Enforce runAsNonRoot

BREAKING CHANGE: the controller container is now executed under 65534:65534 (userid:groupid). This change may break deployments that hard-coded the user name 'controller' in their PodSecurityPolicy.

Signed-off-by: Paulo Gomes <[email protected]>

Dockerfile

@@ -41,8 +41,6 @@ RUN apk add --no-cache ca-certificates tini
 
 COPY --from=builder /workspace/helm-controller /usr/local/bin/
 
-RUN addgroup -S controller -g 65532 && adduser -D -u 65532 -s /sbin/nologin -S controller -G controller
-
-USER controller
+USER 65534:65534
 
 ENTRYPOINT [ "/sbin/tini", "--", "helm-controller" ]

config/manager/deployment.yaml

@@ -25,6 +25,7 @@ spec:
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true
+          runAsNonRoot: true
           capabilities:
             drop: ["ALL"]
           seccompProfile: