How to build and run DfMon container image as non-root

[orenzp]

Hi
In our company, we require to run all k8s pods as NonRootUser, Due to this I tried to run the DFM container as NonRoot using Kubernetes spec.securityContext.runAsNonRoot.

The issue is that DotNet container images don't have a dedicated user for the applications like Node containers have. I found the following article which explains how to configure DotNet containers to run the applications as a NonRoot user.

Hardening an ASP.NET container running on Kubernetes

I updated the Dockerfile given in the durablefunctionsmonitor.dotnetbackend to look like the following:

FROM mcr.microsoft.com/dotnet/sdk:6.0 AS installer-env

# Build requires 3.1 SDK
COPY --from=mcr.microsoft.com/dotnet/core/sdk:3.1 /usr/share/dotnet /usr/share/dotnet

COPY . /src/dotnet-function-app
RUN cd /src/dotnet-function-app && \
    mkdir -p /home/site/wwwroot && \
    dotnet publish *.csproj --output /home/site/wwwroot

FROM mcr.microsoft.com/azure-functions/dotnet:4

#Create a Linux user in the container called DFM with UID and GID of 1000
RUN groupadd -r dfm --gid 1000 && \
    useradd --uid 1000 -r --gid 1000 "dfm"

# Configure the container to automatically start with the DFM user by default
USER 1000:1000 

EXPOSE 8080

# Configure the ASP HTTP web site to listen on port 8080
# This is due to the fact that non-root users aren't allow to bind to ports 1024 and below
ENV ASPNETCORE_URLS=http://*:8080
ENV AzureWebJobsScriptRoot=/home/site/wwwroot \
    AzureFunctionsJobHost__Logging__Console__IsEnabled=true

# Configure the copied files to be owned by the DFM user
COPY --chown=dfm:dfm --from=installer-env ["/home/site/wwwroot", "/home/site/wwwroot"]

I updated the DFM deployment manifest with the following settings and change the image to point to our private continer registry.

      securityContext:
        runAsNonRoot: true

This solved my issues.

[scale-tone]

Thanks so much for this input, @orenzp !
Let's convert your instruction into a Discussion.