From 436890e63143f007ed6bb57ea1264c4a86090b64 Mon Sep 17 00:00:00 2001 From: "BordenIT, LLC Admin" <49888529+bordenit@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:10:26 -0500 Subject: [PATCH 1/3] make_more_secureish --- Dockerfile | 11 ++++++++++- .../charts/godaddy-webhook/templates/deployment.yaml | 10 ++++++++++ 2 files changed, 20 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index eb5f6b1..90e47c7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,5 +1,4 @@ FROM golang:1.20-alpine AS builder - WORKDIR /go/src/webhook-app COPY . . RUN --mount=type=cache,target=$HOME/go/pkg/mod go mod download @@ -9,9 +8,19 @@ ARG TARGETARCH RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /webhook-app -ldflags '-w -extldflags "-static"' . FROM alpine:3 +ENV USER=godaddyWebhook #also the group name +ENV UID=2050 +ENV GID=2050 + +RUN addgroup --system --gid ${GID} ${USER} + +RUN adduser --system --disabled-password --home /home/${USER} \ + --uid ${UID} --ingroup ${USER} ${USER} RUN apk add --no-cache git ca-certificates COPY --from=builder /webhook-app /usr/local/bin/webhook +RUN chown -R ${UID}:${GID} /usr/local/bin/webhook +USER ${UID} ENTRYPOINT ["webhook"] diff --git a/deploy/charts/godaddy-webhook/templates/deployment.yaml b/deploy/charts/godaddy-webhook/templates/deployment.yaml index debfdb5..071f17d 100644 --- a/deploy/charts/godaddy-webhook/templates/deployment.yaml +++ b/deploy/charts/godaddy-webhook/templates/deployment.yaml @@ -25,6 +25,16 @@ spec: - name: {{ .Chart.Name }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 2050 + runAsNonRoot: true + runAsUser: 2050 + seccompProfile: + type: RuntimeDefault args: - --tls-cert-file=/tls/tls.crt - --tls-private-key-file=/tls/tls.key From 3ac90d5b0a10b28317c6aef8ac773292cbe55b65 Mon Sep 17 00:00:00 2001 
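Review bot: The added `RUN chown -R ${UID}:${GID} /usr/local/bin/webhook` gives the runtime user write access to its own executable, which works against the point of dropping to a non-root user; a root-owned 0755 binary is already executable by UID 2050, so the line can simply be dropped (and if ownership were ever needed, `COPY --from=builder --chown=${UID}:${GID} …` would avoid the extra layer that a separate chown creates). Separately, `ENV USER`, `ENV UID` and `ENV GID` persist into the running container even though they are only consumed by the `addgroup`/`adduser` lines, and `USER` is a name most shells and tools already expect to hold the login name; declaring them as `ARG USER=godaddyWebhook`, `ARG UID=2050` and `ARG GID=2050` keeps them build-time only while still leaving `USER ${UID}` numeric so `runAsNonRoot` can be verified. The hunk-2 context lines are unchanged by this commit, but note that `FROM alpine:3` and the runtime `apk add git` predate it and are not addressed here.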
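Review bot: `runAsUser: 2050` and `runAsGroup: 2050` are hard-coded in the template while the same ids are declared independently in the Dockerfile, so the two can drift silently; rendering the block from values instead, e.g. `securityContext: {{- toYaml .Values.securityContext | nindent <container-level indent> }}` with the current settings as the chart defaults, keeps one place to change and lets operators override it. With a static binary running as an unprivileged user, `readOnlyRootFilesystem: true` would round out the hardening, but it is worth confirming first whether the webhook writes anything under its home directory at runtime, which this hunk does not show. The rest of the container spec (volumes, ports) is outside the hunk.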
From: "BordenIT, LLC Admin" <49888529+bordenit@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:15:18 -0500 Subject: [PATCH 2/3] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 90e47c7..43f31ef 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,7 +8,7 @@ ARG TARGETARCH RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /webhook-app -ldflags '-w -extldflags "-static"' . FROM alpine:3 -ENV USER=godaddyWebhook #also the group name +ENV USER=godaddyWebhook ENV UID=2050 ENV GID=2050 From ed436972eef3d4e3aed36b2ef3cf97370c1e8ff3 Mon Sep 17 00:00:00 2001 From: "BordenIT, LLC Admin" <49888529+bordenit@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:35:00 -0500 Subject: [PATCH 3/3] Update deployment.yaml --- .../godaddy-webhook/templates/deployment.yaml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/deploy/charts/godaddy-webhook/templates/deployment.yaml b/deploy/charts/godaddy-webhook/templates/deployment.yaml index 071f17d..9dc562f 100644 --- a/deploy/charts/godaddy-webhook/templates/deployment.yaml +++ b/deploy/charts/godaddy-webhook/templates/deployment.yaml @@ -26,15 +26,15 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" imagePullPolicy: {{ .Values.image.pullPolicy }} securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - runAsGroup: 2050 - runAsNonRoot: true - runAsUser: 2050 - seccompProfile: - type: RuntimeDefault + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + runAsGroup: 2050 + runAsNonRoot: true + runAsUser: 2050 + seccompProfile: + type: RuntimeDefault args: - --tls-cert-file=/tls/tls.crt - --tls-private-key-file=/tls/tls.key