chore(Dockerfile): bump alpine version and set uid for 'kafka-proxy' user

sebastiangaiser · sebastiangaiser · commit a22e9532c206 · 2025-01-17T14:58:54.000Z
Signed-off-by: Sebastian Gaiser &lt;sebastiangaiser@users.noreply.github.com&gt;
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine3.19 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-alpine3.21 AS builder
 RUN apk add alpine-sdk ca-certificates
 
 ARG TARGETOS
@@ -21,7 +21,7 @@ RUN mkdir -p build && \
     go build -mod=vendor -o build/kafka-proxy \
     -ldflags "${LDFLAGS}" .
 
-FROM --platform=$BUILDPLATFORM alpine:3.19
+FROM --platform=$BUILDPLATFORM alpine:3.21
 RUN apk add --no-cache ca-certificates libcap
 RUN adduser \
         --disabled-password \
diff --git a/Dockerfile.all b/Dockerfile.all
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine3.19 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.22-alpine3.21 AS builder
 RUN apk add alpine-sdk ca-certificates
 
 ARG TARGETOS
@@ -27,7 +27,7 @@ RUN mkdir -p build && \
     go build -mod=vendor -o build/unsecured-jwt-provider -ldflags "${LDFLAGS}" cmd/plugin-unsecured-jwt-provider/main.go && \
     go build -mod=vendor -o build/oidc-provider -ldflags "${LDFLAGS}" cmd/plugin-oidc-provider/main.go
 
-FROM --platform=$BUILDPLATFORM alpine:3.19
+FROM --platform=$BUILDPLATFORM alpine:3.21
 RUN apk add --no-cache ca-certificates libcap
 RUN adduser \
         --disabled-password \
@@ -50,4 +50,3 @@ RUN setcap 'cap_net_bind_service=+ep' /opt/kafka-proxy/bin/kafka-proxy && \
 USER kafka-proxy
 ENTRYPOINT ["/opt/kafka-proxy/bin/kafka-proxy"]
 CMD ["--help"]
-
diff --git a/README.md b/README.md
@@ -496,6 +496,17 @@ spec:
           ports:
           - name: metrics
             containerPort: 9080
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            seccompProfile:
+              type: RuntimeDefault
           livenessProbe:
             httpGet:
               path: /health
@@ -591,6 +602,17 @@ spec:
             mountPath: "/var/run/secret/kafka-client-certificate"
           - name: "tls-client-key-file"
             mountPath: "/var/run/secret/kafka-client-key"
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 65534
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+            seccompProfile:
+              type: RuntimeDefault
           ports:
           - name: metrics
             containerPort: 9080
