Run the target allocator as non-root (#2352)

* Run the target allocator as non-root Signed-off-by: David Leadbeater <[email protected]> * Add issue to changelog Signed-off-by: David Leadbeater <[email protected]> --------- Signed-off-by: David Leadbeater <[email protected]>
open-telemetry · Nov 15, 2023 · 9255f75 · 9255f75
1 parent 7e6e3e0
commit 9255f75
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 0 deletions.
diff --git a/.chloggen/target-allocator-nonroot.yaml b/.chloggen/target-allocator-nonroot.yaml
@@ -0,0 +1,19 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Run the target allocator as a non-root user
+
+# One or more tracking issues related to the change
+issues: [738]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext: |
+  Some Kubernetes configurations do not allow running images as root, so
+  provide a non-zero UID in the Docker image.
+
diff --git a/cmd/operator-opamp-bridge/Dockerfile b/cmd/operator-opamp-bridge/Dockerfile
@@ -16,4 +16,7 @@ COPY --from=certificates /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-ce
 # Copy binary built on the host
 COPY bin/opampbridge_${TARGETARCH} ./main
 
+# "nonroot"
+USER 65532:65532
+
 ENTRYPOINT ["./main"]