Building a Secure Docker Image with AWS CLI and Kubectl

Introduction

This documentation outlines building a secure and minimal custom Docker image that combines the official AWS CLI and kubectl images. This approach helps reduce vulnerabilities and ensures compatibility and reliability by leveraging official sources. The guide also covers how to update Kubernetes manifest files to use the newly created image and how to verify the successful deployment in the target environment.

Key Benefits:

  • Security: Uses trusted base images (the Bitnami images published on Amazon ECR Public).
  • Automation: CI/CD pipeline with AWS CodeBuild.
  • GitOps: Flux CD ensures cluster-state consistency.

New Custom Image Creation

There is no official Docker image that combines both AWS CLI and kubectl. Therefore, we first create a custom image from the official AWS CLI and kubectl images, then update the Kubernetes manifest file to deploy it. Relying on trusted sources keeps the image small and reduces the number of vulnerabilities it carries. This section provides a detailed breakdown of how the custom AWS CLI + kubectl Docker image was built using a Dockerfile and deployed via AWS CodeBuild (buildspec.yml).

The new image was built using official AWS and kubectl base images:

  • AWS CLI Base Image: public.ecr.aws/bitnami/aws-cli:2.24.0
  • Kubectl Base Image: public.ecr.aws/bitnami/kubectl:1.31

Dockerfile
Objective:

  • Combine aws-cli and kubectl in a single lightweight image.
  • Use officially maintained base images to minimize vulnerabilities.

Dockerfile: shown only as a screenshot in the original post.
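As an added example (not the post's own Dockerfile), a multi-stage Dockerfile that takes the kubectl binary from the Bitnami kubectl image and drops it into the Bitnami AWS CLI image. The in-image path /opt/bitnami/kubectl/bin/kubectl, the non-root UID 1001 and the default entrypoint of the Bitnami aws-cli image are assumptions about those images; check them against the image you actually pull.

```dockerfile
# Stage 1: source image whose only job is to supply the kubectl binary.
# Pinning the tag (and, in production, the digest: image:tag@sha256:...) keeps
# the build reproducible and stops a re-tagged upstream image changing what ships.
FROM public.ecr.aws/bitnami/kubectl:1.31 AS kubectl

# Stage 2: the runtime image is the pinned Bitnami AWS CLI image.
FROM public.ecr.aws/bitnami/aws-cli:2.24.0

# Copy only the single kubectl binary, not the whole kubectl image, so no
# extra packages (and their CVEs) come along. Path is assumed for the Bitnami image.
COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/kubectl

# Fail the build early if either tool is missing or broken.
RUN aws --version && kubectl version --client

# Run as the unprivileged user the Bitnami AWS CLI image defines (UID 1001 assumed);
# a CronJob with runAsNonRoot: true will refuse to start a root container.
USER 1001

# The Bitnami aws-cli image is assumed to set "aws" as its ENTRYPOINT; clear it
# so the CronJob's command can invoke either tool, or a script that uses both.
ENTRYPOINT []
CMD ["kubectl", "version", "--client"]
```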

Buildspec.yml for AWS CodeBuild

Objective:

  • Automate the Docker image build & push to Amazon ECR.
  • Ensure vulnerability scanning before deployment.

buildspec.yml: shown only as a screenshot in the original post.

Deployment Workflow:

Step 1: Build & Push Using AWS CodeBuild

  • Trigger CodeBuild (via Git push or manual execution).
  • The build logs show the image build and the push to Amazon ECR (shown only as a screenshot in the original post).

Step 2: Verify the Image in Amazon ECR

  • Navigate to Amazon ECR and verify the latest image in the target repository.

Navigate to Amazon ECR > Repository awscli_kubectl and confirm the new image tag.
Example:
Repository: awscli_kubectl
Image: 113928787453.dkr.ecr.ap-south-1.amazonaws.com/awscli_kubectl:1.34

Update Image in Manifest Files (CodeCommit):

  • Repository path: ppd-flux-eks-readiness/eks-readiness/4_cronjob
  • Image updated to: dkr.ecr.ap-south-1.amazonaws.com/awscli_kubectl:1.34
  • Commit and push the changes to the repository.

Flux CD Reconciliation

Run a Flux reconcile; Flux will sync the changes into the cluster:

Command: flux reconcile kustomization flux-system --with-source

Verification Steps

Verify Pod Status:
After the manifest is updated:

kubectl get pods -A | grep ecr-creds

Expected Output: All pods should be in Running state.

Check Pod Logs:
To ensure the pods are functioning correctly:

kubectl logs -f -n <namespace> <ecr-creds-pod-name>

Expected Logs:

  • No errors related to image pull or runtime.
  • Logs should show the job completing successfully (shown only as a screenshot in the original post).

Describe pod:
Check the events and confirm that the image update has been deployed. If the logs show issues, debug with:
kubectl describe pod -n <namespace> <ecr-creds-pod-name>

Events: shown only as a screenshot in the original post.

Updated image: shown only as a screenshot in the original post.

Conclusion

This workflow demonstrates how to securely integrate AWS CLI and kubectl into a single Docker image while adhering to DevOps best practices.

By using official base images, teams minimize vulnerabilities and ensure compatibility. The automation pipeline (AWS CodeBuild + Amazon ECR) eliminates manual errors, and Flux CD enforces GitOps principles for reliable deployments.

Future enhancements could include multi-architecture support (ARM/x86) and scheduled vulnerability scans. This approach optimizes resource usage and aligns with compliance requirements for auditable infrastructure. Combining these tools reduces operational overhead for teams managing Kubernetes at scale while maintaining security and reproducibility.

FAQs

1. How do you manually trigger a rebuild?

ANS: aws codebuild start-build --project-name <CodeBuild-Project>

2. How do you roll back if the deployment fails?

ANS:

  1. Revert the Git commit.
  2. Flux CD will automatically roll the cluster back to the reverted state:
Command: flux reconcile kustomization flux-system

WRITTEN BY Gopinatha N
