This is an automated email from the ASF dual-hosted git repository.
wangyang0918 pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/flink-kubernetes-operator.git
The following commit(s) were added to refs/heads/main by this push:
new 2511860 [FLINK-26157] Containers Should Not Run As Root
2511860 is described below
commit 2511860467de46c4bff1cc1a1fe735246f3e27ea
Author: Matyas Orhidi <[email protected]>
AuthorDate: Tue Feb 15 11:16:44 2022 +0100
[FLINK-26157] Containers Should Not Run As Root
This closes #8.
---
Dockerfile | 18 ++++++++++++++----
.../metrics/KubernetesOperatorMetricGroupTest.java | 2 +-
helm/flink-operator/templates/flink-operator.yaml | 3 +++
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 2eda986..a04f21d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,15 +37,25 @@ RUN --mount=type=cache,target=/root/.m2 mvn clean install
# stage
FROM openjdk:11-jre
-
+ENV FLINK_HOME=/opt/flink
ENV OPERATOR_VERSION=1.0-SNAPSHOT
ENV OPERATOR_JAR=flink-kubernetes-operator-$OPERATOR_VERSION-shaded.jar
ENV WEBHOOK_JAR=flink-kubernetes-webhook-$OPERATOR_VERSION-shaded.jar
-COPY --from=build /app/flink-kubernetes-operator/target/$OPERATOR_JAR /
-COPY --from=build /app/flink-kubernetes-webhook/target/$WEBHOOK_JAR /
-COPY --from=build /app/flink-kubernetes-operator/target/plugins
/opt/flink/plugins
+WORKDIR /
+RUN groupadd --system --gid=9999 flink && \
+ useradd --system --home-dir $FLINK_HOME --uid=9999 --gid=flink flink
+COPY --from=build /app/flink-kubernetes-operator/target/$OPERATOR_JAR .
+COPY --from=build /app/flink-kubernetes-webhook/target/$WEBHOOK_JAR .
+COPY --from=build /app/flink-kubernetes-operator/target/plugins
$FLINK_HOME/plugins
COPY docker-entrypoint.sh /
+
+RUN chown -R flink:flink $FLINK_HOME && \
+ chown flink:flink $OPERATOR_JAR && \
+ chown flink:flink $WEBHOOK_JAR && \
+ chown flink:flink docker-entrypoint.sh
+
+USER flink
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["help"]
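Review bot: The `RUN chown` block near the end of the stage hands ownership of the operator and webhook JARs and of `docker-entrypoint.sh` to the same user that executes them, so a compromised operator process can rewrite its own code and entrypoint; least privilege is root-owned, world-readable files with only the paths the process actually needs writable. Files `COPY`'d by root are already readable by `flink`, so the three `chown flink:flink` lines for the JARs and the entrypoint can be dropped, keeping at most `chown -R flink:flink $FLINK_HOME` (or `COPY --chown=flink:flink` on the plugins `COPY`, which also avoids duplicating the layer). Whether the operator needs `$FLINK_HOME/plugins` writable at runtime is not visible here — if it does not, that directory can stay root-owned too. The stage is also based on the floating `openjdk:11-jre` tag; pinning a digest would make the non-root image reproducible and keep the UID/GID contract stable across rebuilds.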
diff --git
a/flink-kubernetes-operator/src/test/java/org/apache/flink/kubernetes/operator/metrics/KubernetesOperatorMetricGroupTest.java
b/flink-kubernetes-operator/src/test/java/org/apache/flink/kubernetes/operator/metrics/KubernetesOperatorMetricGroupTest.java
index 3d1d510..9f65293 100644
---
a/flink-kubernetes-operator/src/test/java/org/apache/flink/kubernetes/operator/metrics/KubernetesOperatorMetricGroupTest.java
+++
b/flink-kubernetes-operator/src/test/java/org/apache/flink/kubernetes/operator/metrics/KubernetesOperatorMetricGroupTest.java
@@ -23,7 +23,7 @@ import org.apache.flink.runtime.metrics.MetricRegistryImpl;
import org.apache.flink.shaded.guava30.com.google.common.collect.ImmutableMap;
-import org.junit.Test;
+import org.junit.jupiter.api.Test;
import static
org.apache.flink.kubernetes.operator.metrics.KubernetesOperatorMetricOptions.SCOPE_NAMING_KUBERNETES_OPERATOR;
import static org.junit.Assert.assertArrayEquals;
diff --git a/helm/flink-operator/templates/flink-operator.yaml
b/helm/flink-operator/templates/flink-operator.yaml
index 7225dc0..f269310 100644
--- a/helm/flink-operator/templates/flink-operator.yaml
+++ b/helm/flink-operator/templates/flink-operator.yaml
@@ -33,6 +33,9 @@ spec:
labels:
{{- include "flink-operator.selectorLabels" . | nindent 8 }}
spec:
+ securityContext:
+ runAsUser: 9999
+ runAsGroup: 9999
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
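Review bot: The new pod `securityContext` sets `runAsUser`/`runAsGroup` to 9999 but does not set `runAsNonRoot: true`, which Pod Security Standards (restricted) and most admission policies require explicitly rather than inferring from the numeric UID; add `runAsNonRoot: true` under the two new lines so the guarantee survives if the UID is later made configurable or removed. The 9999 duplicates the UID/GID hard-coded in the Dockerfile and the two must stay in sync, since `runAsUser` overrides the image's `USER`; a comment such as `# must match the flink uid/gid created in the Dockerfile` or a `.Values.podSecurityContext` entry would make that coupling explicit. If any volumes are mounted into the pod, an `fsGroup` may also be needed for the non-root process to write to them — not determinable from this hunk. A container-level `securityContext` with `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` would complete the hardening this commit starts.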