k8s 使用非root用户启动
Dockerfile
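# Gateway service image that runs under a fixed non-root UID/GID, so a
# Kubernetes securityContext (runAsUser / runAsGroup) can reference the same ids.
# NOTE(review): the base image is pinned by tag only. Adding its digest would keep
# a re-pushed tag from silently changing what gets built; the digest has to be
# read from the registry.
FROM 192.168.15.198/source/tomcat8_jdk1.8:202107131202

# MAINTAINER is deprecated; the OCI "authors" label carries the same information.
LABEL org.opencontainers.image.authors="fengjian <627459560@qq.com>"

# Dedicated unprivileged account: uid 1000, primary gid 2000.
RUN groupadd -g 2000 fengjian && useradd -u 1000 -g 2000 fengjian

RUN mkdir -p /data/webserver

# COPY instead of ADD: these are plain local files, so ADD's implicit archive
# extraction and URL handling are not wanted here.
COPY start.sh /data/webserver/
COPY gateway-0.0.1-SNAPSHOT.jar /data/webserver/

# Hand the paths the service writes to over to the unprivileged account.
# /data/logs and /data/tomcat are not created in this file; presumably they
# come from the base image (verify).
# "user:group" replaces the deprecated "user.group" separator.
RUN chown -R fengjian:fengjian /data/webserver /data/logs /data/tomcat \
    && chmod +x /data/webserver/start.sh

# Numeric ids rather than a user name: Kubernetes can only verify runAsNonRoot
# against a numeric UID.
USER 1000:2000

# Documentation only; 8080 is above 1024, so the non-root user can bind it.
EXPOSE 8080

ENTRYPOINT ["/data/webserver/start.sh"]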
k8s fengjian-deployment.yaml
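# Deployment that runs the gateway container under the same non-root
# uid/gid (1000:2000) that the image sets with USER.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fengjian
  namespace: testfeng
spec:
  selector:
    matchLabels:
      app: fengjian-label
  replicas: 1
  template:
    metadata:
      labels:
        app: fengjian-label
      annotations:
        # The value is a JSON list carried as a string. Single quotes are needed
        # so the inner double quotes do not terminate the YAML scalar.
        "cni.projectcalico.org/ipv4pools": '["default-ipv4-ippool"]'
    spec:
      dnsConfig:
        options:
          - name: single-request-reopen
      containers:
        - name: fengjian
          image: 192.168.15.198/source/testfeng:202111010909
          imagePullPolicy: Always
          resources:
            limits:
              cpu: 1000m
              memory: 8192Mi
            requests:
              cpu: 100m
              memory: 1024Mi
          ports:
            - containerPort: 8080
          securityContext:
            runAsUser: 1000
            runAsGroup: 2000
            # Makes the kubelet refuse to start the container if it would run as
            # UID 0, for example after the image or runAsUser is changed later.
            runAsNonRoot: true
            # NOTE(review): consider also setting allowPrivilegeEscalation: false
            # once start.sh is confirmed not to rely on setuid helpers.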