[feature] Run the authenticator with an unprivileged user

Use alpine as the base image because it brings unprivileged user and ca certificate tooling. Use the alpine upstream updated and maintained ca-certificates rather than pulling ca-certificates.crt out of an alpine:latest to bake into this image. Software running in containers should default to run as unprivileged user rather than running as the root user inside the container. Fixes Github issue kubernetes-sigs#26 Signed-off-by: Stefan Cocora <stefan.cocora@gmail.com>
d-nishi · Jan 25, 2018 · 4b4bc6e · 4b4bc6e
1 parent 1d13c73
commit 4b4bc6e
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4,504 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -12,7 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM scratch
-ADD ca-certificates.crt /etc/ssl/certs/
+FROM alpine:3.7
+
+ENV NONPRIV_USER="nobody"
+
 ADD heptio-authenticator-aws /
+RUN chown $NONPRIV_USER:$NONPRIV_USER /heptio-authenticator-aws
+RUN mkdir /var/heptio-authenticator-aws && chown -R $NONPRIV_USER:$NONPRIV_USER /var/heptio-authenticator-aws
+RUN mkdir /etc/heptio-authenticator-aws && chown -R $NONPRIV_USER:$NONPRIV_USER /etc/heptio-authenticator-aws
+RUN mkdir -p /etc/kubernetes/heptio-authenticator-aws && chown -R $NONPRIV_USER:$NONPRIV_USER /etc/kubernetes/heptio-authenticator-aws
+
+USER $NONPRIV_USER
+
 ENTRYPOINT ["/heptio-authenticator-aws"]