3 changes: 2 additions & 1 deletion src/bci_build/package/kubectl.py
Expand Up @@ -78,7 +78,8 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
else None
),
custom_end=textwrap.dedent(f"""
{DOCKERFILE_RUN} echo "user:x:999:100:User for CLI:/home/user:/usr/sbin/nologin" >> /etc/passwd && install -d -o 999 -g 100 -m 0755 /home/user
{DOCKERFILE_RUN} echo "user:x:999:100:User for CLI:/home/user:/usr/sbin/nologin" >> /etc/passwd && install -d -o 999 -g 100 -m 0755 /home/user /home/user/.kube

rcmadhankumar marked this conversation as resolved.
WORKDIR /home/user
"""),
)
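Review bot: `install -d -o 999 -g 100 -m 0755 /home/user /home/user/.kube` creates `.kube` with the same world-readable 0755 mode as the home directory, although the README change in this PR mounts the kubeconfig under that directory. Consider creating it in a separate call with a tighter mode, for example `install -d -o 999 -g 100 -m 0700 /home/user/.kube`. The literals 999 and 100 are also repeated between the passwd entry and the install call; defining them once would keep the two from drifting apart.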
11 changes: 11 additions & 0 deletions src/bci_build/package/kubectl/README.md.j2
Expand Up @@ -29,6 +29,17 @@ podman run --rm --name kubectl \
-v /localpath/to/customize:/home/user:Z
{{ image.pretty_reference }} kustomize --enable-helm
```
## Running as a non-root user

maybe "regular user" ?


By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security.

Suggested change
By default, this container runs as the `root` user. However, it is prepared to run as a non-privileged user (UID `999`) for enhanced security.
By default, this container runs as the `root` user. However, the image is also prepared to run as a non-privileged user (UID `999`) for enhanced security.

this is a bit misleading, because how the container is being run is not specified by the container. the only thing we specify is the user within the container. how you map that is dependent on how you invoke it.

I think we should simply say

"The container provides a preconfigured user called "user" which can be explicitly set to lower the permissions of kubectl within the container".


To run the container in rootless mode, you must explicitly set the user and the home environment variables:

```ShellSession
podman run --rm --name kubectl \
--user 999:100 \

why do we hardcode this here? --user user works as well.

-e HOME=/home/user \

do we need this when the -v mount below is explicitly stating /home/user ?

-v /localpath/to/kubeconfig:/home/user/.kube/config:Z \
{{ image.pretty_reference }} get nodes

why does it list "get nodes" here?


{% include 'licensing_and_eula.j2' %}
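Review bot: the `podman run` example mounts the kubeconfig at `/home/user/.kube/config` and runs with `--user 999:100`, but the section never says that the host file must be readable by that UID once mounted, so a kubeconfig with owner-only permissions may fail to load with this exact command. A sentence on the required file permissions would help, and since the example only reads the file, the mount could be read-only (`:ro,Z`). The lead-in also says "rootless mode" while the heading says "non-root user"; using one term for the in-container user avoids confusion with running podman itself unprivileged.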