From 3be93961c7dafe22c64ced670ec29d34263b9ae6 Mon Sep 17 00:00:00 2001
From: "cartsnitch-engineer[bot]" <269717931+cartsnitch-engineer[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 01:27:20 +0000
Subject: [PATCH 1/2] fix: use non-root nginx image for Kubernetes runAsNonRoot compatibility
Switch from nginx:stable-alpine to nginxinc/nginx-unprivileged:stable-alpine. The unprivileged image runs as nginx user (UID 101) on port 8080, satisfying the runAsNonRoot: true security context in Kubernetes.
Fixes: https://github.com/cartsnitch/infra/issues/65
Co-Authored-By: Paperclip
---
 Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6a8b88d..069d83b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,13 +9,13 @@ RUN npm ci
 COPY . .
 RUN npm run build
-# Stage 2: Production
-FROM nginx:stable-alpine AS prod
+# Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
+FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
-EXPOSE 80
+EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
- CMD wget -qO- http://localhost/health || exit 1
+ CMD wget -qO- http://localhost:8080/health || exit 1
From e41d24718ebfba57d8a170e24b3d102695ca5e4b Mon Sep 17 00:00:00 2001
From: "cartsnitch-engineer[bot]" <269717931+cartsnitch-engineer[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 01:27:31 +0000
Subject: [PATCH 2/2] fix: update nginx listen port to 8080 for non-root operation
Non-root users cannot bind to ports < 1024. Port 8080 is used by nginxinc/nginx-unprivileged by default.
Co-Authored-By: Paperclip
---
 nginx.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nginx.conf b/nginx.conf
index b51da1e..fd1acc3 100644
--- a/nginx.conf
+++ b/nginx.conf
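Review bot: In the Dockerfile hunk, the new `FROM nginxinc/nginx-unprivileged:stable-alpine AS prod` line takes the production base from a floating tag, so a rebuild can silently pick up different image content; pinning it by digest, `FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:<digest-placeholder> AS prod`, keeps the base reproducible and makes base updates show up in review. The non-root guarantee also lives only in the base image and in the comment above `FROM`; adding an explicit `USER 101` after the two `COPY` lines would state the contract in this file and keep `runAsNonRoot: true` satisfied if the base's default user ever changes. The build stage starts above the hunk, so this applies to the `prod` stage only.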
@@ -1,5 +1,5 @@
 server {
- listen 80;
+ listen 8080;
 server_name _;
 root /usr/share/nginx/html;
 index index.html;
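Review bot: `listen 8080;` opens an IPv4 socket only, while the HEALTHCHECK changed in the Dockerfile patch probes `http://localhost:8080/health`; on Alpine, `localhost` can resolve to `::1` first and BusyBox wget may not fall back to 127.0.0.1, which would report a healthy container as unhealthy. If IPv6 loopback is enabled in the target runtime, either add `listen [::]:8080;` beside this line or have the health check probe `127.0.0.1` instead. The server block continues past the end of the hunk, so any other listener settings are not visible here.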