fix other serving samples' Dockerfile to run as non-root user

Update README.md file when necessary

code-samples/serving/gitwebhook-go/Dockerfile

@@ -32,7 +32,23 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /go/bin/webh
 
 FROM golang:alpine
 
-EXPOSE 8080
-COPY --from=builder /go/bin/webhook-sample /app/webhook-sample
+ARG USER=appuser
+ARG USER_UID=1001
+ARG USER_GID=$USER_UID
 
-ENTRYPOINT ["/app/webhook-sample"]
+ENV PORT=8080
+
+# Create and change to the app directory.
+WORKDIR "/home/${USER}/app"
+
+# Add a user so the server will run as a non-root user.
+RUN addgroup -g $USER_GID $USER && \
+    adduser -u $USER_UID -G $USER -D $USER
+
+COPY --from=builder /go/bin/webhook-sample ./webhook-sample
+
+EXPOSE $PORT
+
+USER $USER
+
+ENTRYPOINT ["./webhook-sample"]

code-samples/serving/grpc-ping-go/Dockerfile

@@ -35,11 +35,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -tags=grpcping
 # Use a Docker multi-stage build to create a lean production image.
 # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds
 # https://github.com/GoogleContainerTools/distroless#readme
-FROM gcr.io/distroless/static
+FROM gcr.io/distroless/static:nonroot
+
+WORKDIR "/home/nonroot/app"
 
 # Copy the binaries to the production image from the builder stage.
-COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-server /server
-COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-client /client
+COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-server ./server
+COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-client ./client
 
 # Run the service on container startup.
-CMD ["/server"]
+CMD ["./server"]

code-samples/serving/grpc-ping-go/README.md

@@ -40,7 +40,6 @@ for production containers.
 
    Replace `{username}` in `service.yaml` with your Docker Hub user name:
 
-
   ```yaml
   apiVersion: serving.knative.dev/v1
   kind: Service

code-samples/serving/knative-routing-go/Dockerfile

@@ -22,9 +22,14 @@ ADD . /go/src/github.com/knative/docs/
 
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build ./code-samples/serving/knative-routing-go/
 
-FROM gcr.io/distroless/base
+FROM gcr.io/distroless/base:nonroot
 
-EXPOSE 8080
-COPY --from=builder /go/src/github.com/knative/docs/knative-routing-go /sample
+ENV PORT=8080
 
-ENTRYPOINT ["/sample"]
+WORKDIR "/home/nonroot/app"
+
+COPY --from=builder /go/src/github.com/knative/docs/knative-routing-go ./sample
+
+EXPOSE $PORT
+
+ENTRYPOINT ["./sample"]

code-samples/serving/knative-routing-go/README.md

@@ -27,15 +27,15 @@ the Login service.
      will refer to it as <YOUR_DOMAIN_NAME> in the rest of this document
 4. Check out the code:
 
-```
+```bash
 go get -d github.com/knative/docs/code-samples/serving/knative-routing-go
 ```
 
 ## Setup
 
 To check the domain name, run the following command:
 
-```
+```bash
 kubectl get cm  -n knative-serving config-domain -o yaml
 ```
 
@@ -69,7 +69,7 @@ export REPO="docker.io/<username>"
 
 3. Use Docker to build and push your application container:
 
-```
+```bash
 # Build and push the container on your local machine.
 docker buildx build --platform linux/arm64,linux/amd64 -t "${REPO}/knative-routing-go" --push . -f code-samples/serving/knative-routing-go/Dockerfile
 ```
@@ -87,15 +87,15 @@ docker buildx build --platform linux/arm64,linux/amd64 -t "${REPO}/knative-routi
 
    - Run this command:
 
-   ```
+   ```bash
    perl -pi -e "[email protected]/knative/docs/code-samples/serving@${REPO}@g" code-samples/serving/knative-routing-go/sample.yaml
    ```
 
 ## Deploy the Service
 
 Deploy the Knative Serving sample:
 
-```
+```bash
 kubectl apply --filename code-samples/serving/knative-routing-go/sample.yaml
 ```
 
@@ -107,21 +107,21 @@ Kubernetes service with:
 
 - Check the shared Gateway:
 
-```
+```bash
 kubectl get Gateway --namespace knative-serving --output yaml
 ```
 
 - Check the corresponding Kubernetes service for the shared Gateway:
 
-```
+```bash
 INGRESSGATEWAY=istio-ingressgateway
 
 kubectl get svc $INGRESSGATEWAY --namespace istio-system --output yaml
 ```
 
 - Inspect the deployed Knative services with:
 
-```
+```bash
 kubectl get ksvc
 ```
 
@@ -166,7 +166,7 @@ You should see: `Login Service is called !`
 
 1. Apply the custom routing rules defined in `routing.yaml` file with:
 
-```
+```bash
 kubectl apply --filename code-samples/serving/knative-routing-go/routing.yaml
 ```
 
@@ -182,7 +182,7 @@ like {{.Name}}-{{.Namespace}}. You can find out the format by running the
 command:
 {% endraw %}
 
-```
+```bash
 kubectl get cm  -n knative-serving config-network -o yaml
 ```
 
@@ -196,7 +196,7 @@ Then look for the value for `domain-template`. If it is
 2. The `routing.yaml` file will generate a new VirtualService `entry-route` for
    domain `example.com` or your own domain name. View the VirtualService:
 
-```
+```bash
 kubectl get VirtualService entry-route --output yaml
 ```
 
@@ -268,15 +268,15 @@ with a destination address of an externally available service.
 
 Using
 
-```
+```bash
 kubectl label kservice search-service login-service networking.knative.dev/visibility=cluster-local
 ```
 
 you label the services as an cluster-local services, removing access via `search-service.default.example.com`
 and `login-service.default.example.com`. After doing so, your previous routing rule will not be routable anymore.
 Running
 
-```
+```bash
 kubectl apply --filename code-samples/serving/knative-routing-go/routing-internal.yaml
 ```
 

code-samples/serving/kong-routing-go/Dockerfile

@@ -22,9 +22,14 @@ ADD . /go/src/github.com/knative/docs/
 
 RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build ./code-samples/serving/kong-routing-go/
 
-FROM gcr.io/distroless/base
+FROM gcr.io/distroless/base:nonroot
 
-EXPOSE 8080
-COPY --from=builder /go/src/github.com/knative/docs/kong-routing-go /sample
+ENV PORT=8080
 
-ENTRYPOINT ["/sample"]
+WORKDIR "/home/nonroot/app"
+
+COPY --from=builder /go/src/github.com/knative/docs/kong-routing-go ./sample
+
+EXPOSE $PORT
+
+ENTRYPOINT ["./sample"]

code-samples/serving/kong-routing-go/README.md

@@ -19,18 +19,18 @@ to the _Login_ service.
 
 ## Prerequisites
 
-1.  A Kubernetes cluster with [Knative Serving](https://knative.dev/docs/install/serving/install-serving-with-yaml) and
+1. A Kubernetes cluster with [Knative Serving](https://knative.dev/docs/install/serving/install-serving-with-yaml) and
     [Kong](https://docs.konghq.com/kubernetes-ingress-controller/1.3.x/guides/using-kong-with-knative/)
     installed.
-1.  Install
+1. Install
     [Docker](https://docs.docker.com/get-started/#prepare-your-docker-environment).
-1.  Acquire a domain name.
+1. Acquire a domain name.
     - In this example, we use `example.com`. If you don't have a domain name,
       you can modify your hosts file (on macOS or Linux) to map `example.com` to
       your cluster's ingress IP.
     - If you have configured a custom domain for your Knative installation, we
       will refer to it as `<YOUR_DOMAIN_NAME>` in the rest of this document
-1.  Check out the code:
+1. Check out the code:
 
     ```bash
     go get -d github.com/knative/docs/code-samples/serving/kong-routing-go
@@ -49,13 +49,13 @@ Then, check the value for `data`. The domain name should be in the format of
 
 Build the application container and publish it to a container registry:
 
-1.  Move into the sample directory:
+1. Move into the sample directory:
 
     ```bash
     cd $GOPATH/src/github.com/knative/docs
     ```
 
-1.  Set your preferred container registry:
+1. Set your preferred container registry:
 
     If you use Google Container Registry (GCR), you will need to enable the [GCR
     API](https://console.cloud.google.com/apis/library/containerregistry.googleapis.com)
@@ -79,7 +79,7 @@ Build the application container and publish it to a container registry:
     docker buildx build --platform linux/arm64,linux/amd64 -t "${REPO}/kong-routing-go" --push . -f code-samples/serving/kong-routing-go/Dockerfile
     ```
 
-1.  Replace the image reference path with our published image path in the
+1. Replace the image reference path with our published image path in the
     configuration file `code-samples/serving/kong-routing-go/sample.yaml` in one
     of the following ways:
 
@@ -88,6 +88,7 @@ Build the application container and publish it to a container registry:
       ${REPO}/kong-routing-go`. If you manually changed the `.yaml` file, you
       must replace `${REPO}` with the correct path on your local machine.
     - Run this command:
+
       ```bash
       perl -pi -e "[email protected]/knative/docs/code-samples/serving@${REPO}@g" code-samples/serving/kong-routing-go/sample.yaml
       ```
@@ -121,53 +122,53 @@ kubectl get svc $INGRESSGATEWAY -n kong --output yaml
 
 ### Access the Services
 
-1.  Find the gateway IP and export it as an environment variable:
+1. Find the gateway IP and export it as an environment variable:
 
     ```bash
     export GATEWAY_IP=`kubectl get svc $INGRESSGATEWAY -n kong \
         --output jsonpath="{.status.loadBalancer.ingress[*]['ip']}"`
     ```
 
-1.  Find the _Search_ service URL:
+1. Find the _Search_ service URL:
 
     ```bash
     kubectl get route search-service --output=custom-columns=NAME:.metadata.name,URL:.status.url
     ```
 
     The output should looks like this:
 
-    ```
+    ```bash
     NAME              URL
     search-service    http://search-service.default.example.com
     ```
 
-1.  Make a cURL request to the service:
+1. Make a cURL request to the service:
 
     ```bash
     curl http://${GATEWAY_IP} --header "Host:search-service.default.example.com"
     ```
 
     The output should look like this:
 
-    ```
+    ```text
     Search Service is called!
     ```
 
-1.  Similarly, you can also directly access _Login_ service:
+1. Similarly, you can also directly access _Login_ service:
 
     ```bash
     curl http://${GATEWAY_IP} --header "Host:login-service.default.example.com"
     ```
 
     The output should look like this:
 
-    ```
+    ```text
     Login Service is called!
     ```
 
 ## Apply Custom Routing Rule
 
-1.  Apply the custom routing rules defined in the `routing.yaml` file:
+1. Apply the custom routing rules defined in the `routing.yaml` file:
 
     ```bash
     kubectl apply -f code-samples/serving/kong-routing-go/routing.yaml
@@ -193,7 +194,7 @@ kubectl get svc $INGRESSGATEWAY -n kong --output yaml
     `login-service.default` into `login-service-default` as well in
     `routing.yaml`.
 
-1.  The `routing.yaml` file will create an ingress that forwards incoming
+1. The `routing.yaml` file will create an ingress that forwards incoming
     requests at `example.com/search` to `search-service.default.example.com` by
     updating the "Host" header to `search-service.default.example.com` and
     stripping the request path. This modified request is then forwarded to the
@@ -204,28 +205,36 @@ kubectl get svc $INGRESSGATEWAY -n kong --output yaml
     kubectl get ingress {search,login}-service-ingress -n kong --output yaml
     ```
 
-1.  Send a request to the _Search_ service and the _Login_ service by using
+1. Send a request to the _Search_ service and the _Login_ service by using
     their corresponding URLs. You should get the same results as directly
     accessing these services.
 
     - Send a request to the _Search_ service:
+
       ```bash
       curl http://${GATEWAY_IP}/search --header "Host: example.com"
       ```
+
       or
+
       ```bash
       curl http://${GATEWAY_IP}/search --header "Host: <YOUR_DOMAIN_NAME>"
       ```
+
       for the case using your own domain.
 
     - Send a request to the _Login_ service:
+
       ```bash
       curl http://${GATEWAY_IP}/login --header "Host: example.com"
       ```
+
       or
+
       ```bash
       curl http://${GATEWAY_IP}/login --header "Host: <YOUR_DOMAIN_NAME>"
       ```
+
       for the case using your own domain.
 
 ## How It Works