Merge pull request #506 from rojkov/validation-plan

mythi · web-flow · commit 5184b4429e8c · 2020-11-16T15:16:32.000+02:00
operator: run as non-root
diff --git a/build/docker/intel-deviceplugin-operator.Dockerfile b/build/docker/intel-deviceplugin-operator.Dockerfile
@@ -35,4 +35,5 @@ RUN chmod a+x /go/bin/operator \
 
 FROM scratch as final
 COPY --from=builder /install_root /
+RUN groupadd -g 3210 operator && useradd operator -u 3210 -g 3210
 ENTRYPOINT ["/usr/local/bin/intel_deviceplugin_operator"]
diff --git a/deployments/operator/default/manager_auth_proxy_patch.yaml b/deployments/operator/default/manager_auth_proxy_patch.yaml
@@ -19,6 +19,11 @@ spec:
         ports:
         - containerPort: 8443
           name: https
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          readOnlyRootFilesystem: true
       - name: manager
         args:
         - "--metrics-addr=127.0.0.1:8080"
diff --git a/deployments/operator/manager/manager.yaml b/deployments/operator/manager/manager.yaml
@@ -33,4 +33,9 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 3210
+          runAsGroup: 3210
+          readOnlyRootFilesystem: true
       terminationGracePeriodSeconds: 10
