Run as non root

ibot3 · ibot3 · commit 6b5ca7310404 · 2025-11-23T11:08:17.000+01:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,9 @@
 # Use Python 3.13 slim image
 FROM python:3.13-slim
 
+# Create non-root user
+RUN groupadd -r syncuser && useradd -r -g syncuser -u 1000 syncuser
+
 # Set working directory
 WORKDIR /app
 
@@ -10,6 +13,7 @@ RUN apt-get update && \
     libldap2-dev \
     libsasl2-dev \
     gcc \
+    procps \
     && rm -rf /var/lib/apt/lists/*
 
 # Copy requirements first for better layer caching
@@ -21,12 +25,17 @@ RUN pip install --no-cache-dir -r requirements.txt
 # Copy application code
 COPY *.py ./
 
-# Create log directory
-RUN mkdir -p /var/log/ldap-openfga-sync
-
+# Copy entrypoint script
 COPY entrypoint.sh /app/entrypoint.sh
 RUN chmod +x /app/entrypoint.sh
 
+# Create log directory and set ownership
+RUN mkdir -p /var/log/ldap-openfga-sync && \
+    chown -R syncuser:syncuser /app /var/log/ldap-openfga-sync
+
+# Switch to non-root user
+USER syncuser
+
 # Expose volume for logs
 VOLUME ["/var/log/ldap-openfga-sync"]
 
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ This script synchronizes group memberships from LDAP to OpenFGA using the [diffs
 - Supports dry-run mode to preview changes before applying them
 - Users are identified by their email addresses
 - Comprehensive logging
+- Runs as non-root user for enhanced security
 
 ## Requirements
 
diff --git a/helm/ldap-openfga-sync/values.yaml b/helm/ldap-openfga-sync/values.yaml
@@ -31,6 +31,7 @@ podLabels: {}
 podSecurityContext:
   runAsNonRoot: true
   runAsUser: 1000
+  runAsGroup: 1000
   fsGroup: 1000
 
 securityContext:
@@ -39,6 +40,8 @@ securityContext:
     drop:
     - ALL
   readOnlyRootFilesystem: false
+  runAsNonRoot: true
+  runAsUser: 1000
 
 resources:
   limits:
