Upgrade golang/deps, run as non-root user (#2)

ianunruh · May 31, 2024 · b1af3cd · b1af3cd
1 parent 0d02624
commit b1af3cd
Show file tree

Hide file tree

Showing 8 changed files with 85 additions and 826 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+.env
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,6 @@
-FROM golang:1.17-alpine as build
+FROM golang:1.22-alpine as build
+
+RUN addgroup -S app && adduser -S app -G app
 
 WORKDIR /go/src/app
 
@@ -8,11 +10,14 @@ RUN go mod download
 
 COPY . .
 
-RUN CGO_ENABLED=0 go build -ldflags '-extldflags "-static"' -tags timetzdata -o ambient-exporter
+RUN CGO_ENABLED=0 go build -trimpath -ldflags '-extldflags "-static"' -tags timetzdata -o ambient-exporter
 
 FROM scratch
 
 COPY --from=build /go/src/app/ambient-exporter /ambient-exporter
 COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /etc/passwd /etc/passwd
+
+USER app
 
 ENTRYPOINT ["/ambient-exporter"]
diff --git a/README.md b/README.md
@@ -37,6 +37,11 @@ kubectl -n monitoring create secret generic ambient-exporter \
     --from-literal=AMBIENT_API_KEY=${AMBIENT_API_KEY} \
     --from-literal=AMBIENT_APP_KEY=${AMBIENT_APP_KEY}
 
+# Using tagged manifests
 kubectl kustomize "https://github.com/ianunruh/ambient-exporter.git/deploy/basic?ref=v1.0.1" | \
     kubectl apply -n monitoring -f-
+
+# Using local manifests
+kubectl kustomize deploy/basic | \
+    kubectl apply -n monitoring -f-
 ```
diff --git a/deploy/basic/deployment.yaml b/deploy/basic/deployment.yaml
@@ -21,3 +21,14 @@ spec:
           limits:
             cpu: 250m
             memory: 128Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - all
+            add:
+            - NET_BIND_SERVICE
+          readOnlyRootFilesystem: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          fsGroup: 1000
diff --git a/deploy/basic/kustomization.yaml b/deploy/basic/kustomization.yaml
@@ -1,7 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-commonLabels:
-  app.kubernetes.io/name: ambient-exporter
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/name: ambient-exporter
 resources:
 - deployment.yaml
 - service.yaml

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: "3.1"
 services:
   exporter:
     build: .

diff --git a/go.mod b/go.mod
@@ -1,30 +1,26 @@
 module github.com/ianunruh/ambient-exporter
 
-go 1.17
+go 1.22
 
 require (
-	github.com/prometheus/client_golang v1.11.0
-	github.com/spf13/cobra v1.3.0
-	github.com/stretchr/testify v1.7.0
-	go.uber.org/zap v1.20.0
+	github.com/prometheus/client_golang v1.19.1
+	github.com/spf13/cobra v1.8.0
+	github.com/stretchr/testify v1.8.1
+	go.uber.org/zap v1.27.0
 )
 
 require (
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/cespare/xxhash/v2 v2.1.2 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/inconshreveable/mousetrap v1.0.0 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/prometheus/client_model v0.2.0 // indirect
-	github.com/prometheus/common v0.32.1 // indirect
-	github.com/prometheus/procfs v0.7.3 // indirect
+	github.com/prometheus/client_model v0.6.1 // indirect
+	github.com/prometheus/common v0.53.0 // indirect
+	github.com/prometheus/procfs v0.15.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.1.1 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.7.0 // indirect
-	golang.org/x/sys v0.0.0-20220114195835-da31bd327af9 // indirect
-	google.golang.org/protobuf v1.27.1 // indirect
-	gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/sys v0.20.0 // indirect
+	google.golang.org/protobuf v1.34.1 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum