From 7a397d763dc0a179eb24e006451c417b4ab24566 Mon Sep 17 00:00:00 2001
From: praju-aot
Date: Wed, 20 Sep 2023 14:11:35 -0400
Subject: [PATCH 01/20] TEST
---
 backend/dops/Dockerfile | 13 +++++++++++++
 backend/dops/uid_entrypoint.sh | 7 +++++++
 2 files changed, 20 insertions(+)
 create mode 100644 backend/dops/uid_entrypoint.sh
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 2fb54fca4..cdbc5261f 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -78,6 +78,19 @@ ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 # Expose Port
 EXPOSE 5001
 
+# Add Chrome as a user
+RUN addgroup -S dopsuser && adduser -S -g dopsuser dopsuser \
+ && mkdir -p /home/dopsuser/Downloads \
+ && chown -R dopsuser:dopsuser /home/dopsuser \
+ && chown -R dopsuser:dopsuser /app
+
+# Run Chrome as non-privileged
+USER dopsuser
+
+COPY uid_entrypoint /
+RUN chmod g=u /etc/passwd && chmod 775 /uid_entrypoint
+ENTRYPOINT ["uid_entrypoint"]
+
 # Start the app
 CMD ["npm", "run", "start:prod"]
 
diff --git a/backend/dops/uid_entrypoint.sh b/backend/dops/uid_entrypoint.sh
new file mode 100644
index 000000000..15944d276
--- /dev/null
+++ b/backend/dops/uid_entrypoint.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "dopsuser:x:$(id -u):0:My User:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
+exec "$@"
\ No newline at end of file
From 2d2bac43683977b1cd14eba79b0b9e64ade35a07 Mon Sep 17 00:00:00 2001
From: praju-aot
Date: Wed, 20 Sep 2023 14:14:10 -0400
Subject: [PATCH 02/20] Test
---
 backend/dops/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index cdbc5261f..79035bff7 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
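Review bot: `RUN chmod g=u /etc/passwd && chmod 775 /uid_entrypoint` is placed after `USER dopsuser`, so it runs as the unprivileged user and cannot change the mode of root-owned /etc/passwd; the step has to sit above the `USER` line, and once it works it makes /etc/passwd writable for gid 0, which is the usual OpenShift arbitrary-UID accommodation but also lets any root-group process append accounts, so keep it to exactly that file and use `chmod 755 /uid_entrypoint` (group write on the entrypoint buys nothing). `ENTRYPOINT ["uid_entrypoint"]` is a bare name that exec form resolves through PATH, and `/` is not on PATH, so it should be `ENTRYPOINT ["/uid_entrypoint"]`. The file this commit adds is `uid_entrypoint.sh`, while `COPY uid_entrypoint /` references a name that does not appear in the tree, so the build presumably fails at the COPY; patches 02, 03 and 04 swap the ENTRYPOINT name and the COPY source back and forth without ever aligning them, and patch 05 reverts the whole attempt.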
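Review bot: `if ! whoami &> /dev/null; then` uses the bash-only `&>` redirection under `#!/bin/sh`; a POSIX shell parses that as backgrounding `! whoami` and then running a bare `> /dev/null`, whose status is 0, so the condition is effectively never true and the passwd entry is never written. Use `if ! whoami > /dev/null 2>&1; then`. The appended entry also hard-codes the name `dopsuser` and gid `0` for whatever uid the platform assigns, and `${HOME}` may be empty for an unknown uid, so `${HOME:-/home/dopsuser}` and `$(id -g)` for the gid field would be safer. Busybox ash may accept `&>` as an extension, but the shebang does not promise that.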
@@ -89,7 +89,7 @@ USER dopsuser
 
 COPY uid_entrypoint /
 RUN chmod g=u /etc/passwd && chmod 775 /uid_entrypoint
-ENTRYPOINT ["uid_entrypoint"]
+ENTRYPOINT ["uid_entrypoint.sh"]
 
 # Start the app
 CMD ["npm", "run", "start:prod"]
From bafd9eacc565bdd54aac8911bcdafd03824cea4c Mon Sep 17 00:00:00 2001
From: praju-aot
Date: Wed, 20 Sep 2023 14:24:32 -0400
Subject: [PATCH 03/20] test
---
 backend/dops/Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 79035bff7..d0bfaaf47 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -64,6 +64,8 @@ ENV ACCESS_API_URL ${ACCESS_API_URL}
 COPY --from=builder /app/package*.json ./
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
+# Copy uid_entrypoint from builder stage
+COPY --from=builder /app/uid_entrypoint /
 
 RUN apk add --no-cache \
 chromium \
@@ -89,7 +91,7 @@ USER dopsuser
 
 COPY uid_entrypoint /
 RUN chmod g=u /etc/passwd && chmod 775 /uid_entrypoint
-ENTRYPOINT ["uid_entrypoint.sh"]
+ENTRYPOINT ["uid_entrypoint"]
 
 # Start the app
 CMD ["npm", "run", "start:prod"]
From fd95263978935650d661cb860dedc09fd5c77019 Mon Sep 17 00:00:00 2001
From: praju-aot
Date: Wed, 20 Sep 2023 14:27:44 -0400
Subject: [PATCH 04/20] fix
---
 backend/dops/Dockerfile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index d0bfaaf47..4b07ae748 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -89,7 +89,6 @@ RUN addgroup -S dopsuser && adduser -S -g dopsuser dopsuser \
 # Run Chrome as non-privileged
 USER dopsuser
 
-COPY uid_entrypoint /
 RUN chmod g=u /etc/passwd && chmod 775 /uid_entrypoint
 ENTRYPOINT ["uid_entrypoint"]
 
From 7a6f730a02d6a34db346d1f19335aae74a747a9f Mon Sep 17 00:00:00 2001
From: praju-aot
Date: Wed, 20 Sep 2023 14:37:24 -0400
Subject: [PATCH 05/20] Revert changes
---
 backend/dops/Dockerfile | 14 --------------
 backend/dops/uid_entrypoint.sh | 7 -------
 2 files changed, 21 deletions(-)
 delete mode 100644 backend/dops/uid_entrypoint.sh
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 4b07ae748..2fb54fca4 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -64,8 +64,6 @@ ENV ACCESS_API_URL ${ACCESS_API_URL}
 COPY --from=builder /app/package*.json ./
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
-# Copy uid_entrypoint from builder stage
-COPY --from=builder /app/uid_entrypoint /
 
 RUN apk add --no-cache \
 chromium \
@@ -80,18 +78,6 @@ ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 # Expose Port
 EXPOSE 5001
 
-# Add Chrome as a user
-RUN addgroup -S dopsuser && adduser -S -g dopsuser dopsuser \
- && mkdir -p /home/dopsuser/Downloads \
- && chown -R dopsuser:dopsuser /home/dopsuser \
- && chown -R dopsuser:dopsuser /app
-
-# Run Chrome as non-privileged
-USER dopsuser
-
-RUN chmod g=u /etc/passwd && chmod 775 /uid_entrypoint
-ENTRYPOINT ["uid_entrypoint"]
-
 # Start the app
 CMD ["npm", "run", "start:prod"]
 
diff --git a/backend/dops/uid_entrypoint.sh b/backend/dops/uid_entrypoint.sh
deleted file mode 100644
index 15944d276..000000000
--- a/backend/dops/uid_entrypoint.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh
-if ! whoami &> /dev/null; then
- if [ -w /etc/passwd ]; then
- echo "dopsuser:x:$(id -u):0:My User:${HOME}:/sbin/nologin" >> /etc/passwd
- fi
-fi
-exec "$@"
\ No newline at end of file
From 454aabfccdbda504be1a5d175f4694fd3d263dce Mon Sep 17 00:00:00 2001
From: praju-aot
Date: Wed, 20 Sep 2023 16:30:00 -0400
Subject: [PATCH 06/20] Test openshift
---
 backend/dops/Dockerfile | 2 ++
 backend/dops/openshift.deploy.yml | 3 +++
 2 files changed, 5 insertions(+)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 2fb54fca4..0be2f3482 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -78,6 +78,8 @@ ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 # Expose Port
 EXPOSE 5001
 
+USER 1001
+
 # Start the app
 CMD ["npm", "run", "start:prod"]
 
diff --git a/backend/dops/openshift.deploy.yml b/backend/dops/openshift.deploy.yml
index 221558b64..277f9485f 100644
--- a/backend/dops/openshift.deploy.yml
+++ b/backend/dops/openshift.deploy.yml
@@ -207,6 +207,9 @@ objects:
 spec:
 containers:
 - image: ${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}
+ securityContext:
+ capabilities:
+ add: ["NET_BIND_SERVICE"]
 imagePullPolicy: Always
 name: ${NAME}
 env:
From 4a2ed7b197c2deec5b75e06d2fa2547c0652f523 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 20 Sep 2023 14:05:58 -0700
Subject: [PATCH 07/20] adding curl to image for debugging
---
 backend/dops/Dockerfile | 1 +
 charts/onroutebc/Chart.yaml | 18 +++++++-----------
 2 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 0be2f3482..b007c4724 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -67,6 +67,7 @@ COPY --from=builder /app/dist ./dist
 
 RUN apk add --no-cache \
 chromium \
+ curl \
 nss \
 freetype \
 harfbuzz \
diff --git a/charts/onroutebc/Chart.yaml b/charts/onroutebc/Chart.yaml
index 32cb58f1d..c811584fa 100644
--- a/charts/onroutebc/Chart.yaml
+++ b/charts/onroutebc/Chart.yaml
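Review bot: `USER 1001` switches to a uid that has no account in the image, so the runtime gets `HOME=/` and no writable home directory; npm is already catered for by the world-writable `/.npm` seen elsewhere in this series, but Chromium (launched via the `PUPPETEER_EXECUTABLE_PATH` shown in the hunk header) presumably wants a writable profile directory and would fail as this uid. Create the account with that fixed uid and a home in the same Dockerfile, e.g. `RUN adduser -S -u 1001 -h /home/app app` followed by `ENV HOME=/home/app`, rather than a bare numeric `USER`. Patch 08 replaces this with a named `pptruser`, which fixes the account but loses the stable numeric uid that `runAsNonRoot` checks prefer; `adduser -u` gives both.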
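Review bot: the new `securityContext` only adds `NET_BIND_SERVICE`, yet the same commit's Dockerfile hunk shows the service on `EXPOSE 5001`, a port above 1024 that needs no capability to bind, so the capability is unused privilege. When a securityContext is introduced it should carry the restrictive defaults alongside any add: `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and `capabilities: {drop: ["ALL"]}`, with `add` kept only for a port that actually requires it. The same three lines are added to frontend/openshift.deploy.yml in patch 10, where the served port is not visible in the hunk; confirm it before keeping the capability there too.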
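Review bot: `curl` is added to the runtime image's `apk add` list and the commit message says it is for debugging; a production image should not carry tools the application never runs, since each extra binary is more surface to patch and a ready-made network client for anything that gains execution inside the container. Debug with an ephemeral container (`oc debug` / `kubectl debug`) or a separate debug image tag, or drop the package again before this branch merges. If it must stay, pin it (`curl=<version, constructed placeholder>`) so the image stays reproducible.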
@@ -3,18 +3,14 @@ apiVersion: v2
 name: onRouteBC
 description: Helm chart for onRouteBC
 type: application
-version: 0.0.1
+version: 1.0.0
 appVersion: "1.16.0"
 dependencies: # A list of the chart requirements (optional)
- - name: service
- version: 0.0.1
- repository: "file://../service"
+ - name: component
+ version: 1.0.0
+ repository: "file:///home/ubuntu/action-deployer-helm/charts/component"
 alias: frontend
- - name: service
- version: 0.0.1
- repository: "file://../service"
+ - name: component
+ version: 1.0.0
+ repository: "file:///home/ubuntu/action-deployer-helm/charts/component"
 alias: vehicles
- - name: service
- version: 0.0.1
- repository: "file://../service"
- alias: dops
From 28320797546b06d3dd1e6ef438aea6e6d234345b Mon Sep 17 00:00:00 2001
From: Praveen Raju <80779423+praju-aot@users.noreply.github.com>
Date: Tue, 26 Sep 2023 18:18:40 -0400
Subject: [PATCH 08/20] Update Dockerfile to Add pptruser
Signed-off-by: Praveen Raju <80779423+praju-aot@users.noreply.github.com>
---
 backend/dops/Dockerfile | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index b007c4724..11449455a 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -79,7 +79,17 @@ ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 # Expose Port
 EXPOSE 5001
 
-USER 1001
+# USER 1001
+
+# Add user so we don't need --no-sandbox.
+RUN addgroup -S pptruser && adduser -S -G pptruser pptruser \
+ # && mkdir -p /home/pptruser/Downloads /app \
+ && chown -R pptruser:pptruser /home/pptruser \
+ && chown -R pptruser:pptruser /app
+
+
+# Run everything after as non-privileged user.
+USER pptruser
 
 # Start the app
 CMD ["npm", "run", "start:prod"]
From 74298017b54d34a10fe08b0f8559240d8a4b348b Mon Sep 17 00:00:00 2001
From: Praveen Raju <80779423+praju-aot@users.noreply.github.com>
Date: Tue, 26 Sep 2023 18:19:48 -0400
Subject: [PATCH 09/20] Update openshift.deploy.yml resource limit
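Review bot: the `repository:` values move from the relative `file://../service` to the absolute `file:///home/ubuntu/action-deployer-helm/charts/component`, a path that exists on one particular build host, so the chart only resolves its dependencies on that machine and is no longer reproducible from the repository. Point at a relative path inside the repo or at a published chart repository with the pinned `version: 1.0.0`. The `dops` dependency entry is also removed in the same hunk while the chart `version` is bumped; if that is deliberate the commit message (which only mentions curl) should say so, otherwise it looks like an accidental drop.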
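Review bot: `&& chown -R pptruser:pptruser /app` in its own `RUN` after the `COPY --from=builder` steps rewrites ownership of everything under /app, which duplicates node_modules and dist into a new layer; prefer `COPY --from=builder --chown=pptruser:pptruser ...` on the copy lines (creating the user before them). The `# && mkdir -p /home/pptruser/Downloads /app \` line inside the continuation is stripped by the Dockerfile parser, so it is harmless, but it reads as a broken chain—remove it or move the comment above the RUN. On OpenShift the pod is usually started with an arbitrary uid rather than pptruser, so ownership by pptruser alone does not grant write access there; what matters is gid 0 with group write, e.g. `chgrp -R 0 /app && chmod -R g=u /app`. The same chown-in-a-separate-layer pattern recurs in patches 12, 13, 15 and 17.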
Signed-off-by: Praveen Raju <80779423+praju-aot@users.noreply.github.com>
---
 backend/dops/openshift.deploy.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/backend/dops/openshift.deploy.yml b/backend/dops/openshift.deploy.yml
index 277f9485f..473b23977 100644
--- a/backend/dops/openshift.deploy.yml
+++ b/backend/dops/openshift.deploy.yml
@@ -19,13 +19,13 @@ parameters:
 - name: DOMAIN
 value: apps.silver.devops.gov.bc.ca
 - name: CPU_REQUEST
- value: "25m"
+ value: "250m"
 - name: MEMORY_REQUEST
- value: "50Mi"
+ value: "500Mi"
 - name: CPU_LIMIT
- value: "75m"
+ value: "500m"
 - name: MEMORY_LIMIT
- value: "150Mi"
+ value: "1Gi"
 - name: MIN_REPLICAS
 description: The minimum amount of replicas for the horizontal pod autoscaler.
 value: "3"
From 868f0e689b3cd1ef32a99d16a0caf643598c2e59 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Tue, 26 Sep 2023 15:37:05 -0700
Subject: [PATCH 10/20] Security context
---
 frontend/openshift.deploy.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/frontend/openshift.deploy.yml b/frontend/openshift.deploy.yml
index 532dc3814..79e1de759 100644
--- a/frontend/openshift.deploy.yml
+++ b/frontend/openshift.deploy.yml
@@ -185,6 +185,9 @@ objects:
 spec:
 containers:
 - image: ${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}
+ securityContext:
+ capabilities:
+ add: ["NET_BIND_SERVICE"]
 imagePullPolicy: Always
 name: ${NAME}
 ports:
From b0fd217f2e0e2bbaebbb8a4dbcc46abceebb581e Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Tue, 26 Sep 2023 12:58:57 -0700
Subject: [PATCH 11/20] changing distro for testing
---
 backend/dops/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 11449455a..30f92640b 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -1,5 +1,5 @@
 # Build container
-FROM node:18.17.1-alpine AS builder
+FROM node:18.17.1-bullseye AS builder
 
 # Set the working directory to /app inside the container
 WORKDIR /app
@@ -18,7 +18,7 @@ RUN npm prune --production
 
 
 # Deployment container
-FROM node:18.17.1-alpine
+FROM node:18.17.1-bullseye
 RUN npm cache clean --force
 
 # Create and Assign permissions to npm folder
From e98b424d9edc19473f68a2b9d0398333e64b8049 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Tue, 26 Sep 2023 13:08:13 -0700
Subject: [PATCH 12/20] changing distro for testing
---
 backend/dops/Dockerfile | 28 +++++++++++++++------------
 1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 30f92640b..59518c526 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -65,16 +65,17 @@ COPY --from=builder /app/package*.json ./
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
 
-RUN apk add --no-cache \
- chromium \
- curl \
- nss \
- freetype \
- harfbuzz \
- ca-certificates \
- ttf-freefont
+
+
+RUN apt-get update \
+ && apt-get install -y wget gnupg \
+ && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
+ && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
+ && apt-get update \
+ && apt-get install -y google-chrome-stable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst fonts-freefont-ttf libxss1 \
+ --no-install-recommends \
+ && rm -rf /var/lib/apt/lists/*
 
-ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 
 # Expose Port
 EXPOSE 5001
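Review bot: `wget -q -O - https://dl-ssl.google.com/... | apt-key add -` runs without pipefail, so a failed download is masked and `apt-key` reads empty input; `apt-key` itself is deprecated on bullseye, and the repository line is written over plain `http://` with `[arch=amd64]` hard-coded, so the build is not portable to arm64 hosts. The supported form is to fetch the key with a failing fetch, store it under `/etc/apt/keyrings/`, and reference it with `signed-by=` in the sources entry over https, with `SHELL` set to fail on pipes. Deleting `ENV PUPPETEER_EXECUTABLE_PATH` with nothing pointing at `google-chrome-stable` means Puppeteer will presumably fall back to its own downloaded browser, which makes the Chrome install redundant; set `PUPPETEER_EXECUTABLE_PATH=/usr/bin/google-chrome-stable` or drop one of the two. This stage is reverted to Alpine in patch 15, so the point mainly matters if the Debian variant comes back.
```dockerfile
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates gnupg wget \
    && install -d -m 0755 /etc/apt/keyrings \
    && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub \
       | gpg --dearmor -o /etc/apt/keyrings/google-chrome.gpg \
    && echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main" > /etc/apt/sources.list.d/google.list \
    && apt-get update \
    # … unchanged: google-chrome-stable + fonts install, rm -rf /var/lib/apt/lists/* …
```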
@@ -82,11 +83,12 @@ EXPOSE 5001
 # USER 1001
 
 # Add user so we don't need --no-sandbox.
-RUN addgroup -S pptruser && adduser -S -G pptruser pptruser \
- # && mkdir -p /home/pptruser/Downloads /app \
+RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \
+ && mkdir -p /home/pptruser/Downloads \
 && chown -R pptruser:pptruser /home/pptruser \
- && chown -R pptruser:pptruser /app
-
+ && chown -R pptruser:pptruser /node_modules \
+ && chown -R pptruser:pptruser /package.json \
+ && chown -R pptruser:pptruser /package-lock.json
 
 # Run everything after as non-privileged user.
 USER pptruser
From 0f60b0bc1b368d3dbebc9559f92929c450e4b859 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Tue, 26 Sep 2023 13:23:22 -0700
Subject: [PATCH 13/20] changing distro for testing
---
 backend/dops/Dockerfile | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 59518c526..75f1de11a 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -86,9 +86,7 @@ EXPOSE 5001
 RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \
 && mkdir -p /home/pptruser/Downloads \
 && chown -R pptruser:pptruser /home/pptruser \
- && chown -R pptruser:pptruser /node_modules \
- && chown -R pptruser:pptruser /package.json \
- && chown -R pptruser:pptruser /package-lock.json
+ && chown -R pptruser:pptruser /app
 
 # Run everything after as non-privileged user.
 USER pptruser
From 8d8bc5521536fe2f984b614ed59c4182d04d0ee1 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 27 Sep 2023 10:45:34 -0700
Subject: [PATCH 14/20] changing distro for testing
---
 backend/dops/Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 75f1de11a..c698e8995 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -64,6 +64,7 @@ ENV ACCESS_API_URL ${ACCESS_API_URL}
 COPY --from=builder /app/package*.json ./
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
+COPY --from=builder /.cache ./.cache
 
 
 
From 4f0373d4548af80afc6181c12160b2655c08b772 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 27 Sep 2023 11:08:52 -0700
Subject: [PATCH 15/20] Reverted Dockerfile for Alpine testing
---
 backend/dops/Dockerfile | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index c698e8995..5bedcdef3 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -1,5 +1,5 @@
 # Build container
-FROM node:18.17.1-bullseye AS builder
+FROM node:18.17.1-alpine AS builder
 
 # Set the working directory to /app inside the container
 WORKDIR /app
@@ -18,7 +18,7 @@ RUN npm prune --production
 
 
 # Deployment container
-FROM node:18.17.1-bullseye
+FROM node:18.17.1-alpine
 RUN npm cache clean --force
 
 # Create and Assign permissions to npm folder
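Review bot: `COPY --from=builder /.cache ./.cache` drops the builder's cache directory into /app/.cache of the runtime stage, but nothing in the Dockerfile tells Puppeteer to look there; its default cache lives under the running user's home (`~/.cache/puppeteer`), so as `pptruser` with `HOME=/home/pptruser` the copied browser would presumably not be found unless `PUPPETEER_CACHE_DIR=/app/.cache/puppeteer` is also set. Copying the whole cache also ships whatever else was fetched during `npm ci`; copy only the browser directory, or rely on the system Chrome installed a few lines above and skip the cache entirely. The copy lands as root before the later `chown -R pptruser:pptruser /app`, so the data is written twice in the image.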
@@ -64,19 +64,18 @@ ENV ACCESS_API_URL ${ACCESS_API_URL}
 COPY --from=builder /app/package*.json ./
 COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
-COPY --from=builder /.cache ./.cache
-
-
 
-RUN apt-get update \
- && apt-get install -y wget gnupg \
- && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \
- && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \
- && apt-get update \
- && apt-get install -y google-chrome-stable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst fonts-freefont-ttf libxss1 \
- --no-install-recommends \
- && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache \
+ chromium \
+ curl \
+ nss \
+ freetype \
+ harfbuzz \
+ ca-certificates \
+ ttf-freefont
 
+ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
+ PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
 
 # Expose Port
 EXPOSE 5001
@@ -84,11 +83,12 @@ EXPOSE 5001
 # USER 1001
 
 # Add user so we don't need --no-sandbox.
-RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \
- && mkdir -p /home/pptruser/Downloads \
+RUN addgroup -S pptruser && adduser -S -G pptruser pptruser \
+ # && mkdir -p /home/pptruser/Downloads /app \
 && chown -R pptruser:pptruser /home/pptruser \
 && chown -R pptruser:pptruser /app
+
 
 # Run everything after as non-privileged user.
 USER pptruser
 
From ffc67bebc2d60ee451a28bd2c7a9482d60794052 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 27 Sep 2023 12:42:16 -0700
Subject: [PATCH 16/20] Trying with privledge escalation
---
 backend/dops/openshift.deploy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/dops/openshift.deploy.yml b/backend/dops/openshift.deploy.yml
index 473b23977..da1182e09 100644
--- a/backend/dops/openshift.deploy.yml
+++ b/backend/dops/openshift.deploy.yml
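Review bot: the re-added `apk add --no-cache` list carries no version pins (`chromium`, `curl`, `nss`, ...), so each rebuild may pull a different Chromium and the image is not reproducible; pin them (`chromium=<version, constructed placeholder>`, hadolint DL3018) or at least pin the base image by digest. `ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true` is set in the deployment stage only, after `npm ci` has already run in the builder stage (visible in patch 17's first hunk), so it cannot prevent the download it is named for—declare it in the builder before `npm ci` if that is the intent. `curl`, added in patch 07 for debugging, comes back with this list; see that note.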
@@ -208,6 +208,7 @@ objects:
 containers:
 - image: ${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}
 securityContext:
+ allowPrivilegeEscalation: true
 capabilities:
 add: ["NET_BIND_SERVICE"]
 imagePullPolicy: Always
From d46e46a50f0c49693f36c4d2170bc537ad689113 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 27 Sep 2023 12:58:15 -0700
Subject: [PATCH 17/20] Running NPM as non-root?
---
 backend/dops/Dockerfile | 22 ++++++++++------------
 1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/backend/dops/Dockerfile b/backend/dops/Dockerfile
index 5bedcdef3..e41674f20 100644
--- a/backend/dops/Dockerfile
+++ b/backend/dops/Dockerfile
@@ -10,6 +10,16 @@ COPY . ./
 # Create and Assign permissions to npm folder
 RUN mkdir /.npm && chmod 777 /.npm
 
+# Add user so we don't need --no-sandbox.
+RUN addgroup -S pptruser && adduser -S -G pptruser pptruser \
+ # && mkdir -p /home/pptruser/Downloads /app \
+ && chown -R pptruser:pptruser /home/pptruser \
+ && chown -R pptruser:pptruser /app
+
+
+# Run everything after as non-privileged user.
+USER pptruser
+
 # Install packages, build and keep only prod packages
 RUN npm ci
 RUN npm run build
@@ -80,18 +90,6 @@ ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
 # Expose Port
 EXPOSE 5001
 
-# USER 1001
-
-# Add user so we don't need --no-sandbox.
-RUN addgroup -S pptruser && adduser -S -G pptruser pptruser \
- # && mkdir -p /home/pptruser/Downloads /app \
- && chown -R pptruser:pptruser /home/pptruser \
- && chown -R pptruser:pptruser /app
-
-
-# Run everything after as non-privileged user.
-USER pptruser
-
 # Start the app
 CMD ["npm", "run", "start:prod"]
 
From 025eee045986548932284a27fad6fc30db72dbdb Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 27 Sep 2023 12:58:44 -0700
Subject: [PATCH 18/20] Running NPM as non-root?
---
 backend/dops/openshift.deploy.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/backend/dops/openshift.deploy.yml b/backend/dops/openshift.deploy.yml
index da1182e09..88cc0352d 100644
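Review bot: `allowPrivilegeEscalation: true` explicitly permits the container process to gain more privileges than its parent (setuid binaries, file capabilities), which is the opposite of what a hardened `securityContext` should declare, and OpenShift's restricted-v2 SCC does not admit a pod that requests it. The commit message frames this as a test for the npm permission problem, but that problem is file ownership and home-directory writability in the Dockerfile, not a privilege issue, so the flag would not help even where it is admitted. Patch 18 removes it again; the value to keep on the branch is `allowPrivilegeEscalation: false`.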
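Review bot: the second hunk deletes `USER pptruser` from the deployment stage while the first hunk only adds it to the builder stage, and `USER` does not carry across a `FROM`, so the final image now runs `npm run start:prod` and Chromium as root; the `# Add user so we don't need --no-sandbox.` comment no longer holds for the stage that matters. Keep the user creation and `USER pptruser` in the deployment stage ahead of `CMD`, and add a separate unprivileged user in the builder if `npm ci` should also run non-root. In the builder hunk `chown -R pptruser:pptruser /home/pptruser` runs before `npm ci`, so npm's cache goes under that home and the world-writable `/.npm` from `RUN mkdir /.npm && chmod 777 /.npm` presumably becomes a redundant workaround that could be dropped.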
--- a/backend/dops/openshift.deploy.yml
+++ b/backend/dops/openshift.deploy.yml
@@ -207,8 +207,6 @@ objects:
 spec:
 containers:
 - image: ${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}
- securityContext:
- allowPrivilegeEscalation: true
 capabilities:
 add: ["NET_BIND_SERVICE"]
 imagePullPolicy: Always
From 1df1a39003b071eafc48b7ca9319f96df753cb86 Mon Sep 17 00:00:00 2001
From: Chris Berg
Date: Wed, 27 Sep 2023 13:06:10 -0700
Subject: [PATCH 19/20] Running NPM as non-root?
---
 backend/dops/openshift.deploy.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/backend/dops/openshift.deploy.yml b/backend/dops/openshift.deploy.yml
index 88cc0352d..473b23977 100644
--- a/backend/dops/openshift.deploy.yml
+++ b/backend/dops/openshift.deploy.yml
@@ -207,6 +207,7 @@ objects:
 spec:
 containers:
 - image: ${NAME}-${ZONE}-${COMPONENT}:${IMAGE_TAG}
+ securityContext:
 capabilities:
 add: ["NET_BIND_SERVICE"]
 imagePullPolicy: Always
From 388faf4d86d974fc378cf8e2dfe773fa066b4895 Mon Sep 17 00:00:00 2001
From: Derek Roberts
Date: Thu, 28 Sep 2023 09:30:38 -0700
Subject: [PATCH 20/20] backend/dops/.dockerignore
---
 backend/dops/.dockerignore | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/backend/dops/.dockerignore b/backend/dops/.dockerignore
index ab57381ff..b99c86319 100644
--- a/backend/dops/.dockerignore
+++ b/backend/dops/.dockerignore
@@ -1,3 +1,8 @@
-node_modules
-build
-dist
+**/.cache/
+**/build/
+**/dist/
+**/node_modules/
+**/test/
+*.md
+*.yml
+*.yaml
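Review bot: the new list excludes build output, tests and `*.md`/`*.yml`/`*.yaml`, but nothing excludes `.git/`, `.env*` or `*.log`, so a local env file in backend/dops, or the repository history if a build ever uses the repo root as context, is sent to the daemon and lands in the builder's `COPY . ./` layer. Add at least `.git`, `.env`, `.env.*` and `**/*.log`. The `*.yml`/`*.yaml` patterns are broad: they drop `openshift.deploy.yml`, which the image does not need, but would also drop any YAML the application reads at build time, so confirm no such file exists in this directory.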