🐛 fix: update shell command to use /bin/bash for init containers (#1497)

Author: slntopp

controllers/container_image/resources.go

@@ -384,7 +384,7 @@ func validateContainerRegistryWIF(wif *v1alpha2.WorkloadIdentityConfig) error {
 // registryWIFInitContainer creates an init container that generates docker config credentials
 // using cloud-native Workload Identity Federation
 func registryWIFInitContainer(wif *v1alpha2.WorkloadIdentityConfig) corev1.Container {
-	var image, script string
+	var image, shell, script string
 	var env []corev1.EnvVar
 
 	// Common retry wrapper for transient failures
@@ -410,6 +410,7 @@ retry() {
 	switch wif.Provider {
 	case v1alpha2.CloudProviderGKE:
 		image = k8s_scan.GCloudSDKImage
+		shell = "/bin/bash"
 		script = retryWrapper + `
 # Use WIF identity to get an access token for Artifact Registry / GCR
 TOKEN=$(retry gcloud auth print-access-token)
@@ -456,6 +457,7 @@ echo "Docker config generated for $(echo "$AUTHS" | tr ',' '\n' | wc -l) registr
 
 	case v1alpha2.CloudProviderEKS:
 		image = k8s_scan.AWSCLIImage
+		shell = "/bin/bash"
 		script = retryWrapper + `
 # Use IRSA identity to get ECR login password
 PASSWORD=$(retry aws ecr get-login-password --region "$AWS_REGION")
@@ -483,6 +485,7 @@ echo "Docker config generated for ECR registry: ${REGISTRY}"
 
 	case v1alpha2.CloudProviderAKS:
 		image = k8s_scan.AzureCLIImage
+		shell = "/bin/bash"
 		script = retryWrapper + `
 # Azure WIF webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE
 retry az login --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" \
@@ -511,6 +514,7 @@ echo "Docker config generated for ACR: ${ACR_LOGIN_SERVER}"
 
 	default:
 		image = "busybox:1.36"
+		shell = "/bin/sh"
 		script = `echo "ERROR: Unknown workload identity provider"; exit 1`
 		env = []corev1.EnvVar{}
 	}
@@ -519,7 +523,7 @@ echo "Docker config generated for ACR: ${ACR_LOGIN_SERVER}"
 		Name:            "generate-registry-creds",
 		Image:           image,
 		ImagePullPolicy: corev1.PullIfNotPresent,
-		Command:         []string{"/bin/sh", "-c", script},
+		Command:         []string{shell, "-c", script},
 		Env:             env,
 		VolumeMounts: []corev1.VolumeMount{
 			{Name: "docker-config", MountPath: "/etc/opt/mondoo/docker"},

controllers/k8s_scan/resources.go

@@ -669,7 +669,7 @@ const (
 
 // wifInitContainer creates an init container that generates kubeconfig using cloud CLI tools
 func wifInitContainer(cluster v1alpha2.ExternalCluster) corev1.Container {
-	var image, script string
+	var image, shell, script string
 	var env []corev1.EnvVar
 
 	// Common retry wrapper for transient failures
@@ -695,6 +695,7 @@ retry() {
 	switch cluster.WorkloadIdentity.Provider {
 	case v1alpha2.CloudProviderGKE:
 		image = GCloudSDKImage
+		shell = "/bin/bash"
 		script = retryWrapper + `
 retry gcloud container clusters get-credentials "$CLUSTER_NAME" \
   --project "$PROJECT_ID" \
@@ -713,6 +714,7 @@ echo "=== END DEBUG ==="
 
 	case v1alpha2.CloudProviderEKS:
 		image = AWSCLIImage
+		shell = "/bin/bash"
 		script = retryWrapper + `
 retry aws eks update-kubeconfig \
   --name "$CLUSTER_NAME" \
@@ -730,6 +732,7 @@ echo "=== END DEBUG ==="
 
 	case v1alpha2.CloudProviderAKS:
 		image = AzureCLIImage
+		shell = "/bin/bash"
 		script = retryWrapper + `
 # Azure CLI requires explicit login with the federated token injected by the
 # AKS Workload Identity webhook (AZURE_CLIENT_ID, AZURE_TENANT_ID,
@@ -752,8 +755,8 @@ retry az aks get-credentials \
 		}
 
 	default:
-		// This should never happen if validation is correct, but handle gracefully
 		image = "busybox:1.36"
+		shell = "/bin/sh"
 		script = `echo "ERROR: Unknown workload identity provider"; exit 1`
 		env = []corev1.EnvVar{}
 	}
@@ -762,7 +765,7 @@ retry az aks get-credentials \
 		Name:            "generate-kubeconfig",
 		Image:           image,
 		ImagePullPolicy: corev1.PullIfNotPresent,
-		Command:         []string{"/bin/sh", "-c", script},
+		Command:         []string{shell, "-c", script},
 		Env:             env,
 		VolumeMounts: []corev1.VolumeMount{
 			{Name: "kubeconfig", MountPath: "/etc/opt/mondoo/kubeconfig"},

go.sum

@@ -818,14 +818,10 @@ howett.net/plist v1.0.1 h1:37GdZ8tP09Q35o9ych3ehygcsL+HqKSwzctveSlarvM=
 howett.net/plist v1.0.1/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 k8s.io/api v0.36.0 h1:SgqDhZzHdOtMk40xVSvCXkP9ME0H05hPM3p9AB1kL80=
 k8s.io/api v0.36.0/go.mod h1:m1LVrGPNYax5NBHdO+QuAedXyuzTt4RryI/qnmNvs34=
-k8s.io/apiextensions-apiserver v0.35.2 h1:iyStXHoJZsUXPh/nFAsjC29rjJWdSgUmG1XpApE29c0=
-k8s.io/apiextensions-apiserver v0.35.2/go.mod h1:OdyGvcO1FtMDWQ+rRh/Ei3b6X3g2+ZDHd0MSRGeS8rU=
 k8s.io/apiextensions-apiserver v0.36.0 h1:Wt7E8J+VBCbj4FjiBfDTK/neXDDjyJVJc7xfuOHImZ0=
 k8s.io/apiextensions-apiserver v0.36.0/go.mod h1:kGDjH0msuiIB3tgsYRV0kS9GqpMYMUsQ3GHv7TApyug=
 k8s.io/apimachinery v0.36.0 h1:jZyPzhd5Z+3h9vJLt0z9XdzW9VzNzWAUw+P1xZ9PXtQ=
 k8s.io/apimachinery v0.36.0/go.mod h1:FklypaRJt6n5wUIwWXIP6GJlIpUizTgfo1T/As+Tyxc=
-k8s.io/apiserver v0.35.2 h1:rb52v0CZGEL0FkhjS+I6jHflAp7fZ4MIaKcEHX7wmDk=
-k8s.io/apiserver v0.35.2/go.mod h1:CROJUAu0tfjZLyYgSeBsBan2T7LUJGh0ucWwTCSSk7g=
 k8s.io/apiserver v0.36.0 h1:Jg5OFAENUACByUCg15CmhZAYrr5ZyJ+jodyA1mHl3YE=
 k8s.io/apiserver v0.36.0/go.mod h1:mHvwdHf+qKEm+1/hYm756SV+oREOKSPnsjagOpx6Vho=
 k8s.io/client-go v0.36.0 h1:pOYi7C4RHChYjMiHpZSpSbIM6ZxVbRXBy7CuiIwqA3c=
@@ -852,12 +848,8 @@ modernc.org/sqlite v1.50.0 h1:eMowQSWLK0MeiQTdmz3lqoF5dqclujdlIKeJA11+7oM=
 modernc.org/sqlite v1.50.0/go.mod h1:m0w8xhwYUVY3H6pSDwc3gkJ/irZT/0YEXwBlhaxQEew=
 moul.io/http2curl v1.0.0 h1:6XwpyZOYsgZJrU8exnG87ncVkU1FVCcTRpwzOkTDUi8=
 moul.io/http2curl v1.0.0/go.mod h1:f6cULg+e4Md/oW1cYmwW4IWQOVl2lGbmCNGOHvzX2kE=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 h1:qPrZsv1cwQiFeieFlRqT627fVZ+tyfou/+S5S0H5ua0=
-sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0 h1:hSfpvjjTQXQY2Fol2CS0QHMNs/WI1MOSGzCm1KhM5ec=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.34.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
-sigs.k8s.io/controller-runtime v0.23.3 h1:VjB/vhoPoA9l1kEKZHBMnQF33tdCLQKJtydy4iqwZ80=
-sigs.k8s.io/controller-runtime v0.23.3/go.mod h1:B6COOxKptp+YaUT5q4l6LqUJTRpizbgf9KSRNdQGns0=
 sigs.k8s.io/controller-runtime v0.24.0 h1:Ck6N2LdS8Lovy1o25BB4r1xjvLEKUl1s2o9kU+KWDE4=
 sigs.k8s.io/controller-runtime v0.24.0/go.mod h1:vFkfY5fGt5xAC/sKb8IBFKgWPNKG9OUG29dR8Y2wImw=
 sigs.k8s.io/gateway-api v1.5.0 h1:duoo14Ky/fJXpjpmyMISE2RTBGnfCg8zICfTYLTnBJA=