CSPL-3064: Support for Distroless Image Creation in Splunk Operator for Kubernetes

Dockerfile.distroless

@@ -0,0 +1,45 @@
+# Build the manager binary
+FROM golang:1.23.0 AS builder
+
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# Cache dependencies before building to speed up future builds
+RUN go mod download
+
+# Copy the go source
+COPY main.go main.go
+COPY api/ api/
+COPY controllers/ controllers/
+COPY pkg/ pkg/
+COPY tools/ tools/
+COPY hack hack/
+
+# Build
+# TARGETOS and TARGETARCH are provided(inferred) by buildx via the --platforms flag
+RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -a -o manager main.go
+
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless
+FROM gcr.io/distroless/static:nonroot
+
+# Set environment variables
+ENV OPERATOR=/manager \
+    USER_UID=1001 \
+    USER_NAME=nonroot
+
+# Create necessary directories
+WORKDIR /
+COPY --from=builder /workspace/manager /
+COPY tools/EULA_Red_Hat_Universal_Base_Image_English_20190422.pdf /licenses/
+COPY LICENSE /licenses/LICENSE-2.0.txt
+COPY tools/k8_probes/livenessProbe.sh /tools/k8_probes/
+COPY tools/k8_probes/readinessProbe.sh /tools/k8_probes/
+COPY tools/k8_probes/startupProbe.sh /tools/k8_probes/
+
+# Use non-root user for running the application
+USER 1001
+
+# Specify the entry point
+ENTRYPOINT ["/manager"]

Makefile

@@ -154,15 +154,25 @@ docker-push: ## Push docker image with the manager.
 PLATFORMS ?= linux/amd64
 BASE_IMAGE ?= registry.access.redhat.com/ubi8/ubi
 BASE_IMAGE_VERSION ?= 8.10
+
 docker-buildx:
 	@if [ -z "$(IMG)" ]; then \
 		echo "Error: IMG is a mandatory argument. Usage: make docker-buildx IMG=<image_name> ...."; \
 		exit 1; \
-	fi
-	docker buildx build --push --platform="${PLATFORMS}" \
-		--build-arg BASE_IMAGE="${BASE_IMAGE}" \
-		--build-arg BASE_IMAGE_VERSION="${BASE_IMAGE_VERSION}" \
-		--tag "${IMG}" -f Dockerfile .
+	fi; \
+	if echo "$(BASE_IMAGE)" | grep -q "distroless"; then \
+		DOCKERFILE="Dockerfile.distroless"; \
+		BUILD_TAG="$(IMG)-distroless"; \
+	else \
+		DOCKERFILE="Dockerfile"; \
+		BUILD_TAG="$(IMG)"; \
+	fi; \
+	docker buildx build --push --platform="$(PLATFORMS)" \
+		--build-arg BASE_IMAGE="$(BASE_IMAGE)" \
+		--build-arg BASE_IMAGE_VERSION="$(BASE_IMAGE_VERSION)" \
+		--tag "$$BUILD_TAG" -f "$$DOCKERFILE" .
+
+
 
 ##@ Deployment
 install: manifests kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.

docs/Install.md

@@ -78,6 +78,32 @@ If you are using a private registry for the Docker images, edit `deployment` `sp
               fieldPath: metadata.name
 ...
 ```
+## Distroless Image Support
+
+As part of enhancing security and reducing the attack surface of the Splunk Operator container, a **distroless image** is now supported. The distroless image contains only the essential components required to run the Splunk Operator, without a shell or package manager, resulting in a smaller and more secure image.
+
+### How to Use the Distroless Image
+
+1. **Image Tag**:
+   - The distroless image can be identified by the `-distroless` suffix in its tag.
+   - Example: `splunk/splunk-operator:2.7.0-distroless`
+
+2. **Modifying the Deployment**:
+   - To use the distroless image, update the `manager` container image in the `splunk-operator-controller-manager` deployment as follows:
+
+   ```yaml
+   # Replace this with the distroless image name
+   image: splunk/splunk-operator:2.7.0-distroless
+   ```
+
+3. **Private Registry**:
+   - If using a private registry, ensure that the distroless image is retagged and pushed appropriately, and update the deployment image reference.
+
+### Debugging with Distroless Images
+
+Since distroless images do not contain a shell, debugging may require additional steps. One approach is to use a **sidecar container** that includes a shell and necessary utilities to inspect mapped volumes and files. This will be documented in future releases.
+
+---
 
 ## Cluster Domain
 
@@ -88,3 +114,6 @@ environment variable to the operator's deployment spec:
 - name: CLUSTER_DOMAIN
   value: "mydomain.com"
 ```
+
+
+