From 54b4ece8a0cae7d9efe8de7c26146237d8fe2432 Mon Sep 17 00:00:00 2001
From: Yauheni Rykhter <yauheni_rykhter@epam.com>
Date: Thu, 29 Jun 2023 11:34:24 +0400
Subject: [PATCH] GONRG-7392: use non-root user for images

---
 devops/gc/deploy/templates/deployment.yaml          | 2 +-
 provider/search-gc/cloudbuild/Dockerfile.cloudbuild | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/devops/gc/deploy/templates/deployment.yaml b/devops/gc/deploy/templates/deployment.yaml
index 19099e3c3..54d5c2a75 100644
--- a/devops/gc/deploy/templates/deployment.yaml
+++ b/devops/gc/deploy/templates/deployment.yaml
@@ -43,7 +43,7 @@ spec:
                 key: REDIS_PASSWORD
           securityContext:
             allowPrivilegeEscalation: false
-            runAsUser: 0
+            runAsNonRoot: true
           ports:
             - containerPort: 8080
           resources:
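Review bot: Replacing `runAsUser: 0` with only `runAsNonRoot: true` delegates the choice of UID to the image, so the pod's identity is now defined by the Dockerfile's `USER 10001:10001` rather than by the manifest; if a future image build drops that numeric USER (or uses a name instead of a UID), the kubelet will refuse to start the container with a "container has runAsNonRoot and image will run as root/has non-numeric user" error. Pinning the identity here alongside the guard keeps both the check and the value under the deployment's control: `runAsNonRoot: true`, `runAsUser: 10001`, `runAsGroup: 10001`. The surrounding container spec (pod-level securityContext, capabilities, readOnlyRootFilesystem) is outside this hunk, so I can't tell whether those are already set.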
diff --git a/provider/search-gc/cloudbuild/Dockerfile.cloudbuild b/provider/search-gc/cloudbuild/Dockerfile.cloudbuild
index fdd49b816..7de1fc9e4 100644
--- a/provider/search-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/search-gc/cloudbuild/Dockerfile.cloudbuild
@@ -6,5 +6,10 @@ ARG PORT
 ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/search-${PROVIDER_NAME}/target/search-${PROVIDER_NAME}-*-spring-boot.jar search-${PROVIDER_NAME}.jar
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/search-${PROVIDER_NAME}.jar
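Review bot: The new `RUN groupadd … && useradd …` layer sits after the `COPY` of the jar, so every rebuild that changes the artifact also rebuilds the user-creation layer; moving the `RUN` above the `COPY` lets that layer stay cached, since it depends on nothing in the build context. While touching it, the system account can be given no login shell, which is the usual shape for a service user: `RUN groupadd -g 10001 -r nonroot && useradd -g 10001 -r -u 10001 -s /usr/sbin/nologin nonroot`. The jar is copied as root with no `--chown`, which is fine for a read-only artifact, but if the application writes next to it under `/app` (the `WORKDIR` and `FROM` lines are outside this hunk, so I can't confirm the base image provides `useradd` or what the working directory is) it will now fail with a permission error rather than silently succeed as root; worth verifying against the app's log/temp paths. The pre-existing shell-form `CMD` is unchanged by this commit, so java still runs under `/bin/sh -c` rather than as PID 1.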
-- 
GitLab