diff --git a/Dockerfile b/Dockerfile index 10e8f465..b31b2b61 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,11 @@ -FROM gcr.io/distroless/static:debug-nonroot +FROM gcr.io/distroless/static:debug-nonroot AS builder + +# Stage 2: +FROM gcr.io/distroless/static:nonroot + +# Grab the cp binary so we can cp the unpack +# binary to a shared volume in the bundle image +COPY --from=builder /busybox/cp /cp WORKDIR / diff --git a/pkg/source/image.go b/pkg/source/image.go index 07f91898..f959ccc2 100644 --- a/pkg/source/image.go +++ b/pkg/source/image.go @@ -138,13 +138,12 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment WithName("install-unpacker"). WithImage(i.UnpackImage). WithImagePullPolicy(corev1.PullIfNotPresent). - WithCommand("cp", "-Rv", "/unpack", "/util/bin/unpack"). + WithCommand("/cp", "-Rv", "/unpack", "/util/bin/unpack"). WithVolumeMounts(applyconfigurationcorev1.VolumeMount(). WithName("util"). WithMountPath("/util/bin"), ). - WithSecurityContext(containerSecurityContext). - WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError), + WithSecurityContext(containerSecurityContext), ). WithContainers(applyconfigurationcorev1.Container(). WithName(imageBundleUnpackContainerName). @@ -154,15 +153,14 @@ func (i *Image) getDesiredPodApplyConfig(bundle *rukpakv1alpha2.BundleDeployment WithName("util"). WithMountPath("/bin"), ). - WithSecurityContext(containerSecurityContext). - WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError), + WithSecurityContext(containerSecurityContext.WithRunAsUser(1001)), ). WithVolumes(applyconfigurationcorev1.Volume(). WithName("util"). WithEmptyDir(applyconfigurationcorev1.EmptyDirVolumeSource()), ). WithSecurityContext(applyconfigurationcorev1.PodSecurityContext(). - WithRunAsNonRoot(false). + WithRunAsNonRoot(true). WithSeccompProfile(applyconfigurationcorev1.SeccompProfile(). WithType(corev1.SeccompProfileTypeRuntimeDefault), ),
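Review bot: Both `FROM` lines pull by floating tag (`debug-nonroot`, `nonroot`) with no digest, so the `cp` binary copied into the runtime image and the runtime base itself can change between rebuilds; since the two-stage split exists to ship only that one binary on a shell-less base, pin each stage, e.g. `FROM gcr.io/distroless/static:debug-nonroot@sha256:<digest> AS builder`, with the tag kept in a comment for readers. The `COPY --from=builder /busybox/cp /cp` relies on busybox in the debug image being a statically linked multi-call binary that picks its applet from argv[0]; that is what lets it run on a libc-less `static` base and act only as `cp`, and it is worth stating (`# busybox is static and dispatches on argv[0], so /cp is cp only`) so a later change of debug image does not silently break the init container. The hunk header promises 11 new lines but fewer are visible after `WORKDIR /`, so some trailing context appears lost in this rendering.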
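Review bot: Dropping `WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError)` from the `install-unpacker` init container means that when `/cp` fails its termination message is no longer filled from the container log, so whatever reads pod status to report an unpack failure loses the reason; unless this is deliberate, keep `WithTerminationMessagePolicy(corev1.TerminationMessageFallbackToLogsOnError),` after `WithSecurityContext(containerSecurityContext).`. If it is deliberate, a one-line comment on why would stop the next reader reinstating it. The switch to the absolute `/cp` ties this file to the path chosen in the Dockerfile; a short comment such as `// /cp is the busybox cp copied into the unpack image (see Dockerfile)` keeps the two in step. `getDesiredPodApplyConfig` begins before and continues after this hunk.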
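Review bot: `containerSecurityContext.WithRunAsUser(1001)` hard-codes a UID with no explanation, and if `containerSecurityContext` is a client-go `*SecurityContextApplyConfiguration` (its `With*` builders mutate the receiver and return the same pointer) the call also alters the context already attached to the `install-unpacker` init container in the previous hunk, so both containers run as UID 1001 by aliasing rather than by design. Make it explicit: add `const unpackRunAsUser = 1001` with a comment on why a fixed UID is needed (presumably so files the init container writes into the `util` emptyDir are readable by the bundle container, which may otherwise run as the image's own `USER`), and apply it on both containers or build a separate context for the bundle container. `WithRunAsNonRoot(true)` is the right direction, but the kubelet refuses to start a container whose image runs as root unless `runAsUser` is also set, so this hunk's `RunAsUser` is load-bearing for that flag and that dependency belongs in a comment next to the pod security context. This hunk also drops `TerminationMessageFallbackToLogsOnError` from the bundle container, with the same loss of failure detail noted for the init container. `getDesiredPodApplyConfig` begins before and continues after this hunk.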