Friday, June 04, 2021

DevSecOps: Running a React Single Page App with minimal privilege in Kubernetes

 Dockerfile

FROM node:16-alpine3.11 as build
WORKDIR /app

ENV PATH /app/node_modules/.bin:$PATH

COPY Moneta.Frontend.Web/package.json ./
COPY Moneta.Frontend.Web/package-lock.json ./
RUN npm install --silent

COPY Moneta.Frontend.Web/ ./

RUN yarn build

FROM nginx:latest
COPY --from=build /app/build /usr/share/nginx/html

COPY Moneta.Frontend.Web/nginx/default.conf /etc/nginx/conf.d/default.conf
COPY Moneta.Frontend.Web/nginx/nginx.conf /etc/nginx/nginx.conf

RUN chown -R nobody:nogroup /usr/share/nginx/html && chmod -R 755 /usr/share/nginx/html && \
        chown -R nobody:nogroup /var/cache/nginx && \
        chown -R nobody:nogroup /var/log/nginx && \
        chown -R nobody:nogroup /etc/nginx/conf.d

RUN touch /var/run/nginx.pid && \
        chown -R nobody:nogroup /var/run/nginx.pid

EXPOSE 8080

CMD ["nginx", "-g", "daemon off;"]

nginx/default.conf

server {
  listen 8080;

  location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    try_files $uri $uri/ /index.html;
  }

  error_page   500 502 503 504  /50x.html;

  location = /50x.html {
    root   /usr/share/nginx/html;
  }
}

nginx/nginx.conf

worker_processes  1;
           
error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}


k8s deployment

podSecurityContext
  runAsUser65534  #nobody
  fsGroup65534    #nogroup
securityContext
  capabilities:
    drop:
    - ALL
    add
    - "NET_ADMIN"
  readOnlyRootFilesystemfalse
  runAsNonRoottrue
  runAsUser65534 # run as the nobody user