Kubernetes defaults to the image metadata when runAsUser is not specified, as noted in its documentation:
$ kubectl explain pod.spec.securityContext.runAsUser
KIND: Pod
VERSION: v1
FIELD: runAsUser <integer>
DESCRIPTION:
The UID to run the entrypoint of the container process. Defaults to user
specified in image metadata if unspecified. May also be set in
SecurityContext. If set in both SecurityContext and PodSecurityContext, the
value specified in SecurityContext takes precedence for that container.
Note that this field cannot be set when spec.os.name is windows.
However, when that metadata is a user name rather than a UID (for example USER groovy), combining it with runAsNonRoot: true produces an error like the one below:
Error: container has runAsNonRoot and image has non-numeric user (idsvr), cannot verify user is non-root
We should change the USER statements to be numeric rather than strings, as a better default for Kubernetes.
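The following is an added example, not Kubernetes or project code: a small model of the kubelet's runAsNonRoot decision as described above, showing why a numeric USER in the image (or an explicit numeric runAsUser) passes while a user name cannot be verified. The error strings and the "uid:gid" handling are assumptions patterned on the message quoted in this issue.

```python
"""Model of the kubelet's runAsNonRoot check (added example, not kubelet code).

Decision order, following the documentation quoted above:
  1. runAsUser from the container SecurityContext beats the PodSecurityContext.
  2. If a numeric runAsUser is set, it is checked directly (0 is root).
  3. Otherwise the image's USER metadata is consulted; a non-numeric value
     cannot be verified, which is the error this issue is about.
Error strings are assumptions modelled on the quoted kubelet message.
"""
from typing import Optional


def effective_run_as_user(pod_ctx: dict, ctr_ctx: dict) -> Optional[int]:
    """Container-level runAsUser takes precedence over the pod-level one."""
    if ctr_ctx.get("runAsUser") is not None:
        return ctr_ctx["runAsUser"]
    return pod_ctx.get("runAsUser")


def verify_run_as_non_root(pod_ctx: dict, ctr_ctx: dict, image_user: str) -> Optional[str]:
    """Return None if the container may start, otherwise the rejection reason."""
    run_as_non_root = ctr_ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
    if not run_as_non_root:
        return None  # policy not requested, nothing to verify

    uid = effective_run_as_user(pod_ctx, ctr_ctx)
    if uid is not None:
        # An explicit UID is authoritative; only UID 0 violates the policy.
        return "runAsUser breaks non-root policy" if uid == 0 else None

    # No runAsUser anywhere: fall back to the image's USER metadata, which may
    # be "name", "uid" or "uid:gid" (assumed); only the user part matters.
    user = image_user.split(":", 1)[0] if image_user else ""
    if user == "":
        return "image will run as root"  # no USER in the image means root
    if not user.isdigit():
        # Name-based USER (e.g. "groovy"): the kubelet has no passwd database
        # for the image, so it cannot prove the user is non-root and refuses.
        return f"image has non-numeric user ({user}), cannot verify user is non-root"
    return "image will run as root" if int(user) == 0 else None
```

Switching the Dockerfile from USER groovy to a numeric UID (or setting runAsUser in the pod spec) moves the decision into the first two branches, where it can be verified.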