From aba2057ba67977aed316ead20c72a12ae860d09a Mon Sep 17 00:00:00 2001
From: Chmouel Boudjnah
Date: Wed, 11 Sep 2024 09:32:39 +0200
Subject: [PATCH] run kubernetes deployment as non root
Signed-off-by: Chmouel Boudjnah
---
 Dockerfile | 2 +-
 misc/kubernetes-deployment.yaml | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f56b536..19e9c83 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,5 +10,5 @@ RUN microdnf -y update && microdnf -y --nodocs install tar rsync shadow-utils &&
 COPY --from=0 /tmp/gosmee /usr/local/bin/gosmee
 WORKDIR /home/gosmee
-USER gosmee
+USER 1001
 ENTRYPOINT ["/usr/local/bin/gosmee"]
diff --git a/misc/kubernetes-deployment.yaml b/misc/kubernetes-deployment.yaml
index 1a9b1a4..ed280af 100644
--- a/misc/kubernetes-deployment.yaml
+++ b/misc/kubernetes-deployment.yaml
@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -27,3 +26,11 @@ spec:
 "https://yousmee.url",
 "http://deployment.name.namespace.name:PORT_OF_SERVICE",
 ]
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - "ALL"
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
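Review bot: `USER 1001` has no comment explaining why a numeric UID replaced the account name, and nothing visible in the hunk ties 1001 to the account that owns `/home/gosmee`. Kubernetes can only verify `runAsNonRoot: true` against a numeric image user, so a later revert to `USER gosmee` would cause the container to be refused at start. A comment above the line such as `# numeric UID: required so Kubernetes can verify runAsNonRoot; must equal the uid of the gosmee user created in the RUN step` would record that dependency. The user-creation command is in the RUN line that is truncated in the hunk header, so whether it actually assigns uid 1001 could not be confirmed from this view.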
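Review bot: The added `securityContext` leaves the container's root filesystem writable, so a compromised process could still modify or drop files inside the container. Adding `readOnlyRootFilesystem: true` alongside `allowPrivilegeEscalation: false` would close that gap, provided gosmee does not write inside the image; if it does, an `emptyDir` volume mounted at that path keeps the rest read-only. Indentation is lost in this view, so this assumes the block sits at container level, which `allowPrivilegeEscalation` and `capabilities` require.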