Setup user on docker image to run it as no root by using gcr.io/distroless/static:nonroot and the targetPort 9843 for webhoocks

camilamacedo86 · camilamacedo86 · commit 7af89cb00c22 · 2019-09-19T01:09:39.000+01:00
diff --git a/pkg/scaffold/v2/dockerfile.go b/pkg/scaffold/v2/dockerfile.go
@@ -57,8 +57,10 @@ RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -a -o manager
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:latest
+FROM gcr.io/distroless/static:nonroot 
 WORKDIR /
 COPY --from=builder /workspace/manager .
+USER nonroot:nonroot
+
 ENTRYPOINT ["/manager"]
 `
diff --git a/pkg/scaffold/v2/main.go b/pkg/scaffold/v2/main.go
@@ -166,6 +166,7 @@ func main() {
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,
 		LeaderElection:     enableLeaderElection,
+		Port:               9443, 
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
diff --git a/pkg/scaffold/v2/webhook/service.go b/pkg/scaffold/v2/webhook/service.go
@@ -48,7 +48,7 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager
 `
diff --git a/pkg/scaffold/v2/webhook_manager_patch.go b/pkg/scaffold/v2/webhook_manager_patch.go
@@ -47,7 +47,7 @@ spec:
       containers:
       - name: manager
         ports:
-        - containerPort: 443
+        - containerPort: 9443
           name: webhook-server
           protocol: TCP
         volumeMounts:
diff --git a/testdata/project-v2/config/default/manager_webhook_patch.yaml b/testdata/project-v2/config/default/manager_webhook_patch.yaml
@@ -9,7 +9,7 @@ spec:
       containers:
       - name: manager
         ports:
-        - containerPort: 443
+        - containerPort: 9443
           name: webhook-server
           protocol: TCP
         volumeMounts:
diff --git a/testdata/project-v2/config/webhook/service.yaml b/testdata/project-v2/config/webhook/service.yaml
@@ -7,6 +7,6 @@ metadata:
 spec:
   ports:
     - port: 443
-      targetPort: 443
+      targetPort: 9443
   selector:
     control-plane: controller-manager
diff --git a/testdata/project-v2/main.go b/testdata/project-v2/main.go
@@ -58,6 +58,7 @@ func main() {
 		Scheme:             scheme,
 		MetricsBindAddress: metricsAddr,
 		LeaderElection:     enableLeaderElection,
+		Port:               9843,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")

Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ metadata:`
`48`	`48`	`spec:`
`49`	`49`	`ports:`
`50`	`50`	`- port: 443`
`51`		`- targetPort: 443`
	`51`	`+ targetPort: 9443`
`52`	`52`	`selector:`
`53`	`53`	`control-plane: controller-manager`
`54`	`54`	`