Description
Run as non-root user and group
In the unlikely event that you are currently persisting data to disk then this
change may break file read/write access due to a change in the UID/GID that the
oauth2_proxy process runs as.
Motivation and Context
Run as non-root system user and group oauth2proxy with UID/GID 2000 to avoid clashing with typical local users.
An alternative to creating a separate user is to chown binary and run as USER nobody, which also works, can amend this PR if required.
Least access privileges.
Close: #78
How Has This Been Tested?
Locally with Docker (-version):
Running in Kubernetes without securityContext:
Running in Kubernetes 1.13 with the following also specified: