Merge pull request #521 from pjbgf/main

stefanprodan · web-flow · commit e84031ae605d · 2022-01-20T08:55:05.000+02:00
security: Drop capabilities, set userid and enable seccomp
diff --git a/Dockerfile b/Dockerfile
@@ -90,10 +90,6 @@ FROM debian:bookworm-slim as controller
 # Link repo to the GitHub Container Registry image
 LABEL org.opencontainers.image.source="https://github.com/fluxcd/source-controller"
 
-# Configure user
-RUN groupadd controller && \
-    useradd --gid controller --shell /bin/sh --create-home controller
-
 ARG TARGETPLATFORM
 RUN apt update && apt install -y ca-certificates
 
@@ -102,5 +98,5 @@ COPY --from=build /workspace/source-controller /usr/local/bin/
 COPY --from=libgit2-bullseye /libgit2/built-on-glibc-version /
 COPY ATTRIBUTIONS.md /
 
-USER controller
+USER 65534:65534
 ENTRYPOINT [ "source-controller" ]
diff --git a/config/manager/deployment.yaml b/config/manager/deployment.yaml
@@ -20,9 +20,9 @@ spec:
         prometheus.io/port: "8080"
     spec:
       terminationGracePeriodSeconds: 10
-      # Required for AWS IAM Role bindings
-      # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
       securityContext:
+        # Required for AWS IAM Role bindings
+        # https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-technical-overview.html
         fsGroup: 1337
       containers:
       - name: manager
@@ -31,6 +31,11 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          capabilities:
+            drop: [ "ALL" ]
+          seccompProfile:
+            type: RuntimeDefault
         ports:
           - containerPort: 9090
             name: http
