From 917475b40c158cdd2320552dbc194040fde53c04 Mon Sep 17 00:00:00 2001
From: Max Williams
Date: Wed, 12 Jun 2019 15:57:02 +0200
Subject: [PATCH] switching to use non-root user and read-only file system
---
 Dockerfile | 8 +++++---
 chart/templates/deployment.yaml | 3 +++
 chart/values.yaml | 2 +-
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d0014f1..459a142 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,9 +3,11 @@ WORKDIR /go/src/github.com/deliveryhero/k8s-event-logger
 COPY main.go .
 RUN go get -d -v ./...
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
-
+RUN adduser --disabled-login --no-create-home --disabled-password --system --uid 101 non-root
 FROM alpine:3.9.3
 RUN apk --no-cache add ca-certificates
-WORKDIR /root/
+WORKDIR /
 COPY --from=0 /go/src/github.com/deliveryhero/k8s-event-logger/main k8s-event-logger
-CMD ["/root/k8s-event-logger"]
+USER 101
+ENV USER non-root
+CMD ["/k8s-event-logger"]
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
index 8e1989c..8683b2b 100644
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -28,6 +28,9 @@ spec:
 - name: app
 image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
 imagePullPolicy: {{ .Values.image.pullPolicy }}
+securityContext:
+readOnlyRootFilesystem: true
+runAsNonRoot: true
 env:
 {{- range $key, $value := .Values.env }}
 - name: {{ $key }}
diff --git a/chart/values.yaml b/chart/values.yaml
index c579645..a567c1e 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,6 +1,6 @@
 image:
 repository: tools4k8s/k8s-event-logger
-tag: "1.2"
+tag: "1.3"
 pullPolicy: IfNotPresent
 
 resources:
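Review bot: The new `RUN adduser ... --uid 101 non-root` line sits in the build stage, above `FROM alpine:3.9.3`, so the account is never created in the runtime image; `USER 101` still works because a bare numeric UID needs no passwd entry, but `ENV USER non-root` then names an account that does not exist there and anything resolving the UID to a name will fail. The flags used (`--disabled-login`, `--system`, `--uid`) are the Debian `adduser` spelling, which presumably matches the builder base image (its `FROM` line is above the hunk), whereas alpine's busybox `adduser` takes `-D -H -S -u`. Drop the builder-stage line and create the user in the final stage instead, after the `apk add` line: `RUN adduser -D -H -S -u 101 non-root`. Keep `USER 101` numeric as it is: the chart's `runAsNonRoot: true` can only be verified by the kubelet for a numeric UID, and a named `USER` would make the pod fail to start.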
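Review bot: `runAsNonRoot: true` is enforced here from the image's `USER` instruction alone; pin it in the chart as well with `runAsUser: 101` next to it so a future image that switches `USER` back to root, or to a name the kubelet cannot verify, does not silently weaken or break the pod. While this block is being added, `allowPrivilegeEscalation: false` belongs with it for the same hardening goal. The values are hard-coded rather than read from `.Values`, which is inconsistent with the `image` fields on the lines above; consider exposing them under a `securityContext` value with these as defaults. Whether the binary writes anywhere on the root filesystem cannot be told from this hunk — confirm it only logs to stdout before relying on `readOnlyRootFilesystem: true`, or mount an `emptyDir` at the write path.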