cni: use scratch as the base runtime docker image (#237)

Currently, the CNI plugin Docker image uses a Debian base image at runtime. Debian is used to install some packages that are dependencies of the `install-cni.sh` script, namely `inotifywatch`, `jq`, and `pgrep`. However, these packages are the only things we need, and it's not strictly necessary to run the CNI plugin in an entire Debian install. We could install these tools from a Debian image, and then actually run in a `scratch` image. This branch changes the CNI plugin `Dockerfile` to use a `scratch` base image for the final runtime layer. `debian:bullseye-slim` is still used when building the image, in order to install the required packages using APT, and then the installed binaries are copied into the final image. This is the same change as linkerd/linkerd2#10845, but applied to the dockerfile in this repo instead.
linkerd · May 2, 2023 · 9f2f586 · 9f2f586
1 parent 9215ddf
commit 9f2f586
Showing 1 changed file with 10 additions and 7 deletions.
diff --git a/Dockerfile-cni-plugin b/Dockerfile-cni-plugin
@@ -7,7 +7,7 @@
 # Cross compile from native platform to target arch
 FROM --platform=$BUILDPLATFORM ghcr.io/linkerd/dev:v39-go as go
 WORKDIR /build
-COPY --link go.mod go.sum .
+COPY --link go.mod go.sum ./
 COPY --link ./cni-plugin ./cni-plugin
 COPY --link ./proxy-init ./proxy-init
 COPY --link ./internal ./internal
@@ -17,22 +17,25 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=$TARGETARCH GO111MODULE=on \
     go build -o /go/bin/linkerd-cni -mod=readonly -ldflags "-s -w" -v ./cni-plugin/
 
 ##
-## Runtime
+## Runtime dependencies
 ##
 
-FROM debian:bullseye-slim
+FROM debian:bullseye-slim as deps
 WORKDIR /linkerd
 RUN apt-get update && apt-get install -y --no-install-recommends \
-    iptables \
     inotify-tools \
     procps \
     jq && \
     rm -rf /var/lib/apt/lists/*
 
-# We still rely on old iptables-legacy syntax.
-RUN update-alternatives --set iptables /usr/sbin/iptables-legacy \
-    && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
+##
+## Runtime
+##
 
+FROM scratch as runtime
+COPY --from=deps /usr/bin/inotifywait /usr/bin/inotifywait
+COPY --from=deps /usr/bin/pgrep /usr/bin/pgrep
+COPY --from=deps /usr/bin/jq /usr/bin/jq
 COPY --from=go /go/bin/linkerd-cni /opt/cni/bin/
 COPY LICENSE .
 COPY cni-plugin/deployment/scripts/install-cni.sh .