From 841619055ee74f6feab96ebf603a1758fff03b18 Mon Sep 17 00:00:00 2001
From: Alex Szakaly
Date: Fri, 1 May 2020 10:24:26 +0200
Subject: [PATCH] Move to non-root container

* Create user (1001) during build and copy into SCRATCH image
* Set spec.template.spec.securityContext.runAsUser: 1001

Fixes #32

Signed-off-by: Alex Szakaly
---
 Dockerfile           | 5 +++++
 deploy/operator.yaml | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 25bd91b..163532b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,7 @@
 FROM golang:1.11 as builder
 
+RUN useradd -u 1001 kubelet-rubber-stamp
+
 WORKDIR /src
 
 # Add dependency and download it
@@ -17,5 +19,8 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=${ARCH} go build -a -installsuffix cgo -o ku
 FROM scratch
 
 COPY --from=builder /src/kubelet-rubber-stamp /kubelet-rubber-stamp
+COPY --from=builder /etc/passwd /etc/passwd
+
+USER 1001
 
 ENTRYPOINT ["/kubelet-rubber-stamp", "-logtostderr"]
diff --git a/deploy/operator.yaml b/deploy/operator.yaml
index 5a9cec8..6e89893 100644
--- a/deploy/operator.yaml
+++ b/deploy/operator.yaml
@@ -13,6 +13,8 @@ spec:
       labels:
         name: kubelet-rubber-stamp
     spec:
+      securityContext:
+        runAsUser: 1001
       serviceAccountName: kubelet-rubber-stamp
       tolerations:
       - effect: NoSchedule
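Review bot: `RUN useradd -u 1001 kubelet-rubber-stamp` on the builder's Debian base creates the account with a home directory and the distribution's default login shell, neither of which will exist in the scratch image, so the passwd entry that is later copied describes paths that are absent at runtime. Creating it as a system account with no home and no shell, `RUN useradd -u 1001 -r -M -s /sbin/nologin kubelet-rubber-stamp`, keeps the copied entry consistent with the final image. Debian's useradd presumably also creates a matching group in /etc/group, which the second hunk does not copy; if anything in the runtime ever needs to resolve the group by name, /etc/group should be copied alongside /etc/passwd.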
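Review bot: `COPY --from=builder /etc/passwd /etc/passwd` copies the builder's entire passwd file (root and every Debian system account) into the scratch image when only the uid 1001 entry is needed; writing that single line out in the builder stage, e.g. `RUN grep '^kubelet-rubber-stamp:' /etc/passwd > /tmp/passwd`, and copying /tmp/passwd to /etc/passwd keeps the runtime account list to the one account that actually runs. Using the numeric form `USER 1001` is the right choice here, since it lets the kubelet verify a non-root uid without name resolution. No /etc/group is copied, so the primary group only resolves numerically; that is harmless for a single static binary as far as this hunk shows, but worth a one-line comment above the COPY explaining why the passwd file is shipped at all.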
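Review bot: The pod-level `securityContext` pins the uid but does not declare the intent as a policy, so if `runAsUser` is later removed from the manifest the pod would quietly fall back to whatever the image sets; adding `runAsNonRoot: true` beneath `runAsUser: 1001` makes the kubelet reject a root uid at admission instead, and `runAsGroup: 1001` pins the primary gid that is otherwise left to the builder's defaults. Since the image is a single static binary on scratch, the container's own `securityContext` could also set `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` with no functional cost, assuming the binary writes nothing to its root filesystem — confirm against the code. The Deployment's container spec continues outside the hunk.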