From 2e50e8f01bf1653340d1ad01de7fde440d3ee19d Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Mon, 2 Nov 2020 16:32:50 -0500
Subject: [PATCH] hack/lib/tilt: run Tilt images with non-root user

Signed-off-by: Andrew Keesler
---
 hack/lib/tilt/concierge.Dockerfile | 3 +++
 hack/lib/tilt/local-user-authenticator.Dockerfile | 3 +++
 hack/lib/tilt/supervisor.Dockerfile | 5 ++++-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/hack/lib/tilt/concierge.Dockerfile b/hack/lib/tilt/concierge.Dockerfile
index b24a10b5..ea4d5959 100644
--- a/hack/lib/tilt/concierge.Dockerfile
+++ b/hack/lib/tilt/concierge.Dockerfile
@@ -10,5 +10,8 @@ COPY build/pinniped-concierge /usr/local/bin/pinniped-concierge
 # Document the port
 EXPOSE 8443
 
+# Run as non-root for security posture
+USER 1001:1001
+
 # Set the entrypoint
 ENTRYPOINT ["/usr/local/bin/pinniped-concierge"]
diff --git a/hack/lib/tilt/local-user-authenticator.Dockerfile b/hack/lib/tilt/local-user-authenticator.Dockerfile
index 5f0d314c..0dd1523c 100644
--- a/hack/lib/tilt/local-user-authenticator.Dockerfile
+++ b/hack/lib/tilt/local-user-authenticator.Dockerfile
@@ -10,5 +10,8 @@ COPY build/local-user-authenticator /usr/local/bin/local-user-authenticator
 # Document the port
 EXPOSE 8443
 
+# Run as non-root for security posture
+USER 1001:1001
+
 # Set the entrypoint
 ENTRYPOINT ["/usr/local/bin/local-user-authenticator"]
diff --git a/hack/lib/tilt/supervisor.Dockerfile b/hack/lib/tilt/supervisor.Dockerfile
index 6a18da00..a62772e1 100644
--- a/hack/lib/tilt/supervisor.Dockerfile
+++ b/hack/lib/tilt/supervisor.Dockerfile
@@ -8,7 +8,10 @@ FROM debian:10.5-slim
 COPY build/pinniped-supervisor /usr/local/bin/pinniped-supervisor
 
 # Document the port
-EXPOSE 8443
+EXPOSE 8080 8443
+
+# Run as non-root for security posture
+USER 1001:1001
 
 # Set the entrypoint
 ENTRYPOINT ["/usr/local/bin/pinniped-supervisor"]
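Review bot: In the concierge.Dockerfile hunk, `USER 1001:1001` sets only the image default, and the comment `# Run as non-root for security posture` does not say why the IDs are numeric or that a pod spec can still override them. Consider wording it as `# Run as a fixed numeric non-root UID:GID so Kubernetes runAsNonRoot can verify it`. If the Tilt deployment manifests (not visible here) do not already set `runAsNonRoot: true` in the pod securityContext, adding it would enforce the image default rather than assume it. The binary named in the hunk header is copied without `--chown`, so it stays root-owned and UID 1001 can run but not modify it, provided the build output is world-executable; that is worth confirming. The same applies to the identical additions in the local-user-authenticator.Dockerfile and supervisor.Dockerfile hunks.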
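Review bot: In the supervisor.Dockerfile hunk, `EXPOSE 8080 8443` adds a second port that the commit message does not mention, and the comment above it still reads `# Document the port`. If 8080 is a plaintext HTTP listener (not visible from this hunk), the comment should say so, for example `# Document the ports: 8080 (<purpose>), 8443 (<purpose>)`, so that whoever writes the Service and NetworkPolicy knows which port may be reachable from outside the cluster. Both ports are above 1024, so the new non-root user can bind them without CAP_NET_BIND_SERVICE.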