From cb05b8b35da4787bc0f0b66488c811d8ce29c108 Mon Sep 17 00:00:00 2001
From: "Volodymyr Pienskoi [EPAM / GCP]" <volodymyr_pienskoi@epam.com>
Date: Fri, 30 Jun 2023 12:08:05 +0000
Subject: [PATCH] GONRG-3522: Run image as non-root user

---
 NOTICE | 2 +-
 build/gc/Dockerfile | 6 ++++++
 devops/gc/bootstrap-osdu-module/Dockerfile | 5 +++++
 devops/gc/deploy/templates/opa-deployment.yaml | 3 +++
 devops/gc/deploy/templates/policy-deployment-bootstrap.yaml | 3 +++
 devops/gc/deploy/templates/policy-deployment.yaml | 2 +-
 6 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/NOTICE b/NOTICE
index 5cc410b4..523e9ac4 100644
--- a/NOTICE
+++ b/NOTICE
@@ -103,7 +103,7 @@ The following software have components provided under the terms of this license:
 - coloredlogs (from https://coloredlogs.readthedocs.io)
 - coverage (from https://github.com/nedbat/coveragepy)
 - exceptiongroup (from https://pypi.org/project/exceptiongroup/1.0.1/, https://pypi.org/project/exceptiongroup/1.1.1/)
-- fastapi (from https://pypi.org/project/fastapi/0.86.0/, https://pypi.org/project/fastapi/0.97.0/)
+- fastapi (from https://pypi.org/project/fastapi/0.86.0/, https://pypi.org/project/fastapi/0.98.0/)
 - h11
 - humanfriendly (from https://humanfriendly.readthedocs.io)
 - iniconfig (from http://github.com/RonnyPfannschmidt/iniconfig, https://pypi.org/project/iniconfig/2.0.0/)
diff --git a/build/gc/Dockerfile b/build/gc/Dockerfile
index 3dabd586..6676f997 100644
--- a/build/gc/Dockerfile
+++ b/build/gc/Dockerfile
@@ -15,4 +15,10 @@ RUN pip install --no-cache-dir --upgrade -r /opt/requirements.txt
 # Admin UI POC tst
 #COPY ./frontend/adminui/dist/policyservice /opt/assets
 
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+ && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
+
 CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8080"]
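Review bot: The `USER 10001:10001` line is deliberately numeric and the comment above it should say why: the `runAsNonRoot: true` that this same patch adds to the deployment templates is checked by the kubelet against the image's USER when no `runAsUser` is set, and a name such as `USER nonroot` cannot be verified and fails the container at start-up. Suggest replacing `# Run as non-root user` with `# Run as non-root user; numeric UID:GID so Kubernetes runAsNonRoot can verify it (a username would fail the check)`. Unlike the bootstrap Dockerfile in this patch nothing under /opt is chowned here, so if uvicorn or the application writes anywhere under its install directory at runtime that will now fail with a permission error; presumably the tree is meant to stay root-owned and read-only, which is the safer choice, but confirm it.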
diff --git a/devops/gc/bootstrap-osdu-module/Dockerfile b/devops/gc/bootstrap-osdu-module/Dockerfile
index 1dd55602..ccc831b2 100644
--- a/devops/gc/bootstrap-osdu-module/Dockerfile
+++ b/devops/gc/bootstrap-osdu-module/Dockerfile
@@ -10,4 +10,9 @@ RUN apk add py3-pip wget
 RUN pip3 install -r /opt/requirements_bootstrap.txt -r /opt/devops/gc/bootstrap-osdu-module/requirements.txt
 RUN wget --quiet https://dl.min.io/client/mc/release/linux-amd64/mc && chmod +x mc && mv mc /usr/bin/mc
 
+RUN addgroup -g 10001 -S nonroot \
+ && adduser -h /opt -G nonroot -S -u 10001 nonroot
+RUN chown -R 10001:10001 /opt
+USER 10001:10001
+
 CMD ["/bin/bash", "-c", "/opt/bootstrap_policy.sh && sleep 365d"]
diff --git a/devops/gc/deploy/templates/opa-deployment.yaml b/devops/gc/deploy/templates/opa-deployment.yaml
index bbf29b0d..8f8ff5f9 100644
--- a/devops/gc/deploy/templates/opa-deployment.yaml
+++ b/devops/gc/deploy/templates/opa-deployment.yaml
@@ -66,6 +66,9 @@ spec:
 name: "{{ .Values.conf.minioSecretName }}"
 key: AWS_REGION
 {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
 volumes:
 - name: "{{ .Values.opa.conf.configmap }}"
 configMap:
diff --git a/devops/gc/deploy/templates/policy-deployment-bootstrap.yaml b/devops/gc/deploy/templates/policy-deployment-bootstrap.yaml
index 9e038892..227fb9bb 100644
--- a/devops/gc/deploy/templates/policy-deployment-bootstrap.yaml
+++ b/devops/gc/deploy/templates/policy-deployment-bootstrap.yaml
@@ -37,4 +37,7 @@ spec:
 - secretRef:
 name: "{{ .Values.conf.bootstrapSecretName }}"
 {{- end }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
 serviceAccountName: "{{ .Values.data.bootstrapServiceAccountName }}"
diff --git a/devops/gc/deploy/templates/policy-deployment.yaml b/devops/gc/deploy/templates/policy-deployment.yaml
index 4b4bada1..08bb0b39 100644
--- a/devops/gc/deploy/templates/policy-deployment.yaml
+++ b/devops/gc/deploy/templates/policy-deployment.yaml
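Review bot: `RUN chown -R 10001:10001 /opt` gives the runtime user ownership of everything under /opt, including `bootstrap_policy.sh` and the requirements files installed just above, which is wider than the non-root goal needs: the script and its inputs only have to be readable, so chown only the paths the bootstrap actually writes to and leave the code root-owned so a compromised process cannot rewrite it. A recursive chown in its own layer after the installs also copies the whole of /opt into a new image layer; `COPY --chown=10001:10001` at the point where these files are copied in (presumably earlier in the file, outside this hunk) avoids that. `adduser -h /opt` additionally makes /opt the user's home directory, so anything that writes to `$HOME` (pip caches, dotfiles) lands next to the bootstrap script; a dedicated home such as `/home/nonroot` keeps runtime state out of the code tree.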
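Review bot: `runAsNonRoot: true` is enforced by the kubelet at container start, so the OPA container will be refused (CreateContainerConfigError) unless the OPA image declares a numeric non-root USER or this securityContext also sets `runAsUser`; the image reference comes from values outside this hunk, so either pin an explicit `runAsUser: <uid>` here or confirm the referenced OPA image runs as a numeric non-root user. Because `allowPrivilegeEscalation` is only valid in a container-level securityContext, check that the rendered template places this block under the container and not the pod spec: the `{{- end }}` immediately above chomps preceding whitespace and indentation is not visible in the patch. The usual companion to these two fields is `capabilities:` with `drop: ["ALL"]` (two lines under the same key). The same points apply to the policy-deployment-bootstrap.yaml hunk below and the policy-deployment.yaml hunk in this patch.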
@@ -34,7 +34,7 @@ spec:
 {{- end }}
 securityContext:
 allowPrivilegeEscalation: false
- runAsUser: 0
+ runAsNonRoot: true
 ports:
 - containerPort: 8080
 resources:
--
GitLab
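Review bot: Replacing `runAsUser: 0` with `runAsNonRoot: true` leaves the pod spec asserting only that the user is not root; the UID that actually runs is now whatever the image's `USER 10001:10001` (added to build/gc/Dockerfile in this patch) says, so a future image that goes back to root is rejected at start-up, but a switch to some other UID passes unnoticed. If the deployment mounts anything the service must write to, an explicit `runAsUser: 10001` and `runAsGroup: 10001` next to `runAsNonRoot` (or `fsGroup` at pod level) pins the identity the volume permissions were prepared for and makes the manifest self-describing; the enclosing container spec continues outside the hunk, so it is not visible here whether such mounts exist.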