diff --git a/Dockerfile b/Dockerfile
index d61a2a7..a11630e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.16
+FROM --platform=$BUILDPLATFORM golang:1.16 as build
 LABEL maintainer="Blake Covarrubias " \
     org.opencontainers.image.authors="Blake Covarrubias " \
     org.opencontainers.image.description="Advertises records for Kubernetes resources over multicast DNS." \
@@ -14,11 +14,15 @@ ARG TARGETVARIANT
 ADD . /go/src/github.com/blake/external-mdns
 WORKDIR /go/src/github.com/blake/external-mdns
-RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=$(echo ${TARGETVARIANT} | cut -c2) \
+RUN mkdir -p /release/etc &&\
+    echo nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin > /release/etc/passwd &&\
+    CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} GOARM=$(echo ${TARGETVARIANT} | cut -c2) \
     go build \
     -ldflags="-s -w" \
-    -o external-mdns .
+    -o /release/external-mdns .
+
 FROM scratch
-COPY --from=0 /go/src/github.com/blake/external-mdns/external-mdns /external-mdns
+COPY --from=build /release /
+USER nobody
 ENTRYPOINT ["/external-mdns"]
diff --git a/README.md b/README.md
index 9524f6f..d9944bd 100644
--- a/README.md
+++ b/README.md
@@ -89,9 +89,19 @@ spec:
       labels:
         app: external-mdns
     spec:
+      securityContext:
+        runAsUser: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
       hostNetwork: true
+      serviceAccountName: external-mdns
       containers:
       - name: external-mdns
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         image: blakec/external-mdns:latest
         args:
         - -source=ingress
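Review bot: `USER nobody` in the scratch stage is a name rather than a UID, so a runtime that must prove the process is non-root without consulting the image's /etc/passwd cannot do so; in particular Kubernetes' `runAsNonRoot: true` check refuses to start a container whose image user is non-numeric unless `runAsUser` is also set in the pod spec. The README hunks in this same commit do set `runAsUser: 65534`, so the shipped manifests are unaffected, but anyone who copies only `runAsNonRoot` will hit that error. Changing the last stage to `USER 65534:65534` makes the check pass on its own while the passwd entry written in the build stage still lets tooling resolve the name. I would also add a comment above the `echo nobody:x:65534:...` line saying that the file exists only so the scratch image can resolve the nobody user and that the UID must stay in sync with the `runAsUser` in the README manifests.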
@@ -147,10 +157,19 @@ spec:
       labels:
         app: external-mdns
     spec:
+      securityContext:
+        runAsUser: 65534
+        runAsGroup: 65534
+        runAsNonRoot: true
       hostNetwork: true
       serviceAccountName: external-mdns
       containers:
       - name: external-mdns
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: ["ALL"]
         image: blakec/external-mdns:latest
         args:
         - -source=ingress