From b6bfcc49f933c65cf8f7eeb74c641069cc5af258 Mon Sep 17 00:00:00 2001
From: Moritz Johner <beller.moritz@googlemail.com>
Date: Wed, 9 Mar 2022 09:06:23 +0100
Subject: [PATCH] feat: use non-root user for base-image

There is no need to use the root user. This allows the user
to comply with pod security standards.

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>
---
 cluster-autoscaler/Dockerfile.amd64 | 3 ++-
 cluster-autoscaler/Dockerfile.arm64 | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/cluster-autoscaler/Dockerfile.amd64 b/cluster-autoscaler/Dockerfile.amd64
index 2a1681fe203..8e4b6db52ad 100644
--- a/cluster-autoscaler/Dockerfile.amd64
+++ b/cluster-autoscaler/Dockerfile.amd64
@@ -11,9 +11,10 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-ARG BASEIMAGE=gcr.io/distroless/static:latest-amd64
+ARG BASEIMAGE=gcr.io/distroless/static:nonroot-amd64
 FROM $BASEIMAGE
 LABEL maintainer="Marcin Wielgus <mwielgus@google.com>"
 
 COPY cluster-autoscaler-amd64 /cluster-autoscaler
+WORKDIR /
 CMD ["/cluster-autoscaler"]
diff --git a/cluster-autoscaler/Dockerfile.arm64 b/cluster-autoscaler/Dockerfile.arm64
index 3cbcb994d52..45dc6c8f5c0 100644
--- a/cluster-autoscaler/Dockerfile.arm64
+++ b/cluster-autoscaler/Dockerfile.arm64
@@ -11,9 +11,10 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-ARG BASEIMAGE=gcr.io/distroless/static:latest-arm64
+ARG BASEIMAGE=gcr.io/distroless/static:nonroot-arm64
 FROM $BASEIMAGE
 LABEL maintainer="Marcin Wielgus <mwielgus@google.com>"
 
 COPY cluster-autoscaler-arm64 /cluster-autoscaler
+WORKDIR /
 CMD ["/cluster-autoscaler"]