From 8727d97ac67eb8ce251cc4c4325acce60bf9c955 Mon Sep 17 00:00:00 2001
From: Aananth K
Date: Fri, 30 Aug 2019 14:57:07 +0530
Subject: [PATCH] Run containers using Non Privileged user

This Commit,
- runs botkube containers as Non Privileged user
- adds `securityContext` filed to containers in all yaml files.
- adds `securityContext` fields to helm charts
---
 build/Dockerfile | 7 +++++++
 deploy-all-in-one-tls.yaml | 4 ++++
 deploy-all-in-one.yaml | 4 ++++
 helm/botkube/templates/deployment.yaml | 6 ++++++
 helm/botkube/values.yaml | 6 ++++++
 5 files changed, 27 insertions(+)

diff --git a/build/Dockerfile b/build/Dockerfile
index e3023a08c..dd7a66cbe 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -29,6 +29,13 @@ RUN apk add --no-cache ca-certificates bash git \
 # Production image
 FROM alpine:3.10
+# Create Non Privilaged user
+RUN groupadd -g 101 botkube && \
+ useradd -r -u 101 -g botkube botkube
+
+# Run as Non Privilaged user
+USER botkube
+
 COPY --from=BUILD-ENV /go/bin/botkube /go/bin/botkube
 COPY --from=BUILD-ENV /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=BUILD-ENV /usr/local/bin/kubectl /usr/local/bin/kubectl
diff --git a/deploy-all-in-one-tls.yaml b/deploy-all-in-one-tls.yaml
index 9852fd906..66f538861 100644
--- a/deploy-all-in-one-tls.yaml
+++ b/deploy-all-in-one-tls.yaml
@@ -319,3 +319,7 @@ spec:
 - name: certs
 secret:
 secretName: botkube-secret
+ # run as non privilaged user
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
diff --git a/deploy-all-in-one.yaml b/deploy-all-in-one.yaml
index b564981e8..30e3e983d 100644
--- a/deploy-all-in-one.yaml
+++ b/deploy-all-in-one.yaml
@@ -305,3 +305,7 @@ spec:
 - name: config-volume
 configMap:
 name: botkube-configmap
+ # run as non privilaged user
+ securityContext:
+ runAsUser: 101
+ runAsGroup: 101
\ No newline at end of file
diff --git a/helm/botkube/templates/deployment.yaml b/helm/botkube/templates/deployment.yaml
index 7d163a953..809392ad2 100644
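Review bot: `groupadd` and `useradd` do not exist in `alpine:3.10` (they ship in the `shadow` package, which this production stage never installs), so the `RUN` added right after `FROM alpine:3.10` fails the image build. Use the busybox equivalents: `RUN addgroup -g 101 -S botkube && adduser -S -D -H -u 101 -G botkube botkube`. Prefer the numeric form `USER 101` over `USER botkube`; a pod with `runAsNonRoot: true` and no explicit `runAsUser` is refused by the kubelet when the image user is a name rather than a number. The `COPY` lines that follow `USER` still execute as root and leave the copied files root-owned and world-readable, which is acceptable here because nothing needs to write to them.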
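Review bot: The new `securityContext` fixes the UID/GID but does not set `runAsNonRoot: true`, so an operator who later edits `runAsUser` to `0` or deletes the key is still admitted and runs the bot, together with its bundled `kubectl`, as root; add `runAsNonRoot: true` beside `runAsUser: 101`. The block appears to be the pod-level context since it follows `volumes:` (indentation is not recoverable from this listing); that is fine because containers inherit it, but container-only hardening such as `allowPrivilegeEscalation: false` must go under the container entry, which is outside this hunk. Note that UID 101 is a contract with the image build and nothing in the manifest validates it.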
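Review bot: `runAsGroup` is enabled by default only from Kubernetes 1.14 (the `RunAsGroup` feature gate); on older clusters the API server drops the field silently and the process keeps whatever primary group the runtime derives for UID 101, so state the requirement next to the field, e.g. `# runAsGroup needs Kubernetes >= 1.14 (RunAsGroup feature gate); ignored on older clusters`. As with the TLS manifest, adding `runAsNonRoot: true` here would make the kubelet reject a root override instead of honouring it. The hunk also drops the file's trailing newline (`\ No newline at end of file`), which yamllint flags, and the comment's "privilaged" should read "privileged".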
--- a/helm/botkube/templates/deployment.yaml
+++ b/helm/botkube/templates/deployment.yaml
@@ -57,3 +57,9 @@ spec:
 secret:
 secretName: {{ include "botkube.fullname" . }}-secret
 {{ end }}
+ {{- if .Values.securityContext }}
+ securityContext:
+ runAsUser: {{ .Values.securityContext.runAsUser }}
+ runAsGroup: {{ .Values.securityContext.runAsGroup }}
+ {{ end }}
+
diff --git a/helm/botkube/values.yaml b/helm/botkube/values.yaml
index 88861a238..34521aae2 100644
--- a/helm/botkube/values.yaml
+++ b/helm/botkube/values.yaml
@@ -14,6 +14,12 @@ image:
 nameOverride: ""
 fullnameOverride: ""
+# Configure securityContext to manage user Privileges in pods
+# set to run as a Non-Privileged user by default
+securityContext:
+ runAsUser: 101
+ runAsGroup: 101
+
 # set one of the log levels- info, warn, debug, error, fatal, panic
 logLevel: info
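Review bot: The template forwards only `runAsUser` and `runAsGroup` and reads both unconditionally once `.Values.securityContext` is truthy, so a values override that supplies just one of them renders the other as an empty value or `<no value>` (depending on the Helm version), which the API server rejects, while extra hardening keys such as `runAsNonRoot` or `fsGroup` are silently ignored. Emitting the whole map with `toYaml` keeps the shipped defaults working and lets chart users add any PodSecurityContext field; using `with` also removes the stray blank line the current `{{ end }}` leaves in the rendered manifest. The indentation below must match the `volumes:` key of the pod spec, which this listing does not preserve; the enclosing pod spec starts before this hunk.
```yaml
      {{- with .Values.securityContext }}
      securityContext:
        {{- toYaml . | nindent 8 }}
      {{- end }}
```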
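Review bot: The new comment does not say that `101` is a contract with the image rather than an arbitrary choice; if a chart user changes it to an id the image does not define, the process runs as a uid with no passwd entry. Suggested wording above `runAsUser`: `# Must match the uid/gid of the botkube user created in build/Dockerfile.` Consider also shipping `runAsNonRoot: true` in these defaults so that overriding `runAsUser` to `0` is refused by the kubelet instead of silently granting root; that only has effect if the deployment template forwards the whole `securityContext` map rather than the two named keys.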