Apply UID/GID defaults from image

[sigv]

Proposed changes

build/Dockerfile specifies USER 101 for common target, which is re-applied into the final images. Helm Chart/Manifests do not need to specify UID explicitly, and can instead use the image's UID. (PodSecurityContext v1 core specifies runAsUser defaults to user specified in image metadata if unspecified.)

The existing runAsNonRoot: true flag (already in place) will ensure during runtime that the image is configured with a custom user ID.

This is notably helpful for users running OpenShift, because OpenShift attempts to enforce custom UID/GID ranges for individual namespaces as part of restricted-v2 Security Context Constraint. When removing hard-coded values from manifests, OpenShift will be able to assign its own UID/GID.

In practice, this means a different model of configuring file system permissions. OpenShift assigns the container process GID 0 as supplemental to assist with that. Locations that are expected to be written to must be owned by GID 0, with group write permissions. Previous changes to main have ensured that is the case.

Init container copying files is not a concern, as we will have the same UID as owner there as the main NIC container.

Reference: A Guide to OpenShift and UIDs

Closes #5422.

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 52.35%. Comparing base (8a2c9a9) to head (f38706e).
Report is 257 commits behind head on main.

❗ Current head f38706e differs from pull request most recent head ee75176. Consider uploading reports for the commit ee75176 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3665      +/-   ##
==========================================
+ Coverage   52.32%   52.35%   +0.03%     
==========================================
  Files          61       59       -2     
  Lines       17502    16880     -622     
==========================================
- Hits         9158     8838     -320     
+ Misses       8015     7747     -268     
+ Partials      329      295      -34     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[sigv]

Not sure if CI / Smoke Tests (alpine, policies, 1.26.2) failure of internally observed 502 Bad Gateway response is relevant to this PR. 🤔

Will double check if I can repro. Tests being re-run helped. I do not see how this PR can cause a transient test failure.

[vepatel]

Hi @sigv can you create a new issue for this as the one linked in description seems incomplete and WIP, we can then prioritise and review the PR, thanks!

[sigv]

@vepatel, opened a fresh #5422 for this scope. 🤞🏻

[github-actions]

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.

[j1m-ryan]

Hi @sigv, now that securityContext is configurably using helm, is this still required?

[github-actions]

This PR is stale because it has been open 90 days with no activity. Remove stale label or comment or this will be closed in 10 days.