feat: use rootless base image for nb-controller and pod-default (kubeflow/kubeflow#7686)

thesuperzapper · web-flow · commit 95f002b99f98 · 2025-02-17T08:00:40.000Z
Signed-off-by: Mathew Wicks &lt;5735406+thesuperzapper@users.noreply.github.com&gt;
diff --git a/components/notebook-controller/Dockerfile b/components/notebook-controller/Dockerfile
@@ -26,9 +26,13 @@ RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -mod=mod -o manager main
 
 # Use distroless as minimal base image to package the manager binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/base:debug
+FROM gcr.io/distroless/static:nonroot
+
 WORKDIR /
 COPY --from=builder /workspace/notebook-controller/manager .
 COPY --from=builder /workspace/notebook-controller/third_party/license.txt third_party/license.txt
 COPY --from=builder /go/pkg/mod/github.com/hashicorp third_party/hashicorp
+
+USER 65532:65532
+
 ENTRYPOINT ["/manager"]
