Enforce runAsNonRoot

BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Paulo Gomes <paulo.gomes@weave.works>

Dockerfile

@@ -90,10 +90,6 @@ FROM debian:bookworm-slim as controller
 # Link repo to the GitHub Container Registry image
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 
-# Configure user
-RUN addgroup --gid 65532 controller && \
- useradd -u 65532 -s /sbin/nologin -g controller controller
-
 ARG TARGETPLATFORM
 RUN apt update && apt install -y ca-certificates
 
@@ -102,5 +98,5 @@ COPY --from=build /workspace/source-controller /usr/local/bin/
 COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version /
 COPY ATTRIBUTIONS.md /
 
-USER controller
+USER 65534:65534
 ENTRYPOINT [ "source-controller" ]

config/manager/deployment.yaml

@@ -31,6 +31,7 @@ spec:
  securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
+ runAsNonRoot: true
  capabilities:
  drop: [ "ALL" ]
  seccompProfile: