From aed8250a63d07d0bd1ee8bffa4a14fdf3fcfe975 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Wed, 12 Jun 2024 11:20:20 +0200 Subject: [PATCH 1/4] fix: modify Dockerfile to run container as non root user --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 9fe2a3e..96f3c9c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -37,6 +37,9 @@ WORKDIR /app COPY ./web /app/web COPY --from=builder --chown=nonroot:nonroot /app/dashboard /app/dashboard +RUN adduser -u 1000 --disabled-password --gecos "" --no-create-home nonroot +USER nonroot + ENTRYPOINT ["/app/dashboard"] -CMD ["-in-cluster=true"] \ No newline at end of file +CMD ["-in-cluster=true"] From 1f578d8f1b733e868f81c3670fd256bfda9d96f7 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Wed, 12 Jun 2024 11:20:45 +0200 Subject: [PATCH 2/4] fix: modify Deployment to run pod as non root user --- charts/app-dashboard/templates/deployment.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/charts/app-dashboard/templates/deployment.yaml b/charts/app-dashboard/templates/deployment.yaml index 782247c..f283bf0 100644 --- a/charts/app-dashboard/templates/deployment.yaml +++ b/charts/app-dashboard/templates/deployment.yaml @@ -43,6 +43,8 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} serviceAccountName: {{ include "app-dashboard.serviceAccountName" . }} + securityContext: + runAsUser: 1000 containers: - name: {{ .Chart.Name }} securityContext: From f6a4359449a2c692d1df7e4c027d80e2a2a94137 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Wed, 12 Jun 2024 11:26:15 +0200 Subject: [PATCH 3/4] chore: update DEPENDENCIES --- DEPENDENCIES | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/DEPENDENCIES b/DEPENDENCIES index 6a997f8..a9869d0 100644 --- a/DEPENDENCIES +++ b/DEPENDENCIES 
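Review bot: `USER nonroot` records the account by name, and a pod that sets `runAsNonRoot: true` without a numeric `runAsUser` is refused by the kubelet because it cannot verify a non-numeric image user; `USER 1000:1000` would let the image carry that guarantee on its own instead of relying on the chart. Separately, the `COPY --from=builder --chown=nonroot:nonroot` context line runs before the added `RUN adduser`, so the name `nonroot` has to resolve at that step already. The base image is outside the hunk, so this is inferred: if the account does not exist there, the `RUN adduser -u 1000 ...` line should move above the COPY (or the COPY should use `--chown=1000:1000`).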
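Review bot: The added pod-level `securityContext` sets only `runAsUser: 1000`, so nothing here makes the kubelet reject the pod if a later override or a container-level setting brings the UID back to 0. Adding `runAsNonRoot: true` beside it enforces the intent, and `runAsGroup: 1000` makes the primary group explicit. The UID is hard-coded in the template and has to stay equal to the `-u 1000` in the Dockerfile, so a short comment such as `# must match the UID created in the Dockerfile` would help. The container-level `securityContext:` that follows is cut off by the hunk, so check that it does not override these fields.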
@@ -1,4 +1,4 @@
-go/golang/github.com%2Fcreack/pty/v1.1.9, MIT, approved, clearlydefined
+go/golang/github.com%2Fcreack/pty/v1.1.9, BSD-3-Clause AND MIT, approved, #14623
 go/golang/github.com%2Fdavecgh/go-spew/v1.1.0, ISC, approved, clearlydefined
 go/golang/github.com%2Fdavecgh/go-spew/v1.1.1, ISC, approved, clearlydefined
 go/golang/github.com%2Femicklei%2Fgo-restful/v3/v3.11.0, MIT, approved, clearlydefined
@@ -9,12 +9,12 @@ go/golang/github.com%2Fgo-openapi/jsonpointer/v0.20.0, Apache-2.0, approved, #10
 go/golang/github.com%2Fgo-openapi/jsonreference/v0.20.2, Apache-2.0, approved, #10676
 go/golang/github.com%2Fgo-openapi/swag/v0.22.3, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #10679
 go/golang/github.com%2Fgo-openapi/swag/v0.22.4, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #10679
-go/golang/github.com%2Fgo-task/slim-sprig/v0.0.0-20230315185526-52ccab3ef572, MIT AND LicenseRef-scancode-proprietary-license, restricted, #10759
+go/golang/github.com%2Fgo-task/slim-sprig/v0.0.0-20230315185526-52ccab3ef572, MIT, approved, #11068
 go/golang/github.com%2Fgogo/protobuf/v1.3.2, BSD-3-Clause AND BSD-2-Clause, approved, #5660
 go/golang/github.com%2Fgolang/protobuf/v1.5.0, BSD-3-Clause, approved, #5706
 go/golang/github.com%2Fgolang/protobuf/v1.5.2, BSD-3-Clause, approved, #5706
 go/golang/github.com%2Fgolang/protobuf/v1.5.3, BSD-3-Clause, approved, #5706
-go/golang/github.com%2Fgoogle/gnostic-models/v0.6.9-0.20230804172637-c7be7c783f49, Apache-2.0 AND (Apache-2.0 AND JSON), restricted, #10742
+go/golang/github.com%2Fgoogle/gnostic-models/v0.6.9-0.20230804172637-c7be7c783f49, Apache-2.0, approved, #10742
 go/golang/github.com%2Fgoogle/go-cmp/v0.5.5, BSD-3-Clause, approved, #5689
 go/golang/github.com%2Fgoogle/go-cmp/v0.5.9, BSD-3-Clause, approved, #5689
 go/golang/github.com%2Fgoogle/gofuzz/v1.0.0, Apache-2.0, approved, clearlydefined
@@ -82,7 +82,7 @@ go/golang/golang.org%2Fx/sys/v0.13.0, BSD-3-Clause, approved, #11053 go/golang/golang.org%2Fx/term/v0.0.0-20201126162022-7de9c90e9dd1, BSD-3-Clause, approved, #5720 go/golang/golang.org%2Fx/term/v0.0.0-20210927222741-03fcf44c2211, BSD-3-Clause, approved, #5720 go/golang/golang.org%2Fx/term/v0.13.0, BSD-3-Clause, approved, #11056 -go/golang/golang.org%2Fx/text/v0.13.0, BSD-3-Clause AND (BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0) AND (BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0), restricted, #10752 +go/golang/golang.org%2Fx/text/v0.13.0, BSD-3-Clause, approved, #10752 go/golang/golang.org%2Fx/text/v0.3.0, BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0, approved, #6122 go/golang/golang.org%2Fx/text/v0.3.3, BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0, approved, #6126 go/golang/golang.org%2Fx/text/v0.3.7, BSD-3-Clause, approved, #6127 From 754bd0c973b531040078baa56121f7b2b1b69cb8 Mon Sep 17 00:00:00 2001 From: Tomasz Barwicki Date: Wed, 12 Jun 2024 11:36:33 +0200 Subject: [PATCH 4/4] chore: bump chart ver --- charts/app-dashboard/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/app-dashboard/Chart.yaml b/charts/app-dashboard/Chart.yaml index 04264c7..586902e 100644 --- a/charts/app-dashboard/Chart.yaml +++ b/charts/app-dashboard/Chart.yaml @@ -27,7 +27,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 1.0.7 +version: 1.0.8 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to