blake / external-mdns

A service to advertise records for Kubernetes resources on a LAN over multicast DNS.
Apache License 2.0

[security] default to run as non root user nobody #26

Closed iamasmith closed 6 months ago

iamasmith commented 7 months ago

Tested on its own and integrated with my other PR. Implements a single-line passwd file in the scratch container containing a nobody user and defaults to starting the user as that.

Layering is still 1 layer, we simply construct a /release staging folder in the build container and copy that to root.

I use this same mechanism for my services that need connections to cloud services as golang doesn't have a trust chain in a scratch container unless there is something well known on the image. I tend to copy /etc/ssl to the /release folder in the build stage to overcome this.

This allows a cleaner Deployment containing:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-mdns
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: external-mdns
  template:
    metadata:
      labels:
        app: external-mdns
    spec:
      securityContext:     # POD rather than individual container
        runAsUser: 65534   # Already set in container but if vuln scans
        runAsGroup: 65534  # look they may only check here as this is authoritative
        runAsNonRoot: true
      hostNetwork: true
      serviceAccountName: external-mdns
      containers:
      - name: external-mdns
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop: ["ALL"]
        image: blakec/external-mdns:latest
        args:
        - -source=ingress
        - -source=service
```

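A multi-stage build that follows the mechanism described at the top of this comment (a single-line passwd file so `USER nobody` resolves inside scratch, a /release staging tree copied to root in one layer, and /etc/ssl carried across for a trust chain). This is an added example, not the PR's own Dockerfile; the Go base image version, module layout, build command and binary name are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Build stage: compile a static binary and assemble the /release staging tree.
# Assumption: the module builds from the repo root into a binary called external-mdns.
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /release/external-mdns .

# Single-line passwd/group entries: the runtime resolves USER nobody against
# the image's /etc/passwd, which scratch does not otherwise have.
RUN mkdir -p /release/etc && \
    echo 'nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin' > /release/etc/passwd && \
    echo 'nobody:x:65534:' > /release/etc/group

# Trust chain for outbound TLS; Go reads /etc/ssl/certs/ca-certificates.crt on Linux.
RUN cp -r /etc/ssl /release/etc/ssl

# Final stage: scratch plus exactly one COPY layer, then drop to the unprivileged user.
FROM scratch
COPY --from=build /release/ /
USER nobody
ENTRYPOINT ["/external-mdns"]
```

With the image built this way, `runAsUser: 65534` / `runAsNonRoot: true` in the pod securityContext above only restates what the image already defaults to, so an admission policy or scanner that checks either place sees the same answer.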
iamasmith commented 6 months ago

Done, I didn't include the comments as these were more for context in the review. Happy to add them back if you think it's needed?

iamasmith commented 6 months ago

@blake since this is merged the container does need to be built and published with the changes to add the nobody user, otherwise the suggested deployments will fail.

blake commented 6 months ago

@iamasmith I just built and pushed an updated image.