change Docker image to run as nonroot for k8s clusters restricting to runAsNonRoot

trentm · trentm · commit ba63e71045b5 · 2026-03-31T09:26:58.000-07:00
Refs: elastic/elastic-otel-node#1398
diff --git a/operator/Dockerfile b/operator/Dockerfile
@@ -38,8 +38,11 @@ RUN pip install --no-cache-dir --target workspace /opt/distro/*.whl -r requireme
 
 FROM ${IMAGE}:${IMAGE_VERSION}
 
-COPY --from=build /operator-build/workspace /autoinstrumentation
-COPY --from=build-musl /operator-build/workspace /autoinstrumentation-musl
+COPY --chown=65532:65532 --from=build /operator-build/workspace /autoinstrumentation
+COPY --chown=65532:65532 --from=build-musl /operator-build/workspace /autoinstrumentation-musl
+
+# Use wolfi's "nonroot" user/group to satisfy k8s runAsNonRoot security policies.
+USER 65532:65532
 
 RUN chmod -R go+r /autoinstrumentation
 RUN chmod -R go+r /autoinstrumentation-musl
diff --git a/operator/Dockerfile.alpine b/operator/Dockerfile.alpine
@@ -17,4 +17,7 @@ FROM python:3.12-alpine3.22@sha256:f6973b8f9395204414a7f25d99a50ba1c7306064771d1
 
 COPY --from=build /operator-build/workspace /autoinstrumentation
 
+# Use "nobody" user, to mimic the non-root "nonroot" user/group used in Dockerfile.
+USER 65534:65534
+
 RUN chmod -R go+r /autoinstrumentation
