From 6dc5a4f193b560c3680731ed82ec0af0db76a97a Mon Sep 17 00:00:00 2001
From: Yauheni Rykhter <yauheni_rykhter@epam.com>
Date: Thu, 29 Jun 2023 11:30:16 +0400
Subject: [PATCH] GONRG-7392: use non-root user for images

---
 devops/gc/deploy/templates/deploy-bootstrap.yaml       | 3 +++
 devops/gc/deploy/templates/deploy.yaml                 | 2 +-
 provider/partition-gc/bootstrap/Dockerfile             | 9 ++++-----
 provider/partition-gc/cloudbuild/Dockerfile.cloudbuild | 6 +++++-
 4 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/devops/gc/deploy/templates/deploy-bootstrap.yaml b/devops/gc/deploy/templates/deploy-bootstrap.yaml
index d73892e20..28fa160e0 100644
--- a/devops/gc/deploy/templates/deploy-bootstrap.yaml
+++ b/devops/gc/deploy/templates/deploy-bootstrap.yaml
@@ -32,5 +32,8 @@ spec:
           envFrom:
             - configMapRef:
                 name: {{ printf "%s-bootstrap" .Values.conf.configmap | quote }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
       restartPolicy: Always
       serviceAccountName: {{ printf "%s-bootstrap" .Values.data.serviceAccountName | quote }}
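Review bot: `runAsNonRoot: true` on its own sets no UID; it only makes the kubelet verify the image's USER at start-up, and that verification fails (the pod never starts) if the image's USER is a name rather than a numeric UID, so this manifest now silently depends on the Dockerfile keeping `USER 10001:10001`. Pinning the identity here makes the contract explicit and survives a later image change: add `runAsUser: 10001` and `runAsGroup: 10001` under the new securityContext. Dropping capabilities is cheap while touching this block, `capabilities: { drop: ["ALL"] }`. The same applies to the deploy.yaml hunk, which swaps `runAsUser: 0` for the same bare `runAsNonRoot: true`.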
diff --git a/devops/gc/deploy/templates/deploy.yaml b/devops/gc/deploy/templates/deploy.yaml
index 15becaf11..1e875546d 100644
--- a/devops/gc/deploy/templates/deploy.yaml
+++ b/devops/gc/deploy/templates/deploy.yaml
@@ -33,7 +33,7 @@ spec:
           {{- end }}
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 0
+            runAsNonRoot: true
           ports:
             - containerPort: 8080
           resources:
diff --git a/provider/partition-gc/bootstrap/Dockerfile b/provider/partition-gc/bootstrap/Dockerfile
index b270902de..db30642df 100644
--- a/provider/partition-gc/bootstrap/Dockerfile
+++ b/provider/partition-gc/bootstrap/Dockerfile
@@ -1,14 +1,13 @@
 FROM alpine
-
 WORKDIR /opt
-
 COPY ./provider/partition-gc/bootstrap/ /opt/
-
 ENV PREFIX=$(pwd)
-
 RUN apk update && apk add \
     bash \
     curl \
     && chmod 775 bootstrap_partition.sh
-
+RUN addgroup -g 10001 -S nonroot \
+  && adduser -h /opt -G nonroot -S -u 10001 nonroot
+RUN chown -R 10001:10001 /opt
+USER 10001:10001
 CMD ["/bin/bash", "-c", "./bootstrap_partition.sh && sleep 365d"]
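Review bot: The separate `RUN chown -R 10001:10001 /opt` rewrites every file COPY'd into /opt in a new layer, so the image carries the bootstrap tree twice; numeric ownership does not require the account to exist yet, so the cheaper form is `COPY --chown=10001:10001 ./provider/partition-gc/bootstrap/ /opt/` on the existing COPY line (or folding the chown into the `RUN addgroup` instruction). If bootstrap_partition.sh only needs read and execute access, the chown may be unnecessary altogether — cannot tell from the hunk. The `FROM alpine` line is untagged and `ENV PREFIX=$(pwd)` stores the literal string rather than a path; both pre-date this change but are worth fixing in a hardening commit.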
diff --git a/provider/partition-gc/cloudbuild/Dockerfile.cloudbuild b/provider/partition-gc/cloudbuild/Dockerfile.cloudbuild
index 53f6b70bf..dbc4eaacb 100644
--- a/provider/partition-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/partition-gc/cloudbuild/Dockerfile.cloudbuild
@@ -6,6 +6,10 @@ ARG PORT
 ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/partition-${PROVIDER_NAME}/target/partition-${PROVIDER_NAME}-*-spring-boot.jar partition-${PROVIDER_NAME}.jar
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/partition-${PROVIDER_NAME}.jar
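Review bot: `useradd -g 10001 -r -u 10001 nonroot` leaves the account with the distribution's default login shell and a home of /home/nonroot that is never created; for an account that only runs the JVM, `useradd -g 10001 -r -u 10001 -M -s /usr/sbin/nologin nonroot` states the intent (use `/bin/false` if nologin is absent from the base image, whose FROM line is outside this hunk). The jar is copied as root before `USER` takes effect, so UID 10001 can read it only if the copied mode bits allow world read — presumably 644 from the Maven build, but worth confirming against the built image. Assuming /tmp is world-writable in the base, the JVM needs no writable /app directory for this CMD.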
-
-- 
GitLab