Commit 81beb83

Running kubectl container as a rootless user
1 parent f7e3ffd commit 81beb83

2 files changed

Lines changed: 13 additions & 1 deletion


src/bci_build/package/kubectl.py

Lines changed: 2 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -78,7 +78,8 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
7878
else None
7979
),
8080
custom_end=textwrap.dedent(f"""
81-
{DOCKERFILE_RUN} echo "user:x:999:100:User for CLI:/home/user:/usr/sbin/nologin" >> /etc/passwd && install -d -o 999 -g 100 -m 0755 /home/user
81+
{DOCKERFILE_RUN} echo "user:x:999:100:User for CLI:/home/user:/usr/sbin/nologin" >> /etc/passwd && install -d -o 999 -g 100 -m 0755 /home/user /home/user/.kube
82+
8283
WORKDIR /home/user
8384
"""),
8485
)
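Review bot: `install -d -o 999 -g 100 -m 0755 /home/user /home/user/.kube` applies the same world-readable mode to `.kube` as to the home directory, yet `.kube` is where the README in this commit mounts the kubeconfig, which carries cluster credentials. Consider creating it in a separate call with a private mode, e.g. `install -d -o 999 -g 100 -m 0700 /home/user/.kube`, so that only UID 999 can list it. Otherwise the hunk is consistent with the README text: no `USER` instruction is added, so the image still defaults to `root` and the `user:x:999:100` passwd entry only takes effect when the caller passes `--user 999:100`.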

src/bci_build/package/kubectl/README.md.j2

Lines changed: 11 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -29,6 +29,17 @@ podman run --rm --name kubectl \
2929
-v /localpath/to/customize:/home/user:Z
3030
{{ image.pretty_reference }} kustomize --enable-helm
3131
```
32+
## Running as a non-root user
3233

34+
By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security.
35+
36+
To run the container in rootless mode, you must explicitly set the user and the home environment variables:
37+
38+
```ShellSession
39+
podman run --rm --name kubectl \
40+
--user 999:100 \
41+
-e HOME=/home/user \
42+
-v /localpath/to/kubeconfig:/home/user/.kube/config:Z \
43+
{{ image.pretty_reference }} get nodes
3344

3445
{% include 'licensing_and_eula.j2' %}
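Review bot: the `ShellSession` code fence opened just before `podman run --rm --name kubectl \` is never closed: the hunk adds exactly 11 lines, the last of which is `{{ image.pretty_reference }} get nodes`, and the next unchanged line is `{% include 'licensing_and_eula.j2' %}`, so the licensing include (and everything the template appends) renders inside the code block. Add a closing triple-backtick line directly after the `get nodes` line, mirroring the fence that closes the `kustomize --enable-helm` example above it. The section would also benefit from one sentence noting that, with `--user 999:100`, the host file bind-mounted at `/home/user/.kube/config` keeps its host ownership and therefore must be readable by UID 999 or GID 100, since the `.kube` directory created in `kubectl.py` being owned by 999:100 does not make the mounted config readable.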
