diff --git a/Dockerfile b/Dockerfile
index 623096674..6faa2e7c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,10 @@ RUN make build --warn-undefined-variables
 RUN make build-e2e --warn-undefined-variables
 FROM registry.access.redhat.com/ubi8/ubi-minimal:latest
+ENV USER_UID=10001
+
 COPY --from=builder /go/src/github.com/open-cluster-management/work/work /
 COPY --from=builder /go/src/github.com/open-cluster-management/work/e2e.test /
 RUN microdnf update && microdnf clean all
+
+USER ${USER_UID}
diff --git a/deploy/spoke/deployment.yaml b/deploy/spoke/deployment.yaml
index 48afd561f..50c2c14f8 100644
--- a/deploy/spoke/deployment.yaml
+++ b/deploy/spoke/deployment.yaml
@@ -24,6 +24,13 @@ spec:
 - "agent"
 - "--spoke-cluster-name=cluster1"
 - "--hub-kubeconfig=/spoke/hub-kubeconfig/kubeconfig"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
 volumeMounts:
 - name: hub-kubeconfig-secret
 mountPath: "/spoke/hub-kubeconfig"
diff --git a/deploy/webhook/deployment.yaml b/deploy/webhook/deployment.yaml
index 890546a09..e881eef80 100644
--- a/deploy/webhook/deployment.yaml
+++ b/deploy/webhook/deployment.yaml
@@ -24,3 +24,10 @@ spec:
 - "webhook"
 - "--cert-dir=/tmp"
 - "--secure-port=6443"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
diff --git a/test/e2e/bindata/bindata.go b/test/e2e/bindata/bindata.go
index cb14b9beb..847fc16ca 100644
--- a/test/e2e/bindata/bindata.go
+++ b/test/e2e/bindata/bindata.go
@@ -369,6 +369,13 @@ spec:
 - "agent"
 - "--spoke-cluster-name=cluster1"
 - "--hub-kubeconfig=/spoke/hub-kubeconfig/kubeconfig"
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ runAsNonRoot: true
 volumeMounts:
 - name: hub-kubeconfig-secret
 mountPath: "/spoke/hub-kubeconfig"
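Review bot: `USER ${USER_UID}` at the end of the Dockerfile hunk sets only the UID, so the process keeps the default GID 0 (the root group) and has no passwd entry; make the group explicit with `USER ${USER_UID}:${USER_UID}`, and if either binary ever resolves the current user (Go's pure-Go `os/user` errors on an unknown UID), add a passwd entry for it in this stage, e.g. `RUN echo "work:x:${USER_UID}:${USER_UID}::/:/sbin/nologin" >> /etc/passwd` (constructed example). The value must stay numeric because the deployments' `runAsNonRoot: true` is checked by the kubelet against the image's USER, so a comment above `ENV USER_UID=10001` such as `# keep numeric: runAsNonRoot in deploy/*/deployment.yaml requires a numeric image USER` would stop a later change to a username. Since the value is only consumed by `USER` at build time, `ARG USER_UID=10001` would avoid exporting it into the runtime environment.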
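Review bot: The new `securityContext` in deploy/spoke/deployment.yaml omits `readOnlyRootFilesystem: true` and `seccompProfile: {type: RuntimeDefault}`, which the restricted Pod Security Standard expects alongside `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; the same gap is in deploy/webhook/deployment.yaml and the generated copy in test/e2e/bindata/bindata.go. `readOnlyRootFilesystem` is safe to add here only if the agent writes nothing outside its mounted volumes, which the hunk does not show, so confirm that before enabling it. `runAsNonRoot: true` without `runAsUser` relies on the image declaring a numeric USER (this commit's Dockerfile sets 10001) and the kubelet refuses to start the container otherwise, so a comment `# image must declare a numeric USER (see Dockerfile); without runAsUser this check is image-driven` next to `runAsNonRoot` would make that coupling visible. `privileged: false` is already the default and only adds noise. The enclosing container spec begins outside the hunk.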
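Review bot: `--cert-dir=/tmp` on the context line just above the new `securityContext` in deploy/webhook/deployment.yaml is presumably where the serving certificate is written or read, and after this change that happens as the image's unprivileged UID; it works only because `/tmp` is world-writable in the base image and would break as soon as `readOnlyRootFilesystem: true` is added to this block. Mount an `emptyDir` at `/tmp` (a `volumeMounts` entry on the container plus a matching `volumes` entry on the pod) so the cert material never lands on the container root filesystem and the hardening can be completed later without a flag change. `--secure-port=6443` is above 1024, so dropping all capabilities including NET_BIND_SERVICE is fine here; a comment `# port > 1024: no NET_BIND_SERVICE needed after drop ALL` above `capabilities` records that constraint for whoever changes the port. The container spec begins outside the hunk.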