From 028b834ea6f4db8407e50e43cec1c40b779f7822 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Inge=20Bols=C3=B8?=
Date: Fri, 14 Jun 2019 15:47:08 +0200
Subject: [PATCH] postgres-operator deployment template: run operator as non-root, and with readonly filesystem (#582)

---
 docker/Dockerfile | 5 +++++
 manifests/postgres-operator.yaml | 4 ++++
 2 files changed, 9 insertions(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 66abb6c30..196ac93d3 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -6,4 +6,9 @@ RUN apk --no-cache add ca-certificates
 
 COPY build/* /
 
+RUN addgroup -g 1000 pgo
+RUN adduser -D -u 1000 -G pgo -g 'Postgres operator' pgo
+
+USER 1000:1000
+
 ENTRYPOINT ["/postgres-operator"]
diff --git a/manifests/postgres-operator.yaml b/manifests/postgres-operator.yaml
index d43c0f8a8..005f02521 100644
--- a/manifests/postgres-operator.yaml
+++ b/manifests/postgres-operator.yaml
@@ -21,6 +21,10 @@ spec:
           limits:
             cpu: 2000m
             memory: 500Mi
+        securityContext:
+          runAsUser: 1000
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
         env:
         # provided additional ENV vars can overwrite individual config map entries
         - name: CONFIG_MAP_NAME
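Review bot: The two `RUN` lines that create the group and the user produce two image layers for one logical step; a single `RUN addgroup -g 1000 pgo && adduser -D -u 1000 -G pgo -g 'Postgres operator' pgo` keeps the layer count down and makes it clear the pair belongs together. The numeric `USER 1000:1000` is the right form but its purpose is not stated: a comment such as `# numeric UID:GID so the kubelet can verify runAsNonRoot without a runAsUser override` would explain why a name like `pgo` is deliberately not used here. `adduser -D` also creates a home directory that, once the manifest mounts the root filesystem read-only, will not be writable at runtime; this appears harmless because the entrypoint is a static binary at `/`, but if the operator ever writes to `$HOME` it would need `-H` here plus a writable volume.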
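Review bot: `readOnlyRootFilesystem: true` is added without any writable volume in this hunk, so if the operator writes anything at runtime (temporary files, for example) it would now fail at that point; whether it does cannot be seen here, so confirm it and, if needed, mount an `emptyDir` at that path. While this block is being introduced, `allowPrivilegeEscalation: false` belongs next to `runAsNonRoot: true`, since `runAsNonRoot` alone does not stop a setuid binary from regaining privileges inside the container. `runAsUser: 1000` restates the image's `USER 1000:1000`, which is a reasonable belt-and-braces pin, but the two values now have to stay in step; a comment above `securityContext:` such as `# must match USER in docker/Dockerfile` would keep them from drifting. The enclosing container spec starts above this hunk.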