Running kubectl container as a rootless user

rcmadhankumar · rcmadhankumar · commit 81beb8364e0c · 2026-04-02T14:43:59.000+05:30
diff --git a/src/bci_build/package/kubectl.py b/src/bci_build/package/kubectl.py
@@ -78,7 +78,8 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
             else None
         ),
         custom_end=textwrap.dedent(f"""
-            {DOCKERFILE_RUN} echo "user:x:999:100:User for CLI:/home/user:/usr/sbin/nologin" >> /etc/passwd && install -d -o 999 -g 100 -m 0755 /home/user
+            {DOCKERFILE_RUN} echo "user:x:999:100:User for CLI:/home/user:/usr/sbin/nologin" >> /etc/passwd && install -d -o 999 -g 100 -m 0755 /home/user /home/user/.kube
+
             WORKDIR /home/user
             """),
     )
diff --git a/src/bci_build/package/kubectl/README.md.j2 b/src/bci_build/package/kubectl/README.md.j2
@@ -29,6 +29,17 @@ podman run --rm --name kubectl \
       -v /localpath/to/customize:/home/user:Z
       {{ image.pretty_reference }} kustomize --enable-helm
 ```
+## Running as a non-root user
 
+By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security.
+
+To run the container in rootless mode, you must explicitly set the user and the home environment variables:
+
+```ShellSession
+podman run --rm --name kubectl \
+      --user 999:100 \
+      -e HOME=/home/user \
+      -v /localpath/to/kubeconfig:/home/user/.kube/config:Z \
+      {{ image.pretty_reference }} get nodes
 
 {% include 'licensing_and_eula.j2' %}
