From c6397047b77f48677a596d8002102f51499d5489 Mon Sep 17 00:00:00 2001
From: "Shkar T. Noori"
Date: Mon, 14 Feb 2022 10:05:52 +0000
Subject: [PATCH] Use unprivileged alpine container
---
 Dockerfile | 4 ++--
 kubernetes/base/deployment.yaml | 9 +++------
 2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ae3e8e2..2e74ddf 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ COPY *.js ./
 RUN npm run build
-FROM bitnami/nginx:1.20 AS production
+FROM nginxinc/nginx-unprivileged:1.20-alpine AS production

-COPY --from=build-stage /app/build /app
+COPY --from=build-stage /app/build /usr/share/nginx/html
 EXPOSE 8080
diff --git a/kubernetes/base/deployment.yaml b/kubernetes/base/deployment.yaml
index a0b3660..24cf952 100644
--- a/kubernetes/base/deployment.yaml
+++ b/kubernetes/base/deployment.yaml
@@ -18,9 +18,10 @@ spec:
 spec:
 securityContext:
+ fsGroup: 101
+ runAsUser: 101
+ runAsGroup: 101
 runAsNonRoot: true
- fsGroup: 1001
- sysctls: []
 containers:
 - name: dsm-client
@@ -52,7 +53,3 @@ spec:
 failureThreshold: 3
 successThreshold: 1
 initialDelaySeconds: 5
-
-
- securityContext:
- runAsUser: 1001
- runAsNonRoot: true
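Review bot: The new production base in the Dockerfile hunk, `nginxinc/nginx-unprivileged:1.20-alpine`, is referenced by a mutable tag, so the image that ships can change without any commit to this repository. Pinning by digest makes the base reproducible and reviewable: `FROM nginxinc/nginx-unprivileged:1.20-alpine@sha256:<digest-placeholder> AS production`. The deployment's `runAsUser: 101` presumably mirrors the non-root user baked into this image, so a comment above the FROM line such as `# runs as UID/GID 101; keep in sync with kubernetes/base/deployment.yaml` would stop the two files drifting apart. The build stage starts outside this hunk and is not reviewed here.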
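Review bot: The pod-level `securityContext` added in the first hunk of kubernetes/base/deployment.yaml fixes only user and group IDs, and nothing visible in the diff prevents privilege escalation, drops capabilities or selects a seccomp profile. Unless the `dsm-client` container spec outside these hunks already sets them, add `seccompProfile: { type: RuntimeDefault }` to this block, and `allowPrivilegeEscalation: false` plus `capabilities: { drop: ["ALL"] }` in a container-level `securityContext`. The literal `101` is coupled to the image's built-in user, so a comment next to `runAsUser`, for example `# 101 = user of nginxinc/nginx-unprivileged`, would record where the value comes from.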