feat(Dockerfile): Run apline images as nonroot user

Signed-off-by: Mike Smith <10135646+mjsmith1028@users.noreply.github.com>
renovate-bot · May 26, 2022 · 6e633bd · 6e633bd
1 parent 85affb4
commit 6e633bd
Show file tree

Hide file tree

Showing 9 changed files with 100 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -11,4 +11,10 @@ RUN make install
 FROM alpine:3.16.0@sha256:686d8c9dfa6f3ccfc8230bc3178d23f84eeaf7e457f36f271ab1acc53015037c
 COPY --from=build /go/bin/metacontroller /usr/bin/metacontroller
 RUN apk update && apk add --no-cache ca-certificates
+
+# Run container as nonroot, use the same uid and naming convention as distroless images
+# See https://github.com/GoogleContainerTools/distroless/blob/0d757ece34cdc83a2148cea6c697e262c333cb84/base/base.bzl#L8
+RUN addgroup -g 65532 -S nonroot && adduser -D -u 65532 -g nonroot -S nonroot -G nonroot
+USER nonroot:nonroot
+
 CMD ["/usr/bin/metacontroller"]
diff --git a/Dockerfile.debug b/Dockerfile.debug
@@ -14,4 +14,10 @@ FROM alpine:3.16.0@sha256:686d8c9dfa6f3ccfc8230bc3178d23f84eeaf7e457f36f271ab1ac
 RUN apk update && apk add --no-cache ca-certificates
 COPY --from=build /go/bin/metacontroller /usr/bin/metacontroller
 COPY --from=build /go/bin/dlv /
+
+# Run container as nonroot, use the same uid and naming convention as distroless images
+# See https://github.com/GoogleContainerTools/distroless/blob/0d757ece34cdc83a2148cea6c697e262c333cb84/base/base.bzl#L8
+RUN addgroup -g 65532 -S nonroot && adduser -D -u 65532 -g nonroot -S nonroot -G nonroot
+USER nonroot:nonroot
+
 CMD ["/dlv", "--listen=:40000", "--headless=true", "--api-version=2", "exec", "/usr/bin/metacontroller"]
diff --git a/deploy/helm/metacontroller/ci/command-args-values.yaml b/deploy/helm/metacontroller/ci/command-args-values.yaml
@@ -21,15 +21,15 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # fsGroup: 65532
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
 
 resources: {}
   # limits:

diff --git a/deploy/helm/metacontroller/ci/debug-values.yaml b/deploy/helm/metacontroller/ci/debug-values.yaml
@@ -21,15 +21,15 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # fsGroup: 65532
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
 
 resources: {}
   # limits:

diff --git a/deploy/helm/metacontroller/ci/leader-election-values.yaml b/deploy/helm/metacontroller/ci/leader-election-values.yaml
@@ -21,15 +21,15 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # fsGroup: 65532
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
 
 resources: {}
   # limits:

diff --git a/deploy/helm/metacontroller/ci/rbac-aggregation-rule-values.yaml b/deploy/helm/metacontroller/ci/rbac-aggregation-rule-values.yaml
@@ -21,15 +21,16 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # fsGroup: 65532
+
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
 
 resources: {}
   # limits:

diff --git a/deploy/helm/metacontroller/ci/rbac-rules-values.yaml b/deploy/helm/metacontroller/ci/rbac-rules-values.yaml
@@ -21,15 +21,15 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # fsGroup: 65532
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
 
 resources: {}
   # limits:

diff --git a/deploy/helm/metacontroller/ci/security-context-values.yaml b/deploy/helm/metacontroller/ci/security-context-values.yaml
@@ -0,0 +1,75 @@
+rbac:
+  create: true
+
+image:
+  repository: metacontrollerio/metacontroller
+  pullPolicy: IfNotPresent
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+namespaceOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  create: true
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext:
+  fsGroup: 65532
+
+securityContext:
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 65532
+
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+# Command which is used to start metacontroller
+command: "/usr/bin/metacontroller"
+
+# Command arguments which are used to start metacontroller
+commandArgs:
+  - --zap-log-level=4
+  - --discovery-interval=20s
+  - --cache-flush-interval=30m
+
+# The name of the PriorityClass that will be assigned to metacontroller
+priorityClassName: ""
+
+clusterRole:
+  aggregationRule: {}
+  rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+
+replicas: 1
+
+# podDisruptionBudget which can be enabled when running more than one replica
+podDisruptionBudget: {}
+  # minAvailable: 1
+  # maxUnavailable: 0
diff --git a/deploy/helm/metacontroller/values.yaml b/deploy/helm/metacontroller/values.yaml
@@ -21,15 +21,15 @@ serviceAccount:
 podAnnotations: {}
 
 podSecurityContext: {}
-  # fsGroup: 2000
+  # fsGroup: 65532
 
 securityContext: {}
   # capabilities:
   #   drop:
   #   - ALL
   # readOnlyRootFilesystem: true
   # runAsNonRoot: true
-  # runAsUser: 1000
+  # runAsUser: 65532
 
 resources: {}
   # limits: