Description
Which version of kube-score are you using?
I am using the zegl/kube-score:v1.15.0-helm3 docker image on an x86_64 system:
$ uname -a
Linux ubuntu 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
What did you do?
I pulled the Docker image from the Docker Hub with the following command:
docker pull zegl/kube-score:v1.15.0-helm3
I then tried to run kube-score with the following command:
cat swiss-army-knife.yaml | docker run --rm -i zegl/kube-score:v1.15.0-helm3 kube-score score -
What did you expect to see?
I expected kube-score to run without warning.
What did you see instead?
Docker shows a warning telling me that the image I am trying to run does not match my host platform:
$ cat swiss-army-knife.yaml | docker run --rm -i zegl/kube-score:v1.15.0-helm3 kube-score score -
WARNING: The requested image's platform (linux/arm64/v8) does not match the detected host platform (linux/amd64) and no specific platform was requested
apps/v1/Deployment swiss-army-knife 💥
[CRITICAL] Pod NetworkPolicy
· The pod does not have a matching NetworkPolicy
Create a NetworkPolicy that targets this pod to control who/what
can communicate with this pod. Note, this feature needs to be
supported by the CNI implementation used in the Kubernetes cluster
to have an effect.
[CRITICAL] Container Security Context ReadOnlyRootFilesystem
· swiss-army-knife -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Resources
· swiss-army-knife -> CPU limit is not set
Resource limits are recommended to avoid resource DDOS. Set
resources.limits.cpu
· swiss-army-knife -> Memory limit is not set
Resource limits are recommended to avoid resource DDOS. Set
resources.limits.memory
· swiss-army-knife -> CPU request is not set
Resource requests are recommended to make sure that the application
can start and run without crashing. Set resources.requests.cpu
· swiss-army-knife -> Memory request is not set
Resource requests are recommended to make sure that the application
can start and run without crashing. Set resources.requests.memory
[CRITICAL] Container Ephemeral Storage Request and Limit
· swiss-army-knife -> Ephemeral Storage limit is not set
Resource limits are recommended to avoid resource DDOS. Set
resources.limits.ephemeral-storage
[CRITICAL] Container Security Context User Group ID
· swiss-army-knife -> Container has no configured security context
Set securityContext to run the container in a more secure context.
[CRITICAL] Container Image Tag
· swiss-army-knife -> Image with latest tag
Using a fixed tag is recommended to avoid accidental upgrades
Additional details
The digest of the image I pulled:
$ docker image inspect zegl/kube-score:v1.15.0-helm3 | jq ".[0].RepoDigests"
[
"zegl/kube-score@sha256:8e794bb74eb171d065f4faed7d43f3a08995e2ce106326368eaf280a3701383b"
]
Even though I pulled the image from an x86_64 system, I got an arm64 image:
$ docker image inspect zegl/kube-score@sha256:8e794bb74eb171d065f4faed7d43f3a08995e2ce106326368eaf280a3701383b | jq ".[0].Architecture"
"arm64"
On Docker Hub, the zegl/kube-score@sha256:8e794bb74eb171d065f4faed7d43f3a08995e2ce106326368eaf280a3701383b docker image corresponds to an arm64 image. It seems no image has been published for the x86_64 architecture.
Kube-score manages to scan my manifest because the kube-score binary is an x86_64 binary. After extracting the image, here is the result of the file command on the kube-score binary that was inside the image:
$ file ./usr/bin/kube-score
./usr/bin/kube-score: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, Go BuildID=U5aCVzrMF1jCUG3Y8UnR/4Y2YPR3xDaScAfEzWmBf/Dx6swBXZFofLvYid1Cz7/kMR0wBQneVKsqqfWthn4, stripped
So an x86_64 binary has been copied into an arm64 Docker image and no x86_64 image has been published.
Can you please:
- publish x86_64 Docker images for kube-score 1.15.0
- re-publish the arm64 Docker images with an arm64 kube-score binary
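
The mismatch reported above (image metadata declares arm64, the shipped binary is x86-64) can be caught before publishing by comparing the image's declared architecture with the `e_machine` field of the binary's ELF header. This is an added example, not part of the original issue or of kube-score's build tooling; the function names and the sample headers are constructed for illustration.

```python
import struct

# ELF e_machine values (ELF specification) mapped to Docker/OCI architecture names.
E_MACHINE_TO_OCI = {0x03: "386", 0x28: "arm", 0x3E: "amd64", 0xB7: "arm64"}


def elf_arch(header: bytes) -> str:
    """Return the OCI architecture name encoded in an ELF header (first 20 bytes suffice)."""
    if len(header) < 20 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # EI_DATA (byte 5): 1 = little-endian, 2 = big-endian.
    if header[5] not in (1, 2):
        raise ValueError("invalid EI_DATA byte")
    endian = "<" if header[5] == 1 else ">"
    # e_machine is a 16-bit field at offset 18, right after e_ident[16] and e_type.
    (machine,) = struct.unpack_from(endian + "H", header, 18)
    return E_MACHINE_TO_OCI.get(machine, f"unknown(0x{machine:x})")


def check_binary(declared_arch: str, header: bytes) -> tuple:
    """Compare the image's declared architecture with the binary's real one."""
    actual = elf_arch(header)
    return actual == declared_arch, actual


def _sample_header(e_machine: int) -> bytes:
    # Constructed sample: 64-bit, little-endian ELF header prefix, e_type = ET_EXEC.
    return b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8) + struct.pack("<HH", 2, e_machine)


SAMPLE_X86_64 = _sample_header(0x3E)  # constructed, stands in for ./usr/bin/kube-score
SAMPLE_ARM64 = _sample_header(0xB7)   # constructed

if __name__ == "__main__":
    import sys
    # Usage: script.py <declared-arch> <path-to-extracted-binary>
    # <declared-arch> is the Architecture value reported by `docker image inspect`.
    if len(sys.argv) == 3:
        with open(sys.argv[2], "rb") as fh:
            ok, actual = check_binary(sys.argv[1], fh.read(20))
    else:
        ok, actual = check_binary("arm64", SAMPLE_X86_64)  # the case from the issue
    print(f"binary is {actual}: {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run as a release gate, a non-zero exit stops an image from being pushed when its platform metadata and its binary disagree.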