Run container as non-root user

redhat-marketplace · Aug 3, 2020 · 6e5218d · 6e5218d
1 parent c1c5030
commit 6e5218d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 19 deletions.
diff --git a/build/process-template.sh b/build/process-template.sh
@@ -23,6 +23,11 @@ export TRAVIS_COMMIT
 GIT_REMOTE="$(git remote get-url origin)"
 export GIT_REMOTE
 
+NODE_USER_ID="$(docker run -it node:lts-alpine /usr/bin/id -u node | tr -d '\r' | tr -d '\n')"
+export NODE_USER_ID
+NODE_GROUP_ID="$(docker run -it node:lts-alpine /usr/bin/id -g node | tr -d '\r' | tr -d '\n')"
+export NODE_GROUP_ID
+
 envsubst <"${THIS_DIR}/viewTemplate.json" >/tmp/view.json
 
 npx mustache /tmp/view.json "${FILE}"
diff --git a/build/viewTemplate.json b/build/viewTemplate.json
@@ -1,5 +1,7 @@
 {
-    "TRAVIS_COMMIT": "${TRAVIS_COMMIT}",
-    "GIT_REMOTE": "${GIT_REMOTE}",
-    "TRAVIS_TAG": "${TRAVIS_TAG}"
+  "TRAVIS_COMMIT": "${TRAVIS_COMMIT}",
+  "TRAVIS_TAG": "${TRAVIS_TAG}",
+  "GIT_REMOTE": "${GIT_REMOTE}",
+  "NODE_USER_ID": "${NODE_USER_ID}",
+  "NODE_GROUP_ID": "${NODE_GROUP_ID}"
 }
diff --git a/kubernetes/razeedash-api/resource.yaml b/kubernetes/razeedash-api/resource.yaml
@@ -3,19 +3,16 @@ kind: List
 metadata:
   name: razeedash-api
   annotations:
-    version: "{{TRAVIS_COMMIT}}"
+    version: "{{{TRAVIS_COMMIT}}}"
 type: array
 items:
-
-  # api
-
-  - apiVersion: apps/v1
+  - apiVersion: apps/v1      #api
     kind: Deployment
     metadata:
       annotations:
-        version: "{{TRAVIS_COMMIT}}"
+        version: "{{{TRAVIS_COMMIT}}}"
         razee.io/git-repo: "{{{GIT_REMOTE}}}"
-        razee.io/commit-sha: "{{TRAVIS_COMMIT}}"
+        razee.io/commit-sha: "{{{TRAVIS_COMMIT}}}"
       labels:
         razee/watch-resource: "lite"
       name: razeedash-api
@@ -35,16 +32,17 @@ items:
           name: razeedash-api
         spec:
           securityContext:
-            fsGroup: 999
-            runAsUser: 999
+            runAsUser: {{{NODE_USER_ID}}}
+            runAsGroup: {{{NODE_GROUP_ID}}}
+            fsGroup: {{{NODE_GROUP_ID}}}
           initContainers:
           - env:
             - name: MONGO_URL
               valueFrom:
                 secretKeyRef:
                   name: razeedash-secret
                   key: mongo_url
-            image: "quay.io/razee/razeedash-api:{{TRAVIS_TAG}}"
+            image: "quay.io/razee/razeedash-api:{{{TRAVIS_TAG}}}"
             command: ["npm", "run", "wait-mongo"]
             imagePullPolicy: Always
             name: razeedash-api-init
@@ -110,7 +108,7 @@ items:
                   optional: true
             - name: REDIS_PUBSUB_URL
               value: 'redis://redis-service:6379/0'
-            image: "quay.io/razee/razeedash-api:{{TRAVIS_TAG}}"
+            image: "quay.io/razee/razeedash-api:{{{TRAVIS_TAG}}}"
             imagePullPolicy: Always
             name: razeedash-api
             ports:
@@ -144,9 +142,7 @@ items:
               secret:
                 secretName: razeedash-secret
 
-  # redis
-
-  - apiVersion: apps/v1
+  - apiVersion: apps/v1   # redis
     kind: Deployment
     metadata:
       name: redis
@@ -161,6 +157,10 @@ items:
             app: redis
           name: redis
         spec:
+          securityContext:
+            runAsUser: 999
+            runAsGroup: 1000
+            fsGroup: 1000
           containers:
             - name: redis
               image: redis:latest
@@ -183,8 +183,6 @@ items:
                   cpu: 1m
                   memory: 64Mi
 
-
-
   - apiVersion: v1
     kind: Service
     metadata: