Run as a non-root user.

Signed-off-by: Matt Moyer <moyer@heptio.com>

.goreleaser.yaml

@@ -14,8 +14,6 @@ builds:
 
 dockers:
   - image: gcr.io/heptio-images/authenticator
-    extra_files:
-      - ca-certificates.crt
 
 snapshot:
   name_template: "git-{{.Commit}}"

Dockerfile

@@ -12,16 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM alpine:3.7
-
-ENV NONPRIV_USER="nobody"
-
-ADD heptio-authenticator-aws /
-RUN chown $NONPRIV_USER:$NONPRIV_USER /heptio-authenticator-aws
-RUN mkdir /var/heptio-authenticator-aws && chown -R $NONPRIV_USER:$NONPRIV_USER /var/heptio-authenticator-aws
-RUN mkdir /etc/heptio-authenticator-aws && chown -R $NONPRIV_USER:$NONPRIV_USER /etc/heptio-authenticator-aws
-RUN mkdir -p /etc/kubernetes/heptio-authenticator-aws && chown -R $NONPRIV_USER:$NONPRIV_USER /etc/kubernetes/heptio-authenticator-aws
-
-USER $NONPRIV_USER
+FROM alpine:latest
+RUN adduser -D -u 10000 heptio-authenticator-aws
+RUN apk add --update ca-certificates
 
+FROM scratch
+COPY --from=0 /etc/passwd /etc/passwd
+COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY heptio-authenticator-aws /
+USER heptio-authenticator-aws
 ENTRYPOINT ["/heptio-authenticator-aws"]

Makefile

@@ -4,16 +4,12 @@ GORELEASER := $(shell command -v goreleaser 2> /dev/null)
 
 .PHONY: build test format
 
-build: ca-certificates.crt
+build:
 ifndef GORELEASER
 	$(error "goreleaser not found (`go get -u -v github.com/goreleaser/goreleaser` to fix)")
 endif
 	$(GORELEASER) --skip-publish --rm-dist --snapshot
 
-# pull ca-certificates.crt from Alpine
-ca-certificates.crt:
-	docker run -v "$$PWD":/out --rm --tty -i alpine:latest /bin/sh -c "apk add --update ca-certificates && cp /etc/ssl/certs/ca-certificates.crt /out/"
-
 test:
 	go test -v ./...