Make the frontend container run as a non-root user

Author: SpecLad

Dockerfile.ui

@@ -36,9 +36,9 @@ DISABLE_SOURCE_MAPS="${DISABLE_SOURCE_MAPS}" \
 UI_APP_CONFIG="${UI_APP_CONFIG}" \
 SOURCE_MAPS_TOKEN="${SOURCE_MAPS_TOKEN}" yarn run build:cvat-ui
 
-FROM nginx:1.28.0-alpine3.21-slim
+FROM nginxinc/nginx-unprivileged:1.28.0-alpine3.21-slim
 
 # Replace default.conf configuration to remove unnecessary rules
-COPY cvat-ui/react_nginx.conf /etc/nginx/conf.d/default.conf
+COPY --chown=nginx:root cvat-ui/react_nginx.conf /etc/nginx/conf.d/default.conf
 COPY cvat-ui/robots.txt /usr/share/nginx/html/
 COPY --from=cvat-ui /tmp/cvat-ui/dist /usr/share/nginx/html/

docker-compose.yml

@@ -252,7 +252,7 @@ services:
       - cvat_server
     labels:
       traefik.enable: "true"
-      traefik.http.services.cvat-ui.loadbalancer.server.port: "80"
+      traefik.http.services.cvat-ui.loadbalancer.server.port: "8000"
       traefik.http.routers.cvat-ui.rule: Host(`${CVAT_HOST:-localhost}`)
       traefik.http.routers.cvat-ui.entrypoints: web
     networks:

helm-chart/Chart.yaml

@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.15.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

helm-chart/templates/cvat_frontend/deployment.yml

@@ -39,27 +39,29 @@ spec:
           {{- toYaml . | nindent 12 }}
           {{- end }}
           ports:
-          - containerPort: 80
+          - containerPort: 8000
           {{- with .Values.cvat.frontend.additionalEnv }}
           env:
           {{- toYaml . | nindent 10 }}
           {{- end }}
           {{- if .Values.cvat.frontend.readinessProbe.enabled }}
           readinessProbe:
             tcpSocket:
-              port: 80
+              port: 8000
             {{- toYaml (omit .Values.cvat.frontend.readinessProbe "enabled") | nindent 12 }}
           {{- end }}
           {{- if .Values.cvat.frontend.livenessProbe.enabled }}
           livenessProbe:
             tcpSocket:
-              port: 80
+              port: 8000
             {{- toYaml (omit .Values.cvat.frontend.livenessProbe "enabled") | nindent 12 }}
           {{- end }}
           {{- with .Values.cvat.frontend.additionalVolumeMounts }}
           volumeMounts:
           {{- toYaml . | nindent 10 }}
           {{- end }}
+          securityContext:
+            runAsNonRoot: true
       {{- with .Values.cvat.frontend.additionalVolumes }}
       volumes:
       {{- toYaml . | nindent 8 }}

helm-chart/templates/ingress.yaml

@@ -34,13 +34,13 @@ spec:
           service:
             name: {{ $.Release.Name }}-backend-service
             port:
-              number: 8080
+              name: http
       {{- end }}
       - path: /
         pathType: Prefix
         backend:
           service:
             name: {{ .Release.Name }}-frontend-service
             port:
-              number: 80
+              name: http
 {{- end }}

helm-chart/values.yaml

@@ -211,8 +211,8 @@ cvat:
     service:
       type: ClusterIP
       ports:
-        - port: 80
-          targetPort: 80
+        - port: 8000
+          targetPort: 8000
           protocol: TCP
           name: http
   opa: