Merge pull request #1 from max-rocket-internet/non_root

switching to use non-root user and read-only file system
max-rocket-internet · Jun 12, 2019 · 88a8bdb · 88a8bdb
2 parents f95958a + 917475b
commit 88a8bdb
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,9 +3,11 @@ WORKDIR /go/src/github.com/deliveryhero/k8s-event-logger
 COPY main.go .
 RUN go get -d -v ./...
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
-
+RUN adduser --disabled-login --no-create-home --disabled-password --system --uid 101 non-root
 FROM alpine:3.9.3
 RUN apk --no-cache add ca-certificates
-WORKDIR /root/
+WORKDIR /
 COPY --from=0 /go/src/github.com/deliveryhero/k8s-event-logger/main k8s-event-logger
-CMD ["/root/k8s-event-logger"]
+USER 101
+ENV USER non-root
+CMD ["/k8s-event-logger"]
diff --git a/chart/templates/deployment.yaml b/chart/templates/deployment.yaml
@@ -28,6 +28,9 @@ spec:
         - name: app
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
           env:
 {{- range $key, $value := .Values.env }}
           - name: {{ $key }}

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -1,6 +1,6 @@
 image:
   repository: tools4k8s/k8s-event-logger
-  tag: "1.2"
+  tag: "1.3"
   pullPolicy: IfNotPresent
 
 resources: