From a60bae052e0e971154f47784138ffa15ace94349 Mon Sep 17 00:00:00 2001
From: "Yauheni  Rykhter (EPAM)" <yauheni_rykhter@epam.com>
Date: Fri, 30 Jun 2023 12:25:36 +0000
Subject: [PATCH] GONRG-7392: use non-root user for images

---
 devops/gc/deploy/templates/deployment.yaml          |  2 +-
 .../indexer-gc/cloudbuild/Dockerfile.cloudbuild     | 13 ++++++++++++-
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/devops/gc/deploy/templates/deployment.yaml b/devops/gc/deploy/templates/deployment.yaml
index fcb3a7d59..06855a6c7 100644
--- a/devops/gc/deploy/templates/deployment.yaml
+++ b/devops/gc/deploy/templates/deployment.yaml
@@ -49,7 +49,7 @@ spec:
         {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
-          runAsUser: 0
+          runAsNonRoot: true
         ports:
         - containerPort: 8080
         resources:
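Review bot: `runAsNonRoot: true` is only verifiable by the kubelet when the image's USER is numeric; the Dockerfile hunk in this same patch sets `USER 10001:10001`, so the check passes, but the pod spec should not rely on the image alone for its identity. Pinning it here with `runAsUser: 10001` and `runAsGroup: 10001` next to `runAsNonRoot: true` keeps the deployment's posture stable even if the Dockerfile's USER line is later changed or dropped. The enclosing securityContext block starts before the hunk, so other hardening fields may already be present there.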
diff --git a/provider/indexer-gc/cloudbuild/Dockerfile.cloudbuild b/provider/indexer-gc/cloudbuild/Dockerfile.cloudbuild
index e0d0005b0..3ebc13d39 100644
--- a/provider/indexer-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/indexer-gc/cloudbuild/Dockerfile.cloudbuild
@@ -1,11 +1,22 @@
 FROM azul/zulu-openjdk:8-latest
+
 WORKDIR /app
+
 ARG PROVIDER_NAME
 ENV PROVIDER_NAME $PROVIDER_NAME
+
 ARG PORT
 ENV PORT $PORT
+
 # Copy the jar to the production image from the builder stage.
 COPY provider/indexer-${PROVIDER_NAME}/target/indexer-${PROVIDER_NAME}-*-spring-boot.jar indexer-${PROVIDER_NAME}.jar
+
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+
+# Run as non-root user
+USER 10001:10001
+
 # Run the web service on container startup.
 CMD java -Djava.security.egd=indexer:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/indexer-${PROVIDER_NAME}.jar
-
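Review bot: `useradd -g 10001 -r -u 10001 nonroot` creates a system account whose home directory is never created, so once `USER 10001:10001` takes effect the JVM's `user.home` points at a missing path; if the application or a library writes there (caches, keystores, `.java` preferences), it will fail only at runtime. Giving the account an existing directory, `useradd -g 10001 -r -u 10001 -d /app nonroot`, avoids that, and the jar copied on the line above stays root-owned and read-only to the runtime user, which is the desired state and worth stating in the comment: `# Add a non-root user (numeric UID so runAsNonRoot can be verified); app files remain root-owned, read-only to it`. The shell-form CMD on the last context line is not changed by this patch, but note that it runs the JVM under `/bin/sh -c`, so the orchestrator's SIGTERM reaches the shell rather than java unless the form is switched to exec or `exec java …` is used.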
-- 
GitLab