fix: run container as non root user

DEPENDENCIES

@@ -1,4 +1,4 @@
-go/golang/github.com%2Fcreack/pty/v1.1.9, MIT, approved, clearlydefined
+go/golang/github.com%2Fcreack/pty/v1.1.9, BSD-3-Clause AND MIT, approved, #14623
 go/golang/github.com%2Fdavecgh/go-spew/v1.1.0, ISC, approved, clearlydefined
 go/golang/github.com%2Fdavecgh/go-spew/v1.1.1, ISC, approved, clearlydefined
 go/golang/github.com%2Femicklei%2Fgo-restful/v3/v3.11.0, MIT, approved, clearlydefined
@@ -9,12 +9,12 @@ go/golang/github.com%2Fgo-openapi/jsonpointer/v0.20.0, Apache-2.0, approved, #10
 go/golang/github.com%2Fgo-openapi/jsonreference/v0.20.2, Apache-2.0, approved, #10676
 go/golang/github.com%2Fgo-openapi/swag/v0.22.3, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #10679
 go/golang/github.com%2Fgo-openapi/swag/v0.22.4, Apache-2.0 AND (Apache-2.0 AND MIT), approved, #10679
-go/golang/github.com%2Fgo-task/slim-sprig/v0.0.0-20230315185526-52ccab3ef572, MIT AND LicenseRef-scancode-proprietary-license, restricted, #10759
+go/golang/github.com%2Fgo-task/slim-sprig/v0.0.0-20230315185526-52ccab3ef572, MIT, approved, #11068
 go/golang/github.com%2Fgogo/protobuf/v1.3.2, BSD-3-Clause AND BSD-2-Clause, approved, #5660
 go/golang/github.com%2Fgolang/protobuf/v1.5.0, BSD-3-Clause, approved, #5706
 go/golang/github.com%2Fgolang/protobuf/v1.5.2, BSD-3-Clause, approved, #5706
 go/golang/github.com%2Fgolang/protobuf/v1.5.3, BSD-3-Clause, approved, #5706
-go/golang/github.com%2Fgoogle/gnostic-models/v0.6.9-0.20230804172637-c7be7c783f49, Apache-2.0 AND (Apache-2.0 AND JSON), restricted, #10742
+go/golang/github.com%2Fgoogle/gnostic-models/v0.6.9-0.20230804172637-c7be7c783f49, Apache-2.0, approved, #10742
 go/golang/github.com%2Fgoogle/go-cmp/v0.5.5, BSD-3-Clause, approved, #5689
 go/golang/github.com%2Fgoogle/go-cmp/v0.5.9, BSD-3-Clause, approved, #5689
 go/golang/github.com%2Fgoogle/gofuzz/v1.0.0, Apache-2.0, approved, clearlydefined
@@ -82,7 +82,7 @@ go/golang/golang.org%2Fx/sys/v0.13.0, BSD-3-Clause, approved, #11053
 go/golang/golang.org%2Fx/term/v0.0.0-20201126162022-7de9c90e9dd1, BSD-3-Clause, approved, #5720
 go/golang/golang.org%2Fx/term/v0.0.0-20210927222741-03fcf44c2211, BSD-3-Clause, approved, #5720
 go/golang/golang.org%2Fx/term/v0.13.0, BSD-3-Clause, approved, #11056
-go/golang/golang.org%2Fx/text/v0.13.0, BSD-3-Clause AND (BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0) AND (BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0), restricted, #10752
+go/golang/golang.org%2Fx/text/v0.13.0, BSD-3-Clause, approved, #10752
 go/golang/golang.org%2Fx/text/v0.3.0, BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0, approved, #6122
 go/golang/golang.org%2Fx/text/v0.3.3, BSD-3-Clause AND CC-BY-SA-1.0 AND CC-BY-SA-2.0 AND CC-BY-SA-2.5 AND CC-BY-SA-3.0, approved, #6126
 go/golang/golang.org%2Fx/text/v0.3.7, BSD-3-Clause, approved, #6127

Dockerfile

@@ -37,6 +37,9 @@ WORKDIR /app
 COPY ./web /app/web
 COPY --from=builder --chown=nonroot:nonroot /app/dashboard /app/dashboard
 
+RUN adduser -u 1000 --disabled-password --gecos "" --no-create-home nonroot
+USER nonroot
+
 ENTRYPOINT ["/app/dashboard"]
 
-CMD ["-in-cluster=true"]
+CMD ["-in-cluster=true"]

charts/app-dashboard/Chart.yaml

@@ -27,7 +27,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 1.0.7
+version: 1.0.8
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

charts/app-dashboard/templates/deployment.yaml

@@ -43,6 +43,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "app-dashboard.serviceAccountName" . }}
+      securityContext:
+        runAsUser: 1000
       containers:
         - name: {{ .Chart.Name }}
           securityContext: