ensure that the application is not writable by kubernaut

2025-04-30 16:40:58 -05:00 · 2025-04-30 16:40:58 -05:00 · 2fd3c801de
commit 2fd3c801de
parent da9a06dc24
2 changed files with 8 additions and 8 deletions
--- a/dockerfiles/alpine.Dockerfile
+++ b/dockerfiles/alpine.Dockerfile
@ -30,6 +30,8 @@ RUN <<EOT
  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 EOT

+COPY . .
+
 FROM base

 ENV PORT=4567
@ -39,12 +41,10 @@ RUN <<EOT
  adduser --system --uid 666 --ingroup kubernaut --shell /bin/bash --disabled-password kubernaut
 EOT

-USER kubernaut:kubernaut
-
 COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=kubernaut:kubernaut /kubernaut /kubernaut
+COPY --from=build /kubernaut /kubernaut

-COPY --chown=kubernaut:kubernaut . .
+USER kubernaut:kubernaut

 EXPOSE $PORT
 ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]
--- a/dockerfiles/bookworm.Dockerfile
+++ b/dockerfiles/bookworm.Dockerfile
@ -30,6 +30,8 @@ RUN <<EOT
  rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 EOT

+COPY . .
+
 FROM base

 ENV PORT=4567
@ -39,12 +41,10 @@ RUN <<EOT
  useradd --system --uid 666 --gid kubernaut --create-home --shell /bin/bash kubernaut
 EOT

-USER kubernaut:kubernaut
-
 COPY --from=build /usr/local/bundle /usr/local/bundle
-COPY --from=build --chown=kubernaut:kubernaut /kubernaut /kubernaut
+COPY --from=build /kubernaut /kubernaut

-COPY --chown=kubernaut:kubernaut . .
+USER kubernaut:kubernaut

 EXPOSE $PORT
 ENTRYPOINT [ "/kubernaut/dockerfiles/entrypoint.sh" ]