USER instruction should use $CNB_USER_ID and not a user name. #44
Comments
jromero
added a commit
that referenced
this issue
Feb 19, 2020
Resolves #44 Signed-off-by: Javier Romero <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
All use of the
USERinstruction to setup the final closing user for an image should use:and not:
The reason for this is that it ensures that the user in the image manifest is recorded as an integer user ID that can then be used by a container platform such as Kubernetes, to verify that the image will not run as the
rootuser.This comes up when using pod security policies in Kubernetes. By using a name for
USER, the platform cannot verify what actual user ID the image would run as. This means you can't useMustRunAsfor therunUsersetting of a pod security policy as it will be rejected. Instead you are forced to use in the pod security policyRunAsAnywhich means you have a service account in the namespace which a user could then apply to run any image asroot. So using a user name forUSERis going to force people to configure their platform in a less secure way when using pod security policies.The reason Kubernetes will reject the image where
USERis a user name rather than an integer user ID, is that a user name which is notrootis not a guarantee that it will not run as user ID 0, as the nonrootuser name could map to user ID 0 in the/etc/passwdfile, which the platform wouldn't be able to validate.Any examples and documentation should therefore use an integer user ID for
USER. In this case it can be picked up from the environment variable set from the original build argument.The text was updated successfully, but these errors were encountered: