add user to dockerfile

cfpb · Dec 19, 2024 · 7e3b2e6 · 7e3b2e6
1 parent 45f4f40
commit 7e3b2e6
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -17,6 +17,11 @@ ENV APP_HOME /src/consumerfinance.gov
 
 ENV PYTHONPATH ${APP_HOME}/cfgov
 
+ARG USERNAME=cfgov
+ARG USER_UID=1000
+
+RUN adduser -u $USER_UID -D $USERNAME
+
 # Set the working directory
 WORKDIR ${APP_HOME}
 
@@ -146,6 +151,12 @@ COPY --from=node-builder ${APP_HOME} ${APP_HOME}
 # secret key here for this step only.
 RUN SECRET_KEY=only-for-collectstatic cfgov/manage.py collectstatic --noinput
 
+# Use a non-root user
+RUN chown -R $USERNAME:$USERNAME $APP_HOME
+
+# Create the user
+USER $USERNAME
+
 # Run Gunicorn
 CMD gunicorn --reload cfgov.wsgi:application -b :8000
 # CMD python ./cfgov/manage.py runserver 0.0.0.0:8000
diff --git a/helm/values.eks.yaml b/helm/values.eks.yaml
@@ -96,16 +96,15 @@ podAnnotations: {}
 # For more information checkout: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 podLabels: {"app.kubernetes.io/name": "cfgov"}
 
-podSecurityContext: {}
-  # fsGroup: 2000
-
-securityContext: {}
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
-  # runAsNonRoot: true
-  # runAsUser: 1000
+securityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
+  runAsUser: 1000
+  seccompProfile:
+    type: RuntimeDefault
 
 # This is for setting up a service more information can be found here: https://kubernetes.io/docs/concepts/services-networking/service/
 service: