Skip to content

Commit c003da1

Browse files
seb-kwseb-kw
committed
Sets nonroot user for devguard api image, in helm default values and improves docker compose try it
Signed-off-by: Sebastian Kawelke <sebastian.kawelke@l3montree.com>
1 parent 722eb3a commit c003da1

3 files changed

Lines changed: 34 additions & 10 deletions

File tree

Dockerfile

Lines changed: 9 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -24,15 +24,17 @@ ENV FLAGS="ldflags='-X main.release=devguard@${GITHUB_REF_NAME}'"
2424
RUN CGO_ENABLED=0 make devguard
2525
RUN CGO_ENABLED=0 make devguard-cli
2626

27-
FROM gcr.io/distroless/static-debian12@sha256:b7b9a6953e7bed6baaf37329331051d7bdc1b99c885f6dbeb72d75b1baad54f9
27+
FROM gcr.io/distroless/static-debian12:nonroot@sha256:cdf4daaf154e3e27cfffc799c16f343a384228f38646928a1513d925f473cb46
28+
29+
USER 53111
2830

2931
WORKDIR /
3032

31-
COPY config/rbac_model.conf /config/rbac_model.conf
32-
COPY --from=build /go/src/app/devguard /usr/local/bin/devguard
33-
COPY --from=build /go/src/app/devguard-cli /usr/local/bin/devguard-cli
34-
COPY templates /templates
35-
COPY intoto-public-key.pem /intoto-public-key.pem
36-
COPY cosign.pub /cosign.pub
33+
COPY --chown=53111:53111 config/rbac_model.conf /config/rbac_model.conf
34+
COPY --chown=53111:53111 --from=build /go/src/app/devguard /usr/local/bin/devguard
35+
COPY --chown=53111:53111 --from=build /go/src/app/devguard-cli /usr/local/bin/devguard-cli
36+
COPY --chown=53111:53111 templates /templates
37+
COPY --chown=53111:53111 intoto-public-key.pem /intoto-public-key.pem
38+
COPY --chown=53111:53111 cosign.pub /cosign.pub
3739

3840
CMD ["devguard"]

charts/devguard/values.yaml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -44,9 +44,11 @@ api:
4444
capabilities:
4545
drop:
4646
- ALL
47-
#readOnlyRootFilesystem: true
48-
#runAsNonRoot: true
49-
#runAsUser: 1000
47+
seccompProfile:
48+
type: RuntimeDefault
49+
allowPrivilegeEscalation: false
50+
runAsNonRoot: true
51+
runAsUser: 53111
5052

5153
autoscaling:
5254
enabled: false

docker-compose-try-it.yaml

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ services:
44
postgresql:
55
image: ghcr.io/l3montree-dev/devguard/postgresql:0.13.2
66
container_name: devguard-postgres
7+
security_opt:
8+
- no-new-privileges:true
79
environment:
810
POSTGRES_USER: postgres
911
POSTGRES_PASSWORD: password
@@ -23,6 +25,10 @@ services:
2325

2426
kratos-migrate:
2527
image: oryd/kratos:v1.3.1
28+
security_opt:
29+
- no-new-privileges:true
30+
cap_drop:
31+
- ALL
2632
depends_on:
2733
postgresql:
2834
condition: service_healthy
@@ -39,6 +45,11 @@ services:
3945
kratos:
4046
image: oryd/kratos:v1.3.1
4147
container_name: devguard-kratos
48+
security_opt:
49+
- no-new-privileges:true
50+
cap_drop:
51+
- ALL
52+
user: "53111"
4253
depends_on:
4354
postgresql:
4455
condition: service_healthy
@@ -62,6 +73,11 @@ services:
6273
devguard-api:
6374
image: ghcr.io/l3montree-dev/devguard:0.13.2
6475
container_name: devguard-api
76+
security_opt:
77+
- no-new-privileges:true
78+
cap_drop:
79+
- ALL
80+
user: "53111"
6581
depends_on:
6682
postgresql:
6783
condition: service_healthy
@@ -87,6 +103,10 @@ services:
87103
devguard-web:
88104
image: ghcr.io/l3montree-dev/devguard-web:0.13.2
89105
container_name: devguard-web
106+
security_opt:
107+
- no-new-privileges:true
108+
cap_drop:
109+
- ALL
90110
depends_on:
91111
- devguard-api
92112
ports:

0 commit comments

Comments
 (0)