockerfile

# /opt/course/16/image/Dockerfile
FROM alpine:3.4
RUN apk update && apk add vim curl nginx=1.10.3-r0
RUN addgroup -S myuser && adduser -S myuser -G myuser
COPY ./run.sh run.sh
RUN ["chmod", "+x", "./run.sh"]
USER root
ENTRYPOINT ["/bin/sh", "./run.sh"]

cat /opt/course/16/image/run.sh

# /opt/course/16/image/run.sh
while true; do date; id; echo; sleep 1; done

The Dockerfile builds on alpine:3.4, installs vim, curl and nginx, creates the user and group, and starts run.sh, which loops and prints the date and id once per second.

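Modify it according to the task

# /opt/course/16/image/Dockerfile

# changed: base image version
FROM alpine:3.12

# changed: curl removed; the nginx constraint is quoted so the shell does not treat > as a redirection
RUN apk update && apk add vim "nginx>=1.18.0"

RUN addgroup -S myuser && adduser -S myuser -G myuser
COPY ./run.sh run.sh
RUN ["chmod", "+x", "./run.sh"]

# changed: user
USER myuser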

ENTRYPOINT ["/bin/sh", "./run.sh"]
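
A pre-build check for the four requirements, as an added example that is not part of the original solution: `check_dockerfile` and `write_samples` are hypothetical helper names, and the two sample files are constructed, abridged versions of the v1 Dockerfile and a corrected v2. It also flags an unquoted `nginx>=1.18.0`, which a shell-form RUN parses as an output redirection.

```shell
#!/bin/sh
# Added example, not part of the original solution.
# check_dockerfile FILE: print one FAIL line per unmet requirement and
# return the number of findings (0 = all four requirements met).
check_dockerfile() {
    f=$1
    fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

    # 1. Base image must be alpine:3.12.
    grep -Eq '^FROM[[:space:]]+alpine:3\.12[[:space:]]*$' "$f" ||
        fail "base image is not alpine:3.12"

    # 2. No apk add line may install curl.
    if grep -E 'apk[[:space:]].*add' "$f" |
        grep -Eq '(^|[[:space:]])curl([[:space:]=<>~]|$)'; then
        fail "curl is still installed"
    fi

    # 3. nginx must carry the >=1.18.0 constraint, and it must be quoted:
    #    in a shell-form RUN an unquoted > is an output redirection.
    if grep -Eq "[\"']nginx>=1\.18\.0[\"']" "$f"; then
        :
    elif grep -q 'nginx>=' "$f"; then
        fail "nginx constraint is unquoted, so > is parsed as a redirect"
    else
        fail "nginx is not constrained to >=1.18.0"
    fi

    # 4. The last USER instruction decides who runs the ENTRYPOINT.
    last_user=$(awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$f")
    [ "$last_user" = "myuser" ] || fail "final USER is not myuser"

    return "$fails"
}

# Constructed samples: abridged v1 Dockerfile and a corrected v2.
write_samples() {
    printf '%s\n' 'FROM alpine:3.4' \
        'RUN apk update && apk add vim curl nginx=1.10.3-r0' \
        'USER root' 'ENTRYPOINT ["/bin/sh", "./run.sh"]' > "$1/Dockerfile.v1"
    printf '%s\n' 'FROM alpine:3.12' \
        'RUN apk update && apk add vim "nginx>=1.18.0"' \
        'USER myuser' 'ENTRYPOINT ["/bin/sh", "./run.sh"]' > "$1/Dockerfile.v2"
}
```

Run it as `check_dockerfile /opt/course/16/image/Dockerfile` before `podman build`; a return value of 0 means all four requirements are met.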

Rebuild the image and run it

cd /opt/course/16/image
podman build -t registry.killer.sh:5000/image-verify:v2 .
podman run registry.killer.sh:5000/image-verify:v2

After checking that the output is correct, push the image

podman push registry.killer.sh:5000/image-verify:v2

Edit the Deployment to use the updated image

k -n team-blue edit deploy image-verify
# kubectl -n team-blue edit deploy image-verify
apiVersion: apps/v1
kind: Deployment
metadata:
...
spec:
...
  template:
...
    spec:
      containers:
      - image: registry.killer.sh:5000/image-verify:v2 # changed

k -n team-blue logs -f -l id=image-verify

Check: verify curl and nginx in the running Pod

k -n team-blue exec image-verify-55fbcd4c9b-x2flc -- curl
k -n team-blue exec image-verify-55fbcd4c9b-x2flc -- nginx -v