Usually and unless mentioned in the Dockerfile, the image gets build and runs with root privileges inside the container.

Running a container with non-root user:

To be able to run a container with a non-root user, we build the docker image, mentioning the user that the image will later use to run the containeras we can see in the below Dockerfile:


We van build the image using the below command:


Remark:

All the commands below the "USER container_user" instruction run under the "container_user" id.

We can run the image in a container using the below:


Kubernetes pods and non-privileged users:

If we are using kubernetes, we could override the fact that the container runs with a root user, by creating a "non-privileged" user for the pod in which the container "lives" ( ID: 6500 -mentioned below- ).

All the containers in the "secure-pod" will run under the user mentioned in "runAsUser".
The "runAsGroup" performs the same function for the user group.

The "allowPrivilegeEscalation" dictates whether a pod can escalate its privileges beyond those of the parent process.

Below is the Yaml file of the pod:


Brando Sabatini and Ikbal C ©. Powered by Blogger.