Merge pull request #86 from camilamacedo86/solve-image

Make image be rootless
brancz · Sep 15, 2020 · 6615bdd · 6615bdd
2 parents 9738794 + 9bfdae2
commit 6615bdd
Show file tree

Hide file tree

Showing 12 changed files with 43 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,7 +1,8 @@
-FROM gcr.io/distroless/static
+FROM gcr.io/distroless/static:nonroot
 
 ARG BINARY=kube-rbac-proxy-linux-amd64
 COPY _output/$BINARY /usr/local/bin/kube-rbac-proxy
-
 EXPOSE 8080
+USER 65532:65532
+
 ENTRYPOINT ["/usr/local/bin/kube-rbac-proxy"]
diff --git a/examples/non-resource-url-token-request/deployment.yaml b/examples/non-resource-url-token-request/deployment.yaml
@@ -58,6 +58,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -71,6 +73,8 @@ spec:
         ports:
         - containerPort: 8443
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/examples/non-resource-url/deployment.yaml b/examples/non-resource-url/deployment.yaml
@@ -55,6 +55,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -67,6 +69,8 @@ spec:
         ports:
         - containerPort: 8443
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/examples/non-resource-url/non-resource-url/deployment.yaml b/examples/non-resource-url/non-resource-url/deployment.yaml
@@ -55,6 +55,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -67,6 +69,8 @@ spec:
         ports:
         - containerPort: 8443
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/examples/oidc/deployment.yaml b/examples/oidc/deployment.yaml
@@ -74,6 +74,8 @@ spec:
         ports:
         - containerPort: 8444
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/examples/resource-attributes/deployment.yaml b/examples/resource-attributes/deployment.yaml
@@ -69,6 +69,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -85,6 +87,8 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /etc/kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/examples/rewrites/deployment.yaml b/examples/rewrites/deployment.yaml
@@ -71,6 +71,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -87,6 +89,8 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /etc/kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/scripts/templates/non-resource-url-deployment.yaml b/scripts/templates/non-resource-url-deployment.yaml
@@ -55,6 +55,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -67,6 +69,8 @@ spec:
         ports:
         - containerPort: 8443
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/scripts/templates/non-resource-url-token-request-deployment.yaml b/scripts/templates/non-resource-url-token-request-deployment.yaml
@@ -58,6 +58,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -71,6 +73,8 @@ spec:
         ports:
         - containerPort: 8443
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/scripts/templates/oidc-deployment.yaml b/scripts/templates/oidc-deployment.yaml
@@ -74,6 +74,8 @@ spec:
         ports:
         - containerPort: 8444
           name: https
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/scripts/templates/resource-attributes-deployment.yaml b/scripts/templates/resource-attributes-deployment.yaml
@@ -69,6 +69,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -85,6 +87,8 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /etc/kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args:

diff --git a/scripts/templates/rewrites-deployment.yaml b/scripts/templates/rewrites-deployment.yaml
@@ -71,6 +71,8 @@ spec:
       labels:
         app: kube-rbac-proxy
     spec:
+      securityContext:
+        runAsUser: 65532
       serviceAccountName: kube-rbac-proxy
       containers:
       - name: kube-rbac-proxy
@@ -87,6 +89,8 @@ spec:
         volumeMounts:
         - name: config
           mountPath: /etc/kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
       - name: prometheus-example-app
         image: quay.io/brancz/prometheus-example-app:v0.1.0
         args: