knative · karthikmurali60 · Nov 13, 2023
diff --git a/code-samples/serving/cloudevents/cloudevents-dotnet/Dockerfile b/code-samples/serving/cloudevents/cloudevents-dotnet/Dockerfile
@@ -13,6 +13,11 @@
 # limitations under the License.
 
 FROM mcr.microsoft.com/dotnet/core/sdk:3.1-alpine AS build-env
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 WORKDIR /app
 
 # Copy csproj and restore as distinct layers
@@ -25,6 +30,14 @@ RUN dotnet publish -c Release -o out
 
 # Build runtime image
 FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 WORKDIR /app
 COPY --from=build-env /app/out .
+
+USER appuser
+
 ENTRYPOINT ["dotnet", "CloudEventsSample.dll"]
diff --git a/code-samples/serving/cloudevents/cloudevents-go/Dockerfile b/code-samples/serving/cloudevents/cloudevents-go/Dockerfile
@@ -3,6 +3,10 @@
 # https://hub.docker.com/_/golang
 FROM golang:1.13 as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -25,10 +29,17 @@ RUN go mod download
 # https://hub.docker.com/_/alpine
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 FROM alpine:3
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 RUN apk add --no-cache ca-certificates
 
 # Copy the binary to the production image from the builder stage.
 COPY --from=builder /app/server /server
 
+USER appuser
+
 # Run the web service on container startup.
 CMD ["/server"]
diff --git a/code-samples/serving/cloudevents/cloudevents-nodejs/Dockerfile b/code-samples/serving/cloudevents/cloudevents-nodejs/Dockerfile
@@ -14,6 +14,10 @@
 
 FROM registry.access.redhat.com/ubi8/nodejs-12
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy application dependency manifests to the container image.
 # A wildcard is used to ensure both package.json AND package-lock.json are copied.
 # Copying this separately prevents re-running npm install on every code change.
@@ -31,6 +35,8 @@ ARG ENV=production
 
 ENV NODE_ENV $ENV
 
+USER appuser
+
 # Run the web service on container startup.
 CMD npm run $NODE_ENV
 

diff --git a/code-samples/serving/cloudevents/cloudevents-rust/Dockerfile b/code-samples/serving/cloudevents/cloudevents-rust/Dockerfile
@@ -14,7 +14,13 @@
 
 FROM scratch
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # To build it: cargo build --target x86_64-unknown-linux-musl --release
 COPY target/x86_64-unknown-linux-musl/release/knative-cloudevents-example /app
 
+USER appuser
+
 CMD ["/app"]
diff --git a/code-samples/serving/gitwebhook-go/Dockerfile b/code-samples/serving/gitwebhook-go/Dockerfile
@@ -14,6 +14,10 @@
 
 FROM golang AS builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -32,7 +36,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /go/bin/webh
 
 FROM golang:alpine
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 EXPOSE 8080
 COPY --from=builder /go/bin/webhook-sample /app/webhook-sample
 
+USER appuser
+
 ENTRYPOINT ["/app/webhook-sample"]
diff --git a/code-samples/serving/grpc-ping-go/Dockerfile b/code-samples/serving/grpc-ping-go/Dockerfile
@@ -17,6 +17,10 @@
 # https://hub.docker.com/_/golang
 FROM golang as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -37,9 +41,15 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -tags=grpcping
 # https://github.com/GoogleContainerTools/distroless#readme
 FROM gcr.io/distroless/static
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy the binaries to the production image from the builder stage.
 COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-server /server
 COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-client /client
 
+USER appuser
+
 # Run the service on container startup.
 CMD ["/server"]
diff --git a/code-samples/serving/hello-world/helloworld-csharp/Dockerfile b/code-samples/serving/hello-world/helloworld-csharp/Dockerfile
@@ -1,5 +1,10 @@
 # Use Microsoft's official build .NET image.
 FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build-env
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 WORKDIR /app
 
 # Copy csproj and restore as distinct layers
@@ -12,8 +17,15 @@ RUN dotnet publish -c Release -o out
 
 # Build runtime image
 FROM mcr.microsoft.com/dotnet/aspnet:6.0
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 WORKDIR /app
 COPY --from=build-env /app/out .
 
+USER appuser
+
 # Run the web service on container startup.
 ENTRYPOINT ["dotnet", "helloworld-csharp.dll"]
diff --git a/code-samples/serving/hello-world/helloworld-go/Dockerfile b/code-samples/serving/hello-world/helloworld-go/Dockerfile
@@ -2,6 +2,10 @@
 # This is based on Debian and sets the GOPATH to /go.
 FROM golang:latest as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 ARG TARGETOS
 ARG TARGETARCH
 
@@ -24,10 +28,17 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -mod=readonly -
 # https://hub.docker.com/_/alpine
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 FROM alpine:3
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 RUN apk add --no-cache ca-certificates
 
 # Copy the binary to the production image from the builder stage.
 COPY --from=builder /app/server /server
 
+USER appuser
+
 # Run the web service on container startup.
 CMD ["/server"]
diff --git a/code-samples/serving/hello-world/helloworld-java-spark/Dockerfile b/code-samples/serving/hello-world/helloworld-java-spark/Dockerfile
@@ -2,6 +2,10 @@
 # https://hub.docker.com/_/maven
 FROM maven:3.5-jdk-8-alpine as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy local code to the container image.
 WORKDIR /app
 COPY pom.xml .
@@ -15,13 +19,19 @@ RUN mvn package -DskipTests
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 FROM openjdk:8-jre-alpine
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy the jar to the production image from the builder stage.
 COPY --from=builder /app/target/helloworld-0.0.1-SNAPSHOT-jar-with-dependencies.jar helloworld.jar
 
 ENV PORT 8080
 
 EXPOSE 8080
 
+USER appuser
+
 # Run the web service on container startup.
 CMD ["java","-jar","helloworld.jar"]
 
diff --git a/code-samples/serving/hello-world/helloworld-java-spring/Dockerfile b/code-samples/serving/hello-world/helloworld-java-spring/Dockerfile
@@ -1,6 +1,10 @@
 # Use the official maven/Java 8 image to create a build artifact: https://hub.docker.com/_/maven
 FROM maven:3.5-jdk-8-alpine as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy local code to the container image.
 WORKDIR /app
 COPY pom.xml .
@@ -14,8 +18,14 @@ RUN mvn package -DskipTests
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 FROM openjdk:8-jre-alpine
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy the jar to the production image from the builder stage.
 COPY --from=builder /app/target/helloworld-*.jar /helloworld.jar
 
+USER appuser
+
 # Run the web service on container startup.
 CMD ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/helloworld.jar"]
diff --git a/code-samples/serving/hello-world/helloworld-kotlin/Dockerfile b/code-samples/serving/hello-world/helloworld-kotlin/Dockerfile
@@ -2,6 +2,10 @@
 # https://hub.docker.com/_/gradle
 FROM gradle:6.7 as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy local code to the container image.
 COPY build.gradle .
 COPY src ./src
@@ -14,8 +18,14 @@ RUN gradle clean build --no-daemon
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 FROM openjdk:8-jre-alpine
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy the jar to the production image from the builder stage.
 COPY --from=builder /home/gradle/build/libs/gradle.jar /helloworld.jar
 
+USER appuser
+
 # Run the web service on container startup.
 CMD [ "java", "-jar", "-Djava.security.egd=file:/dev/./urandom", "/helloworld.jar" ]
diff --git a/code-samples/serving/hello-world/helloworld-nodejs/Dockerfile b/code-samples/serving/hello-world/helloworld-nodejs/Dockerfile
@@ -2,6 +2,10 @@
 # https://hub.docker.com/_/node
 FROM node:12-slim
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Create and change to the app directory.
 WORKDIR /usr/src/app
 
@@ -16,5 +20,7 @@ RUN npm install --only=production
 # Copy local code to the container image.
 COPY . ./
 
+USER appuser
+
 # Run the web service on container startup.
 CMD [ "npm", "start" ]
diff --git a/code-samples/serving/hello-world/helloworld-php/Dockerfile b/code-samples/serving/hello-world/helloworld-php/Dockerfile
@@ -2,6 +2,12 @@
 # https://hub.docker.com/_/php
 FROM php:7.3-apache
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
+USER appuser
+
 # Copy local code to the container image.
 COPY index.php /var/www/html/
 

diff --git a/code-samples/serving/hello-world/helloworld-python/Dockerfile b/code-samples/serving/hello-world/helloworld-python/Dockerfile
@@ -2,6 +2,10 @@
 # https://hub.docker.com/_/python
 FROM python:3.7-slim
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Allow statements and log messages to immediately appear in the Knative logs
 ENV PYTHONUNBUFFERED True
 
@@ -13,6 +17,8 @@ COPY . ./
 # Install production dependencies.
 RUN pip install Flask gunicorn
 
+USER appuser
+
 # Run the web service on container startup. Here we use the gunicorn
 # webserver, with one worker process and 8 threads.
 # For environments with multiple CPU cores, increase the number of workers

diff --git a/code-samples/serving/hello-world/helloworld-ruby/Dockerfile b/code-samples/serving/hello-world/helloworld-ruby/Dockerfile
@@ -2,6 +2,10 @@
 # https://hub.docker.com/_/ruby
 FROM ruby:2.6-slim
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Install production dependencies.
 WORKDIR /usr/src/app
 COPY Gemfile Gemfile.lock ./
@@ -11,5 +15,7 @@ RUN gem install bundler && bundle install
 # Copy local code to the container image.
 COPY . ./
 
+USER appuser
+
 # Run the web service on container startup.
 CMD ["ruby", "./app.rb"]
diff --git a/code-samples/serving/hello-world/helloworld-scala/Dockerfile b/code-samples/serving/hello-world/helloworld-scala/Dockerfile
@@ -1,6 +1,10 @@
 # Use an SBT image matching the Scala and JDK version.
 FROM hseeberger/scala-sbt:8u265_1.4.2_2.13.3 as builder
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy local code to the container image.
 WORKDIR /app
 COPY build.sbt .
@@ -15,8 +19,14 @@ RUN sbt assembly
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 FROM openjdk:8-jre-alpine
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Copy the jar to the production image from the builder stage.
 COPY --from=builder /app/target/scala-2.13/helloworld-*.jar /helloworld.jar
 
+USER appuser
+
 # Run the web service on container startup.
 CMD ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/helloworld.jar"]
diff --git a/code-samples/serving/hello-world/helloworld-shell/Dockerfile b/code-samples/serving/hello-world/helloworld-shell/Dockerfile
@@ -2,6 +2,10 @@
 # https://git.busybox.net/busybox/tree/networking/httpd.c
 FROM busybox
 
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g 1000 appuser && \
+    adduser -S -u 1000 -G appuser appuser
+
 # Serve from this directory
 WORKDIR /var/www
 
@@ -13,5 +17,7 @@ RUN echo "::sysinit:httpd -vv -p 8080 -u daemon -h /var/www" > /etc/inittab
 COPY --chown=daemon:daemon script.sh cgi-bin/index.cgi
 RUN chmod 755 cgi-bin/index.cgi
 
+USER appuser
+
 # Startup init which in turn starts httpd
 CMD init