From 553eaab3d7b2aad0f285771be34cd442697b8fe0 Mon Sep 17 00:00:00 2001
From: Yauheni Rykhter <yauheni_rykhter@epam.com>
Date: Thu, 29 Jun 2023 11:29:00 +0400
Subject: [PATCH] GONRG-7392: use non-root user for images

---
 devops/gc/deploy/templates/deployment.yaml                | 2 +-
 provider/notification-gc/cloudbuild/Dockerfile.cloudbuild | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/devops/gc/deploy/templates/deployment.yaml b/devops/gc/deploy/templates/deployment.yaml
index 3f22bdecc..71a8cb86e 100644
--- a/devops/gc/deploy/templates/deployment.yaml
+++ b/devops/gc/deploy/templates/deployment.yaml
@@ -38,7 +38,7 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 0
+            runAsNonRoot: true
           ports:
             - containerPort: 8080
           resources:
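Review bot: `runAsNonRoot: true` on its own only makes the kubelet refuse a container whose image USER is root or non-numeric; it does not pin which UID the pod runs as, so after this hunk the manifest depends entirely on the image's USER line. Adding `runAsUser: 10001` and `runAsGroup: 10001` beside it keeps the identity explicit in the deployment and still fails closed if a future base image drops the USER directive. The check only works because the Dockerfile in this same patch sets a numeric `USER 10001:10001`; a named user there would make the pod fail to start with a "container has runAsNonRoot and image has non-numeric user" error, which is worth a short comment next to `runAsNonRoot`.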
diff --git a/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild b/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild
index d9a1915cb..ed50fe0ed 100644
--- a/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/notification-gc/cloudbuild/Dockerfile.cloudbuild
@@ -6,5 +6,10 @@ ARG PORT
 ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/notification-${PROVIDER_NAME}/target/notification-${PROVIDER_NAME}-*-spring-boot.jar notification-${PROVIDER_NAME}.jar
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/notification-${PROVIDER_NAME}.jar
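Review bot: Once `USER 10001:10001` is in effect, the `-Dserver.port=${PORT}` in the CMD below can no longer bind a port under 1024, and `PORT` is an unvalidated build ARG from the hunk header, so the constraint should be stated where the user is created, e.g. `# Unprivileged UID: PORT must be >= 1024 (deployment uses 8080)`. The `# Run as non-root user` comment would be more useful as `# Numeric UID:GID so Kubernetes runAsNonRoot can verify the user without /etc/passwd`, since that is the reason for not writing `USER nonroot`. The `useradd` line leaves the default shell and creates no home directory; adding `-s /usr/sbin/nologin -d /nonexistent` is the usual hardening, unless the JVM needs a writable home here, which I cannot tell from the hunk. The jar in /app is copied root-owned before the switch, which is fine for execution but means any runtime writes into /app will now fail — confirm the service does not write there.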
-- 
GitLab