For the pu/pu image to support non-root execution (a security best practice, and supported by PKOv2), we need to add a local user to the image.
Ideally we wouldn't have separate "nonroot" images (see the "distroless" images). Otherwise the defaulting logic would be more tricky.
One possibility is to add the local user as shown below but avoid using the USER instruction. I think that's sufficient for purposes of PKOv2, because the pod can apply a security context. The USER instruction seems to set the default, which might be considered a breaking change for existing users of the pu/pu image.
For the pu/pu image to support non-root execution (a security best practice, and supported by PKOv2), we need to add a local user to the image.
Ideally we wouldn't have separate "nonroot" images (see the "distroless" images). Otherwise the defaulting logic would be more tricky.
One possibility is to add the local user as shown below but avoid using the
USER
instruction. I think that's sufficient for purposes of PKOv2, because the pod can apply a security context. TheUSER
instruction seems to set the default, which might be considered a breaking change for existing users of the pu/pu image.Here's an example of the Dockerfile commands:
And an example of the pod security context: