I'm facing an issue with using `runAsUser` in the security context for my Kubernetes pods. When I set a specific UID in security settings and that user doesn't exist in the `/etc/passwd` file within the container, I run into errors like `whoami: unknown uid`. This creates problems because the user won't have a home directory, leading to subtle script errors that developers complain about. Moreover, when users try to create directories, they encounter permission denied issues, like in this example:
> I have no name!@dev-baba2b15:/$ mkdir /data
> mkdir: cannot create directory '/data': Permission denied
Is there a way to ensure that the UID specified in the `runAsUser` security context exists in `/etc/passwd` in the container and actually has a home directory? I've tried using an initContainer to add the user and create a passwd file, then overwrite `/etc/passwd` in the main container, but that just removes essential users from the image. Any advice on this?
1 Answer
Ideally, any necessary user accounts should be created during the container's build phase. That way, you won't have to deal with missing users when the container is running. Also, try to avoid executing binaries that create state inside the container at runtime. That could lead to unwanted complications.
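To make the advice concrete, here is an added Dockerfile example (not code from the answer above or from any specific project) that creates the runtime account during the image build so the UID later referenced by `runAsUser` resolves in `/etc/passwd` and already owns a home directory. The base image, the name `app`, UID/GID `1000`, and the paths `/home/app` and `/data` are assumptions chosen for illustration.

```dockerfile
# Added example: create the runtime user at build time so that the UID used in the
# pod's securityContext.runAsUser exists in /etc/passwd and has a home directory.
# Assumptions: base image, user name "app", UID/GID 1000, and the paths below.
FROM debian:bookworm-slim

# Fixed numeric IDs; these must match runAsUser / runAsGroup in the pod spec.
ARG APP_UID=1000
ARG APP_GID=1000

# groupadd/useradd write the /etc/passwd and /etc/group entries into the image layer,
# so nothing has to be patched at runtime. --create-home makes /home/app owned by app.
RUN groupadd --gid "${APP_GID}" app \
 && useradd --uid "${APP_UID}" --gid "${APP_GID}" --create-home --home-dir /home/app app \
 && mkdir -p /data \
 && chown "${APP_UID}:${APP_GID}" /data

# Give scripts a predictable HOME and working directory.
ENV HOME=/home/app
WORKDIR /home/app

# Use the numeric form so the kubelet can verify runAsNonRoot without resolving a name.
USER ${APP_UID}:${APP_GID}

# Sanity check that both the UID and the name resolve inside the built image.
CMD ["sh", "-c", "id && whoami && echo HOME=$HOME && touch /data/ok && echo write-ok"]
```

With this image, the pod's `securityContext` should use the same numeric values (`runAsUser: 1000`, `runAsGroup: 1000`), and `runAsNonRoot: true` can be enforced because the image already declares a numeric `USER`. One caveat worth checking: if a volume is mounted at `/data`, the mount replaces the directory baked into the image along with its ownership, so the write permission has to come from the pod spec (for example `fsGroup: 1000`) rather than from the `chown` in the Dockerfile. Running the image once with `docker run --rm <image>` before deploying confirms that `whoami` prints `app` instead of `unknown uid`.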

Wait, so you're saying the UID has to exist in the container at build time too, right? Or else you'll run into issues when using `runAsUser`?