feat: add non-root user to Docker images for PSA restricted compliance

will-corrigan · will-corrigan · commit a053362687f2 · 2026-03-20T22:20:35.000Z
Create a hatchet system user (UID 1000) in all three Dockerfiles so
Kubernetes deployments can opt into non-root execution via securityContext.

Images continue to run as root by default for backward compatibility.
To run as non-root, set runAsUser: 1000 in the pod securityContext or
pass --user 1000 to docker run.

Signed-off-by: Will Corrigan &lt;will-corrigan@users.noreply.github.com&gt;
diff --git a/build/package/dashboard.dockerfile b/build/package/dashboard.dockerfile
@@ -33,6 +33,11 @@ COPY --from=frontend-build /app/dist /usr/share/nginx/html
 # Make entrypoint script executable
 RUN chmod +x ./entrypoint.sh
 
+# Create non-root user for Kubernetes Pod Security Standards compliance.
+# Image defaults to root for backward compatibility (nginx requires root for port 80).
+# For non-root nginx, consider nginxinc/nginx-unprivileged:alpine in a future major version.
+RUN addgroup -S hatchet && adduser -S -G hatchet -H -s /sbin/nologin -u 1000 hatchet
+
 EXPOSE 80
 
 # Run the entrypoint script
diff --git a/build/package/frontend.dockerfile b/build/package/frontend.dockerfile
@@ -29,6 +29,12 @@ WORKDIR /app
 COPY --from=build /app/dist ./dist
 COPY --from=staticfileserver /app/hatchet-staticfileserver ./hatchet-staticfileserver
 
+# Create non-root user for Kubernetes Pod Security Standards compliance.
+# Image defaults to root for backward compatibility. To run as non-root,
+# set securityContext.runAsUser: 1000 in your Kubernetes pod spec or
+# pass --user 1000 to docker run.
+RUN addgroup -S hatchet && adduser -S -G hatchet -H -s /sbin/nologin -u 1000 hatchet
+
 EXPOSE 80
 
 CMD ["/app/hatchet-staticfileserver", "-static-asset-dir", "/app/dist"]
diff --git a/build/package/servers.dockerfile b/build/package/servers.dockerfile
@@ -81,6 +81,12 @@ COPY --from=build-go /hatchet/bin/hatchet-${SERVER_TARGET} /hatchet/
 COPY /hack/db/atlas-apply.sh ./atlas-apply.sh
 RUN chmod +x ./atlas-apply.sh
 
+# Create non-root user for Kubernetes Pod Security Standards compliance.
+# Image defaults to root for backward compatibility. To run as non-root,
+# set securityContext.runAsUser: 1000 in your Kubernetes pod spec or
+# pass --user 1000 to docker run.
+RUN addgroup -S hatchet && adduser -S -G hatchet -H -s /sbin/nologin -u 1000 hatchet
+
 EXPOSE 8080
 
 CMD ["/bin/sh", "-c", "/hatchet/hatchet-${SERVER_TARGET}"]
