Start containers as non-root user

Signed-off-by: twelcon <[email protected]>
getastra · Jun 22, 2023 · 3e03721 · 3e03721
1 parent 117731e
commit 3e03721
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 20 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,6 +12,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Changed
 - `Dockerfile` restructuring for better performance and faster build.
+- Start both php-fpm and nginx container as `non-root` user
 
 
 ## [0.0.3] - 2023-06-19

diff --git a/Dockerfile b/Dockerfile
@@ -5,4 +5,5 @@ WORKDIR /app
 COPY composer.json ./composer.json
 COPY composer.lock ./composer.lock
 RUN composer i --no-dev
+USER www-data
 COPY . /app
diff --git a/Dockerfile.nginx b/Dockerfile.nginx
@@ -1,4 +1,11 @@
-FROM --platform=linux/amd64 nginx:latest
+FROM --platform=linux/amd64 nginx:stable-alpine3.17-slim
 WORKDIR /app
 COPY ./public /app/public
-COPY ./config/k8s.conf /etc/nginx/conf.d/default.conf
+COPY ./config/k8s.conf /etc/nginx/conf.d/default.conf
+RUN chown -R nginx:nginx /app && chmod -R 755 /app && \
+        chown -R nginx:nginx /var/cache/nginx && \
+        chown -R nginx:nginx /var/log/nginx && \
+        chown -R nginx:nginx /etc/nginx/conf.d
+RUN touch /var/run/nginx.pid && \
+        chown -R nginx:nginx /var/run/nginx.pid
+USER nginx
diff --git a/config/k8s.conf b/config/k8s.conf
@@ -1,5 +1,5 @@
 server {
-    listen 80;
+    listen 8080;
     root /app/public;
     index index.php;
     server_name localhost;

diff --git a/k8s-support/hypejab.yaml b/k8s-support/hypejab.yaml
@@ -1,4 +1,3 @@
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -7,7 +6,7 @@ metadata:
   labels:
     hypejab: "1"
 spec:
-  replicas: 1
+  replicas: 3
   selector:
     matchLabels:
       hypejab: "1"
@@ -19,29 +18,33 @@ spec:
     spec:
       containers:
         - name: hypejab-nginx
-          # resources:
-            # requests:
-            #   cpu: 1m
-            #   memory: 500Mi
-            # limits:
-            #   cpu: 1m
-            #   memory: 500Mi
+          resources:
+            requests:
+              cpu: 10m
+              memory: 50Mi
+            limits:
+              cpu: 20m
+              memory: 100Mi
           image: <nginx image name>
           ports:
             - name: c-port
-              containerPort: 80
+              containerPort: 8080
+          securityContext:
+            allowPrivilegeEscalation: false
         - name: hypejab-php
-          # resources:
-            # requests:
-            #   cpu: 1m
-            #   memory: 500Mi
-            # limits:
-            #   cpu: 1m
-            #   memory: 500Mi
+          resources:
+            requests:
+              cpu: 40m
+              memory: 50Mi
+            limits:
+              cpu: 50m
+              memory: 100Mi
           image: <php image name>
           ports:
             - name: php-port
               containerPort: 9000
+          securityContext:
+            allowPrivilegeEscalation: false
 
 ---