diff --git a/Dockerfile b/Dockerfile
index 74cbc4e545..905cdae165 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,4 +11,10 @@ RUN make install
 FROM alpine:3.16.0@sha256:686d8c9dfa6f3ccfc8230bc3178d23f84eeaf7e457f36f271ab1acc53015037c
 COPY --from=build /go/bin/metacontroller /usr/bin/metacontroller
 RUN apk update && apk add --no-cache ca-certificates
+
+# Run container as nonroot, use the same uid and naming convention as distroless images
+# See https://github.com/GoogleContainerTools/distroless/blob/0d757ece34cdc83a2148cea6c697e262c333cb84/base/base.bzl#L8
+RUN addgroup -g 65532 -S nonroot && adduser -D -u 65532 -g nonroot -S nonroot -G nonroot
+USER nonroot:nonroot
+
 CMD ["/usr/bin/metacontroller"]
diff --git a/Dockerfile.debug b/Dockerfile.debug
index c88fbec84a..91a8187105 100644
--- a/Dockerfile.debug
+++ b/Dockerfile.debug
@@ -14,4 +14,10 @@ FROM alpine:3.16.0@sha256:686d8c9dfa6f3ccfc8230bc3178d23f84eeaf7e457f36f271ab1ac
 RUN apk update && apk add --no-cache ca-certificates
 COPY --from=build /go/bin/metacontroller /usr/bin/metacontroller
 COPY --from=build /go/bin/dlv /
+
+# Run container as nonroot, use the same uid and naming convention as distroless images
+# See https://github.com/GoogleContainerTools/distroless/blob/0d757ece34cdc83a2148cea6c697e262c333cb84/base/base.bzl#L8
+RUN addgroup -g 65532 -S nonroot && adduser -D -u 65532 -g nonroot -S nonroot -G nonroot
+USER nonroot:nonroot
+
 CMD ["/dlv", "--listen=:40000", "--headless=true", "--api-version=2", "exec", "/usr/bin/metacontroller"]
diff --git a/deploy/helm/metacontroller/ci/command-args-values.yaml b/deploy/helm/metacontroller/ci/command-args-values.yaml
index 5d9152a057..f0ac9a31ac 100644
--- a/deploy/helm/metacontroller/ci/command-args-values.yaml
+++ b/deploy/helm/metacontroller/ci/command-args-values.yaml
@@ -21,7 +21,7 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 + # fsGroup: 65532 securityContext: {} # capabilities:
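Review bot: `USER nonroot:nonroot` in the Dockerfile hunk records the user by name only, so the image config carries no numeric UID; when a pod sets `securityContext.runAsNonRoot: true` without also setting `runAsUser`, the kubelet cannot verify that a symbolic user is non-root and refuses to start the container. That combination is reachable with this chart, since the default values.yaml keeps `runAsUser` commented out while inviting users to enable `runAsNonRoot`. The uid and gid are already fixed at 65532 by the addgroup/adduser step, so prefer the numeric form `USER 65532:65532`, which the kubelet can verify directly. The same applies to the identical addition in the Dockerfile.debug hunk.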
@@ -29,7 +29,7 @@ securityContext: {} # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # runAsUser: 65532 resources: {} # limits:
diff --git a/deploy/helm/metacontroller/ci/debug-values.yaml b/deploy/helm/metacontroller/ci/debug-values.yaml
index 398bf987ff..9b00bfbae2 100644
--- a/deploy/helm/metacontroller/ci/debug-values.yaml
+++ b/deploy/helm/metacontroller/ci/debug-values.yaml
@@ -21,7 +21,7 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 + # fsGroup: 65532 securityContext: {} # capabilities:
@@ -29,7 +29,7 @@ securityContext: {} # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # runAsUser: 65532 resources: {} # limits:
diff --git a/deploy/helm/metacontroller/ci/leader-election-values.yaml b/deploy/helm/metacontroller/ci/leader-election-values.yaml
index 3627ede111..eac4b1279d 100644
--- a/deploy/helm/metacontroller/ci/leader-election-values.yaml
+++ b/deploy/helm/metacontroller/ci/leader-election-values.yaml
@@ -21,7 +21,7 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 + # fsGroup: 65532 securityContext: {} # capabilities:
@@ -29,7 +29,7 @@ securityContext: {} # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # runAsUser: 65532 resources: {} # limits:
diff --git a/deploy/helm/metacontroller/ci/rbac-aggregation-rule-values.yaml b/deploy/helm/metacontroller/ci/rbac-aggregation-rule-values.yaml
index e4fda99f12..96762a0419 100644
--- a/deploy/helm/metacontroller/ci/rbac-aggregation-rule-values.yaml
+++ b/deploy/helm/metacontroller/ci/rbac-aggregation-rule-values.yaml
@@ -21,7 +21,8 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 + # fsGroup: 65532 + securityContext: {} # capabilities:
@@ -29,7 +30,7 @@ securityContext: {} # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # runAsUser: 65532 resources: {} # limits:
diff --git a/deploy/helm/metacontroller/ci/rbac-rules-values.yaml b/deploy/helm/metacontroller/ci/rbac-rules-values.yaml
index 19a3037e49..118b117fbf 100644
--- a/deploy/helm/metacontroller/ci/rbac-rules-values.yaml
+++ b/deploy/helm/metacontroller/ci/rbac-rules-values.yaml
@@ -21,7 +21,7 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 + # fsGroup: 65532 securityContext: {} # capabilities:
@@ -29,7 +29,7 @@ securityContext: {} # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # runAsUser: 65532 resources: {} # limits:
diff --git a/deploy/helm/metacontroller/ci/security-context-values.yaml b/deploy/helm/metacontroller/ci/security-context-values.yaml
new file mode 100644
index 0000000000..8bff0a7c9e
--- /dev/null
+++ b/deploy/helm/metacontroller/ci/security-context-values.yaml
@@ -0,0 +1,75 @@ +rbac: + create: true + +image: + repository: metacontrollerio/metacontroller + pullPolicy: IfNotPresent + tag: "" + +imagePullSecrets: [] +nameOverride: "" +namespaceOverride: "" +fullnameOverride: "" + +serviceAccount: + create: true + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + +podAnnotations: {} + +podSecurityContext: + fsGroup: 65532 + +securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 65532 + +resources: {} + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +# Command which is used to start metacontroller +command: "/usr/bin/metacontroller" + +# Command arguments which are used to start metacontroller +commandArgs: + - --zap-log-level=4 + - --discovery-interval=20s + - --cache-flush-interval=30m + +# The name of the PriorityClass that will be assigned to metacontroller +priorityClassName: "" + +clusterRole: + aggregationRule: {} + rules: + - apiGroups: + - "*" + resources: + - "*" + verbs: + - "*" + +replicas: 1 + +# podDisruptionBudget which can be enabled when running more than one replica +podDisruptionBudget: {} + # minAvailable: 1 + # maxUnavailable: 0
diff --git a/deploy/helm/metacontroller/values.yaml b/deploy/helm/metacontroller/values.yaml
index 57f82c2994..1dc289848a 100644
--- a/deploy/helm/metacontroller/values.yaml
+++ b/deploy/helm/metacontroller/values.yaml
@@ -21,7 +21,7 @@ serviceAccount: podAnnotations: {} podSecurityContext: {} - # fsGroup: 2000 + # fsGroup: 65532 securityContext: {} # capabilities:
@@ -29,7 +29,7 @@ securityContext: {} # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 + # runAsUser: 65532 resources: {} # limits:
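Review bot: The `securityContext` block in the new security-context-values.yaml drops all capabilities and sets `runAsNonRoot`/`runAsUser`, but leaves out `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}`, both of which the restricted Pod Security Standard requires; for a CI values file whose purpose is to exercise a hardened context, adding those two keys under `securityContext` makes the check cover the full profile. Setting `runAsGroup: 65532` next to `runAsUser` would also pin the GID explicitly instead of leaving it to the image's USER entry, which I assume is what the runtime falls back to here. The wildcard `clusterRole.rules` appear to mirror the chart's existing values files rather than being new to this hunk.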