Non-root containers (stolostron#1274)

* Use non-root user for tests container Signed-off-by: Douglas Camata <[email protected]> * Tighten container permissions Signed-off-by: Douglas Camata <[email protected]> --------- Signed-off-by: Douglas Camata <[email protected]>
coleenquadros · Nov 6, 2023 · 4d9d8fd · 4d9d8fd
1 parent fe7f3ba
commit 4d9d8fd
Show file tree

Hide file tree

Showing 7 changed files with 15 additions and 5 deletions.
diff --git a/collectors/metrics/Dockerfile b/collectors/metrics/Dockerfile
@@ -47,6 +47,8 @@ RUN microdnf update &&\
     mkdir /licenses &&\
     microdnf clean all
 
+USER 1001:1001
+
 COPY --from=builder /workspace/metrics-collector /usr/bin/
 
 # standalone required parameters

diff --git a/loaders/dashboards/Dockerfile b/loaders/dashboards/Dockerfile
@@ -45,6 +45,8 @@ WORKDIR /
 
 RUN microdnf update -y && microdnf clean all
 
+USER 1001:1001
+
 COPY --from=builder /workspace/main grafana-dashboard-loader
 
 EXPOSE 3002

diff --git a/operators/multiclusterobservability/bundle.Dockerfile b/operators/multiclusterobservability/bundle.Dockerfile
@@ -1,5 +1,7 @@
 FROM scratch
 
+USER 1001:1001
+
 LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/

diff --git a/proxy/Dockerfile b/proxy/Dockerfile
@@ -42,6 +42,9 @@ LABEL org.label-schema.vendor="Red Hat" \
     io.openshift.tags="$IMAGE_OPENSHIFT_TAGS"
 
 WORKDIR /
+
+USER 1001:1001
+
 COPY --from=builder /workspace/main rbac-query-proxy
 
 EXPOSE 3002

diff --git a/tests/Dockerfile b/tests/Dockerfile
@@ -11,8 +11,8 @@ RUN go install github.com/onsi/ginkgo/[email protected] && go mod vendor && ginkgo
 # create new docker image to hold built artifacts
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
-# run as root
-USER root
+# run as non-root
+USER 1001:1001
 
 # expose env vars for runtime
 ENV KUBECONFIG "/opt/.kube/config"

diff --git a/tools/simulator/metrics-collector/Dockerfile b/tools/simulator/metrics-collector/Dockerfile
@@ -1,3 +1,3 @@
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
-
+USER 1001:1001
 COPY timeseries.txt /tmp/
diff --git a/tools/simulator/metrics-collector/metrics-extractor/Dockerfile b/tools/simulator/metrics-collector/metrics-extractor/Dockerfile
@@ -11,10 +11,11 @@ RUN microdnf install wget -y \
 RUN microdnf install tar gzip jq bc -y\
     && microdnf clean all
 
+USER 1001:1001
 
 RUN wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.13/openshift-client-linux.tar.gz -P /ocp-tools
 WORKDIR /ocp-tools
-RUN chmod 777 /ocp-tools
+RUN chmod 644 /ocp-tools
 RUN tar xvf openshift-client-linux.tar.gz oc kubectl
 RUN rm openshift-client-linux.tar.gz
 RUN cp oc /usr/local/bin
@@ -38,7 +39,7 @@ RUN export matches=$(curl -L $METRICS_ALLOW_LIST_URL | $GOJSONTOYAML_BIN --yamlt
 
 
 COPY ./extract-metrics-data.sh /metrics-extractor/
-RUN chmod 777 /metrics-extractor
+RUN chmod 744 /metrics-extractor
 
 
 CMD [ "/bin/bash", "/metrics-extractor/extract-metrics-data.sh" ]