hoelee/cloudflared
1
0
Fork 0
mirror of https://github.com/cloudflare/cloudflared.git synced 2025-07-27 07:59:58 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

TUN-9540: Use numeric user id for Dockerfiles

Browse Source 
## Summary
This commit changes the USER instruction in our Dockerfiles from using
the string "nonroot" to its numeric ID "65532".

This change is necessary because Kubernetes does not support string-based
user IDs in security contexts, requiring numeric IDs instead. The nonroot
user maps to 65532 in distroless images.
This commit is contained in:
João "Pisco" Fernandes
2025-07-03 11:31:04 +01:00
parent 6ec699509d
commit ae197908be
3 changed files with 15 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Dockerfile
View File

@@ -27,8 +27,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as non-privileged user
USER nonroot
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]

7
Dockerfile.amd64
View File

@@ -22,8 +22,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as non-privileged user
USER nonroot
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]

7
Dockerfile.arm64
View File

@@ -22,8 +22,11 @@ LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared
# copy our compiled binary
COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cloudflared /usr/local/bin/
# run as non-privileged user
USER nonroot
# run as nonroot user
# We need to use numeric user id's because Kubernetes doesn't support strings:
# https://github.com/kubernetes/kubernetes/blob/v1.33.2/pkg/kubelet/kuberuntime/security_context_others.go#L49
# The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
USER 65532:65532
# command / entrypoint of container
ENTRYPOINT ["cloudflared", "--no-autoupdate"]