From e6fc76d2f29fed840078c8f70e7b43a514e2e82e Mon Sep 17 00:00:00 2001
From: Douglas Camata <159076+douglascamata@users.noreply.github.com>
Date: Tue, 31 Oct 2023 11:32:24 +0100
Subject: [PATCH 1/2] Use non-root user for tests container

Signed-off-by: Douglas Camata <159076+douglascamata@users.noreply.github.com>
---
 tests/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/Dockerfile b/tests/Dockerfile
index 116b52ced..06203e22f 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -11,8 +11,8 @@ RUN go install github.com/onsi/ginkgo/ginkgo@v1.14.2 && go mod vendor && ginkgo
 # create new docker image to hold built artifacts
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
-# run as root
-USER root
+# run as non-root
+USER nobody
 
 # expose env vars for runtime
 ENV KUBECONFIG "/opt/.kube/config"

From 4f72a910302bb1d890f2f6bfdc3bb98a5be4b1fd Mon Sep 17 00:00:00 2001
From: Douglas Camata <159076+douglascamata@users.noreply.github.com>
Date: Tue, 31 Oct 2023 11:52:54 +0100
Subject: [PATCH 2/2] Tighten container permissions

Signed-off-by: Douglas Camata <159076+douglascamata@users.noreply.github.com>
---
 collectors/metrics/Dockerfile                                | 2 ++
 loaders/dashboards/Dockerfile                                | 2 ++
 operators/multiclusterobservability/bundle.Dockerfile        | 2 ++
 proxy/Dockerfile                                             | 3 +++
 tests/Dockerfile                                             | 2 +-
 tools/simulator/metrics-collector/Dockerfile                 | 2 +-
 .../simulator/metrics-collector/metrics-extractor/Dockerfile | 5 +++--
 7 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/collectors/metrics/Dockerfile b/collectors/metrics/Dockerfile
index 971261158..ab96373c7 100644
--- a/collectors/metrics/Dockerfile
+++ b/collectors/metrics/Dockerfile
@@ -47,6 +47,8 @@ RUN microdnf update &&\
     mkdir /licenses &&\
     microdnf clean all
 
+USER 1001:1001
+
 COPY --from=builder /workspace/metrics-collector /usr/bin/
 
 # standalone required parameters
diff --git a/loaders/dashboards/Dockerfile b/loaders/dashboards/Dockerfile
index 7d43061a6..cff372324 100644
--- a/loaders/dashboards/Dockerfile
+++ b/loaders/dashboards/Dockerfile
@@ -45,6 +45,8 @@ WORKDIR /
 
 RUN microdnf update -y && microdnf clean all
 
+USER 1001:1001
+
 COPY --from=builder /workspace/main grafana-dashboard-loader
 
 EXPOSE 3002
diff --git a/operators/multiclusterobservability/bundle.Dockerfile b/operators/multiclusterobservability/bundle.Dockerfile
index 9a3def2c6..65ba0b499 100644
--- a/operators/multiclusterobservability/bundle.Dockerfile
+++ b/operators/multiclusterobservability/bundle.Dockerfile
@@ -1,5 +1,7 @@
 FROM scratch
 
+USER 1001:1001
+
 LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1
 LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/
 LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/
diff --git a/proxy/Dockerfile b/proxy/Dockerfile
index 6a1a34b8d..61f2871a4 100644
--- a/proxy/Dockerfile
+++ b/proxy/Dockerfile
@@ -42,6 +42,9 @@ LABEL org.label-schema.vendor="Red Hat" \
     io.openshift.tags="$IMAGE_OPENSHIFT_TAGS"
 
 WORKDIR /
+
+USER 1001:1001
+
 COPY --from=builder /workspace/main rbac-query-proxy
 
 EXPOSE 3002
diff --git a/tests/Dockerfile b/tests/Dockerfile
index 06203e22f..b1fe66e9a 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -12,7 +12,7 @@ RUN go install github.com/onsi/ginkgo/ginkgo@v1.14.2 && go mod vendor && ginkgo
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
 
 # run as non-root
-USER nobody
+USER 1001:1001
 
 # expose env vars for runtime
 ENV KUBECONFIG "/opt/.kube/config"
diff --git a/tools/simulator/metrics-collector/Dockerfile b/tools/simulator/metrics-collector/Dockerfile
index 887495101..b908254bd 100644
--- a/tools/simulator/metrics-collector/Dockerfile
+++ b/tools/simulator/metrics-collector/Dockerfile
@@ -1,3 +1,3 @@
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
-
+USER 1001:1001
 COPY timeseries.txt /tmp/
diff --git a/tools/simulator/metrics-collector/metrics-extractor/Dockerfile b/tools/simulator/metrics-collector/metrics-extractor/Dockerfile
index a467f3b45..690cf4d3a 100644
--- a/tools/simulator/metrics-collector/metrics-extractor/Dockerfile
+++ b/tools/simulator/metrics-collector/metrics-extractor/Dockerfile
@@ -11,10 +11,11 @@ RUN microdnf install wget -y \
 RUN microdnf install tar gzip jq bc -y\
     && microdnf clean all
 
+USER 1001:1001
 
 RUN wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.13/openshift-client-linux.tar.gz -P /ocp-tools
 WORKDIR /ocp-tools
-RUN chmod 777 /ocp-tools
+RUN chmod 644 /ocp-tools
 RUN tar xvf openshift-client-linux.tar.gz oc kubectl
 RUN rm openshift-client-linux.tar.gz
 RUN cp oc /usr/local/bin
@@ -38,7 +39,7 @@ RUN export matches=$(curl -L $METRICS_ALLOW_LIST_URL | $GOJSONTOYAML_BIN --yamlt
 
 
 COPY ./extract-metrics-data.sh /metrics-extractor/
-RUN chmod 777 /metrics-extractor
+RUN chmod 744 /metrics-extractor
 
 
 CMD [ "/bin/bash", "/metrics-extractor/extract-metrics-data.sh" ]