[GONRG-7391] Move image to non-root approach

1b8824e8 · Danylo Vanin (EPAM) · Mikhail Piatliou (EPAM) · 6cc3815d · 1b8824e8 · 1b8824e8
Commit 1b8824e8 authored 1 year ago by Danylo Vanin (EPAM) Committed by Mikhail Piatliou (EPAM) 1 year ago
--- a/devops/gc/deploy/templates/unit-deploy.yml
+++ b/devops/gc/deploy/templates/unit-deploy.yml
@@ -30,7 +30,7 @@ spec:
            name: {{ .Values.conf.configmap | quote }}
        securityContext:
          allowPrivilegeEscalation: false
-          runAsUser: 0
+          runAsNonRoot: true
        ports:
        - containerPort: 8080
        resources:

--- a/provider/unit-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/unit-gc/cloudbuild/Dockerfile.cloudbuild
@@ -5,5 +5,12 @@ ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/unit-gc/unit-gke/target/unit-gke-*.jar unit.jar
 COPY data/unit_catalog_v2.json /mnt/unit_catalogs/unit_catalog_v2.json
+
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
+
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/unit.jar