change Docker image to run as nonroot for k8s clusters restricting to runAsNonRoot (#515)

trentm · web-flow · commit fd8f85305155 · 2026-04-01T12:12:02.000+02:00
* change Docker image to run as nonroot for k8s clusters restricting to runAsNonRoot Refs: elastic/elastic-otel-node#1398 * also chown the copied files
diff --git a/operator/Dockerfile b/operator/Dockerfile
@@ -38,8 +38,11 @@ RUN pip install --no-cache-dir --target workspace /opt/distro/*.whl -r requireme
 
 FROM ${IMAGE}:${IMAGE_VERSION}
 
-COPY --from=build /operator-build/workspace /autoinstrumentation
-COPY --from=build-musl /operator-build/workspace /autoinstrumentation-musl
+COPY --chown=65532:65532 --from=build /operator-build/workspace /autoinstrumentation
+COPY --chown=65532:65532 --from=build-musl /operator-build/workspace /autoinstrumentation-musl
+
+# Use wolfi's "nonroot" user/group to satisfy k8s runAsNonRoot security policies.
+USER 65532:65532
 
 RUN chmod -R go+r /autoinstrumentation
 RUN chmod -R go+r /autoinstrumentation-musl
diff --git a/operator/Dockerfile.alpine b/operator/Dockerfile.alpine
@@ -15,6 +15,9 @@ RUN pip install --target workspace /opt/distro/*.whl -r requirements.txt
 
 FROM python:3.12-alpine3.22@sha256:f6973b8f9395204414a7f25d99a50ba1c7306064771d11a8c2a848e9af3697a6
 
-COPY --from=build /operator-build/workspace /autoinstrumentation
+COPY --chown=65534:65534 --from=build /operator-build/workspace /autoinstrumentation
+
+# Use "nobody" user, to mimic the non-root "nonroot" user/group used in Dockerfile.
+USER 65534:65534
 
 RUN chmod -R go+r /autoinstrumentation
