fix(docker): updated docker to use non-root user for k8s/helm deployments (#1626)

* fix(docker): updated docker to use non-root user for k8s/helm deployments * ack PR comments
2026-04-06 03:00:16 -04:00 · 2025-10-14 15:54:51 -07:00
parent f147eaee1c
commit f345c4d1d8
3 changed files with 42 additions and 16 deletions
--- a/docker/realtime.Dockerfile
+++ b/docker/realtime.Dockerfile
@@ -36,11 +36,18 @@ WORKDIR /app

 ENV NODE_ENV=production

+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
+
 # Copy the sim app and the shared db package needed by socket-server
-COPY --from=builder /app/apps/sim ./apps/sim
-COPY --from=builder /app/packages/db ./packages/db
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/package.json ./package.json
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim ./apps/sim
+COPY --from=builder --chown=nextjs:nodejs /app/packages/db ./packages/db
+COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --from=builder --chown=nextjs:nodejs /app/package.json ./package.json
+
+# Switch to non-root user
+USER nextjs

 # Expose socket server port (default 3002, but configurable via PORT env var)
 EXPOSE 3002