run as non-root

[apanzerj]

I'd like to be able to add the runAsNonRoot: true to my security context. This should make that work.

Kubernetes:

  securityContext:
    runAsUser: 1001
    runAsGroup: 1001

[apanzerj]

Now I just have to build this and test it

[apanzerj]

#14 0.214 container_linux.go:380: starting container process caused: exec: "/bin/sh": stat /bin/sh: no such file or directory

[apanzerj]

Note: https://medium.com/@lizrice/non-privileged-containers-based-on-the-scratch-image-a80105d6d341

[apanzerj]

Sweet! That builds:

➜  vouch-proxy git:(apanzerj/nonroot) docker build .
[+] Building 15.8s (16/16) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                                                                      0.0s
 => => transferring dockerfile: 1.00kB                                                                                                                                                                                                    0.0s
 => [internal] load .dockerignore                                                                                                                                                                                                         0.0s
 => => transferring context: 35B                                                                                                                                                                                                          0.0s
 => [internal] load metadata for docker.io/library/golang:1.16                                                                                                                                                                            0.6s
 => [builder 1/8] FROM docker.io/library/golang:1.16@sha256:c8b7bf9166093208456120876e51e9cb387b0523bddb9d8c0b33ff621347e26f                                                                                                              0.0s
 => [internal] load build context                                                                                                                                                                                                         0.0s
 => => transferring context: 12.36kB                                                                                                                                                                                                      0.0s
 => CACHED [builder 2/8] RUN mkdir -p /go/src/github.com/vouch/vouch-proxy                                                                                                                                                                0.0s
 => CACHED [builder 3/8] WORKDIR /go/src/github.com/vouch/vouch-proxy                                                                                                                                                                     0.0s
 => CACHED [builder 4/8] COPY . .                                                                                                                                                                                                         0.0s
 => [builder 5/8] RUN groupadd -g 1001 vouch &&     useradd -m vouch_user --uid=1001 --gid=1001                                                                                                                                           0.3s
 => [builder 6/8] RUN ./do.sh goget                                                                                                                                                                                                       9.6s
 => [builder 7/8] RUN ./do.sh gobuildstatic # see `do.sh` for vouch-proxy build details                                                                                                                                                   4.8s
 => [builder 8/8] RUN ./do.sh install                                                                                                                                                                                                     0.3s
 => CACHED [stage-1 1/3] COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt                                                                                                                        0.0s
 => [stage-1 2/3] COPY --from=builder /etc/passwd /etc/passwd                                                                                                                                                                             0.0s
 => [stage-1 3/3] COPY --from=builder /go/bin/vouch-proxy /vouch-proxy                                                                                                                                                                    0.0s
 => exporting to image                                                                                                                                                                                                                    0.1s
 => => exporting layers                                                                                                                                                                                                                   0.1s
 => => writing image sha256:de5a95e583c792dc39772cd6372efd1bf2fec63c1ac30b710fb3df7058bf8173

[apanzerj]

Container boots!

[apanzerj]

I have tested this in our own cluster using Okta Auth and it works.

[apanzerj]

fixes #442

[apanzerj]

@bnfinet when you have a moment, can I get a review?

[bnfinet]

thanks for the contribution @apanzerj

Could you please..

• add a CHANGELOG entry
• set the UID and GID from an ARG such as ARG UID=1001

[apanzerj]

@bnfinet I think that's what you want. Thank you for the very quick reply!

[apanzerj]

Also, if you need to inspect/run the image, I put it in a public repo on quay

https://quay.io/repository/apanzerj/vouchtest

[apanzerj]

@bnfinet when you have a moment, can I get another review? I think this is ready.

[bnfinet]

thanks @apanzerj

Could you please add ARG to Dockerfile as well.

This won't be merged until the aspects of upgrade I mentioned in #442 are accommodated.