Enforce runAsNonRoot

BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Paulo Gomes <[email protected]>

Author: Paulo Gomes

Dockerfile

@@ -90,10 +90,6 @@ FROM debian:bookworm-slim as controller
 # Link repo to the GitHub Container Registry image
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 
-# Configure user
-RUN addgroup --gid 65532 controller && \
-	useradd -u 65532 -s /sbin/nologin -g controller controller
-
 ARG TARGETPLATFORM
 RUN apt update && apt install -y ca-certificates
 
@@ -102,5 +98,5 @@ COPY --from=build /workspace/source-controller /usr/local/bin/
 COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version /
 COPY ATTRIBUTIONS.md /
 
-USER controller
+USER 65534:65534
 ENTRYPOINT [ "source-controller" ]

config/manager/deployment.yaml

@@ -31,6 +31,7 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
           capabilities:
             drop: [ "ALL" ]
           seccompProfile: