fluxcd
/
source-controller
mirror of https://github.com/fluxcd/source-controller.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Enforce runAsNonRoot 

BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>
This commit is contained in:
Paulo Gomes 2022-01-18 18:05:47 +00:00
parent 7b04b44706
commit 9ba76a1f94
No known key found for this signature in database
GPG Key ID: 9995233870E99BEE
2 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Dockerfile
View File

@ -90,10 +90,6 @@ FROM debian:bookworm-slim as controller
# Link repo to the GitHub Container Registry image # Link repo to the GitHub Container Registry image
LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller" LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
# Configure user
RUN addgroup --gid 65532 controller && \
useradd -u 65532 -s /sbin/nologin -g controller controller
ARG TARGETPLATFORM ARG TARGETPLATFORM
RUN apt update && apt install -y ca-certificates RUN apt update && apt install -y ca-certificates
@ -102,5 +98,5 @@ COPY --from=build /workspace/source-controller /usr/local/bin/
COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version / COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version /
COPY ATTRIBUTIONS.md / COPY ATTRIBUTIONS.md /
USER controller USER 65534:65534
ENTRYPOINT [ "source-controller" ] ENTRYPOINT [ "source-controller" ]

1
config/manager/deployment.yaml
View File

@ -31,6 +31,7 @@ spec:
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true
capabilities: capabilities:
drop: [ "ALL" ] drop: [ "ALL" ]
seccompProfile: seccompProfile: