Run verrazzano-api pod as non root user

[desagar]

Description

Run verrazzano-api pod as non-root user. This required changing the default prefix path to a location that the nginx user has permissions to, and changing the permissions on some of the startup shell scripts, since those are owned by root.

Note: I tried to fix fluentd to not run as root, but from what I can gather, it needs root permission to read /var/log. Found some info here and here

Partially Fixes VZ-2504

Checklist

As the author of this PR, I have:

• Checked that I included or updated copyright and license notices in all files that I altered
• Added or updated unit tests for any new functions I added
• Added or updated integration tests if appropriate
• Added or updated acceptance tests if appropriate

Code reviewer, please confirm this PR:

• Addressed the requirement and meets the acceptance criteria
• Does not introduce unrelated or spurious changes
• Does not introduce any unapproved dependency
• Makes sense and it easy to understand, and/or difficult areas of code are clearly documented so that they can be understood

[wmhopkins]

Looks good to me, but had a couple questions.

[wmhopkins]

Why are we adding execute permission for group+world?

[desagar]

when the config map containing these scripts is mounted at /api-config, everything is owned by root. I tried specifying a securityContext section with runAsUser id 101 (the nginx default user www-data) but still everything mounted is owned by root:root. The www-data user is not a member of root group but needs to execute the scripts mounted from the config map.

[wmhopkins]

If we delete the "run as user/group 0", what uid/gid does nginx run as?

[desagar]

It runs by default as user id 101 which is www-data:www-data - here is their Dockerfile

[wmhopkins]

lgtm