From b253c2a056759140af7b73480dd523eae0f37e17 Mon Sep 17 00:00:00 2001
From: Michel Thebeau
Date: Mon, 8 Jul 2024 13:15:09 +0000
Subject: [PATCH] run vault-manager as non-root

Docker image security scan complains about running as root.

Add a 'manager' user/group for vault-manager.

Test Plan:
PASS vault application sanity
PASS Twistlock scan

Story: 2011073
Task: 50522

Change-Id: I87a00a8bc41a39a00e871dbe84aa32f76e8ec768
Signed-off-by: Michel Thebeau
---
 stx-vault-manager/debian/docker/Dockerfile | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/stx-vault-manager/debian/docker/Dockerfile b/stx-vault-manager/debian/docker/Dockerfile
index 945363b..e01126f 100644
--- a/stx-vault-manager/debian/docker/Dockerfile
+++ b/stx-vault-manager/debian/docker/Dockerfile
@@ -1,5 +1,7 @@
 FROM debian:stable-slim
 
+USER root
+
 # Support versions of kubernetes back two releases of starlingx
 # Versions older than 1.26 can be listed from:
 # https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md
@@ -11,6 +13,7 @@ ENV KUBE_VERSIONS="v1.29.6 v1.28.11 v1.27.15 v1.26.15 v1.25.16 v1.24.17"
 ENV KUBECTL_DL_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBE_LATEST_VERSION}/bin/linux/amd64/kubectl"
 ENV KUBECTL_INSTALL_PATH="/usr/local/bin"
 
+# install vault-manager's required packages
 RUN set -ex; \
     PKG_LIST="mawk bash coreutils curl grep sed jq uuid-runtime"; \
     apt-get update && apt-get install -y $PKG_LIST \
@@ -31,4 +34,11 @@ RUN set -ex; \
     ln -s ${KUBECTL_INSTALL_PATH}/kubectl.${KUBE_LATEST_VERSION%.*} \
     ${KUBECTL_INSTALL_PATH}/kubectl
 
+# create a non-root user/group for vault-manager
+RUN groupadd --gid 1000 manager \
+    && adduser --uid 1000 --gid 1000 manager \
+    --home /workdir --shell /bin/bash
+
+USER manager
+
 CMD ["bash"]
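Review bot: `USER root` added right after `FROM debian:stable-slim` is a no-op, since that base image already builds as root; its only value is to make the privileged build section explicit, and a comment should say so, e.g. `# build steps below need root; the image drops to a non-root user before CMD`. Without the comment a later reader may assume the base image ships a non-root default and remove or reorder it. Nothing else in this hunk changes behaviour.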
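Review bot: `USER manager` sets the runtime user by name rather than by UID, so a Kubernetes pod that sets `securityContext.runAsNonRoot: true` without an explicit `runAsUser` cannot verify the image user and the kubelet refuses to start the container ("non-numeric user"); as this image is built around kubectl and presumably runs on the StarlingX cluster, prefer `USER 1000:1000`, the UID/GID the hunk already pins. Debian's `adduser` is interactive by default and attempts passwd/chfn during the build unless told otherwise, so either add `--disabled-password --gecos ""` or use `useradd --uid 1000 --gid 1000 --home-dir /workdir --create-home --shell /bin/bash manager` to match the non-interactive `groupadd` call; the test plan reports a passing build, so this may be a robustness point only. The home is created at `/workdir` but no `WORKDIR /workdir` follows, so the process still starts in `/`, and any path the vault-manager script previously wrote to as root must now be writable by UID 1000 — worth confirming against the script, which is outside this change.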