Merge pull request #124 from andyzhangx/nonroot

fix: create nonroot user in Dockerfile
kubernetes-csi · Sep 30, 2020 · 341d133 · 341d133
2 parents 93873a8 + e5e0558
commit 341d133
Show file tree

Hide file tree

Showing 9 changed files with 17 additions and 3 deletions.
diff --git a/.github/workflows/darwin.yaml b/.github/workflows/darwin.yaml
@@ -1,4 +1,4 @@
-name: MacOS Unit Tests
+name: MacOS Build & Unit Test
 on:
   push:
     branches: [ master ]

diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -1,4 +1,4 @@
-name: Linux Unit tests
+name: Ubuntu Test
 on:
   push:
     branches: [ master ]

diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
@@ -1,4 +1,4 @@
-name: Windows Unit Tests
+name: Windows Build & Unit Test
 on:
   push:
     branches: [ master ]

diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-controller.yaml
@@ -90,6 +90,8 @@ spec:
           env:
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
+          securityContext:
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml b/charts/latest/csi-driver-smb/templates/csi-smb-node.yaml
@@ -100,6 +100,7 @@ spec:
                   fieldPath: spec.nodeName
           securityContext:
             privileged: true
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/deploy/csi-smb-controller.yaml b/deploy/csi-smb-controller.yaml
@@ -86,6 +86,8 @@ spec:
           env:
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
+          securityContext:
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/deploy/csi-smb-node.yaml b/deploy/csi-smb-node.yaml
@@ -96,6 +96,7 @@ spec:
                   fieldPath: spec.nodeName
           securityContext:
             privileged: true
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

diff --git a/pkg/smbplugin/Dockerfile b/pkg/smbplugin/Dockerfile
@@ -25,5 +25,9 @@ RUN clean-install ca-certificates cifs-utils util-linux e2fsprogs mount udev xfs
 LABEL maintainers="andyzhangx"
 LABEL description="SMB CSI Driver"
 
+# Create a nonroot user
+RUN useradd -u 10001 nonroot
+USER nonroot
+
 COPY ./_output/smbplugin /smbplugin
 ENTRYPOINT ["/smbplugin"]
diff --git a/pkg/smbplugin/dev.Dockerfile b/pkg/smbplugin/dev.Dockerfile
@@ -17,5 +17,9 @@ RUN apt-get update && apt-get install -y ca-certificates cifs-utils util-linux e
 LABEL maintainers="andyzhangx"
 LABEL description="SMB CSI Driver"
 
+# Create a nonroot user
+RUN useradd -u 10001 nonroot
+USER nonroot
+
 COPY ./_output/smbplugin /smbplugin
 ENTRYPOINT ["/smbplugin"]