Merge pull request #87 from kgudel/nonroot

Set user as nonroot with shadow
cfpb · Jul 18, 2019 · 858d620 · 858d620
2 parents ee19cfc + 7756d51
commit 858d620
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -13,14 +13,18 @@ COPY public ./public
 
 RUN yarn build
 
-FROM nginx:1.15.12-alpine
-ENV NGINX_USER=nginx
+FROM nginx:1.16-alpine
+ENV NGINX_USER=svc_nginx_hmda
 RUN rm -rf /etc/nginx/conf.d
 COPY nginx /etc/nginx
 COPY --from=build-stage /usr/src/app/build /usr/share/nginx/html/hmda-help
-RUN apk --no-cache add shadow && \
-    usermod -l $NGINX_USER nginx && \
-    groupmod -n $NGINX_USER nginx && \
-    chown -R $NGINX_USER:$NGINX_USER /etc/nginx /usr/share/nginx/html/hmda-help
-EXPOSE 80
+RUN adduser -S $NGINX_USER nginx && \
+    addgroup -S $NGINX_USER && \
+    addgroup $NGINX_USER $NGINX_USER && \
+    touch /run/nginx.pid && \
+    chown -R $NGINX_USER:$NGINX_USER /etc/nginx /run/nginx.pid /var/cache/nginx/
+
+ EXPOSE 8080
+
+ USER svc_nginx_hmda
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/kubernetes/hmda-help/templates/deployment.yaml b/kubernetes/hmda-help/templates/deployment.yaml
@@ -35,7 +35,7 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
             - name: http
-              containerPort: 80
+              containerPort: 8080
               protocol: TCP
           livenessProbe:
             httpGet:

diff --git a/kubernetes/hmda-help/values.yaml b/kubernetes/hmda-help/values.yaml
@@ -15,7 +15,7 @@ fullnameOverride: ''
 
 service:
   type: ClusterIP
-  port: 80
+  port: 8080
 
 #ambassador:
 #  service:

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
@@ -46,7 +46,7 @@ http {
   }
 
   server {
-    listen 80;
+    listen 8080;
     root /usr/share/nginx/html/;
     autoindex off;
     access_log /dev/stdout;