[security] default to run as non root user nobody (#26)

* Run as nobody user * Document update regarding hardening
blake · Mar 10, 2024 · 2b32508 · 2b32508
1 parent 5a24458
commit 2b32508
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.16
+FROM --platform=$BUILDPLATFORM golang:1.16 as build
 LABEL maintainer="Blake Covarrubias <[email protected]>" \
       org.opencontainers.image.authors="Blake Covarrubias <[email protected]>" \
       org.opencontainers.image.description="Advertises records for Kubernetes resources over multicast DNS." \
@@ -14,11 +14,15 @@ ARG TARGETVARIANT
 ADD . /go/src/github.com/blake/external-mdns
 WORKDIR /go/src/github.com/blake/external-mdns
 
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=$(echo ${TARGETVARIANT} | cut -c2) \
+RUN mkdir -p /release/etc &&\
+    echo nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin > /release/etc/passwd &&\
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=$(echo ${TARGETVARIANT} | cut -c2) \
     go build \
     -ldflags="-s -w" \
-    -o external-mdns .
+    -o /release/external-mdns .
+
 
 FROM scratch
-COPY --from=0 /go/src/github.com/blake/external-mdns/external-mdns /external-mdns
+COPY --from=build /release /
+USER nobody
 ENTRYPOINT ["/external-mdns"]
diff --git a/README.md b/README.md
@@ -89,9 +89,19 @@ spec:
       labels:
         app: external-mdns
     spec:
+      securityContext:
+        runAsUser: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
       hostNetwork: true
+      serviceAccountName: external-mdns
       containers:
       - name: external-mdns
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         image: blakec/external-mdns:latest
         args:
         - -source=ingress
@@ -147,10 +157,19 @@ spec:
       labels:
         app: external-mdns
     spec:
+      securityContext:
+        runAsUser: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
       hostNetwork: true
       serviceAccountName: external-mdns
       containers:
       - name: external-mdns
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         image: blakec/external-mdns:latest
         args:
         - -source=ingress