GONRG-7392: use non-root user for images

devops/gc/deploy/templates/deploy-bootstrap.yaml

@@ -32,5 +32,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ printf "%s-bootstrap" .Values.conf.configmap | quote }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
       restartPolicy: Always
       serviceAccountName: {{ printf "%s-bootstrap" .Values.data.serviceAccountName | quote }}

devops/gc/deploy/templates/deploy.yaml

@@ -33,7 +33,7 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 0
+            runAsNonRoot: true
           ports:
             - containerPort: 8080
           resources:

provider/partition-gc/bootstrap/Dockerfile

 FROM alpine
-
 WORKDIR /opt
-
 COPY ./provider/partition-gc/bootstrap/ /opt/
-
 ENV PREFIX=$(pwd)
-
 RUN apk update && apk add \
     bash \
     curl \
     && chmod 775 bootstrap_partition.sh
-
+RUN addgroup -g 10001 -S nonroot \
+  && adduser -h /opt -G nonroot -S -u 10001 nonroot
+RUN chown -R 10001:10001 /opt
+USER 10001:10001
 CMD ["/bin/bash", "-c", "./bootstrap_partition.sh && sleep 365d"]

provider/partition-gc/cloudbuild/Dockerfile.cloudbuild

@@ -6,6 +6,10 @@ ARG PORT
 ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/partition-${PROVIDER_NAME}/target/partition-${PROVIDER_NAME}-*-spring-boot.jar partition-${PROVIDER_NAME}.jar
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/partition-${PROVIDER_NAME}.jar
-