From 3859abcd1667782ece051c923bb5a3afbd371749 Mon Sep 17 00:00:00 2001
From: vijtrip2
Date: Wed, 12 Jan 2022 20:56:29 -0800
Subject: [PATCH 1/2] Make controller images non-root by default

---
 Dockerfile | 4 ++++
 Dockerfile.local | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index efb435ce..c00f541f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,8 @@
 # Base image to use for the final stage
 ARG base_image=public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2021-12-01-1638322424
 # Build the manager binary
+# TODO(vijtrip2) move this builder image to public.ecr.aws/eks-distro-build-tooling/builder-base, when builder-base
+# supports golang 1.17
 FROM public.ecr.aws/bitnami/golang:1.17.5 as builder
 ARG service_alias
@@ -46,4 +48,6 @@ ARG service_alias
 ARG work_dir=/github.com/aws-controllers-k8s/$service_alias-controller
 WORKDIR /
 COPY --from=builder $work_dir/bin/controller $work_dir/LICENSE $work_dir/ATTRIBUTION.md /bin/
+# Make this image non-root by default
+USER 1000
 ENTRYPOINT ["/bin/controller"]
diff --git a/Dockerfile.local b/Dockerfile.local
index a06b8d02..99aa5d31 100644
--- a/Dockerfile.local
+++ b/Dockerfile.local
@@ -1,6 +1,8 @@
 # Base image to use at runtime
 ARG base_image=public.ecr.aws/eks-distro-build-tooling/eks-distro-minimal-base-nonroot:2021-12-01-1638322424
 # Build the manager binary
+# TODO(vijtrip2) move this builder image to public.ecr.aws/eks-distro-build-tooling/builder-base, when builder-base
+# supports golang 1.17
 FROM public.ecr.aws/bitnami/golang:1.17.5 as builder
 ARG service_alias
@@ -58,4 +60,5 @@ ARG service_alias
 ARG work_dir=/github.com/aws-controllers-k8s/$service_alias-controller
 WORKDIR /
 COPY --from=builder $work_dir/bin/controller $work_dir/LICENSE $work_dir/ATTRIBUTION.md /bin/
+USER 1000
 ENTRYPOINT ["/bin/controller"]

From f362c86fcf953969956a20e032ace5774a67a61b Mon Sep 17 00:00:00 2001
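Review bot: `USER 1000` on the new line after the COPY sets only a UID, so the process's primary group falls back to GID 0 (root) unless UID 1000 has an /etc/passwd entry with a group in the runtime base image; the same applies to the `USER 1000` added in Dockerfile.local (@@ -58,4 +60,5). Pinning the group explicitly, `USER 1000:1000`, removes that dependence on the base image's passwd database and makes the image's effective identity non-root for both user and group. The value should stay numeric: a kubelet enforcing `runAsNonRoot: true` (patch 2/2 drops the explicit `runAsUser`) can only verify a non-root image user when the image gives a UID rather than a name. Since `base_image` is a build argument that downstream builds may substitute, the Dockerfile should not rely on whatever users the default eks-distro nonroot image happens to define.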
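Review bot: The `USER 1000` added before the ENTRYPOINT in Dockerfile.local carries no comment, whereas the identical line in Dockerfile is introduced with `# Make this image non-root by default`, and the two hunks otherwise share the same surrounding lines (ARG work_dir, WORKDIR, COPY, ENTRYPOINT). Adding the same comment here, `# Make this image non-root by default`, keeps the two files in step and tells a reader of the local build why the image switches user at that point.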
From: vijtrip2
Date: Wed, 12 Jan 2022 20:57:18 -0800
Subject: [PATCH 2/2] remove runAsUser field from containerSecurityContext in deployment templates

---
 templates/config/controller/deployment.yaml.tpl | 1 -
 templates/helm/templates/deployment.yaml | 1 -
 2 files changed, 2 deletions(-)

diff --git a/templates/config/controller/deployment.yaml.tpl b/templates/config/controller/deployment.yaml.tpl
index 64122dc0..e43a2d9f 100644
--- a/templates/config/controller/deployment.yaml.tpl
+++ b/templates/config/controller/deployment.yaml.tpl
@@ -57,7 +57,6 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
- runAsUser: 1000
 capabilities:
 drop:
 - ALL
diff --git a/templates/helm/templates/deployment.yaml b/templates/helm/templates/deployment.yaml
index a03eb3a1..b60d9246 100644
--- a/templates/helm/templates/deployment.yaml
+++ b/templates/helm/templates/deployment.yaml
@@ -77,7 +77,6 @@ spec:
 allowPrivilegeEscalation: false
 privileged: false
 runAsNonRoot: true
- runAsUser: 1000
 capabilities:
 drop:
 - ALL