Merge pull request #252 from andyzhangx/nonroot

fix: create nonroot user in Dockerfile

Author: andyzhangx

charts/latest/blob-csi-driver/templates/csi-blob-controller.yaml

@@ -96,6 +96,8 @@ spec:
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
           imagePullPolicy: {{ .Values.image.blob.pullPolicy }}
+          securityContext:
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

charts/latest/blob-csi-driver/templates/csi-blob-node.yaml

@@ -106,6 +106,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           securityContext:
             privileged: true
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

deploy/csi-blob-controller.yaml

@@ -93,6 +93,8 @@ spec:
                   optional: true
             - name: CSI_ENDPOINT
               value: unix:///csi/csi.sock
+          securityContext:
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

deploy/csi-blob-node.yaml

@@ -104,6 +104,7 @@ spec:
                   fieldPath: spec.nodeName
           securityContext:
             privileged: true
+            runAsUser: 0
           volumeMounts:
             - mountPath: /csi
               name: socket-dir

pkg/blobplugin/Dockerfile

@@ -30,4 +30,8 @@ RUN apt update && apt install nfs-common nfs-kernel-server -y || true
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"
 
+# Create a nonroot user
+RUN useradd -u 10001 nonroot
+USER nonroot
+
 ENTRYPOINT ["/blobplugin"]

pkg/blobplugin/dev.Dockerfile

@@ -18,5 +18,9 @@ RUN dpkg -i /tmp/packages-microsoft-prod.deb && apt-get update && apt-get instal
 LABEL maintainers="andyzhangx"
 LABEL description="Azure Blob Storage CSI driver"
 
+# Create a nonroot user
+RUN useradd -u 10001 nonroot
+USER nonroot
+
 COPY ./_output/blobplugin /blobplugin
 ENTRYPOINT ["/blobplugin"]