diff --git a/Dockerfile b/Dockerfile
index 22fd3d92be..a370399b8d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -31,9 +31,15 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 ENTRYPOINT [ "/start.sh", "/workspace/manager" ]
 
 # Copy the controller-manager into a thin image
-FROM golang:1.19.5
+FROM alpine:3.11
 WORKDIR /
 COPY --from=builder /workspace/manager .
-# Use uid of nonroot user (65532) because kubernetes expects numeric user when applying pod security policies
-USER 65532
+# add new user
+ARG USER=nonroot
+ENV HOME /home/$USER
+RUN adduser -D $USER \
+ && mkdir -p /etc/sudoers.d \
+ && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/$USER \
+ && chmod 0440 /etc/sudoers.d/$USER
+USER 1000
 ENTRYPOINT ["/manager"]
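Review bot: The `RUN adduser` step writes a passwordless `ALL=(ALL) NOPASSWD: ALL` sudoers entry for the runtime user into the final image, which undoes the point of running the manager as non-root: anything that executes as that user can become root the moment `sudo` is present, and nothing in the hunk installs or uses `sudo`, so the entry has no legitimate purpose here. Drop the three `mkdir`/`echo`/`chmod` continuation lines and keep only the account creation, with the uid pinned so the numeric `USER` line is guaranteed to match rather than relying on `adduser` allocating 1000: `RUN adduser -D -u 10001 $USER` followed by `USER 10001` (the removed comment explained the numeric uid for Kubernetes pod security; a comment to that effect should come back). `ENV HOME /home/$USER` uses the deprecated space-separated form and should be `ENV HOME=/home/$USER`. Separately, `alpine:3.11` is an end-of-life release that no longer receives security updates, so a supported tag should be chosen, and since the builder stage is outside this hunk it is worth confirming the binary is built with `CGO_ENABLED=0` so it runs on musl.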