Introduction
This documentation outlines building a secure and minimal custom Docker image that combines the official AWS CLI and kubectl images. This approach helps reduce vulnerabilities and ensures compatibility and reliability by leveraging official sources. The guide also covers how to update Kubernetes manifest files to use the newly created image and how to verify the successful deployment in the target environment.
Key Benefits:
- Security: Uses trusted base images (Bitnami images published on Amazon ECR Public).
- Automation: CI/CD pipeline with AWS CodeBuild.
- GitOps: Flux CD ensures cluster-state consistency.
New Custom Image Creation
There is no official Docker image that combines both the AWS CLI and kubectl. Therefore, we first build a custom image from the official AWS CLI and kubectl images, then update the Kubernetes manifest file to deploy it; relying on trusted sources helps reduce vulnerabilities. This section provides a detailed breakdown of how the custom AWS CLI + kubectl Docker image was built using a Dockerfile and deployed via AWS CodeBuild (buildspec.yml).
The new image was built using official AWS and kubectl base images:
- AWS CLI Base Image: public.ecr.aws/bitnami/aws-cli:2.24.0
- Kubectl Base Image: public.ecr.aws/bitnami/kubectl:1.31
Dockerfile
Objective:
- Combine aws-cli and kubectl in a single lightweight image.
- Use officially maintained base images to minimize vulnerabilities.
Dockerfile (shown as a screenshot in the original post):
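As an added example (not the author's Dockerfile, which the post shows only as an image), the following multi-stage Dockerfile combines the two tags named above; it assumes the Bitnami kubectl image ships its binary at /opt/bitnami/kubectl/bin/kubectl.

```dockerfile
# Example Dockerfile added to this post; not the author's file (shown only as a screenshot).
# Assumption: the Bitnami kubectl image ships its binary at /opt/bitnami/kubectl/bin/kubectl.

# Versions pinned to the tags named in this post. Pinning by digest (tag@sha256:...)
# is stronger, because a tag can be re-pointed at different content later.
ARG AWSCLI_TAG=2.24.0
ARG KUBECTL_TAG=1.31

# Stage 1: only a source for the kubectl binary. Nothing else from this image is kept,
# so its package set does not add to the final image's attack surface.
FROM public.ecr.aws/bitnami/kubectl:${KUBECTL_TAG} AS kubectl

# Stage 2: the AWS CLI image is the runtime base.
FROM public.ecr.aws/bitnami/aws-cli:${AWSCLI_TAG}

# Copy a single static binary rather than installing kubectl with a package manager
# or curl at build time, which would add an unpinned download to the supply chain.
COPY --from=kubectl /opt/bitnami/kubectl/bin/kubectl /usr/local/bin/kubectl

# Bitnami images already run as the unprivileged UID 1001; state it explicitly so a
# future base-image change cannot silently reintroduce root.
USER 1001

# Build-time sanity check: both tools are on PATH and report the expected versions.
RUN aws --version && kubectl version --client

# The CronJob manifest supplies the actual command (e.g. fetching an ECR token with
# `aws` and refreshing a pull secret with `kubectl`); a shell entrypoint lets the
# manifest pass that pipeline as a single args string.
ENTRYPOINT ["/bin/sh", "-c"]
```

Build it with `docker build --build-arg AWSCLI_TAG=2.24.0 --build-arg KUBECTL_TAG=1.31 -t awscli_kubectl:1.34 .`; the ECR scan in the CodeBuild post-build phase then covers only the AWS CLI base plus one binary.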
Buildspec.yml for AWS CodeBuild
Objective:
- Automate the Docker image build & push to Amazon ECR.
- Ensure vulnerability scanning before deployment.
Deployment Workflow:
Step 1: Build & Push Using AWS CodeBuild
- Trigger CodeBuild (via Git push or manual execution).
- Build logs will show:
[Build Phase] Building Docker image...
[Post_Build Phase] Pushed image to ECR: 123456789012.dkr.ecr.region.amazonaws.com/awscli_kubectl:1.34
Step 2: Verify the Image in Amazon ECR
- Navigate to Amazon ECR > Repository awscli_kubectl and confirm the new image tag in the target repository.
Example:
Repository: awscli_kubectl
Image: 113928787453.dkr.ecr.ap-south-1.amazonaws.com/awscli_kubectl:1.34
Update Image in Manifest Files (CodeCommit):
- Repository Path: ppd-flux-eks-readiness/eks-readiness/4_cronjob
- Image Updated: dkr.ecr.ap-south-1.amazonaws.com/awscli_kubectl:1.34
- Commit and push changes to the repository.
Flux CD Reconciliation
Run a Flux reconcile, which syncs the changes into the cluster automatically:
Command: flux reconcile kustomization flux-system --with-source
Verification Steps
Verify Pod Status:
After the manifest is updated:
kubectl get pods -A | grep ecr-creds
Expected Output: All pods should be in Running state.
Check Pod Logs:
To ensure the pods are functioning correctly:
kubectl logs -f -n <namespace> <ecr-creds-pod-name>
Expected Logs:
- No errors related to image pull or runtime.
- Logs should show successful execution (as shown in the attached snapshot).
Describe Pod:
Check the pod events and confirm that the updated image has been pulled and deployed successfully. If the logs show issues, debug using:
kubectl describe pod -n <namespace> <ecr-creds-pod-name>
(The Events section and the updated image reference are shown in screenshots in the original post.)
Conclusion
This workflow demonstrates how to securely integrate AWS CLI and kubectl into a single Docker image while adhering to DevOps best practices.
Future enhancements could include multi-architecture support (ARM/x86) and scheduled vulnerability scans. This approach optimizes resource usage and aligns with compliance requirements for auditable infrastructure. Combining these tools reduces operational overhead for teams managing Kubernetes at scale while maintaining security and reproducibility.
FAQs
1. How do you manually trigger a rebuild?
ANS: aws codebuild start-build --project-name <CodeBuild-Project>
2. How to rollback if the deployment fails?
ANS:
- Revert the Git commit.
- Flux CD will automatically roll back to the previous manifest on reconciliation.
WRITTEN BY Gopinatha N