GoogleContainerTools / kaniko

Build Container Images In Kubernetes
Apache License 2.0

kaniko trigger AWS GuardDuty critical issue #3232

Open Allen-yan opened 2 days ago

Allen-yan commented 2 days ago

We deployed tekton/kaniko in AWS EKS, and AWS GuardDuty, a threat detection service, found a critical issue in the kaniko build process:

A container has executed a newly created binary file.

The kaniko image version: gcr.io/kaniko-project/executor:v1.18.0@sha256:f085ac43d71fc24b4b5a57596eee04e2ea0e85ed43d923760911049dcc00aa2e

It starts from /tekton/bin/entrypoint --> /kaniko/executor --> /bin/dash --> /usr/bin/wget. It seems that the executor wgets something, then compiles it and executes it.

It is OK for the kaniko executor to get and compile the image, but why execute it?
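One thing worth keeping in mind when reading a process chain like the one above: kaniko runs every Dockerfile RUN step inside the executor container itself, not in a separate sandbox, so a RUN step that downloads, compiles and runs code is executed by the executor's own process tree (executor, then the shell, then wget, then the new binary). The Python below is an added example, not kaniko code and not part of this issue, that scans a constructed Dockerfile for RUN steps of exactly that shape so they can be reviewed before the build runs; the sample Dockerfile and URLs are made up.

```python
import json
import re
import shlex

# Constructed sample Dockerfile (not from the kaniko project). The second RUN step
# is what a runtime sensor sees as "executor -> dash -> wget -> newly created binary".
SAMPLE_DOCKERFILE = """\
FROM debian:bookworm
RUN apt-get update && apt-get install -y build-essential wget
RUN wget -q https://example.invalid/tool.tar.gz -O /tmp/tool.tar.gz && \\
    tar xzf /tmp/tool.tar.gz -C /tmp && \\
    cd /tmp/tool && make && \\
    ./tool --selftest
RUN ["sh", "-c", "curl -sSL https://example.invalid/install.sh | sh"]
COPY . /app
"""

FETCH_TOOLS = {"wget", "curl"}
SHELLS = {"sh", "bash", "dash"}

def run_instructions(dockerfile: str) -> list[str]:
    """Return the shell command of each RUN step, joining backslash continuations."""
    joined = re.sub(r"\\\n\s*", " ", dockerfile)
    cmds = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.upper().startswith("RUN "):
            continue
        body = line[4:].strip()
        if body.startswith("["):  # exec form: RUN ["sh", "-c", "..."] wraps a shell command
            tokens = json.loads(body)
            body = tokens[2] if len(tokens) == 3 and tokens[0] in SHELLS and tokens[1] == "-c" else shlex.join(tokens)
        cmds.append(body)
    return cmds

def fetch_then_execute(cmd: str) -> bool:
    """True if a step downloads with wget/curl and later runs a fresh file or pipes into a shell."""
    fetched = False
    for segment in re.split(r"\s*(?:\|\||&&|;|\|)\s*", cmd):
        tokens = shlex.split(segment)
        prog = tokens[0] if tokens else ""
        if prog in FETCH_TOOLS:
            fetched = True
        elif fetched and (prog.startswith(("./", "/tmp/")) or prog in SHELLS):
            return True
    return False

def flag_dockerfile(dockerfile: str) -> list[str]:
    # Each flagged step would run as the executor process tree during the kaniko build.
    return [cmd for cmd in run_instructions(dockerfile) if fetch_then_execute(cmd)]
```

Running `flag_dockerfile(SAMPLE_DOCKERFILE)` returns the wget/make/./tool step and the curl-piped-to-sh step; the apt-get step is not reported.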