Run jupyterhub-ssh as non-root

Ref #16
yuvipanda · Oct 27, 2020 · 089a85f · 089a85f
1 parent a1911ac
commit 089a85f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/helm-chart/images/jupyterhub-ssh/Dockerfile b/helm-chart/images/jupyterhub-ssh/Dockerfile
@@ -2,9 +2,21 @@ FROM python:3.8-slim
 
 WORKDIR /srv/jupyterhub-ssh
 
+ENV NB_UID=1000
+ENV NB_USER jovyan
+
+RUN adduser \
+    --disabled-password \
+    --shell "/sbin/nologin" \
+    --gecos "Default Jupyter user" \
+    --uid ${NB_UID} \
+    ${NB_USER}
+
 COPY . .
 COPY helm-chart/images/jupyterhub-ssh/jupyterhub_ssh_config.py .
 
 RUN pip3 install --no-cache-dir .
 
+USER $NB_UID
+
 ENTRYPOINT [ "python3", "-m", "jupyterhub_ssh" ]
diff --git a/helm-chart/jupyterhub-ssh/templates/ssh/deployment.yaml b/helm-chart/jupyterhub-ssh/templates/ssh/deployment.yaml
@@ -38,6 +38,9 @@ spec:
         - name: server
           image: "{{ .Values.ssh.image.repository }}:{{ .Values.ssh.image.tag }}"
           imagePullPolicy: {{ .Values.ssh.image.pullPolicy }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsNonRoot: true
           volumeMounts:
             - name: secrets
               mountPath: /etc/jupyterhub-ssh/secrets