run vault-manager as non-root

Docker image security scan complains about running as root. Add a 'manager' user/group for vault-manager. Test Plan: PASS vault application sanity PASS Twistlock scan Story: 2011073 Task: 50522 Change-Id: I87a00a8bc41a39a00e871dbe84aa32f76e8ec768 Signed-off-by: Michel Thebeau <Michel.Thebeau@windriver.com>
2024-07-08 13:15:09 +00:00 · 2024-07-08 13:15:09 +00:00 · b253c2a056
commit b253c2a056
parent b792021365
1 changed files with 10 additions and 0 deletions
--- a/stx-vault-manager/debian/docker/Dockerfile
+++ b/stx-vault-manager/debian/docker/Dockerfile
@ -1,5 +1,7 @@
 FROM debian:stable-slim

+USER root
+
 # Support versions of kubernetes back two releases of starlingx
 # Versions older than 1.26 can be listed from:
 # https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.22.md
@ -11,6 +13,7 @@ ENV KUBE_VERSIONS="v1.29.6 v1.28.11 v1.27.15 v1.26.15 v1.25.16 v1.24.17"
 ENV KUBECTL_DL_URL="https://storage.googleapis.com/kubernetes-release/release/${KUBE_LATEST_VERSION}/bin/linux/amd64/kubectl"
 ENV KUBECTL_INSTALL_PATH="/usr/local/bin"

+# install vault-manager's required packages
 RUN set -ex; \
    PKG_LIST="mawk bash coreutils curl grep sed jq uuid-runtime"; \
    apt-get update && apt-get install -y $PKG_LIST \
@ -31,4 +34,11 @@ RUN set -ex; \
    ln -s ${KUBECTL_INSTALL_PATH}/kubectl.${KUBE_LATEST_VERSION%.*} \
        ${KUBECTL_INSTALL_PATH}/kubectl

+# create a non-root user/group for vault-manager
+RUN groupadd --gid 1000 manager \
+    && adduser --uid 1000 --gid 1000 manager \
+        --home /workdir --shell /bin/bash
+
+USER manager
+
 CMD ["bash"]