Run tekton containers as nonroot

mattmoor · mattmoor · commit 5cb1df24e623 · 2020-04-17T20:50:27.000-07:00
diff --git a/.ko.yaml b/.ko.yaml
@@ -1,4 +1,5 @@
+defaultBaseImage: gcr.io/distroless/static:nonroot
 baseImageOverrides:
   github.com/tektoncd/pipeline/cmd/creds-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
   github.com/tektoncd/pipeline/cmd/git-init: gcr.io/tekton-nightly/github.com/tektoncd/pipeline/build-base:latest
-  github.com/tektoncd/pipeline/cmd/entrypoint: busybox  # image must have `cp` in $PATH
+  github.com/tektoncd/pipeline/cmd/entrypoint: gcr.io/distroless/base:debug-nonroot  # image must have `cp` in $PATH
diff --git a/config/controller.yaml b/config/controller.yaml
@@ -56,8 +56,9 @@ spec:
 
           # These images are pulled from Dockerhub, by digest, as of April 15, 2020.
           "-nop-image", "tianon/true@sha256:009cce421096698832595ce039aa13fa44327d96beedb84282a69d3dbcf5a81b",
-          "-shell-image", "busybox@sha256:a2490cec4484ee6c1068ba3a05f89934010c85242f736280b35343483b2264b6",
           "-gsutil-image", "google/cloud-sdk@sha256:6e8676464c7581b2dc824956b112a61c95e4144642bec035e6db38e3384cae2e",
+          # As of April 17, 2020
+          "-shell-image", "gcr.io/distroless/base:debug-nonroot@sha256:85d7c26e8a98f910dca4c556bf2fee8a0c88df63f8f6692c84be92331c3c3169",
         ]
         volumeMounts:
         - name: config-logging
diff --git a/images/Dockerfile b/images/Dockerfile
@@ -3,3 +3,5 @@ FROM alpine:latest
 RUN apk add --update git openssh-client \
     && apk update \
     && apk upgrade
+
+USER 65532
