setup user on docker image to run it as rootless

pkg/scaffold/project.go

@@ -191,6 +191,8 @@ func (p *V2Project) Scaffold() error {
 		&scaffoldv2.GoMod{},
 		&scaffoldv2.Makefile{Image: imgName},
 		&scaffoldv2.Dockerfile{},
+		&scaffoldv2.Entrypoint{},
+		&scaffoldv2.UserSetup{},
 		&scaffoldv2.Kustomize{},
 		&scaffoldv2.ManagerWebhookPatch{},
 		&scaffoldv2.ManagerRoleBinding{},

pkg/scaffold/v2/dockerfile.go

@@ -17,9 +17,17 @@ limitations under the License.
 package v2
 
 import (
+	"path/filepath"
 	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
 )
 
+const BuildDir       = "build"
+// Separator to statically create directories.
+const filePathSep = string(filepath.Separator)
+const BuildScriptDir = BuildDir + filePathSep + "bin"
+
+const DockerfileFile = "Dockerfile"
+
 var _ input.File = &Dockerfile{}
 
 // Dockerfile scaffolds a Dockerfile for building a main
@@ -30,7 +38,7 @@ type Dockerfile struct {
 // GetInput implements input.File
 func (c *Dockerfile) GetInput() (input.Input, error) {
 	if c.Path == "" {
-		c.Path = "Dockerfile"
+		c.Path = DockerfileFile
 	}
 	c.TemplateBody = dockerfileTemplate
 	return c.Input, nil
@@ -51,14 +59,30 @@ RUN go mod download
 COPY main.go main.go
 COPY api/ api/
 COPY controllers/ controllers/
+COPY build/ build/
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager main.go
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/base:latest
 WORKDIR /
 COPY --from=builder /workspace/manager .
-ENTRYPOINT ["/manager"]
-`
+COPY --from=builder /workspace/build .
+
+# Set env vars
+ENV OPERATOR=/manager \
+    USER_UID=1001 \
+    USER_NAME=manager
+
+# Setup the user 
+#RUN  bin/user_setup
+
+# Support Arbitrary User IDs
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+ENTRYPOINT ["bin/entrypoint"]
+
+# Start with the user
+USER ${USER_UID}`

pkg/scaffold/v2/entrypoint.go

@@ -0,0 +1,32 @@
+package v2
+
+import (
+	"path/filepath"
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+)
+
+const EntrypointFile = "entrypoint"
+
+// Entrypoint - entrypoint script
+type Entrypoint struct {
+	input.Input
+}
+
+func (e *Entrypoint) GetInput() (input.Input, error) {
+	if e.Path == "" {
+		e.Path = filepath.Join(BuildScriptDir, EntrypointFile)
+	}
+	e.TemplateBody = entrypointTmpl
+	return e.Input, nil
+}
+
+const entrypointTmpl = `#!/bin/sh -e
+# This is documented here:
+# https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
+if ! whoami &>/dev/null; then
+  if [ -w /etc/passwd ]; then
+    echo "${USER_NAME:-default}:x:$(id -u):$(id -g):${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+  fi
+fi
+exec ${OPERATOR} $@
+`

pkg/scaffold/v2/usersetup.go

@@ -0,0 +1,33 @@
+package v2
+
+import (
+	"path/filepath"
+	"sigs.k8s.io/kubebuilder/pkg/scaffold/input"
+)
+
+const UserSetupFile = "user_setup"
+
+// UserSetup - userSetup script
+type UserSetup struct {
+	input.Input
+}
+
+func (u *UserSetup) GetInput() (input.Input, error) {
+	if u.Path == "" {
+		u.Path = filepath.Join(BuildScriptDir, UserSetupFile)
+	}
+	u.TemplateBody = userSetupTmpl
+	return u.Input, nil
+}
+
+const userSetupTmpl = `#!/bin/sh
+set -x
+# ensure $HOME exists and is accessible by group 0 (we don't know what the runtime UID will be)
+mkdir -p ${HOME}
+chown ${USER_UID}:0 ${HOME}
+chmod ug+rwx ${HOME}
+# runtime user will need to be able to self-insert in /etc/passwd
+chmod g+rw /etc/passwd
+# no need for this script to remain in the image after running
+rm $0
+`