From aad711f3997c19863214451eb58d4135090ef66a Mon Sep 17 00:00:00 2001
From: Sascha Grunert
Date: Tue, 12 Jan 2021 11:59:58 +0100
Subject: [PATCH] Run pause image as non-root user and group

We now build the pause image to use a pseudo user and group 65535:65535. This increases the security aspect of the container image, if a vulnerability would directly affect the pause container.

Signed-off-by: Sascha Grunert
---
 build/dependencies.yaml | 2 +-
 build/pause/Dockerfile | 1 +
 build/pause/Makefile | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/build/dependencies.yaml b/build/dependencies.yaml
index 6f762e6cc9f..bb6641e1bfd 100644
--- a/build/dependencies.yaml
+++ b/build/dependencies.yaml
@@ -160,7 +160,7 @@ dependencies:
 match: __default_go_runner_version=
 
 - name: "k8s.gcr.io/pause"
- version: 3.4
+ version: 3.5
 refPaths:
 - path: build/pause/Makefile
 match: TAG =
diff --git a/build/pause/Dockerfile b/build/pause/Dockerfile
index 250284b2aa4..3e612a4b823 100644
--- a/build/pause/Dockerfile
+++ b/build/pause/Dockerfile
@@ -16,4 +16,5 @@ ARG BASE
 FROM ${BASE}
 ARG ARCH
 ADD bin/pause-linux-${ARCH} /pause
+USER 65535:65535
 ENTRYPOINT ["/pause"]
diff --git a/build/pause/Makefile b/build/pause/Makefile
index c7b516f4b06..43f49e9d868 100644
--- a/build/pause/Makefile
+++ b/build/pause/Makefile
@@ -17,7 +17,7 @@ REGISTRY ?= staging-k8s.gcr.io
 IMAGE = $(REGISTRY)/pause
-TAG = 3.4.1
+TAG = 3.5
 REV = $(shell git describe --contains --always --match='v*')
 
 # Architectures supported: amd64, arm, arm64, ppc64le and s390x
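Review bot: The new `USER 65535:65535` line in build/pause/Dockerfile gives no reason for this particular ID or for using numeric IDs rather than names, and since the image is built from a bare `${BASE}` with only /pause added there is presumably no /etc/passwd to resolve a name anyway; a comment such as `# Drop to an unprivileged, unnamed UID/GID: the static /pause binary needs no passwd entry, and a high ID avoids colliding with real host users` would document the intent next to the line. It is also worth noting in that comment that /pause, placed by the ADD line above, keeps root ownership and the mode from the build context, so the runtime user cannot modify the binary it executes, which is the arrangement you want. Whether a container runtime or a pod-level securityContext overrides this image default when the sandbox is created is not visible from the hunk, so I would confirm the non-root default actually holds in practice before describing it as the security gain the commit message claims.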