From ef74fa35869b95ce1aaaae322801c10f5353627b Mon Sep 17 00:00:00 2001
From: Srinivas Boga
Date: Thu, 3 Oct 2024 18:26:09 +0000
Subject: [PATCH] Running gtoken as non-root user
---
 cmd/gtoken-webhook/Dockerfile | 10 ++++++++--
 cmd/gtoken/Dockerfile | 10 ++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/cmd/gtoken-webhook/Dockerfile b/cmd/gtoken-webhook/Dockerfile
index 0082dca..a0de999 100644
--- a/cmd/gtoken-webhook/Dockerfile
+++ b/cmd/gtoken-webhook/Dockerfile
@@ -33,6 +33,8 @@ RUN make
 # ------ get latest CA certificates
 #
 FROM alpine:3.15 as certs
+RUN addgroup -S -g 9000 gtoken
+RUN adduser -S -u 9000 -g 9000 gtoken
 RUN apk --update add ca-certificates
@@ -43,8 +45,12 @@ FROM scratch
 # copy CA certificates
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-
+# copy /etc.passwd and /etc/group
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
 # this is the last commabd since it's never cached
 COPY --from=build /go/src/gtoken-webhook/.bin/github.com/doitintl/gtoken-webhook /gtoken-webhook
-ENTRYPOINT ["/gtoken-webhook"]
\ No newline at end of file
+USER 9000:9000
+
+ENTRYPOINT ["/gtoken-webhook"]
diff --git a/cmd/gtoken/Dockerfile b/cmd/gtoken/Dockerfile
index 6e57e24..edfc7bf 100644
--- a/cmd/gtoken/Dockerfile
+++ b/cmd/gtoken/Dockerfile
@@ -34,6 +34,8 @@ RUN make
 # ------ get latest CA certificates
 #
 FROM alpine:3.15 as certs
+RUN addgroup -S -g 9000 gtoken
+RUN adduser -S -g 9000 -u 9000 gtoken
 RUN apk --update add ca-certificates
 # this is for debug only Alpine image
 COPY --from=build /go/src/gtoken/.bin/github.com/doitintl/gtoken /gtoken
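Review bot: In the added `RUN adduser -S -u 9000 -g 9000 gtoken`, `-g` is the GECOS field for the BusyBox adduser that alpine:3.15 ships, not the primary group; the group is selected with `-G`. Without `-G`, BusyBox adduser tries to create a group whose gid equals the uid, and gid 9000 was just taken by the preceding `addgroup -g 9000 gtoken`, so I would expect this step to abort with a "uid 9000 in use" error — please confirm with a build. The line should read `RUN adduser -S -u 9000 -G gtoken -H -D gtoken`, where `-H` skips creating /home/gtoken, a path that will not exist in the scratch image but would still be recorded in the copied passwd entry. The two RUNs can also be collapsed into one layer with `&&`.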
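Review bot: `COPY --from=certs /etc/passwd /etc/passwd` and the matching `/etc/group` copy ship Alpine's entire account database (root, daemon, nobody, and so on) into the scratch image, when the runtime only needs the single `gtoken` entry to make uid 9000 resolvable. Narrow it in the certs stage with `RUN grep '^gtoken:' /etc/passwd > /tmp/passwd && grep '^gtoken:' /etc/group > /tmp/group` and copy those two files instead, so the final image describes exactly one account. The added comment has a typo: `# copy /etc.passwd and /etc/group` should be `# copy /etc/passwd and /etc/group`. Using numeric `USER 9000:9000` rather than the name is the right call here, since Kubernetes `runAsNonRoot` can only verify a numeric uid.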
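Review bot: Same option mix-up as in the webhook Dockerfile: `-g 9000` sets GECOS in BusyBox adduser, so the primary group must be given as `-G gtoken` (`RUN adduser -S -u 9000 -G gtoken -H -D gtoken`), otherwise the build is likely to fail on the already-taken gid. Separately, the context line `# this is for debug only Alpine image` shows that the certs stage also receives the gtoken binary and presumably serves as a debug image target, yet the commit adds no `USER` to that stage, so that image still runs as root. Adding `USER 9000:9000` after the debug `COPY` in the certs stage would keep the two images consistent; it does not affect the later `COPY --from=certs` lines, which read the stage filesystem regardless of its user.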
@@ -46,8 +48,12 @@ FROM scratch
 # copy CA certificates
 COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-
+# copy /etc/passwd and /etc/group
+COPY --from=certs /etc/passwd /etc/passwd
+COPY --from=certs /etc/group /etc/group
 # this is the last commabd since it's never cached
 COPY --from=build /go/src/gtoken/.bin/github.com/doitintl/gtoken /gtoken
-ENTRYPOINT ["/gtoken"]
\ No newline at end of file
+USER 9000:9000
+
+ENTRYPOINT ["/gtoken"]
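Review bot: With `USER 9000:9000` now in effect, the write path of `/gtoken` needs a matching check that this commit does not make: if the binary writes its token file to a volume mounted into the container (as the tool's name suggests — confirm against the webhook's injection code), that mount must be writable by uid/gid 9000, which holds for an emptyDir but not for a root-owned hostPath or projected directory without `fsGroup` in the pod securityContext. As in the webhook image, the two `COPY --from=certs /etc/{passwd,group}` lines import Alpine's whole account list; copying only the `gtoken:` lines (e.g. `RUN grep '^gtoken:' /etc/passwd > /tmp/passwd` in the certs stage) keeps the scratch image to the one account it actually uses. The passwd entry copied here will also point at a /home/gtoken that the scratch image does not contain, so any code reading `$HOME` should not assume it exists.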