Merge pull request #983 from camilamacedo86/change-image

Setup user on docker image to run it as no root
kubernetes-sigs · Sep 19, 2019 · c7a28a2 · c7a28a2
2 parents 76963b3 + 7af89cb
commit c7a28a2
Show file tree

Hide file tree

Showing 7 changed files with 9 additions and 5 deletions.
diff --git a/pkg/scaffold/v2/dockerfile.go b/pkg/scaffold/v2/dockerfile.go
@@ -57,8 +57,10 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static:nonroot 
 WORKDIR /
 COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+
 ENTRYPOINT ["/manager"]
 `
diff --git a/pkg/scaffold/v2/main.go b/pkg/scaffold/v2/main.go
@@ -166,6 +166,7 @@ func main() {
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,
 		LeaderElection:     enableLeaderElection,
+		Port:               9443, 
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")

diff --git a/pkg/scaffold/v2/webhook/service.go b/pkg/scaffold/v2/webhook/service.go
@@ -48,7 +48,7 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager
 `
diff --git a/pkg/scaffold/v2/webhook_manager_patch.go b/pkg/scaffold/v2/webhook_manager_patch.go
@@ -47,7 +47,7 @@ spec:
       containers:
       - name: manager
         ports:
-        - containerPort: 443
+        - containerPort: 9443
           name: webhook-server
           protocol: TCP
         volumeMounts:

diff --git a/testdata/project-v2/config/default/manager_webhook_patch.yaml b/testdata/project-v2/config/default/manager_webhook_patch.yaml
@@ -9,7 +9,7 @@ spec:
       containers:
       - name: manager
         ports:
-        - containerPort: 443
+        - containerPort: 9443
           name: webhook-server
           protocol: TCP
         volumeMounts:

diff --git a/testdata/project-v2/config/webhook/service.yaml b/testdata/project-v2/config/webhook/service.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager
diff --git a/testdata/project-v2/main.go b/testdata/project-v2/main.go
@@ -58,6 +58,7 @@ func main() {
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,
 		LeaderElection:     enableLeaderElection,
+		Port:               9843,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")