Merge branch 'master' of https://community.opengroup.org/osdu/platform/system/indexer-service

684c6304 · Zhibin Mai · 4cf84301 · 59d71531 · 684c6304 · 684c6304
Commit 684c6304 authored 1 year ago by Zhibin Mai
--- a/devops/gc/deploy/templates/deployment.yaml
+++ b/devops/gc/deploy/templates/deployment.yaml
@@ -49,7 +49,7 @@ spec:
        {{- end }}
        securityContext:
          allowPrivilegeEscalation: false
-          runAsUser: 0
+          runAsNonRoot: true
        ports:
        - containerPort: 8080
        resources:

--- a/provider/indexer-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/indexer-gc/cloudbuild/Dockerfile.cloudbuild
 FROM azul/zulu-openjdk:8-latest
 WORKDIR /app
 ARG PROVIDER_NAME
 ENV PROVIDER_NAME $PROVIDER_NAME
 ARG PORT
 ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/indexer-${PROVIDER_NAME}/target/indexer-${PROVIDER_NAME}-*-spring-boot.jar indexer-${PROVIDER_NAME}.jar
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
 # Run the web service on container startup.
 CMD java -Djava.security.egd=indexer:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/indexer-${PROVIDER_NAME}.jar