run image as non-root user & add securitycontext values (#138)

ericpaulsen · web-flow · commit 736495d03c52 · 2025-10-03T13:58:49.000+01:00
* run image as non-root user &amp; add securitycontext values

* rm redundant comments
diff --git a/helm/templates/service.yaml b/helm/templates/service.yaml
@@ -98,6 +98,10 @@ spec:
       nodeSelector:
       {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- with .Values.podSecurityContext }}
+      podSecurityContext:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
       containers:
         - name: coder-logstream-kube
           image: "{{ .Values.image.repo }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
diff --git a/helm/values.yaml b/helm/values.yaml
@@ -92,12 +92,20 @@ labels: {}
 
 # securityContext -- Container-level security context
 # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-securityContext: {}
-  # allowPrivilegeEscalation: false
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 65532
+  runAsGroup: 65532
+  allowPrivilegeEscalation: false
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
   # seccompProfile:
   #   type: RuntimeDefault
+
+podSecurityContext: {}
+# Optional, only if your cluster requires group ownership for mounted volumes:
+# podSecurityContext:
+#   fsGroup: 65532
diff --git a/scripts/Dockerfile b/scripts/Dockerfile
@@ -1,4 +1,5 @@
 FROM --platform=$BUILDPLATFORM scratch AS base
 ARG TARGETARCH
-COPY ./coder-logstream-kube-${TARGETARCH} /coder-logstream-kube
+COPY --chmod=0555 ./coder-logstream-kube-${TARGETARCH} /coder-logstream-kube
+USER 65532:65532
 ENTRYPOINT ["/coder-logstream-kube"]
