change docker-image to run as numeric userid and update k8s examples

sseide · Apr 21, 2020 · 3899423 · 3899423
1 parent f406fa7
commit 3899423
Show file tree

Hide file tree

Showing 5 changed files with 53 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,10 @@
 # Redis-Commander CHANGELOG
 
+## Next Version
+#### Enhancements
+* set user in Dockerfile as numeric value to allow Kubernetes to enforce non-root user
+* update Kubernetes examples with security settings for Redis Commander
+
 ## Version 0.7.0
 #### Bugfixes
 * fix error on Windows on getting package installation path, #388

diff --git a/Dockerfile b/Dockerfile
@@ -22,7 +22,7 @@ RUN  apk update \
   && apk add --no-cache --virtual .patch-dep patch \
   && update-ca-certificates \
   && echo -e "\n---- Create runtime user and fix file access rights ----------" \
-  && adduser ${SERVICE_USER} -h ${HOME} -G root -S \
+  && adduser ${SERVICE_USER} -h ${HOME} -G root -S -u 1000 \
   && chown -R root.root ${HOME} \
   && chown -R ${SERVICE_USER} ${HOME}/config \
   && chmod g+w ${HOME}/config \
@@ -37,7 +37,7 @@ RUN  apk update \
   && ${HOME}/docker/harden.sh \
   && rm -rf /tmp/* /root/.??* /root/cache /var/cache/apk/*
 
-USER ${SERVICE_USER}
+USER 1000
 
 HEALTHCHECK --interval=1m --timeout=2s CMD ["/redis-commander/bin/healthcheck.js"]
 

diff --git a/k8s/redis-commander/deployment-password-protected-redis.yaml b/k8s/redis-commander/deployment-password-protected-redis.yaml
@@ -26,3 +26,14 @@ spec:
         ports:
         - name: redis-commander
           containerPort: 8081
+        #resources:
+        #  limits:
+        #    cpu: "500m"
+        #    memory: "512M"
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
diff --git a/k8s/redis-commander/deployment.yaml b/k8s/redis-commander/deployment.yaml
@@ -24,3 +24,15 @@ spec:
         ports:
         - name: redis-commander
           containerPort: 8081
+        #resources:
+        #  limits:
+        #    cpu: "500m"
+        #    memory: "512M"
+        securityContext:
+          runAsNonRoot: true
+          readOnlyRootFilesystem: false
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - ALL
+
diff --git a/k8s/redis-commander/ingress.yml b/k8s/redis-commander/ingress.yml
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: redis-commander-ingress
+  labels:
+    app: redis-commander
+  annotations:
+    # ssl + hsts config
+    #ingress.kubernetes.io/ssl-proxy-headers: "X-Forwarded-Proto:https"
+    #ingress.kubernetes.io/ssl-redirect: "true"
+    #ingress.kubernetes.io/force-hsts: "true"
+    #ingress.kubernetes.io/hsts-max-age: "315360000"
+    #ingress.kubernetes.io/hsts-preload: "true"
+    #ingress.kubernetes.io/hsts-include-subdomains: true
+spec:
+  rules:
+    - host: redis.local
+      http:
+        paths:
+          - path: "/"
+            backend:
+              serviceName: redis-commander
+              servicePort: 8081