author | 2023-03-20 19:49:59 +0530 | |
---|---|---|
committer | 2023-03-20 10:19:59 -0400 | |
commit | d21537f93197f82f9abd66569ea78f0fe629061f (patch) | |
tree | fb6318eb89d66762c65102dfd3c91f31a352ade1 | |
parent | 1258e3b2f20a91d77eaf99874002d1aab99a7b60 (diff) | |
Run coredns as non root. (#5969)
Signed-off-by: Vinayak Goyal <vinaygo@google.com>
-rw-r--r-- | Dockerfile | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/Dockerfile b/Dockerfile
index b840a5777..3c2b7f43b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM debian:stable-slim
+FROM --platform=$BUILDPLATFORM debian:stable-slim AS build
 SHELL [ "/bin/sh", "-ec" ]
 RUN export DEBCONF_NONINTERACTIVE_SEEN=true \
@@ -7,13 +7,14 @@ RUN export DEBCONF_NONINTERACTIVE_SEEN=true \
 TERM=linux ; \
 apt-get -qq update ; \
 apt-get -yyqq upgrade ; \
- apt-get -yyqq install ca-certificates ; \
+ apt-get -yyqq install ca-certificates libcap2-bin; \
 apt-get clean
+COPY coredns /coredns
+RUN setcap cap_net_bind_service=+ep /coredns
-FROM --platform=$TARGETPLATFORM scratch
-
-COPY --from=0 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-ADD coredns /coredns
-
+FROM --platform=$TARGETPLATFORM gcr.io/distroless/static-debian11:nonroot
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /coredns /coredns
+USER nonroot:nonroot
 EXPOSE 53 53/udp
 ENTRYPOINT ["/coredns"] |
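Review bot: The added `RUN setcap cap_net_bind_service=+ep /coredns` sets the effective bit on the file capability, and nothing in the Dockerfile says what that requires of the runtime. On Linux, exec of such a file is refused when the capability is missing from the process bounding set. A deployment that drops all capabilities without adding NET_BIND_SERVICE back would therefore probably fail to start the binary at all, even when it is configured for a high port. With no-new-privileges set, the file capability is likely not granted and binding port 53 would fail instead. I would add a comment above that line such as `# Lets the nonroot user bind :53; runtimes must keep NET_BIND_SERVICE in the bounding set`. Separately, `USER nonroot:nonroot` is a name, which Kubernetes `runAsNonRoot` cannot verify; the numeric form `USER 65532:65532` (the distroless nonroot UID/GID) lets that check pass.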