cartservice - unprivileged container

[mathieu-benoit]

Setup cartservice to run as unprivileged container (other services will come later with future dedicated PRs).

• Update the Kubernetes manifest of the Deployment with securityContext features
• Set DOTNET_EnableDiagnostics=0 in the Dockerfile in order to make the dotnet app compatible with an unprivleged container
  • More info here https://docs.microsoft.com/en-us/dotnet/core/docker/build-container#create-the-dockerfile: For added security, you can opt out of the diagnostic pipeline. When you opt-out this allows the container to run as read-only.
  • Otherwise at startup runtime, there is this issue Failed to create CoreCLR, HRESULT: 0x80004005

[github-actions]

🚲 PR staged at http://34.134.2.241

[github-actions]

🚲 PR staged at http://34.134.2.241

[github-actions]

🚲 PR staged at http://34.134.2.241

[mathieu-benoit]

Ready for your review, thanks! Again it's just for cartservice for now, other services will come later.

The goal here is to have Online Boutique containers/apps running unprivileged (non root, etc.) in order to be easily deployed on secure environment (PSP, Gatekeeper, OpenShift, etc.). Evidence with Bank of Anthos here: GoogleCloudPlatform/bank-of-anthos#517. I will implement this later in there too.

Because I already had the implementation of this tested and working on my environment for cartservice, I just pushed this here to start :)

[NimJay]

Looks good to me.
Thanks for doing this, @mathieu-benoit.
I've tested the staging URL — the cart works fine.

[github-actions]

🚲 PR staged at http://34.134.2.241