diff --git a/build/docker/intel-fpga-admissionwebhook.Dockerfile b/build/docker/intel-fpga-admissionwebhook.Dockerfile
index ac544a50..30b46620 100644
--- a/build/docker/intel-fpga-admissionwebhook.Dockerfile
+++ b/build/docker/intel-fpga-admissionwebhook.Dockerfile
@@ -36,4 +36,5 @@ RUN chmod a+x /go/bin/fpga_admissionwebhook \
 FROM scratch as final
 COPY --from=builder /install_root /
+RUN groupadd -g 3210 fpga && useradd fpga -u 3210 -g 3210
 ENTRYPOINT ["/usr/local/bin/intel_fpga_admissionwebhook"]
diff --git a/deployments/fpga_admissionwebhook/deployment-tpl.yaml b/deployments/fpga_admissionwebhook/deployment-tpl.yaml
index e84aeabc..930712e0 100644
--- a/deployments/fpga_admissionwebhook/deployment-tpl.yaml
+++ b/deployments/fpga_admissionwebhook/deployment-tpl.yaml
@@ -22,6 +22,9 @@ spec:
 - containerPort: 8443
 name: webhook-api
 securityContext:
+ runAsNonRoot: true
+ runAsUser: {uid}
+ runAsGroup: {gid}
 readOnlyRootFilesystem: true
 args:
 - -tls-cert-file=/etc/webhook/certs/cert.pem
diff --git a/scripts/webhook-deploy.sh b/scripts/webhook-deploy.sh
index efec0e8a..c4bb1dbc 100755
--- a/scripts/webhook-deploy.sh
+++ b/scripts/webhook-deploy.sh
@@ -3,6 +3,8 @@
 srcroot="$(realpath $(dirname $0)/..)"
 service="intel-fpga-webhook-svc"
 secret="intel-fpga-webhook-certs"
+uid="3210" # fpga user
+gid="3210" # fpga group
 function help {
 echo "Usage: $1 [help|cleanup]"
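Review bot: The added `RUN groupadd … && useradd …` sits in the `FROM scratch as final` stage, where there is no shell, no shadow-utils and no `/etc/passwd`, so this step should fail at build time rather than create the account; note also that the non-root requirement is enforced at runtime by the numeric `runAsUser`/`runAsNonRoot` in the pod spec, not by this entry. Create the account where the tools exist, in the builder stage (outside this hunk), and copy only the resulting files into the final image with `COPY --from=builder /etc/passwd /etc/group /etc/`, then make the image non-root by default with `USER 3210:3210` placed before `ENTRYPOINT`. Whether the builder base ships `useradd` is not visible here; if it does not, writing a single `fpga:x:3210:3210::/:/sbin/nologin` line into `/install_root/etc/passwd` (plus the matching group line) in the builder gives the same result.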
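Review bot: The new securityContext pins the user and group but still allows the process to gain privileges; next to `runAsNonRoot`/`runAsUser`/`runAsGroup` add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, since the webhook appears to need only to listen on 8443 and read its certificates. `runAsUser: {uid}` is valid YAML (a flow mapping `{uid: null}`) until the deploy script substitutes it, so applying the template directly produces a type error instead of an obvious unsubstituted-placeholder message; a comment on the line, `# {uid}/{gid} are replaced by scripts/webhook-deploy.sh`, would make the dependency explicit.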
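Review bot: `uid="3210"` and `gid="3210"` duplicate the values hard-coded in the Dockerfile's `groupadd -g 3210`/`useradd -u 3210`, and the comments `# fpga user` and `# fpga group` do not say so, so the two copies can drift silently and the pod would then run as a uid that has no account in the image. Say where the value must stay in sync, e.g. `uid="3210" # must match the fpga user created in build/docker/intel-fpga-admissionwebhook.Dockerfile`, or derive both places from one variable passed to the build as an argument.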
@@ -94,7 +96,7 @@ cat ${srcroot}/deployments/fpga_admissionwebhook/rbac-config-tpl.yaml | \
 ${kubectl} create -f -
 echo "Create webhook deployment"
-cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" | ${kubectl} --namespace ${namespace} create -f -
+cat ${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml | sed -e "s/{MODE}/${mode}/g" -e "s/{uid}/${uid}/g" -e "s/{gid}/${gid}/g" | ${kubectl} --namespace ${namespace} create -f -
 echo "Create webhook service"
 ${kubectl} --namespace ${namespace} create -f ${srcroot}/deployments/fpga_admissionwebhook/service.yaml
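Review bot: The rewritten deployment line keeps the `cat … | sed` pipe and leaves `${srcroot}` and `${namespace}` unquoted, which ShellCheck flags (SC2002, SC2086) and which breaks on a source root containing spaces; since the line is being touched anyway, prefer `sed -e "s/{MODE}/${mode}/g" -e "s/{uid}/${uid}/g" -e "s/{gid}/${gid}/g" "${srcroot}/deployments/fpga_admissionwebhook/deployment-tpl.yaml" | ${kubectl} --namespace "${namespace}" create -f -`. Leaving `${kubectl}` unquoted may be deliberate if it carries extra arguments; if so, a short comment saying that would stop a later cleanup from quoting it.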