From 7af89cb00c224c57ece37dc14ea37caf1eb769db Mon Sep 17 00:00:00 2001
From: Camila Macedo
Date: Tue, 10 Sep 2019 21:24:08 +0100
Subject: [PATCH] Setup user on docker image to run it as no root by using gcr.io/distroless/static:nonroot and the targetPort 9843 for webhoocks

---
 pkg/scaffold/v2/dockerfile.go | 4 +++-
 pkg/scaffold/v2/main.go | 1 +
 pkg/scaffold/v2/webhook/service.go | 2 +-
 pkg/scaffold/v2/webhook_manager_patch.go | 2 +-
 testdata/project-v2/config/default/manager_webhook_patch.yaml | 2 +-
 testdata/project-v2/config/webhook/service.yaml | 2 +-
 testdata/project-v2/main.go | 1 +
 7 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/pkg/scaffold/v2/dockerfile.go b/pkg/scaffold/v2/dockerfile.go
index 179a7c2cd5a..161ed9dca5c 100644
--- a/pkg/scaffold/v2/dockerfile.go
+++ b/pkg/scaffold/v2/dockerfile.go
@@ -57,8 +57,10 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static:nonroot
 WORKDIR /
 COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+
 ENTRYPOINT ["/manager"]
 `
diff --git a/pkg/scaffold/v2/main.go b/pkg/scaffold/v2/main.go
index 3716ed2175b..4ed6561de1a 100644
--- a/pkg/scaffold/v2/main.go
+++ b/pkg/scaffold/v2/main.go
@@ -166,6 +166,7 @@ func main() {
 Scheme: scheme,
 MetricsBindAddress: metricsAddr,
 LeaderElection: enableLeaderElection,
+ Port: 9443,
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
diff --git a/pkg/scaffold/v2/webhook/service.go b/pkg/scaffold/v2/webhook/service.go
index fd754936049..012bb8a83ba 100644
--- a/pkg/scaffold/v2/webhook/service.go
+++ b/pkg/scaffold/v2/webhook/service.go
@@ -48,7 +48,7 @@ metadata:
 spec:
 ports:
 - port: 443
- targetPort: 443
+ targetPort: 9443
 selector:
 control-plane: controller-manager
 `
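Review bot: The new `FROM gcr.io/distroless/static:nonroot` line swaps one floating tag for another, so the base image every scaffolded project is built on can still change underneath it with no change to the Dockerfile; pinning the tag by digest (`FROM gcr.io/distroless/static:nonroot@sha256:<digest-placeholder>`) would make the non-root base reproducible, though the digest has to be looked up since it is not on this page. The added `USER nonroot:nonroot` is also the reason the webhook port moves off 443 in the other files of this patch, but nothing in the template records that coupling; a comment above it such as `# Run as the unprivileged nonroot user; the manager therefore listens on an unprivileged port (see Port in main.go and targetPort in the webhook Service)` would keep the two from drifting. The raw-string template this hunk edits starts outside the hunk.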
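Review bot: `Port: 9443,` is a bare magic number that has to agree with `targetPort` in the webhook Service template and `containerPort` in the manager patch template, and nothing in the generated main.go says so. A trailing comment on the added line, `Port: 9443, // webhook server port; must match targetPort in config/webhook/service.yaml and containerPort in config/default/manager_webhook_patch.yaml (unprivileged because the image runs as nonroot)`, would at least document the coupling for whoever edits one of the three later. Deriving all three from a single scaffold constant would be better still, but that is beyond this hunk; main's body continues outside it.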
diff --git a/pkg/scaffold/v2/webhook_manager_patch.go b/pkg/scaffold/v2/webhook_manager_patch.go
index 9025c6e456f..df5de84efbe 100644
--- a/pkg/scaffold/v2/webhook_manager_patch.go
+++ b/pkg/scaffold/v2/webhook_manager_patch.go
@@ -47,7 +47,7 @@ spec:
 containers:
 - name: manager
 ports:
- - containerPort: 443
+ - containerPort: 9443
 name: webhook-server
 protocol: TCP
 volumeMounts:
diff --git a/testdata/project-v2/config/default/manager_webhook_patch.yaml b/testdata/project-v2/config/default/manager_webhook_patch.yaml
index f2f7157b464..738de350b71 100644
--- a/testdata/project-v2/config/default/manager_webhook_patch.yaml
+++ b/testdata/project-v2/config/default/manager_webhook_patch.yaml
@@ -9,7 +9,7 @@ spec:
 containers:
 - name: manager
 ports:
- - containerPort: 443
+ - containerPort: 9443
 name: webhook-server
 protocol: TCP
 volumeMounts:
diff --git a/testdata/project-v2/config/webhook/service.yaml b/testdata/project-v2/config/webhook/service.yaml
index b4861025ab4..31e0f829591 100644
--- a/testdata/project-v2/config/webhook/service.yaml
+++ b/testdata/project-v2/config/webhook/service.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
 ports:
 - port: 443
- targetPort: 443
+ targetPort: 9443
 selector:
 control-plane: controller-manager
diff --git a/testdata/project-v2/main.go b/testdata/project-v2/main.go
index 0b040421298..202379885c0 100644
--- a/testdata/project-v2/main.go
+++ b/testdata/project-v2/main.go
@@ -58,6 +58,7 @@ func main() {
 Scheme: scheme,
 MetricsBindAddress: metricsAddr,
 LeaderElection: enableLeaderElection,
+ Port: 9843,
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
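Review bot: `Port: 9843,` in testdata/project-v2/main.go does not match the `Port: 9443,` the scaffold template in pkg/scaffold/v2/main.go now emits, nor the `targetPort: 9443` and `containerPort: 9443` this same patch writes into the testdata Service and manager patch, so the manager in the test project would listen on a port that nothing routes webhook traffic to, and the testdata no longer mirrors scaffold output. The added line should read `Port: 9443,`; the commit subject carries the same 9843 transposition. main's body continues outside the hunk.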