*: Use non-root

546a2e6a · Frederic Branczyk · 6afb6bce · 546a2e6a · 546a2e6a · 546a2e6a
Commit 546a2e6a authored 7 years ago by Frederic Branczyk
--- a/grafana-image/Dockerfile
+++ b/grafana-image/Dockerfile
+FROM debian:9.3-slim
+
+RUN apt-get update && apt-get install -qq -y wget tar sqlite && \
+    wget -O /tmp/grafana.tar.gz https://s3-us-west-2.amazonaws.com/grafana-releases/release/grafana-4.6.3.linux-x64.tar.gz && \
+    tar -zxvf /tmp/grafana.tar.gz -C /tmp && mv /tmp/grafana-4.6.3 /grafana && \
+    rm -rf /tmp/grafana.tar.gz
+
+ADD config.toml /grafana/conf/config.toml
+
+USER       nobody
+EXPOSE     3000
+VOLUME     [ "/data" ]
+WORKDIR    /grafana
+ENTRYPOINT [ "/grafana/bin/grafana-server" ]
+CMD        [ "-config=/grafana/conf/config.toml" ]
--- a/grafana-image/Makefile
+++ b/grafana-image/Makefile
+container:
+	docker build . -t quay.io/coreos/monitoring-grafana:4.6.3-non-root
--- a/grafana-image/config.toml
+++ b/grafana-image/config.toml
+[database]
+path = /data/grafana.db
--- a/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
+++ b/hack/grafana-dashboards-configmap-generator/templates/grafana-deployment-template.yaml
@@ -9,9 +9,12 @@ spec:
      labels:
        app: grafana
    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
      containers:
      - name: grafana
-        image: grafana/grafana:4.6.3
+        image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
        env:
        - name: GF_AUTH_BASIC_ENABLED
          value: "true"
@@ -29,7 +32,7 @@ spec:
              key: password
        volumeMounts:
        - name: grafana-storage
-          mountPath: /var/grafana-storage
+          mountPath: /data
        ports:
        - name: web
          containerPort: 3000

--- a/manifests/grafana/grafana-deployment.yaml
+++ b/manifests/grafana/grafana-deployment.yaml
@@ -9,9 +9,12 @@ spec:
      labels:
        app: grafana
    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
      containers:
      - name: grafana
-        image: grafana/grafana:4.6.3
+        image: quay.io/coreos/monitoring-grafana:4.6.3-non-root
        env:
        - name: GF_AUTH_BASIC_ENABLED
          value: "true"
@@ -29,7 +32,7 @@ spec:
              key: password
        volumeMounts:
        - name: grafana-storage
-          mountPath: /var/grafana-storage
+          mountPath: /data
        ports:
        - name: web
          containerPort: 3000

--- a/manifests/node-exporter/node-exporter-daemonset.yaml
+++ b/manifests/node-exporter/node-exporter-daemonset.yaml
@@ -14,6 +14,9 @@ spec:
      name: node-exporter
    spec:
      serviceAccountName: node-exporter
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
      hostNetwork: true
      hostPID: true
      containers: