Analyze and edit the given Dockerfile:

FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT

Fix two instructions in the file that are prominent security best-practice issues.

Analyze and edit the deployment manifest file:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      privileged: True
      allowPrivilegeEscalation: false

Fix two fields in the file that are prominent security best-practice issues.

Don't add or remove configuration settings; only modify the existing configuration settings.

Whenever you need an unprivileged user for any of the tasks, use user test-user with the user id 5487.
Looks like the key fixes are switching to ubuntu:20.04 in the Dockerfile and USER test-user, then for the manifest, runAsUser 5487 and privileged false. That lines up with CKS best practice and what the question wants. I think that's all that's needed unless I'm missing something subtle?
Why not just swap ubuntu:latest for ubuntu:20.04 and switch USER root to USER test-user? In the manifest, change runAsUser from 0 to 5487, and set privileged to false. Saw similar in recent practice tests; seems right.
Careful here: looks like ubuntu:latest is a trap since it's not pinned, and USER ROOT definitely violates container best practices. For the manifest, running as UID 0 and privileged: True are both security risks, so pretty sure updating those is the way to go. Anyone see another gotcha?
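As an added example (not part of the original thread or of any CKS material), here is a small POSIX shell audit that flags the four findings the replies discuss (unpinned base image, USER root, runAsUser 0, privileged container) and then applies the two-field fixes without adding or removing any instruction. The sample Dockerfile and manifest are constructed inline from the question; the pin tag 20.04, the user test-user and UID 5487 come from the replies and are passed in as parameters. The root check compares case-insensitively so that the uppercase USER ROOT in the question is caught, and it looks only at the last USER instruction because that one decides the runtime user.

```shell
#!/bin/sh
# Added example: audit a Dockerfile and a Pod manifest for the findings
# discussed in the thread, then apply the two-field fixes. Inputs below are
# constructed from the question text so the script runs offline.

# --- constructed inputs (transcribed from the question) ---------------------
WORK=$(mktemp -d)
cat > "$WORK/Dockerfile" <<'EOF'
FROM ubuntu:latest
RUN apt-get update -y
RUN apt-get install nginx -y
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
USER ROOT
EOF
cat > "$WORK/pod.yaml" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo-2
spec:
  securityContext:
    runAsUser: 1000
  containers:
  - name: sec-ctx-demo-2
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      runAsUser: 0
      privileged: True
      allowPrivilegeEscalation: false
EOF

# --- detection: one finding per output line, nothing printed means clean ----
check_dockerfile() {
  f="$1"
  # A FROM with no tag or digest, or with the :latest tag, is not pinned
  awk -v f="$f" 'toupper($1)=="FROM" {
      img=$2; sub(/^.*\//, "", img)          # drop registry/path, keep name:tag
      if (img !~ /[:@]/ || img ~ /:latest$/)
        print f ": unpinned base image (" $2 ")" }' "$f"
  # The last USER instruction wins; unset, root or UID 0 means running as root
  last=$(awk 'toupper($1)=="USER" { u=$2 } END { print u }' "$f" | tr 'A-Z' 'a-z')
  case "$last" in
    ""|root|0|root:*|0:*) echo "$f: runs as root (USER ${last:-unset})" ;;
  esac
}

check_manifest() {
  f="$1"
  # runAsUser: 0 at pod or container level (container level overrides the pod),
  # privileged: true and allowPrivilegeEscalation: true are each a finding
  awk -v f="$f" '
    $1=="runAsUser:" && $2=="0" { print f ": line " NR ": runAsUser: 0 (root)" }
    $1=="privileged:" && tolower($2)=="true" { print f ": line " NR ": privileged container" }
    $1=="allowPrivilegeEscalation:" && tolower($2)=="true" {
        print f ": line " NR ": allowPrivilegeEscalation enabled" }' "$f"
}

# --- remediation: rewrite only the existing fields, add nothing --------------
fix_dockerfile() {   # $1 = input file, $2 = pin tag, $3 = unprivileged user
  sed -e "s#^FROM ubuntu:latest\$#FROM ubuntu:$2#" \
      -e "s#^USER [Rr][Oo][Oo][Tt]\$#USER $3#" "$1"
}

fix_manifest() {     # $1 = input file, $2 = unprivileged UID
  sed -e "s/^\([[:space:]]*\)runAsUser: 0\$/\1runAsUser: $2/" \
      -e "s/^\([[:space:]]*\)privileged: [Tt]rue\$/\1privileged: false/" "$1"
}

# --- run: values 20.04, test-user and 5487 are the ones the replies use -------
fix_dockerfile "$WORK/Dockerfile" 20.04 test-user > "$WORK/Dockerfile.fixed"
fix_manifest   "$WORK/pod.yaml"   5487            > "$WORK/pod.fixed.yaml"
echo "== findings before =="
check_dockerfile "$WORK/Dockerfile"; check_manifest "$WORK/pod.yaml"
echo "== findings after =="
check_dockerfile "$WORK/Dockerfile.fixed"; check_manifest "$WORK/pod.fixed.yaml"
```

Running it prints two findings for each original file and none for the fixed copies; the fixed files differ from the originals in exactly the two lines each that the replies name, which is what the question's "only modify existing settings" constraint requires.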