feat: add unprivileged user setup in Dockerfile

Signed-off-by: maksim.nabokikh <max.nabokih@gmail.com>
1 month ago · 0046081736
1 changed files with 9 additions and 1 deletions
--- a/10
+++ b/10
@ -55,6 +55,10 @@ RUN wget -O /usr/local/bin/gomplate \

 # For Dependabot to detect base image versions
 FROM alpine:3.23.3@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659 AS alpine
+
+FROM alpine AS user-setup
+RUN addgroup -g 1001 -S dex && adduser -u 1001 -S -G dex -D -H -s /sbin/nologin dex
+
 FROM gcr.io/distroless/static-debian13:nonroot@sha256:f9f84bd968430d7d35e8e6d55c40efb0b980829ec42920a49e60e65eac0d83fc AS distroless

 FROM $BASE_IMAGE
@ -66,6 +70,10 @@ FROM $BASE_IMAGE
 # See https://go.dev/src/crypto/x509/root_linux.go for Go root CA bundle locations.
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

+# Ensure the dex user/group exist before setting ownership or switching to them.
+COPY --from=user-setup /etc/passwd /etc/passwd
+COPY --from=user-setup /etc/group /etc/group
+
 COPY --from=stager --chown=1001:1001 /var/dex /var/dex
 COPY --from=stager --chown=1001:1001 /etc/dex /etc/dex

@ -79,7 +87,7 @@ COPY --from=builder /usr/local/src/dex/web /srv/dex/web

 COPY --from=gomplate /usr/local/bin/gomplate /usr/local/bin/gomplate

-USER 1001:1001
+USER dex:dex

 ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
 CMD ["dex", "serve", "/etc/dex/config.docker.yaml"]