Revert user back to nobody

Author: Gabor Lekeny

Dockerfile

@@ -7,11 +7,9 @@ RUN make build
 
 FROM alpine:3.7
 RUN apk upgrade --no-cache && \
-    apk --no-cache add ca-certificates git openssh-client su-exec
-RUN addgroup -S katafygio && \
-    adduser -S -G katafygio katafygio
-RUN install -d -o katafygio -g katafygio /var/lib/katafygio/data
+    apk --no-cache add ca-certificates git openssh-client
+RUN install -d -o nobody -g nobody /var/lib/katafygio/data
 COPY --from=builder /go/src/github.com/bpineau/katafygio/katafygio /usr/bin/
-COPY entrypoint.sh /
 VOLUME /var/lib/katafygio
-ENTRYPOINT ["/entrypoint.sh"]
+USER nobody
+ENTRYPOINT ["/usr/bin/katafygio"]

assets/Dockerfile.goreleaser

@@ -1,10 +1,8 @@
 FROM alpine:3.7
 RUN apk upgrade --no-cache && \
-    apk --no-cache add ca-certificates git openssh-client su-exec
-RUN addgroup -S katafygio && \
-    adduser -S -G katafygio katafygio
-RUN install -d -o katafygio -g katafygio /var/lib/katafygio/data
+    apk --no-cache add ca-certificates git openssh-client
+RUN install -d -o nobody -g nobody /var/lib/katafygio/data
 COPY katafygio /usr/bin/
-COPY entrypoint.sh /
 VOLUME /var/lib/katafygio
-ENTRYPOINT ["/entrypoint.sh"]
+USER nobody
+ENTRYPOINT ["/usr/bin/katafygio"]

assets/helm-chart/katafygio/templates/deployment.yaml

@@ -15,6 +15,8 @@ spec:
       labels:
 {{ include "katafygio.labels.standard" . | indent 8 }}
     spec:
+      securityContext:
+        fsGroup: 65534
       serviceAccountName: {{ template "katafygio.serviceAccountName" . }}
       containers:
         - name: {{ .Chart.Name }}
@@ -69,7 +71,7 @@ spec:
           {{- if and .Values.gitSshKey .Values.gitUrl }}
           volumeMounts:
             - name: katafygio-gitssh
-              mountPath: "/gitssh-secret"
+              mountPath: "/.ssh"
               readOnly: true
           {{- end }}
           resources: