Enhance security (#151)

* Added USER to Dockerfile * Added pod and container securityContext --------- Co-authored-by: Matteo Baiguini <[email protected]>
doitintl · May 15, 2024 · ec9e80d · ec9e80d
1 parent f24b10b
commit ec9e80d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -34,5 +34,7 @@ COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 # copy the binary to the production image from the builder stage
 COPY --from=builder /app/.bin/kubeip-agent /kubeip-agent
 
+USER 1001
+
 ENTRYPOINT ["/kubeip-agent"]
 CMD ["run"]
diff --git a/chart/templates/daemonset.yaml b/chart/templates/daemonset.yaml
@@ -29,6 +29,11 @@ spec:
           effect: "NoSchedule"
         - operator: "Exists"
           effect: "NoExecute"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1001
+        runAsGroup: 1001
+        fsGroup: 1001
       containers:
         - name: kubeip
           image: "{{ .Values.image.repository }}"
@@ -48,3 +53,10 @@ spec:
               value: {{ .Values.daemonSet.env.LOG_LEVEL | quote }}
             - name: LOG_JSON
               value: {{ .Values.daemonSet.env.LOG_JSON | quote }}
+          securityContext:
+            privileged: false
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true