From 4332a49abe2dc5d129985514738146865c94fa0b Mon Sep 17 00:00:00 2001
From: andyzhangx
Date: Tue, 29 Sep 2020 14:37:24 +0000
Subject: [PATCH] fix: create nonroot user in Dockerfile
---
 .../latest/blob-csi-driver/templates/csi-blob-controller.yaml | 2 ++
 charts/latest/blob-csi-driver/templates/csi-blob-node.yaml | 1 +
 deploy/csi-blob-controller.yaml | 2 ++
 deploy/csi-blob-node.yaml | 1 +
 pkg/blobplugin/Dockerfile | 4 ++++
 pkg/blobplugin/dev.Dockerfile | 4 ++++
 6 files changed, 14 insertions(+)
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
index 1e3792a96..a9c989398 100644
--- a/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
+++ b/charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml
@@ -96,6 +96,8 @@ spec:
 - name: CSI_ENDPOINT
 value: unix:///csi/csi.sock
 imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
+ securityContext:
+ runAsUser: 0
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
index 968fe0dee..2e2b18a72 100644
--- a/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
+++ b/charts/latest/blob-csi-driver/templates/csi-blob-node.yaml
@@ -106,6 +106,7 @@ spec:
 imagePullPolicy: {{ .Values.image.pullPolicy }}
 securityContext:
 privileged: true
+ runAsUser: 0
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/deploy/csi-blob-controller.yaml b/deploy/csi-blob-controller.yaml
index bfd337f6b..409509654 100644
--- a/deploy/csi-blob-controller.yaml
+++ b/deploy/csi-blob-controller.yaml
@@ -93,6 +93,8 @@ spec:
 optional: true
 - name: CSI_ENDPOINT
 value: unix:///csi/csi.sock
+ securityContext:
+ runAsUser: 0
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/deploy/csi-blob-node.yaml b/deploy/csi-blob-node.yaml
index 1927cf23e..0b412a714 100644
--- a/deploy/csi-blob-node.yaml
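Review bot: The new `securityContext: runAsUser: 0` on the controller's blob container overrides the `USER nonroot` that this same patch adds to pkg/blobplugin/Dockerfile, so the chart keeps running the controller as root and the image's non-root default only applies outside these manifests. This container is not privileged and, from the hunk, only needs the CSI socket under /csi, so unless the controller code path genuinely requires root (not visible here; worth confirming) the override should be dropped, or at least exposed as a chart value rather than hard-coded. If root is required, say why above the new lines, e.g. `# runs as root on purpose: overrides USER nonroot from pkg/blobplugin/Dockerfile because <reason>`. The container spec this hunk patches starts outside the hunk.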
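Review bot: `runAsUser: 0` is added beside `privileged: true` with no comment explaining why root is needed on top of privileged. `privileged` grants capabilities but does not change the UID, so with the image's new `USER nonroot` the node plugin would otherwise start as UID 10001 and presumably fail on root-owned host paths and mounts; that rationale should be recorded in the manifest, e.g. `# node plugin mounts on the host and must run as UID 0; overrides USER nonroot from pkg/blobplugin/Dockerfile`. The enclosing container spec starts outside the hunk.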
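Review bot: The static manifest mirrors the chart and pins the controller container to `runAsUser: 0`, which cancels the non-root default the Dockerfile in this patch introduces. The controller is unprivileged and only mounts the CSI socket in this hunk, so the override looks unnecessary unless a controller-side root requirement exists that is not visible here; if it does, document it, e.g. `# overrides USER nonroot from pkg/blobplugin/Dockerfile: <reason>`, and keep deploy/ and the chart in sync on whatever is decided. The container spec starts outside the hunk.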
+++ b/deploy/csi-blob-node.yaml
@@ -104,6 +104,7 @@ spec:
 fieldPath: spec.nodeName
 securityContext:
 privileged: true
+ runAsUser: 0
 volumeMounts:
 - mountPath: /csi
 name: socket-dir
diff --git a/pkg/blobplugin/Dockerfile b/pkg/blobplugin/Dockerfile
index d10f0bffd..93e215372 100644
--- a/pkg/blobplugin/Dockerfile
+++ b/pkg/blobplugin/Dockerfile
@@ -30,4 +30,8 @@ RUN apt update && apt install nfs-common nfs-kernel-server -y || true
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"
+# Create a nonroot user
+RUN useradd -u 10001 nonroot
+USER nonroot
+
 ENTRYPOINT ["/blobplugin"]
diff --git a/pkg/blobplugin/dev.Dockerfile b/pkg/blobplugin/dev.Dockerfile
index 93e7a998e..3b4972e46 100644
--- a/pkg/blobplugin/dev.Dockerfile
+++ b/pkg/blobplugin/dev.Dockerfile
@@ -18,5 +18,9 @@ RUN dpkg -i /tmp/packages-microsoft-prod.deb && apt-get update && apt-get instal
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"
+# Create a nonroot user
+RUN useradd -u 10001 nonroot
+USER nonroot
+
 COPY ./_output/blobplugin /blobplugin
 ENTRYPOINT ["/blobplugin"]
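Review bot: As in the chart, `runAsUser: 0` lands next to `privileged: true` without a reason, and `privileged` alone would not prevent the container from starting as the image's new UID 10001. A one-line comment above the new line, e.g. `# host mounts require UID 0; overrides USER nonroot from pkg/blobplugin/Dockerfile`, keeps the next reader from "fixing" it back to non-root. The enclosing container spec starts outside the hunk.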
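Review bot: `useradd -u 10001 nonroot` creates an ordinary login account with a home directory under /home and the default shell, none of which the plugin binary needs; `RUN useradd -u 10001 --no-create-home --shell /usr/sbin/nologin nonroot` gives the same UID with less surface. Note also that every Kubernetes manifest in this patch sets `runAsUser: 0`, so `USER nonroot` changes only the image's default for ad-hoc runs and does not make the deployed driver non-root; the comment should say so to avoid overstating the hardening: `# Default to a non-root user; the Kubernetes manifests override this with runAsUser: 0`. The /blobplugin binary copied earlier in this file (outside the hunk) must be executable by the new user for the ENTRYPOINT to work under this default.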
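Review bot: `USER nonroot` is placed before `COPY ./_output/blobplugin /blobplugin`, and COPY runs as root regardless of USER, so the binary is installed root-owned with whatever mode the build output has; if that output is not world-executable the image fails to start under the new default user. Either keep the mode explicit or write `COPY --chown=nonroot:nonroot ./_output/blobplugin /blobplugin`, and apply the same `--no-create-home --shell /usr/sbin/nologin` flags here as in the release Dockerfile so the two images define the user identically.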