Run pause image as non-root user and group

We now build the pause image to use a pseudo user and group 65535:65535.
This increases the security aspect of the container image, if a
vulnerability would directly affect the pause container.

Signed-off-by: Sascha Grunert <sgrunert@suse.com>
Sascha Grunert 2021-01-12 11:59:58 +01:00 committed by Sascha Grunert
parent 784df7a37e
commit aad711f399
No known key found for this signature in database
GPG Key ID: 09D97D153EF94D93
3 changed files with 3 additions and 2 deletions

@ -160,7 +160,7 @@ dependencies:
match: __default_go_runner_version= match: __default_go_runner_version=
- name: "k8s.gcr.io/pause" - name: "k8s.gcr.io/pause"
version: 3.4 version: 3.5
refPaths: refPaths:
- path: build/pause/Makefile - path: build/pause/Makefile
match: TAG = match: TAG =
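Review bot: The old value on the `version:` line was 3.4 while the Makefile hunk in this same commit shows the previous `TAG = 3.4.1`, so the dependency entry and the file it points at were already out of step before this bump. Please confirm that the `match: TAG =` check on `build/pause/Makefile` compares the full tag string, and that every other refPath listed under this entry (only the first is visible in this hunk) is updated to 3.5 as well.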

@ -16,4 +16,5 @@ ARG BASE
FROM ${BASE} FROM ${BASE}
ARG ARCH ARG ARCH
ADD bin/pause-linux-${ARCH} /pause ADD bin/pause-linux-${ARCH} /pause
USER 65535:65535
ENTRYPOINT ["/pause"] ENTRYPOINT ["/pause"]
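Review bot: The `ADD bin/pause-linux-${ARCH} /pause` line just above the new `USER 65535:65535` copies the binary without setting ownership or mode, so the file stays root-owned and the entrypoint only starts if the build output already carries read and execute bits for "other". Either verify that in the build or set the permissions explicitly in the image so the non-root start does not depend on the build host's umask. A short comment next to `USER 65535:65535` explaining why this particular numeric ID was picked would also help, since the commit message only calls it a pseudo user and group.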

@ -17,7 +17,7 @@
REGISTRY ?= staging-k8s.gcr.io REGISTRY ?= staging-k8s.gcr.io
IMAGE = $(REGISTRY)/pause IMAGE = $(REGISTRY)/pause
TAG = 3.4.1 TAG = 3.5
REV = $(shell git describe --contains --always --match='v*') REV = $(shell git describe --contains --always --match='v*')
# Architectures supported: amd64, arm, arm64, ppc64le and s390x # Architectures supported: amd64, arm, arm64, ppc64le and s390x