From 3e03721edaad3ce3f74c6e6788249040bb11f655 Mon Sep 17 00:00:00 2001
From: twelcon
Date: Thu, 22 Jun 2023 13:00:25 +0530
Subject: [PATCH] Start containers as non-root user

Signed-off-by: twelcon
---
 CHANGELOG.md | 1 +
 Dockerfile | 1 +
 Dockerfile.nginx | 11 +++++++++--
 config/k8s.conf | 2 +-
 k8s-support/hypejab.yaml | 37 ++++++++++++++++++++-----------------
 5 files changed, 32 insertions(+), 20 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4d7245..5c26716 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Changed
 - `Dockerfile` restructuring for better performance and faster build.
+- Start both php-fpm and nginx container as `non-root` user
 
 ## [0.0.3] - 2023-06-19
 
diff --git a/Dockerfile b/Dockerfile
index e75cbed..772fcc4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,4 +5,5 @@ WORKDIR /app
 COPY composer.json ./composer.json
 COPY composer.lock ./composer.lock
 RUN composer i --no-dev
+USER www-data
 COPY . /app
diff --git a/Dockerfile.nginx b/Dockerfile.nginx
index 421ac4f..63350d4 100644
--- a/Dockerfile.nginx
+++ b/Dockerfile.nginx
@@ -1,4 +1,11 @@
-FROM --platform=linux/amd64 nginx:latest
+FROM --platform=linux/amd64 nginx:stable-alpine3.17-slim
 WORKDIR /app
 COPY ./public /app/public
-COPY ./config/k8s.conf /etc/nginx/conf.d/default.conf
\ No newline at end of file
+COPY ./config/k8s.conf /etc/nginx/conf.d/default.conf
+RUN chown -R nginx:nginx /app && chmod -R 755 /app && \
+ chown -R nginx:nginx /var/cache/nginx && \
+ chown -R nginx:nginx /var/log/nginx && \
+ chown -R nginx:nginx /etc/nginx/conf.d
+RUN touch /var/run/nginx.pid && \
+ chown -R nginx:nginx /var/run/nginx.pid
+USER nginx
\ No newline at end of file
diff --git a/config/k8s.conf b/config/k8s.conf
index a706202..7e68ad9 100644
--- a/config/k8s.conf
+++ b/config/k8s.conf
@@ -1,5 +1,5 @@
 server {
- listen 80;
+ listen 8080;
 root /app/public;
 index index.php;
 server_name localhost;
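Review bot: `USER www-data` is placed before `COPY . /app`, but COPY does not run as the USER, so the application tree (including the vendor directory produced by `composer i --no-dev`) stays root-owned while php-fpm runs as www-data. Read-only, root-owned code is the safer layout, but any path the application writes at runtime under /app will now fail with a permission error; if such paths exist, give only those directories a writable home (a mounted volume, or `COPY --chown=www-data:www-data` for that subtree alone) rather than chowning the whole tree. The FROM line is above the hunk, so whether the base image defines the `www-data` account cannot be confirmed from here.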
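Review bot: `chown -R nginx:nginx /etc/nginx/conf.d` makes the runtime user the owner of its own server configuration, which it only needs to read; a compromised worker could then rewrite `default.conf` and have the change survive until the pod restarts. Unless the base image's entrypoint scripts need to write there (worth confirming for `nginx:stable-alpine3.17-slim`), drop that line and leave conf.d root-owned with the default read permissions. `chmod -R 755 /app` also marks every static file executable; `chmod -R u=rwX,go=rX /app` keeps the same readability without the execute bit on regular files, and `COPY --chown=nginx:nginx ./public /app/public` would remove the need for the recursive chown layer on /app entirely. Finally `USER nginx` lacks a trailing newline, as the `\ No newline at end of file` marker shows.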
diff --git a/k8s-support/hypejab.yaml b/k8s-support/hypejab.yaml
index 6390f94..4ac5c38 100644
--- a/k8s-support/hypejab.yaml
+++ b/k8s-support/hypejab.yaml
@@ -1,4 +1,3 @@
-
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -7,7 +6,7 @@ metadata:
 labels:
 hypejab: "1"
 spec:
- replicas: 1
+ replicas: 3
 selector:
 matchLabels:
 hypejab: "1"
@@ -19,29 +18,33 @@ spec:
 spec:
 containers:
 - name: hypejab-nginx
- # resources:
- # requests:
- # cpu: 1m
- # memory: 500Mi
- # limits:
- # cpu: 1m
- # memory: 500Mi
+ resources:
+ requests:
+ cpu: 10m
+ memory: 50Mi
+ limits:
+ cpu: 20m
+ memory: 100Mi
 image:
 ports:
 - name: c-port
- containerPort: 80
+ containerPort: 8080
+ securityContext:
+ allowPrivilegeEscalation: false
 - name: hypejab-php
- # resources:
- # requests:
- # cpu: 1m
- # memory: 500Mi
- # limits:
- # cpu: 1m
- # memory: 500Mi
+ resources:
+ requests:
+ cpu: 40m
+ memory: 50Mi
+ limits:
+ cpu: 50m
+ memory: 100Mi
 image:
 ports:
 - name: php-port
 containerPort: 9000
+ securityContext:
+ allowPrivilegeEscalation: false
 ---
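Review bot: `replicas: 3` is unrelated to the commit's subject (starting containers as non-root) and is not covered by the CHANGELOG entry this patch adds; it changes the deployment's resource footprint and would be easier to review and to revert as its own commit. If the bump is intended, add a line for it under the CHANGELOG `### Changed` list so the release notes match what the manifest does.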
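Review bot: The new `securityContext` blocks set only `allowPrivilegeEscalation: false`, so the non-root goal of this commit is enforced solely by the `USER` lines in the two Dockerfiles; a rebuilt image without them would still be scheduled and run as root. Add `runAsNonRoot: true` under both `securityContext:` entries (hypejab-nginx and hypejab-php) so the kubelet refuses to start a root container, and note that this check needs a numeric UID — either set `runAsUser` to the numeric id of `nginx`/`www-data` in the pod spec or switch the Dockerfile `USER` lines to numeric ids, otherwise the kubelet cannot verify a named user and rejects the container. Since nginx now listens on 8080 and needs no privileged port, `capabilities:` with `drop: ["ALL"]` is a cheap further hardening for both containers. `readOnlyRootFilesystem: true` would be the next step but needs emptyDir mounts for the nginx cache, log and pid paths that Dockerfile.nginx chowns, so it belongs in a follow-up; the hunk's trailing context may also continue past the `---` line at the end of the chunk.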