From c8a41d83f7a57dafb32ea9a81df2dd0f811c2913 Mon Sep 17 00:00:00 2001 From: shuting Date: Wed, 10 Mar 2021 14:47:09 -0800 Subject: [PATCH] Update Dockerfile; remove securityContext runAsUser (#1695) * - run Kyverno with specific uid; - remove "runAsUser" from deployment manifest Signed-off-by: Shuting Zhao * add LD_FLAGS when push Kyverno images Signed-off-by: Shuting Zhao * start Kyverno with UID 10001 Signed-off-by: Shuting Zhao * update initContainer and CLI Dockerfiles Signed-off-by: Shuting Zhao --- Makefile | 14 +++++++------- cmd/cli/kubectl-kyverno/Dockerfile | 4 +--- cmd/initContainer/Dockerfile | 4 +--- cmd/kyverno/Dockerfile | 4 +--- definitions/install.yaml | 2 -- definitions/manifest/deployment.yaml | 2 -- 6 files changed, 10 insertions(+), 20 deletions(-) diff --git a/Makefile b/Makefile index 32b2fc2009..8f39c5f1df 100644 --- a/Makefile +++ b/Makefile @@ -43,8 +43,8 @@ docker-build-initContainer-amd64: @docker build -f $(PWD)/$(INITC_PATH)/Dockerfile -t $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" docker-push-initContainer: - @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . - @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . + @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) + @docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) ################################## # KYVERNO CONTAINER 
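Review bot: The two new `docker buildx build --push` lines in `docker-push-initContainer` still build the image twice, once per tag, so `$(INITC_IMAGE):$(IMAGE_TAG)` and `$(INITC_IMAGE):latest` are independent builds that can end up with different digests (anything non-reproducible in the build, including whatever `LD_FLAGS` embeds, is baked twice). Building once with both tags keeps the two references on a single digest, which is what anyone verifying or scanning the published image by digest expects: `@docker buildx build --file $(PWD)/$(INITC_PATH)/Dockerfile --progress plain --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(INITC_IMAGE):$(IMAGE_TAG) --tag $(REPO)/$(INITC_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)`. The `--progress plane` value carried into the new lines is presumably a typo for `plain`; older buildx releases fall back to plain output for an unrecognised mode, but newer ones may reject it outright.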
@@ -74,8 +74,8 @@ docker-build-kyverno-amd64: @docker build -f $(PWD)/$(KYVERNO_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" docker-push-kyverno: - @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . - @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . + @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) + @docker buildx build --file $(PWD)/$(KYVERNO_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) ################################## 
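Review bot: `docker-push-kyverno` has the same shape as the initContainer target: the `:$(IMAGE_TAG)` and `:latest` pushes on the two new lines are separate builds rather than one build with two `--tag` flags, so the two tags are not guaranteed to resolve to the same image digest, and both lines repeat `--progress plane` (presumably `plain`). Collapsing them into a single `docker buildx build ... --tag $(REPO)/$(KYVERNO_IMAGE):$(IMAGE_TAG) --tag $(REPO)/$(KYVERNO_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS)` fixes both, and halves the multi-platform build time as a side effect.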
@@ -105,9 +105,9 @@ docker-build-cli-amd64: @docker build -f $(PWD)/$(CLI_PATH)/Dockerfile -t $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) --build-arg TARGETPLATFORM="linux/amd64" docker-push-cli: - @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . - @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . - + @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):$(IMAGE_TAG) . --build-arg LD_FLAGS=$(LD_FLAGS) + @docker buildx build --file $(PWD)/$(CLI_PATH)/Dockerfile --progress plane --push --platform linux/arm64,linux/amd64 --tag $(REPO)/$(KYVERNO_CLI_IMAGE):latest . --build-arg LD_FLAGS=$(LD_FLAGS) + ################################## docker-publish-all: docker-publish-initContainer docker-publish-kyverno docker-publish-cli diff --git a/cmd/cli/kubectl-kyverno/Dockerfile b/cmd/cli/kubectl-kyverno/Dockerfile index 001153de57..24a9df1c0e 100644 --- a/cmd/cli/kubectl-kyverno/Dockerfile +++ b/cmd/cli/kubectl-kyverno/Dockerfile @@ -18,8 +18,6 @@ RUN go env RUN CGO_ENABLED=0 go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/cli/kubectl-kyverno/ -RUN useradd -u 10001 kyverno - # Packaging stage FROM scratch @@ -28,6 +26,6 @@ LABEL maintainer="Kyverno" COPY --from=builder /output/kyverno / COPY --from=builder /etc/passwd /etc/passwd -USER kyverno +USER 10001 ENTRYPOINT ["./kyverno"] \ No newline at end of file diff --git a/cmd/initContainer/Dockerfile b/cmd/initContainer/Dockerfile index 8dde90a737..0adaf8a99a 100644 --- a/cmd/initContainer/Dockerfile +++ b/cmd/initContainer/Dockerfile 
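Review bot: `USER 10001` in the CLI image's second hunk sets only a UID; with the `useradd` removed in the first hunk there is no passwd entry to supply a primary group, so the runtime falls back to GID 0 and the process runs as uid 10001 in the root group. Spelling the group out, `USER 10001:10001`, makes the identity fully non-root inside the image itself instead of relying on whoever runs it to set a group. The `COPY --from=builder /etc/passwd /etc/passwd` kept two lines above now copies the builder image's whole account database, which no longer contains an entry for 10001; it can be dropped, or replaced by a single generated line (e.g. `kyverno:x:10001:10001::/:/sbin/nologin`) if a username lookup is ever needed.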
@@ -18,8 +18,6 @@ RUN go env RUN CGO_ENABLED=0 go build -o /output/kyvernopre -ldflags="${LD_FLAGS}" -v ./cmd/initContainer/ -RUN useradd -u 10001 kyverno - # Packaging stage FROM scratch @@ -28,6 +26,6 @@ LABEL maintainer="Kyverno" COPY --from=builder /output/kyvernopre / COPY --from=builder /etc/passwd /etc/passwd -USER kyverno +USER 10001 ENTRYPOINT ["./kyvernopre"] diff --git a/cmd/kyverno/Dockerfile b/cmd/kyverno/Dockerfile index e4f4f4bfc8..8e999e8832 100644 --- a/cmd/kyverno/Dockerfile +++ b/cmd/kyverno/Dockerfile @@ -18,8 +18,6 @@ RUN go env RUN CGO_ENABLED=0 go build -o /output/kyverno -ldflags="${LD_FLAGS}" -v ./cmd/kyverno/ -RUN useradd -u 10001 kyverno - # Packaging stage FROM scratch @@ -28,6 +26,6 @@ LABEL maintainer="Kyverno" COPY --from=builder /output/kyverno / COPY --from=builder /etc/passwd /etc/passwd -USER kyverno +USER 10001 ENTRYPOINT ["./kyverno"] diff --git a/definitions/install.yaml b/definitions/install.yaml index ca3b27db4c..c1dc3bdc05 100644 --- a/definitions/install.yaml +++ b/definitions/install.yaml @@ -2480,7 +2480,6 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 1000 initContainers: - image: ghcr.io/kyverno/kyvernopre:v1.3.4 imagePullPolicy: IfNotPresent @@ -2493,7 +2492,6 @@ spec: privileged: false readOnlyRootFilesystem: true runAsNonRoot: true - runAsUser: 1000 securityContext: runAsNonRoot: true serviceAccountName: kyverno-service-account diff --git a/definitions/manifest/deployment.yaml b/definitions/manifest/deployment.yaml index 31d7a77254..f6d6568ac0 100755 --- a/definitions/manifest/deployment.yaml +++ b/definitions/manifest/deployment.yaml @@ -24,7 +24,6 @@ spec: image: ghcr.io/kyverno/kyvernopre:latest imagePullPolicy: IfNotPresent securityContext: - runAsUser: 1000 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false 
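Review bot: In the kyverno and initContainer images the `USER 10001` line has the same gap as the CLI image: no group is given and the `useradd` that would have provided one is gone, so the effective GID is 0 unless the manifest overrides it. Use `USER 10001:10001` in both Dockerfiles so the root-group fallback cannot happen regardless of how the pod spec is written. The `COPY --from=builder /etc/passwd /etc/passwd` that survives just above `USER` is now dead weight: it ships the golang builder's passwd file (root and system accounts) into a scratch image that no longer needs any of it, so either remove it or replace it with a minimal one-line passwd for 10001.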
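Review bot: With `runAsUser` removed from the kyverno container's securityContext in `install.yaml` (hunk at 2480) and from the initContainer's (hunk at 2493), neither block sets `runAsGroup`, so the GID now comes from the image, and the image's `USER 10001` as written in this commit carries no group and resolves to GID 0 at runtime. `runAsNonRoot: true` only checks the UID, so add `runAsGroup: 10001` beside it in both container blocks to keep the pod out of the root group. If `definitions/install.yaml` is generated from `definitions/manifest/deployment.yaml`, the same addition belongs in the source manifest so it is not lost on the next regeneration.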
@@ -57,7 +56,6 @@ spec: - name: KYVERNO_SVC value: kyverno-svc securityContext: - runAsUser: 1000 runAsNonRoot: true privileged: false allowPrivilegeEscalation: false
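Review bot: Removing `runAsUser: 1000` here makes the kyverno container's UID an implicit property of the image rather than the manifest, and nothing in the remaining securityContext records that `runAsNonRoot: true` now passes only because the image declares a numeric `USER`; the kubelet cannot verify a non-numeric image user and refuses to start such a pod. A short comment above `runAsNonRoot: true` would stop a future Dockerfile change back to a named user from breaking deployment: `# runAsUser deliberately unset: the image's numeric USER (10001) supplies the UID and satisfies runAsNonRoot; keep USER numeric in the Dockerfile`. The enclosing container spec starts above the hunk, so the same note applies to the initContainer block earlier in the file.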