From 8819ea29fd3503da93144f683a714c79f0b9db14 Mon Sep 17 00:00:00 2001 From: Kenny Ho Date: Wed, 11 Sep 2024 21:51:25 -0400 Subject: [PATCH] Add non-root user to container image --- Dockerfile | 14 +++++++++++++- labeller.Dockerfile | 13 ++++++++++++- 2 files changed, 25 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 288b2ee8..acdcd65f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -21,13 +21,25 @@ RUN go install \ -ldflags="-X main.gitDescribe=$(git -C /go/src/github.com/ROCm/k8s-device-plugin/ describe --always --long --dirty)" FROM alpine:3.20.3 + +ARG USERNAME=amdgpu +ARG USER_UID=1000 +ARG USER_GID=$USER_UID + LABEL \ org.opencontainers.image.source="https://github.com/ROCm/k8s-device-plugin" \ org.opencontainers.image.authors="Kenny Ho " \ org.opencontainers.image.vendor="Advanced Micro Devices, Inc." \ org.opencontainers.image.licenses="Apache-2.0" + RUN apk --no-cache add ca-certificates libdrm RUN apk --no-cache add hwloc --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community -WORKDIR /root/ + +RUN addgroup --gid "$USER_GID" "$USERNAME" \ + && adduser --disabled-password --gecos "" --uid "$USER_UID" --ingroup "$USERNAME" "$USERNAME" + +USER $USERNAME + +WORKDIR /home/$USERNAME/ COPY --from=0 /go/bin/k8s-device-plugin . CMD ["./k8s-device-plugin", "-logtostderr=true", "-stderrthreshold=INFO", "-v=5"] diff --git a/labeller.Dockerfile b/labeller.Dockerfile index a0390a85..6ffbe28b 100644 --- a/labeller.Dockerfile +++ b/labeller.Dockerfile 
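Review bot: `USER $USERNAME` on the new side records a named user in the image config, which Kubernetes cannot verify against `runAsNonRoot: true` (the kubelet refuses to start a container whose image user is non-numeric unless the pod also sets `runAsUser`); since the UID and GID are already build ARGs, `USER $USER_UID:$USER_GID` gives the runtime a numeric identity to check. The same lines appear in the labeller.Dockerfile hunk and should change there too. The `COPY --from=0 … .` placed after `USER` still lands the binary as root-owned because COPY ignores the active user, which is the preferable outcome here — the unprivileged user can execute it but not overwrite it — so no `--chown` is needed. What the hunk does not show is how the plugin reaches the kubelet device-plugin socket directory and the GPU device nodes, which are normally root-owned on the host; presumably the deployment manifest needs a matching securityContext adjustment, so confirm that before relying on this change.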
@@ -20,12 +20,23 @@ RUN go install \ -ldflags="-X main.gitDescribe=$(git -C /go/src/github.com/ROCm/k8s-device-plugin/ describe --always --long --dirty)" FROM alpine:3.20.3 + +ARG USERNAME=amdgpu +ARG USER_UID=1000 +ARG USER_GID=$USER_UID + LABEL \ org.opencontainers.image.source="https://github.com/ROCm/k8s-device-plugin" \ org.opencontainers.image.authors="Kenny Ho " \ org.opencontainers.image.vendor="Advanced Micro Devices, Inc." \ org.opencontainers.image.licenses="Apache-2.0" RUN apk --no-cache add ca-certificates libdrm -WORKDIR /root/ + +RUN addgroup --gid "$USER_GID" "$USERNAME" \ + && adduser --disabled-password --gecos "" --uid "$USER_UID" --ingroup "$USERNAME" "$USERNAME" + +USER $USERNAME + +WORKDIR /home/$USERNAME/ COPY --from=0 /go/bin/k8s-node-labeller . CMD ["./k8s-node-labeller"]