From 2e91cc9e02ac4ab08f391fee5255ee7d307e7571 Mon Sep 17 00:00:00 2001 From: chris-vest Date: Fri, 17 Sep 2021 10:07:55 +0200 Subject: [PATCH 1/3] Use scratch base for Docker image; set security context for pods --- build/Dockerfile | 19 ++++++++++++++++++- deploy/deploy.yml | 3 +++ go.mod | 2 +- 3 files changed, 22 insertions(+), 2 deletions(-) diff --git a/build/Dockerfile b/build/Dockerfile index 14d8ba16..622fb80a 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -1,6 +1,23 @@ -FROM debian:stretch-slim +FROM golang:1.13-alpine as builder + +ENV USER=event_exporter +ENV UID=10001 +RUN adduser \ + --disabled-password \ + --gecos "" \ + --home "/nonexistent" \ + --shell "/sbin/nologin" \ + --no-create-home \ + --uid "${UID}" \ + "${USER}" && \ + apk update && apk add --no-cache git ca-certificates gcc + +FROM scratch COPY bin/event_exporter / +COPY --from=builder /etc/passwd /etc/passwd +COPY --from=builder /etc/group /etc/group +COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ USER nobody diff --git a/deploy/deploy.yml b/deploy/deploy.yml index 67cd272c..b82792dd 100644 --- a/deploy/deploy.yml +++ b/deploy/deploy.yml @@ -45,6 +45,9 @@ spec: labels: app: event-exporter spec: + securityContext: + runAsNonRoot: true + runAsUser: 10001 containers: - name: event-exporter image: 'caicloud/event-exporter:v1.0.0' diff --git a/go.mod b/go.mod index c6a016d3..2bcf87d7 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/caicloud/event_exporter -go 1.13 +go 1.17 require ( github.com/imdario/mergo v0.3.11 // indirect From c00e5917cc73b8bf1bf6e61897f914bdebd0a2ab Mon Sep 17 00:00:00 2001 From: chris-vest Date: Fri, 17 Sep 2021 10:22:52 +0200 Subject: [PATCH 2/3] Reset go version --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index 2bcf87d7..c6a016d3 100644 --- a/go.mod +++ b/go.mod 
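Review bot: `COPY --from=builder /etc/passwd /etc/passwd` and the matching `/etc/group` copy carry every Alpine system account (root, bin, daemon, nobody, …) into the scratch image, when only the `event_exporter` entry is needed for `USER` to resolve; extract just that line in the builder, e.g. `RUN grep "^${USER}:" /etc/passwd > /etc/passwd.min && grep "^${USER}:" /etc/group > /etc/group.min`, and copy the `.min` files to `/etc/passwd` and `/etc/group`. The builder also installs `git` and `gcc` although nothing is compiled in this stage — the binary comes from the build context via `COPY bin/event_exporter /` — so `apk add --no-cache ca-certificates` is enough, and `apk update` is redundant with `--no-cache`. Consider pinning `golang:1.13-alpine` by digest, since the CA bundle copied into the runtime image is whatever that tag resolves to at build time. Presumably `bin/event_exporter` is built with `CGO_ENABLED=0`; on `scratch` there is no libc, so a dynamically linked binary would fail at exec — worth asserting in the Makefile, or building the binary inside this stage so the image is self-contained.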
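Review bot: The pod-level `securityContext` only fixes the user; the container still runs with the runtime's default capability set and may gain privileges through setuid binaries, which `runAsNonRoot` alone does not prevent. Add a container-level `securityContext` on `event-exporter` with `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` and, on clusters that support it, `seccompProfile: {type: RuntimeDefault}`, and set `runAsGroup: 10001` next to `runAsUser` so the primary gid is explicit rather than derived from the image's passwd lookup. `readOnlyRootFilesystem: true` should also be safe given the `scratch` image holds only the binary and the CA bundle, but confirm the exporter writes nothing to disk. The `containers:` entry continues outside the hunk.
```yaml
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 10001
    runAsGroup: 10001
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: event-exporter
      image: 'caicloud/event-exporter:v1.0.0'
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      # … unchanged: remaining container fields …
```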
@@ -1,6 +1,6 @@ module github.com/caicloud/event_exporter -go 1.17 +go 1.13 require ( github.com/imdario/mergo v0.3.11 // indirect From 4c82725b21865cb8b517fd39795a62f633ea362f Mon Sep 17 00:00:00 2001 From: chris-vest Date: Fri, 17 Sep 2021 10:34:29 +0200 Subject: [PATCH 3/3] Use scratch base for Docker image; set security context for pods --- build/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build/Dockerfile b/build/Dockerfile index 622fb80a..1f8e78e4 100644 --- a/build/Dockerfile +++ b/build/Dockerfile @@ -19,7 +19,7 @@ COPY --from=builder /etc/passwd /etc/passwd COPY --from=builder /etc/group /etc/group COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ -USER nobody +USER event-exporter ENTRYPOINT ["/event_exporter"]
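Review bot: `USER event-exporter` names an account that does not exist in the copied `/etc/passwd` — the builder creates `event_exporter` (underscore, from `ENV USER=event_exporter`), so the runtime cannot resolve the user and the container will fail to start (Docker reports an error along the lines of "unable to find user event-exporter"). Fix the spelling, or better switch to the numeric form `USER 10001` (or `10001:10001` if that is the gid adduser assigned), which needs no passwd lookup at all and lets a kubelet verify `runAsNonRoot` for pods that do not also set `runAsUser` — a named user cannot be checked there. The deploy.yml in this series sets `runAsUser: 10001`, so Kubernetes masks the bug, but plain `docker run` and any other consumer of the image would hit it.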