Closed joshbautista closed 1 year ago
@joshbautista Thanks for the feature request, and sorry for not getting to you earlier. We'll look into it. Things that we need to take into account are:
(I'm not saying that any of the above needs to be a blocker for this, just that we need to look into it to get an understanding of what it would mean)
No problem, thanks for following up! I totally understand swapping to a non-root user is a non-trivial change and can cause havoc if done without care.
Feature Request
Modify the Dockerfile that builds the release image to utilize a non-root user.
Background
Use of pgadapter is being flagged by cloud security vulnerability scans due to the main process running as root. Running containers as a non-root user is also a generally accepted security practice.
Possible Solutions
With the existing image (eclipse-temurin), utilize standard patterns to create a non-root user and use that non-root user as the executor.
Convert to distroless images, similarly to how cloud-sql-proxy is built.
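A sketch of the first option above, added here as an example; it is not the project's Dockerfile and not code from the issue author. The base tag, the `/app` layout, the `target/app.jar` placeholder path and the UID/GID 10001 are all assumptions, and the user-creation commands assume an Ubuntu-based eclipse-temurin variant (Alpine variants use `addgroup`/`adduser` instead).

```dockerfile
# Added example: base tag, paths, jar name and IDs are placeholders/assumptions.
FROM eclipse-temurin:17-jre

# Create a dedicated unprivileged account with fixed numeric IDs, no home
# directory and no login shell.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 \
            --no-create-home --shell /usr/sbin/nologin app \
 && mkdir -p /app \
 && chown root:root /app \
 && chmod 0755 /app

# Keep the application files owned by root, so the runtime user can read
# them but cannot modify them if the process is compromised.
COPY --chown=root:root target/app.jar /app/app.jar

WORKDIR /app

# Use the numeric UID:GID form. Kubernetes can only enforce
# securityContext.runAsNonRoot against an image whose USER is numeric.
USER 10001:10001

# Exec form, so the JVM runs as PID 1 under the unprivileged user
# rather than under a root-started shell.
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
```

The resulting user can be confirmed with `docker inspect --format '{{.Config.User}}' <image>`, which should print `10001:10001`. A non-root process cannot bind ports below 1024 or write to root-owned paths by default, so any such dependency in the image has to be checked before switching.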