Do not run as root when not needed. Remove WORKDIR in Dockerfile

Signed-off-by: Agustín Martínez Fayó <[email protected]>
amartinezfayo · Mar 18, 2024 · 8cf4578 · 8cf4578
1 parent 914cc93
commit 8cf4578
Show file tree

Hide file tree

Showing 5 changed files with 6 additions and 8 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -34,7 +34,6 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 FROM --platform=${BUILDPLATFORM} scratch AS spire-base
 COPY --link --from=builder --chown=root:root --chmod=755 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-WORKDIR /opt/spire
 
 # Preparation environment for setting up directories
 FROM alpine as prep-spire-server

diff --git a/test/integration/suites/delegatedidentity/04-create-registration-entries b/test/integration/suites/delegatedidentity/04-create-registration-entries
@@ -5,7 +5,7 @@ docker-compose exec -T spire-server \
     /opt/spire/bin/spire-server entry create \
     -parentID "spiffe://domain.test/spire/agent/x509pop/$(fingerprint conf/agent/agent.crt.pem)" \
     -spiffeID "spiffe://domain.test/authorized_delegate" \
-    -selector "unix:uid:1001" \
+    -selector "unix:uid:1000" \
     -ttl 0
 check-synced-entry "spire-agent" "spiffe://domain.test/authorized_delegate"
 

diff --git a/test/integration/suites/delegatedidentity/05-test-endpoints b/test/integration/suites/delegatedidentity/05-test-endpoints
@@ -1,9 +1,9 @@
 #!/bin/bash
 
 log-info "Test Delegated Identity API (for success)"
-docker-compose exec -u 1001 -T spire-agent \
+docker-compose exec -u 1001:1000 -T spire-agent \
 	/opt/spire/conf/agent/delegatedidentityclient -expectedID spiffe://domain.test/workload || fail-now "Failed to check Delegated Identity API"
 
 log-info "Test Delegated Identity API (expecting permission denied)"
-docker-compose exec -u 1002 -T spire-agent \
+docker-compose exec -u 1002:1000 -T spire-agent \
 	/opt/spire/conf/agent/delegatedidentityclient || fail-now "Failed to check Delegated Identity API"
diff --git a/test/integration/suites/delegatedidentity/docker-compose.yaml b/test/integration/suites/delegatedidentity/docker-compose.yaml
@@ -13,4 +13,3 @@ services:
     volumes:
       - ./conf/agent:/opt/spire/conf/agent
     command: ["-config", "/opt/spire/conf/agent/agent.conf"]
-    user: 0:0
diff --git a/test/integration/suites/oidc-discovery-provider/docker-compose.yaml b/test/integration/suites/oidc-discovery-provider/docker-compose.yaml
@@ -15,7 +15,7 @@ services:
       - ./conf/agent:/opt/spire/conf/agent
       - /var/run/docker.sock:/var/run/docker.sock
     command: [ "-config", "/opt/spire/conf/agent/agent.conf" ]
-    user: 0:0
+    user: 0:0 # Required to access the Docker daemon socket
   oidc-discovery-provider-server:
     image: oidc-discovery-provider:latest-local
     hostname: oidc-discovery-provider-server
@@ -25,7 +25,7 @@ services:
       - ./conf/agent:/opt/spire/conf/agent
       - ./conf/server:/opt/spire/conf/server
     command: [ "-config", "/opt/spire/conf/oidc-discovery-provider/provider-server-api.conf" ]
-    user: 0:0
+    user: 0:0 # Required to access the Docker daemon socket
   oidc-discovery-provider-workload:
     pid: "host"
     image: oidc-discovery-provider:latest-local
@@ -39,4 +39,4 @@ services:
       - ./conf/agent:/opt/spire/conf/agent
       - ./conf/server:/opt/spire/conf/server
     command: [ "-config", "/opt/spire/conf/oidc-discovery-provider/provider-workload-api.conf" ]
-    user: 0:0
+    user: 0:0 # Required to access the Docker daemon socket