Merge pull request #26 from barcostreams/run-as-non-root

Run as non-root and set security context
polarstreams · Sep 21, 2022 · 6e2e82e · 6e2e82e
2 parents 8e5fab0 + 3d1ddb1
commit 6e2e82e
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 0 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+/docs
+/build
diff --git a/build/container/Dockerfile b/build/container/Dockerfile
@@ -22,4 +22,13 @@ LABEL org.opencontainers.image.description="Lightweight, elastic, kubernetes-nat
 
 WORKDIR /work/
 COPY --from=builder /build/barco .
+
+RUN mkdir /var/lib/barco
+
+RUN chgrp -R 0 /var/lib/barco && \
+    chmod -R g=u /var/lib/barco && \
+    chown -R 1001:0 /var/lib/barco
+
+USER 1001
+
 CMD ["/work/barco"]
diff --git a/deploy/kubernetes/barco.yaml b/deploy/kubernetes/barco.yaml
@@ -101,6 +101,14 @@ spec:
       - name: barco
         image: barcostreams/barco:dev1
         imagePullPolicy: Always
+        securityContext:
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
         ports:
         - containerPort: 9250
           name: discovery