run as non-root

Signed-off-by: Zhiwei Yin <zyin@redhat.com>

Dockerfile

@@ -7,6 +7,10 @@ RUN make build --warn-undefined-variables
 RUN make build-e2e --warn-undefined-variables
 
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+ENV USER_UID=10001
+
 COPY --from=builder /go/src/github.com/open-cluster-management/work/work /
 COPY --from=builder /go/src/github.com/open-cluster-management/work/e2e.test /
 RUN microdnf update && microdnf clean all
+
+USER ${USER_UID}

deploy/spoke/deployment.yaml

@@ -24,6 +24,13 @@ spec:
           - "agent"
           - "--spoke-cluster-name=cluster1"
           - "--hub-kubeconfig=/spoke/hub-kubeconfig/kubeconfig"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          runAsNonRoot: true
         volumeMounts:
         - name: hub-kubeconfig-secret
           mountPath: "/spoke/hub-kubeconfig"

deploy/webhook/deployment.yaml

@@ -24,3 +24,10 @@ spec:
           - "webhook"
           - "--cert-dir=/tmp"
           - "--secure-port=6443"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          runAsNonRoot: true

test/e2e/bindata/bindata.go

@@ -369,6 +369,13 @@ spec:
           - "agent"
           - "--spoke-cluster-name=cluster1"
           - "--hub-kubeconfig=/spoke/hub-kubeconfig/kubeconfig"
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+          privileged: false
+          runAsNonRoot: true
         volumeMounts:
         - name: hub-kubeconfig-secret
           mountPath: "/spoke/hub-kubeconfig"