Merge pull request #32 from jchauncey/run-as-nonroot

feat(Dockerfile): Run as nonroot user
kubernetes-sigs · Jun 4, 2020 · 5bfe3a1 · 5bfe3a1
2 parents 33ef516 + fc984f0
commit 5bfe3a1
Showing 1 changed file with 6 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -30,20 +30,21 @@ RUN echo "Building for $GOARCH" \
     && ln -sf `pwd` ${GOPATH}/src/github.com/kubernetes-sigs/dashboard-metrics-scraper \
     && GOARCH=${GOARCH} hack/build.sh 
 
+# Create a nonroot user for final image
+RUN useradd -u 10001 nonroot 
+
 # Final stage: the running container.
 FROM scratch AS final
 
-# Import the Certificate-Authority certificates for enabling HTTPS.
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-
 # Import the compiled executable from the second stage.
 COPY --from=builder /metrics-sidecar /metrics-sidecar
 
-# We need a tmp folder too
-COPY --from=builder /tmp /tmp
+# Copy nonroot user
+COPY --from=builder /etc/passwd /etc/passwd
 
 # Declare the port on which the webserver will be exposed.
 EXPOSE 8080
+USER nonroot
 
 # Run the compiled binary.
 ENTRYPOINT ["/metrics-sidecar"]