Merge pull request #38 from fluxcd/nonroot

build: run controller as a non-root user
2020-04-24 12:10:50 +03:00 · 2020-04-24 12:10:50 +03:00 · f469418dcd
parent 1a1b288a82 a6a41eeec5
commit f469418dcd
2 changed files with 19 additions and 0 deletions
--- a/4
+++ b/4
@ -24,4 +24,8 @@ RUN apk add --no-cache openssh-client ca-certificates tini 'git>=2.12.0' socat c

 COPY --from=builder /workspace/source-controller /usr/local/bin/

+RUN addgroup -S controller && adduser -S -g controller controller
+
+USER controller
+
 ENTRYPOINT [ "/sbin/tini", "--", "source-controller" ]
--- a/config/manager/deployment.yaml
+++ b/config/manager/deployment.yaml
@ -23,6 +23,9 @@ spec:
      - name: manager
        image: fluxcd/source-controller
        imagePullPolicy: IfNotPresent
+        securityContext:
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: true
        ports:
          - containerPort: 8080
            name: http
@ -37,6 +40,14 @@ spec:
            valueFrom:
              fieldRef:
                fieldPath: metadata.namespace
+        livenessProbe:
+          httpGet:
+            port: http
+            path: /
+        readinessProbe:
+          httpGet:
+            port: http
+            path: /
        resources:
          limits:
            cpu: 1000m
@ -47,6 +58,10 @@ spec:
        volumeMounts:
          - name: data
            mountPath: /data
+          - name: tmp
+            mountPath: /tmp
      volumes:
        - name: data
          emptyDir: {}
+        - name: tmp
+          emptyDir: {}