diff --git a/Dockerfile b/Dockerfile index 4a19049e..13e915b6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,7 +33,9 @@ COPY --from=build-env /usr/local/bin /usr/local/bin EXPOSE 8080 8443 # Run as non-root for security posture -USER 1001:1001 +# Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9 +# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718 +USER 65532:65532 # Set the entrypoint ENTRYPOINT ["/usr/local/bin/pinniped-server"] diff --git a/deploy/concierge/values.yaml b/deploy/concierge/values.yaml index a0e0750c..76d77a64 100644 --- a/deploy/concierge/values.yaml +++ b/deploy/concierge/values.yaml @@ -55,8 +55,8 @@ api_serving_certificate_renew_before_seconds: 2160000 #! information), trace (timing information), all (kitchen sink). log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. -run_as_user: 1001 #! run_as_user specifies the user ID that will own the process -run_as_group: 1001 #! run_as_group specifies the group ID that will own the process +run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice +run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice #! Specify the API group suffix for all Pinniped API groups. By default, this is set to #! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, diff --git a/deploy/local-user-authenticator/values.yaml b/deploy/local-user-authenticator/values.yaml index f39cb42d..1f65baa4 100644 --- a/deploy/local-user-authenticator/values.yaml +++ b/deploy/local-user-authenticator/values.yaml @@ -15,5 +15,5 @@ image_tag: latest #! Optional. image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}} -run_as_user: 1001 #! run_as_user specifies the user ID that will own the process -run_as_group: 1001 #! run_as_group specifies the group ID that will own the process +run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice +run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice diff --git a/deploy/supervisor/values.yaml b/deploy/supervisor/values.yaml index ea3fa2a4..16b036b1 100644 --- a/deploy/supervisor/values.yaml +++ b/deploy/supervisor/values.yaml @@ -57,8 +57,8 @@ service_loadbalancer_ip: #! e.g. 1.2.3.4 #! information), trace (timing information), all (kitchen sink). log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. -run_as_user: 1001 #! run_as_user specifies the user ID that will own the process -run_as_group: 1001 #! run_as_group specifies the group ID that will own the process +run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice +run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice #! Specify the API group suffix for all Pinniped API groups. By default, this is set to #! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,