fix container as a non-root user #3049

yurake · Feb 15, 2023 · 5144e94 · 5144e94
1 parent 0e01648
commit 5144e94
Show file tree

Hide file tree

Showing 10 changed files with 30 additions and 5 deletions.
diff --git a/kubernetes/cassandra/Dockerfile b/kubernetes/cassandra/Dockerfile
@@ -3,6 +3,8 @@ ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE org.label-schema.vcs-ref=$VCS_REF \
   org.label-schema.vcs-url="https://github.com/yurake/k8s-3tier-webapp"
+USER cassandra
+WORKDIR /opt/cassandra
 COPY entrypoint-wrap.sh /
 COPY init /docker-entrypoint-initdb.d
 ENTRYPOINT ["/entrypoint-wrap.sh"]

diff --git a/kubernetes/mongodb/Dockerfile b/kubernetes/mongodb/Dockerfile
@@ -3,4 +3,5 @@ ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url="https://github.com/yurake/k8s-3tier-webapp"
+USER mongodb
 COPY init /docker-entrypoint-initdb.d
diff --git a/kubernetes/monitoring/test/postmannewman/quarkus/Dockerfile b/kubernetes/monitoring/test/postmannewman/quarkus/Dockerfile
@@ -3,5 +3,7 @@ ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url="https://github.com/yurake/k8s-3tier-webapp"
+RUN addgroup -S newman && adduser -S newman -G newman
+USER newman
 COPY hostname-quarkus.postman_environment.json /etc/newman/
 COPY jaxrs-quarkus.postman_collection.json /etc/newman/
diff --git a/kubernetes/mysql/Dockerfile b/kubernetes/mysql/Dockerfile
@@ -3,4 +3,5 @@ ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url="https://github.com/yurake/k8s-3tier-webapp"
-COPY init /docker-entrypoint-initdb.d
+USER mysql
+COPY init /docker-entrypoint-initdb.d
diff --git a/kubernetes/nginx/Dockerfile b/kubernetes/nginx/Dockerfile
@@ -4,5 +4,21 @@ ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url="https://github.com/yurake/k8s-3tier-webapp"
+
 COPY default.conf /etc/nginx/conf.d/default.conf
 COPY docs /etc/nginx/docs
+
+# Implement changes required to run NGINX as an unprivileged user
+RUN sed -i '/user  nginx;/d' /etc/nginx/nginx.conf \
+    && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
+    && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n \
+    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n \
+    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
+    # Nginx user must own the cache and etc directory to write cache and tweak the nginx config
+    && chown -R nginx:nginx /var/cache/nginx \
+    && chmod -R g+w /var/cache/nginx \
+    && chown -R nginx:nginx /etc/nginx \
+    && chmod -R g+w /etc/nginx
+
+EXPOSE 8080
+USER nginx
diff --git a/kubernetes/nginx/default.conf b/kubernetes/nginx/default.conf
@@ -1,6 +1,6 @@
 server {
 
-    listen       80;
+    listen       8080;
     server_name  localhost;
 
     root /etc/nginx/docs;

diff --git a/kubernetes/nginx/nginx-deployment.yaml b/kubernetes/nginx/nginx-deployment.yaml
@@ -22,10 +22,10 @@ spec:
           image: yurak/nginx:latest
           imagePullPolicy: Always
           ports:
-            - containerPort: 80
+            - containerPort: 8080
           livenessProbe:
             tcpSocket:
-              port: 80
+              port: 8080
           readinessProbe:
             httpGet:
               port: 9113

diff --git a/kubernetes/nginx/nginx-service.yaml b/kubernetes/nginx/nginx-service.yaml
@@ -8,4 +8,4 @@ spec:
     app: nginx
   ports:
     - protocol: TCP
-      port: 80
+      port: 8080
diff --git a/kubernetes/postgres/Dockerfile b/kubernetes/postgres/Dockerfile
@@ -3,6 +3,7 @@ ARG BUILD_DATE
 ARG VCS_REF
 LABEL org.label-schema.build-date=$BUILD_DATE org.label-schema.vcs-ref=$VCS_REF \
     org.label-schema.vcs-url="https://github.com/yurake/k8s-3tier-webapp"
+USER postgres
 COPY init /docker-entrypoint-initdb.d
 COPY conf/postgresql.conf /etc/postgresql/postgresql.conf
 CMD ["postgres", "-c", "config_file=/etc/postgresql/postgresql.conf"]
diff --git a/kubernetes/rabbitmq/Dockerfile b/kubernetes/rabbitmq/Dockerfile
@@ -11,6 +11,8 @@ RUN apk update && \
     apk --no-cache add tzdata && \
     cp /usr/share/zoneinfo/Asia/Tokyo /etc/localtime && \
     apk del tzdata
+USER rabbitmq
+
 COPY custom_definitions.json /etc/rabbitmq/
 RUN printf 'management.load_definitions = /etc/rabbitmq/custom_definitions.json\n' >> /etc/rabbitmq/rabbitmq.conf && \
     rabbitmq-plugins enable rabbitmq_prometheus