From ec9e80d625e1e448f10eb33331a5e04be43c85cb Mon Sep 17 00:00:00 2001
From: Matteo Baiguini
Date: Wed, 15 May 2024 10:04:23 +0200
Subject: [PATCH] Enhance security (#151)
* Added USER to Dockerfile
* Added pod and container securityContext
--------
Co-authored-by: Matteo Baiguini
---
 Dockerfile | 2 ++
 chart/templates/daemonset.yaml | 12 ++++++++++++
 2 files changed, 14 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 9ecbf4a..0f2ce74 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,5 +34,7 @@ COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
 # copy the binary to the production image from the builder stage
 COPY --from=builder /app/.bin/kubeip-agent /kubeip-agent
+USER 1001
+
 ENTRYPOINT ["/kubeip-agent"]
 CMD ["run"]
\ No newline at end of file
diff --git a/chart/templates/daemonset.yaml b/chart/templates/daemonset.yaml
index 5ec4d3d..9c1d59e 100644
--- a/chart/templates/daemonset.yaml
+++ b/chart/templates/daemonset.yaml
@@ -29,6 +29,11 @@ spec:
 effect: "NoSchedule"
 - operator: "Exists"
 effect: "NoExecute"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
 containers:
 - name: kubeip
 image: "{{ .Values.image.repository }}"
@@ -48,3 +53,10 @@ spec:
 value: {{ .Values.daemonSet.env.LOG_LEVEL | quote }}
 - name: LOG_JSON
 value: {{ .Values.daemonSet.env.LOG_JSON | quote }}
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
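Review bot: `USER 1001` pins only a UID; with no group given and (presumably) no /etc/passwd entry for 1001 in this minimal final stage, Docker runs the process with the root group (GID 0), so anything that starts the image outside the chart — `docker run`, a CI job — gets group-root access that the Helm `runAsGroup: 1001` would otherwise deny. Make the image self-contained by pinning the group as well: `USER 1001:1001`. Keeping the numeric form is right, since the final stage copies only zoneinfo and the binary and has no passwd file to resolve a name, and a numeric UID is what lets `runAsNonRoot: true` be verified without a lookup. The base image of this stage is outside the hunk, so whether it ships a passwd entry for 1001 cannot be confirmed here.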
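Review bot: The new pod-level securityContext pins UID/GID but sets no seccomp profile, which leaves the agent on the runtime default (unconfined on many setups) and just short of the `restricted` Pod Security Standard that the rest of this block would otherwise satisfy; add `seccompProfile:` / `  type: RuntimeDefault` under the new `securityContext:`. The value 1001 is also hard-coded three times in the template while neighbouring fields read from `.Values.daemonSet`, so an operator whose image runs as another UID cannot adjust it without forking the chart — consider exposing the block as `.Values.daemonSet.podSecurityContext` rendered with `toYaml` and a matching `nindent`, with these settings as the defaults. Whatever form it takes, `runAsUser` must stay in step with the `USER` line in the Dockerfile, which deserves a one-line comment such as `# must match USER in Dockerfile`. The enclosing pod template spec starts before this hunk.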
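Review bot: `readOnlyRootFilesystem: true` is added without any writable volume, so if kubeip-agent writes to disk at runtime — a temp file, a cache, a PID file — that write now fails with EROFS; this hunk shows only env vars, so whether the agent does write is not visible here and is worth confirming before release (an `emptyDir` mounted at `/tmp` is the usual escape hatch if it does). As with the pod block, the container securityContext is hard-coded while the surrounding fields are values-driven; `{{- toYaml .Values.daemonSet.securityContext | nindent N }}` with these settings as defaults in values.yaml keeps the hardening while letting operators tune it. `privileged: false` is the API default and can be dropped without changing the rendered behaviour. The `containers` list and the kubeip container entry start before this hunk.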