From 27bad07b39b3799828f3f2e2111a9193ee4c2a93 Mon Sep 17 00:00:00 2001
From: Danylo Vanin <danylo_vanin@epam.com>
Date: Thu, 29 Jun 2023 16:00:57 +0300
Subject: [PATCH] [GONRG-7391] Move image to non-root approach

---
 devops/gc/deploy/templates/deployment.yaml           | 2 +-
 provider/storage-gc/cloudbuild/Dockerfile.cloudbuild | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/devops/gc/deploy/templates/deployment.yaml b/devops/gc/deploy/templates/deployment.yaml
index 087defddb..aa56b13c9 100644
--- a/devops/gc/deploy/templates/deployment.yaml
+++ b/devops/gc/deploy/templates/deployment.yaml
@@ -51,7 +51,7 @@ spec:
         {{- end }}
         securityContext:
           allowPrivilegeEscalation: false
-          runAsUser: 0
+          runAsNonRoot: true
         ports:
         - containerPort: 8080
         resources:
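Review bot: The manifest no longer pins which UID the container runs as: `runAsNonRoot: true` only makes the kubelet verify at start-up that the image's effective UID is non-zero, so the guarantee now rests entirely on the image's `USER` line (it must stay numeric — a symbolic user name makes the pod fail to start under this flag). Consider adding `runAsUser: 10001` and `runAsGroup: 10001` next to it so the identity is enforced by the cluster regardless of how the image was built, and so a later image rebuild cannot silently change it. While this securityContext is being hardened, `capabilities: { drop: [ALL] }` and `readOnlyRootFilesystem: true` are the usual companions unless the service needs a writable root. The pod-level securityContext (fsGroup, seccompProfile) is outside this hunk and should be checked for consistency.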
diff --git a/provider/storage-gc/cloudbuild/Dockerfile.cloudbuild b/provider/storage-gc/cloudbuild/Dockerfile.cloudbuild
index ce75d649f..b00b361bf 100644
--- a/provider/storage-gc/cloudbuild/Dockerfile.cloudbuild
+++ b/provider/storage-gc/cloudbuild/Dockerfile.cloudbuild
@@ -11,5 +11,11 @@ ENV PORT $PORT
 # Copy the jar to the production image from the builder stage.
 COPY provider/storage-${PROVIDER_NAME}/target/storage-${PROVIDER_NAME}-*-spring-boot.jar storage-${PROVIDER_NAME}.jar
 
+# Add a non-root user
+RUN groupadd -g 10001 -r nonroot \
+  && useradd -g 10001 -r -u 10001 nonroot
+# Run as non-root user
+USER 10001:10001
+
 # Run the web service on container startup.
 CMD java -Djava.security.egd=file:/dev/./urandom -Dserver.port=${PORT} -Dlog4j.formatMsgNoLookups=true -jar /app/storage-${PROVIDER_NAME}.jar
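Review bot: The new account is created with the base image's default login shell and there is no comment recording why UID/GID 10001 was chosen or that the Helm chart's `runAsNonRoot` check depends on the `USER` value here being numeric. Suggest `useradd -g 10001 -r -u 10001 -s /usr/sbin/nologin nonroot` (path of `nologin` depends on the base image, whose `FROM` line is outside this hunk) preceded by a comment such as `# UID/GID 10001 sit above the system (<1000) and first-user ranges to avoid colliding with host accounts; keep USER numeric so runAsNonRoot can be verified by the kubelet`. Because the jar is copied before the `USER` switch it stays root-owned and, assuming the build artifact's mode is 644, read-only for the service account, which is the desirable state for application code — worth a one-line comment so nobody later adds `--chown` to "fix" it. If `PORT` (from the `ENV PORT $PORT` context above) can ever be below 1024, the unprivileged JVM will fail to bind without `CAP_NET_BIND_SERVICE`; the deployment exposes 8080 so this is presumably fine, but it is a new constraint worth noting next to the `ENV`. `groupadd`/`useradd` also assume a shadow-utils based image and would need `addgroup`/`adduser` on Alpine or a prebuilt user on distroless.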
-- 
GitLab