Controller runs as a non-root user.

Closes #38

Controller runs as a non-root user.
Closes #38
fc5c45b1 · Geoff Simmons · 1821f0b9 · fc5c45b1 · fc5c45b1 · fc5c45b1
Commit fc5c45b1 authored Oct 02, 2020 by Geoff Simmons
Showing with 29 additions and 4 deletions

Dockerfile.controller container/Dockerfile.controller +11 -0

controller.yaml deploy/controller.yaml +9 -2

controller.yaml examples/architectures/multi-controller/controller.yaml +9 -2

No files found.
--- a/container/Dockerfile.controller
+++ b/container/Dockerfile.controller
 FROM golang:1.11.6 as builder
+
 RUN go get -d -v github.com/slimhazard/gogitversion && \
    cd /go/src/github.com/slimhazard/gogitversion && \
    make install
@@ -12,6 +13,7 @@ COPY go.sum .

 ENV GO111MODULE=on
 RUN go mod download
+RUN go mod verify

 COPY ./pkg/ /go/src/code.uplex.de/uplex-varnish/k8s-ingress/pkg/
 COPY ./cmd/ /go/src/code.uplex.de/uplex-varnish/k8s-ingress/cmd/
@@ -21,6 +23,15 @@ RUN go generate ./cmd/... && go build ./pkg/... ./cmd/... && \
    CGO_ENABLED=0 GOOS=linux go build -ldflags="-w -s" -o k8s-ingress cmd/*.go

 FROM alpine:3.11.0
+ENV USER=controller UID=10001
+
+RUN adduser --disabled-password --gecos "viking controller" \
+	--home "/nonexistent" --shell "/sbin/nologin" --no-create-home \
+        --uid "${UID}" \
+        "${USER}"
+
 COPY --from=builder /go/src/code.uplex.de/uplex-varnish/k8s-ingress/k8s-ingress /k8s-ingress
 COPY --from=builder /go/src/code.uplex.de/uplex-varnish/k8s-ingress/pkg/varnish/vcl/*.tmpl /
+
+USER controller:controller
 ENTRYPOINT ["/k8s-ingress"]
--- a/deploy/controller.yaml
+++ b/deploy/controller.yaml
@@ -21,6 +21,9 @@ spec:
        ports:
        - name: http
          containerPort: 8080
+        volumeMounts:
+          - name: run
+            mountPath: "/run"
        livenessProbe:
          exec:
            command:
@@ -33,6 +36,10 @@ spec:
            command:
            - /usr/bin/test
            - -e
-            - /ready
+            - /run/controller-ready
        args:
-        - -readyfile=/ready
+        - -readyfile=/run/controller-ready
+      volumes:
+        - name: run
+          emptyDir:
+            medium: "Memory"
--- a/examples/architectures/multi-controller/controller.yaml
+++ b/examples/architectures/multi-controller/controller.yaml
@@ -22,6 +22,9 @@ spec:
        ports:
        - name: http
          containerPort: 8080
+        volumeMounts:
+          - name: run
+            mountPath: "/run"
        livenessProbe:
          exec:
            command:
@@ -34,7 +37,11 @@ spec:
            command:
            - /usr/bin/test
            - -e
-            - /ready
+            - /run/controller-ready
        args:
-        - -readyfile=/ready
+        - -readyfile=/run/controller-ready
        - -class=varnish-coffee
+      volumes:
+        - name: run
+          emptyDir:
+            medium: "Memory"