cartservice - unprivileged container (GoogleCloudPlatform#848)

* cartservice - COMPlus_EnableDiagnostics=0

* unprivileged container and securitycontext in kubernetes yaml file

* DOTNET_EnableDiagnostics=0

Co-authored-by: Nim Jayawardena <[email protected]>

Author: mathieu-benoit

kubernetes-manifests/cartservice.yaml

@@ -27,8 +27,20 @@ spec:
     spec:
       serviceAccountName: default
       terminationGracePeriodSeconds: 5
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
       containers:
       - name: server
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+              - all
+          privileged: false
+          readOnlyRootFilesystem: true
         image: cartservice
         ports:
         - containerPort: 7070

src/cartservice/src/Dockerfile

@@ -28,4 +28,5 @@ RUN GRPC_HEALTH_PROBE_VERSION=v0.4.11 && \
 WORKDIR /app
 COPY --from=builder /cartservice .
 ENV ASPNETCORE_URLS http://*:7070
+ENV DOTNET_EnableDiagnostics=0
 ENTRYPOINT ["/app/cartservice"]