Merge pull request #20 from bork91/master

Make image run non-root
wacken89 · Oct 3, 2024 · fd4aa3d · fd4aa3d
2 parents 2301fcc + f874627
commit fd4aa3d
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,8 @@
 FROM python:3.8-slim
 
+RUN addgroup --gid 11000 app && \
+    adduser -uid 11001 --disabled-login -gid 11000 --home /code app
+
 COPY code /code
 RUN pip install --no-cache-dir -r /code/requirements.txt
 
@@ -8,4 +11,6 @@ ENV PYTHONPATH '/code/'
 
 EXPOSE 8000
 
+USER 11001
+
 CMD ["python" , "-u", "/code/exporter.py"]
diff --git a/deploy/helm-chart/values.yaml b/deploy/helm-chart/values.yaml
@@ -54,13 +54,15 @@ env:
 podSecurityContext: {}
   # fsGroup: 2000
 
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext: 
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsNonRoot: true
+  runAsUser: 11001
+  seccompProfile:
+    type: RuntimeDefault
 
 service:
   type: ClusterIP

diff --git a/deploy/kubernetes-manifest/kubernetes.yaml b/deploy/kubernetes-manifest/kubernetes.yaml
@@ -46,5 +46,14 @@ spec:
           limits:
             memory: "128Mi"
             cpu: "250m"
+        securityContext:
+          capabilities:
+            drop:
+            - ALL
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 11001
+          seccompProfile:
+            type: RuntimeDefault
         ports:
         - containerPort: 8000