Merge pull request #228 from logdnalf/master

Allow the Operator to run as non-root.
spotahome · Jan 29, 2020 · e9c5dea · e9c5dea
2 parents fc18d3d + b4a5895
commit e9c5dea
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 0 deletions.
diff --git a/docker/app/Dockerfile b/docker/app/Dockerfile
@@ -8,5 +8,9 @@ FROM alpine:latest
 RUN apk --no-cache add \
   ca-certificates
 COPY --from=0 /go/src/github.com/spotahome/redis-operator/bin/linux/redis-operator /usr/local/bin
+RUN addgroup -g 1000 rf && \
+    adduser -D -u 1000 -G rf rf && \
+    chown rf:rf /usr/local/bin/redis-operator
+USER rf
 
 ENTRYPOINT ["/usr/local/bin/redis-operator"]
diff --git a/example/operator/all-redis-operator-resources.yaml b/example/operator/all-redis-operator-resources.yaml
@@ -21,6 +21,10 @@ spec:
         - image: quay.io/spotahome/redis-operator:latest
           imagePullPolicy: IfNotPresent
           name: app
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
           resources:
             limits:
               cpu: 100m

diff --git a/example/operator/operator.yaml b/example/operator/operator.yaml
@@ -21,6 +21,10 @@ spec:
         - image: quay.io/spotahome/redis-operator:latest
           imagePullPolicy: IfNotPresent
           name: app
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 1000
           resources:
             limits:
               cpu: 100m