From aede835bb7e80601a8f7639af85018abfd909d6d Mon Sep 17 00:00:00 2001
From: Felipe Alfaro Solana
Date: Mon, 27 Jan 2020 13:29:08 +0100
Subject: [PATCH 1/2] Allow the Operator to run as non-root.

Without a proper security context, the Operator Pod fails to start up with the following error in Kubernetes 1.13+:
```
Error: container has runAsNonRoot and image will run as root
```
---
 example/operator/all-redis-operator-resources.yaml | 4 ++++
 example/operator/operator.yaml | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/example/operator/all-redis-operator-resources.yaml b/example/operator/all-redis-operator-resources.yaml
index c04e4bee1..ef71cc427 100644
--- a/example/operator/all-redis-operator-resources.yaml
+++ b/example/operator/all-redis-operator-resources.yaml
@@ -21,6 +21,10 @@ spec:
 - image: quay.io/spotahome/redis-operator:latest
 imagePullPolicy: IfNotPresent
 name: app
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 resources:
 limits:
 cpu: 100m
diff --git a/example/operator/operator.yaml b/example/operator/operator.yaml
index 049ac6b71..845719a8d 100644
--- a/example/operator/operator.yaml
+++ b/example/operator/operator.yaml
@@ -21,6 +21,10 @@ spec:
 - image: quay.io/spotahome/redis-operator:latest
 imagePullPolicy: IfNotPresent
 name: app
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1000
 resources:
 limits:
 cpu: 100m
From b4a5895c1d268e8c661f567f055aa81de31f467c Mon Sep 17 00:00:00 2001
From: Felipe Alfaro Solana
Date: Wed, 29 Jan 2020 13:44:52 +0100
Subject: [PATCH 2/2] Run the Operator as UID/GID 1000/1000.

---
 docker/app/Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/docker/app/Dockerfile b/docker/app/Dockerfile
index 70dbc37eb..3933da75d 100644
--- a/docker/app/Dockerfile
+++ b/docker/app/Dockerfile
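Review bot: The new securityContext in all-redis-operator-resources.yaml (and the identical block in operator.yaml) pins the UID and makes the root filesystem read-only but leaves privilege escalation and Linux capabilities at their defaults, so the hardening stops short of what a controller that only talks to the API server needs. Add `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"] }` under the same key, and `runAsGroup: 1000` so the pod-level GID matches the group the companion Dockerfile patch creates instead of depending on the image's /etc/passwd lookup. With readOnlyRootFilesystem enabled, any runtime write by the binary (temporary files, for example) will now fail unless an emptyDir is mounted there; this presumably does not apply to this operator, but it is worth confirming against its code before merging. The containers list and the enclosing Deployment spec begin outside the hunk.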
@@ -8,5 +8,9 @@ FROM alpine:latest
 RUN apk --no-cache add \
 ca-certificates
 COPY --from=0 /go/src/github.com/spotahome/redis-operator/bin/linux/redis-operator /usr/local/bin
+RUN addgroup -g 1000 rf && \
+ adduser -D -u 1000 -G rf rf && \
+ chown rf:rf /usr/local/bin/redis-operator
+USER rf
 ENTRYPOINT ["/usr/local/bin/redis-operator"]
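Review bot: `chown rf:rf /usr/local/bin/redis-operator` gives the executable to the same UID the process runs as, so a compromised operator process could overwrite its own binary; execution does not require ownership, only read and execute permission. Keep the file root-owned and replace the chown with `chmod 0755 /usr/local/bin/redis-operator` (or drop the line entirely if the COPY already yields that mode), which is the least-privilege arrangement for a service account. The `-D` flag on adduser creates the account without a password, which is appropriate here; a comment on the RUN line such as `# unprivileged runtime identity; keep in sync with runAsUser in example/operator/*.yaml` would record why 1000/1000 was chosen and tie it to the manifests changed in the first patch.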