start kruise-manager as a non-root user (#1491)

Signed-off-by: liheng.zms <[email protected]>
openkruise · Jan 24, 2024 · 9913b92 · 9913b92
1 parent 19854e8
commit 9913b92
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -23,10 +23,28 @@ ARG BASE_IMAGE
 ARG BASE_IMAGE_VERSION
 FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
 
-RUN apk add --no-cache ca-certificates bash expat \
-  && rm -rf /var/cache/apk/*
-
 WORKDIR /
 COPY --from=builder /workspace/manager .
 COPY --from=builder /workspace/daemon ./kruise-daemon
+
+RUN set -eux; \
+    mkdir -p /log /tmp && \
+    chown -R nobody:nobody /log && \
+    chown -R nobody:nobody /tmp && \
+    chown -R nobody:nobody /manager && \
+    apk --no-cache --update upgrade && \
+    apk --no-cache add ca-certificates && \
+    apk --no-cache add tzdata && \
+    rm -rf /var/cache/apk/* && \
+    update-ca-certificates && \
+    echo "only include root and nobody user" && \
+    echo -e "root:x:0:0:root:/root:/bin/ash\nnobody:x:65534:65534:nobody:/:/sbin/nologin" | tee /etc/passwd && \
+    echo -e "root:x:0:root\nnobody:x:65534:" | tee /etc/group && \
+    rm -rf /usr/local/sbin/* && \
+    rm -rf /usr/local/bin/* && \
+    rm -rf /usr/sbin/* && \
+    rm -rf /usr/bin/* && \
+    rm -rf /sbin/* && \
+    rm -rf /bin/*
+
 ENTRYPOINT ["/manager"]
diff --git a/Dockerfile_multiarch b/Dockerfile_multiarch
@@ -26,7 +26,15 @@ ARG BASE_IMAGE
 ARG BASE_IMAGE_VERSION
 FROM ${BASE_IMAGE}:${BASE_IMAGE_VERSION}
 
+WORKDIR /
+COPY --from=builder /workspace/manager .
+COPY --from=builder /workspace/daemon ./kruise-daemon
+
 RUN set -eux; \
+    mkdir -p /log /tmp && \
+    chown -R nobody:nobody /log && \
+    chown -R nobody:nobody /tmp && \
+    chown -R nobody:nobody /manager && \
     apk --no-cache --update upgrade && \
     apk --no-cache add ca-certificates && \
     apk --no-cache add tzdata && \
@@ -42,7 +50,4 @@ RUN set -eux; \
     rm -rf /sbin/* && \
     rm -rf /bin/*
 
-WORKDIR /
-COPY --from=builder /workspace/manager .
-COPY --from=builder /workspace/daemon ./kruise-daemon
 ENTRYPOINT ["/manager"]
diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -38,6 +38,14 @@ spec:
         - --feature-gates=AllAlpha=true
         image: controller:latest
         imagePullPolicy: Always
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add: [ 'NET_BIND_SERVICE' ]
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          runAsUser: 65534
         name: manager
         env:
           - name: KUBE_CACHE_MUTATION_DETECTOR
@@ -97,6 +105,12 @@ spec:
         - --feature-gates=AllAlpha=true
         image: controller:latest
         imagePullPolicy: Always
+        securityContext:
+          capabilities:
+            drop:
+              - all
+            add: [ 'NET_BIND_SERVICE' ]
+          allowPrivilegeEscalation: false
         name: daemon
         env:
         - name: KUBE_CACHE_MUTATION_DETECTOR