Merge pull request #874 from enj/enj/i/distroless_nonroot

Use 65532 instead of 1001 as non-root user
This commit is contained in:
Mo Khan 2021-10-25 16:54:47 -04:00 committed by GitHub
commit f25d2870ce
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 9 additions and 7 deletions

View File

@ -33,7 +33,9 @@ COPY --from=build-env /usr/local/bin /usr/local/bin
EXPOSE 8080 8443 EXPOSE 8080 8443
# Run as non-root for security posture # Run as non-root for security posture
USER 1001:1001 # Use the same non-root user as https://github.com/GoogleContainerTools/distroless/blob/fc3c4eaceb0518900f886aae90407c43be0a42d9/base/base.bzl#L9
# This is a workaround for https://github.com/GoogleContainerTools/distroless/issues/718
USER 65532:65532
# Set the entrypoint # Set the entrypoint
ENTRYPOINT ["/usr/local/bin/pinniped-server"] ENTRYPOINT ["/usr/local/bin/pinniped-server"]

View File

@ -55,8 +55,8 @@ api_serving_certificate_renew_before_seconds: 2160000
#! information), trace (timing information), all (kitchen sink). #! information), trace (timing information), all (kitchen sink).
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
run_as_user: 1001 #! run_as_user specifies the user ID that will own the process run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 1001 #! run_as_group specifies the group ID that will own the process run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to #! Specify the API group suffix for all Pinniped API groups. By default, this is set to
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, #! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,

View File

@ -15,5 +15,5 @@ image_tag: latest
#! Optional. #! Optional.
image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}} image_pull_dockerconfigjson: #! e.g. {"auths":{"https://registry.example.com":{"username":"USERNAME","password":"PASSWORD","auth":"BASE64_ENCODED_USERNAME_COLON_PASSWORD"}}}
run_as_user: 1001 #! run_as_user specifies the user ID that will own the process run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 1001 #! run_as_group specifies the group ID that will own the process run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice

View File

@ -57,8 +57,8 @@ service_loadbalancer_ip: #! e.g. 1.2.3.4
#! information), trace (timing information), all (kitchen sink). #! information), trace (timing information), all (kitchen sink).
log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs. log_level: #! By default, when this value is left unset, only warnings and errors are printed. There is no way to suppress warning and error logs.
run_as_user: 1001 #! run_as_user specifies the user ID that will own the process run_as_user: 65532 #! run_as_user specifies the user ID that will own the process, see the Dockerfile for the reasoning behind this choice
run_as_group: 1001 #! run_as_group specifies the group ID that will own the process run_as_group: 65532 #! run_as_group specifies the group ID that will own the process, see the Dockerfile for the reasoning behind this choice
#! Specify the API group suffix for all Pinniped API groups. By default, this is set to #! Specify the API group suffix for all Pinniped API groups. By default, this is set to
#! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev, #! pinniped.dev, so Pinniped API groups will look like foo.pinniped.dev,