change Docker image to run as nonroot for k8s clusters restricting to runAsNonRoot (#1029)

trentm · web-flow · commit fd8a98eef420 · 2026-04-01T13:40:24.000+01:00
Refs: elastic/elastic-otel-node#1398
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,6 +1,8 @@
 FROM docker.elastic.co/wolfi/chainguard-base:latest@sha256:b2134dbfbcfb987eec9c249fc81111963de596ff76098775c2444a2869401d9c
 ARG JAR_FILE
 ARG EXTENSION_JAR_FILE
-COPY ${JAR_FILE} /javaagent.jar
-COPY ${EXTENSION_JAR_FILE} /extensions/elastic-otel-agentextension.jar 
+COPY --chown=65532:65532 ${JAR_FILE} /javaagent.jar
+COPY --chown=65532:65532 ${EXTENSION_JAR_FILE} /extensions/elastic-otel-agentextension.jar
+# Use wolfi's "nonroot" user/group to satisfy k8s runAsNonRoot security policies.
+USER 65532:65532
 RUN chmod go+r /javaagent.jar /extensions
