Commit ae19790

TUN-9540: Use numeric user id for Dockerfiles
## Summary

This commit changes the USER instruction in our Dockerfiles from using the string "nonroot" to its numeric ID "65532". This change is necessary because Kubernetes does not support string-based user IDs in security contexts, requiring numeric IDs instead. The nonroot user maps to 65532 in distroless images.
1 parent 6ec6995 commit ae19790

3 files changed

+15
-6
lines changed

Dockerfile

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -27,8 +27,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
2727
# copy our compiled binary
2828
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
2929

30-
# run as non-privileged user
31-
USER nonroot
30+
# run as nonroot user
31+
# We need to use numeric user id's because Kubernetes doesn't support strings:
32+
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
33+
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
34+
USER 65532:65532
3235

3336
# command / entrypoint of container
3437
ENTRYPOINT ["cloudflared", "--no-autoupdate"]
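Review bot: The `COPY --from=builder --chown=nonroot ...` line two lines above the new `USER` instruction still resolves the owner by name while `USER` now uses the numeric id, so the two lines depend on different mechanisms for the same identity; consider `--chown=65532:65532` so that ownership and the running user are pinned to the same numeric pair and the image no longer needs the name-to-id lookup at build time. It is also worth stating in the comment that `USER 65532:65532` sets both the uid and the primary gid, whereas `USER nonroot` took the group from the passwd entry, so reviewers can confirm the two forms are equivalent for the distroless base.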

Dockerfile.amd64

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -22,8 +22,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
2222
# copy our compiled binary
2323
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
2424

25-
# run as non-privileged user
26-
USER nonroot
25+
# run as nonroot user
26+
# We need to use numeric user id's because Kubernetes doesn't support strings:
27+
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
28+
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
29+
USER 65532:65532
2730

2831
# command / entrypoint of container
2932
ENTRYPOINT ["cloudflared", "--no-autoupdate"]
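Review bot: The comment `# We need to use numeric user id's because Kubernetes doesn't support strings:` is broader than what the linked `security_context_others.go` code enforces; Kubernetes runs images with a named `USER` fine in general, the restriction is that the kubelet cannot verify a non-numeric image user when a pod sets `runAsNonRoot: true`, so the comment should name that check explicitly (for example `# Kubernetes' runAsNonRoot check cannot verify a non-numeric USER:`) to make the reason for the change precise for the next reader. The `user id's` spelling should also be `user ids`.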

Dockerfile.arm64

Lines changed: 5 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -22,8 +22,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
2222
# copy our compiled binary
2323
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
2424

25-
# run as non-privileged user
26-
USER nonroot
25+
# run as nonroot user
26+
# We need to use numeric user id's because Kubernetes doesn't support strings:
27+
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
28+
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
29+
USER 65532:65532
2730

2831
# command / entrypoint of container
2932
ENTRYPOINT ["cloudflared", "--no-autoupdate"]
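Review bot: The numeric id in `USER 65532:65532` is a property of the distroless base image (the `variables.bzl` link in the comment), not of this repository, so the three copies of this block in `Dockerfile`, `Dockerfile.amd64` and `Dockerfile.arm64` will silently stop meaning "nonroot" if the base image or its passwd mapping ever changes; consider defining the id once per file with an `ARG` (for example `ARG NONROOT_UID=65532` and `USER ${NONROOT_UID}:${NONROOT_UID}`) and adding a CI check that the built image's `/etc/passwd` still maps `nonroot` to `65532`, so drift between the comment, the number and the base image is caught rather than assumed.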
