[GONRG-7389] Moved bootstrap to non-root

24dfcef1 · Danylo Vanin (EPAM) · Mikhail Piatliou (EPAM) · 5b690c37 · 24dfcef1 · 24dfcef1
Commit 24dfcef1 authored 1 year ago by Danylo Vanin (EPAM) Committed by Mikhail Piatliou (EPAM) 1 year ago
--- a/devops/gc/deploy/templates/bootstrap-deployment.yaml
+++ b/devops/gc/deploy/templates/bootstrap-deployment.yaml
@@ -38,5 +38,8 @@ spec:
          - secretRef:
              name: {{ .Values.conf.bootstrapSecretName | quote }}
          {{- end }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
      serviceAccountName: {{ .Values.data.bootstrapServiceAccountName | quote }}
 {{- end }}
--- a/provider/storage-gc/bootstrap/Dockerfile
+++ b/provider/storage-gc/bootstrap/Dockerfile
@@ -16,5 +16,10 @@ RUN apt-get update \
    && chmod +x download-data.sh \
    && chmod +x bootstrap_storage.sh \
    && ./download-data.sh 
+
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -d /opt -g 10001 -r -u 10001 nonroot
+RUN chown -R 10001:10001 /opt
+USER 10001:10001
    
 CMD ["/bin/bash", "-c", "/opt/bootstrap_storage.sh && sleep 365d"]