From 8b78570597c4f0f2e8a6494ad6efcbe5e5610522 Mon Sep 17 00:00:00 2001
From: Jens L
Date: Sun, 9 Apr 2023 21:39:07 +0200
Subject: [PATCH] outposts: run containers as non root (#5212)
Signed-off-by: Jens Langhammer
---
 authentik/outposts/controllers/k8s/deployment.py | 2 +-
 ldap.Dockerfile | 2 ++
 proxy.Dockerfile | 2 ++
 radius.Dockerfile | 2 ++
 4 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/authentik/outposts/controllers/k8s/deployment.py b/authentik/outposts/controllers/k8s/deployment.py
index 5bc38e762..1eef5c732 100644
--- a/authentik/outposts/controllers/k8s/deployment.py
+++ b/authentik/outposts/controllers/k8s/deployment.py
@@ -108,7 +108,6 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
 V1ObjectReference(name=secret) for secret in image_pull_secrets
 ],
 security_context=V1PodSecurityContext(
-run_as_non_root=True,
 seccomp_profile=V1SeccompProfile(
 type="RuntimeDefault",
 ),
@@ -157,6 +156,7 @@ class DeploymentReconciler(KubernetesObjectReconciler[V1Deployment]):
 ),
 ],
 security_context=V1SecurityContext(
+run_as_non_root=True,
 allow_privilege_escalation=False,
 capabilities=V1Capabilities(
 drop=["ALL"],
diff --git a/ldap.Dockerfile b/ldap.Dockerfile
index 4a3b0d6ae..53bdb1dc7 100644
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@@ -23,4 +23,6 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider
 EXPOSE 3389 6636 9300
+USER 1000
+
 ENTRYPOINT ["/ldap"]
diff --git a/proxy.Dockerfile b/proxy.Dockerfile
index e17fb854d..92338318e 100644
--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@@ -36,4 +36,6 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider
 EXPOSE 9000 9300 9443
+USER 1000
+
 ENTRYPOINT ["/proxy"]
diff --git a/radius.Dockerfile b/radius.Dockerfile
index 0d4973657..1c5abbf6c 100644
--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@@ -23,4 +23,6 @@ HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider
 EXPOSE 1812/udp 9300
+USER 1000
+
 ENTRYPOINT ["/radius"]
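Review bot: The added `run_as_non_root=True` in the second deployment.py hunk replaces the pod-level setting removed in the first, which narrows the guarantee from every container in the pod to this one `V1SecurityContext`, and neither hunk records why the pod-level constraint was dropped; any container later added to this pod spec would silently run without it. Please add a comment on the new line, for example `# kubelet refuses to start the container if the image runs as root or as a non-numeric user; the outpost Dockerfiles set USER 1000 for this`, so the coupling to the Dockerfiles in this same commit is visible to the next maintainer. If the container image reference can be overridden by the operator (not visible in this hunk), an explicit `run_as_user=1000,` next to it would keep the pod from depending on the image's USER directive at all, since the kubelet's non-root check is only evaluated against whatever UID the image or spec supplies. The enclosing method of `DeploymentReconciler` starts and ends outside both hunks.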
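Review bot: `USER 1000` in ldap.Dockerfile, and the identical line in proxy.Dockerfile and radius.Dockerfile, sets only a UID; per the Dockerfile reference, when that user has no primary group in the image the process runs with the root group (GID 0), so the privilege drop is only half complete. Pin the group as well: `USER 1000:1000`. Whether the base image defines UID 1000 in `/etc/passwd` is not visible in these hunks; if it does not, consider adding the passwd and group entries in the build so name lookups in the binary resolve consistently. Note that the Kubernetes `run_as_non_root=True` check added in this commit only inspects the UID and will not catch a root primary group.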