We are running Docker containers in Kubernetes. Docker allows running containers under different users at the host system level.
I was looking into several Helm charts and it seems that, for example, Prometheus runs as "nobody", while Grafana creates its own user (hardcoded ID) using useradd in its Dockerfile.
Is there any way to standardize this behavior in Kubernetes, possibly making sure that only the users required on the system by containers are present, and that they are removed once the container is scheduled elsewhere?
I am also worried that we will get user ID collisions, resulting in unexpected behavior that will be hard to test...
It isn't necessary for the Docker host machine to have a user with the UID that is used inside the container.
Here is an example:
On the Docker host machine:
# Mongo container is running
root@docker-test:~# docker ps -a
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
08495ae15f44 mongo:latest "docker-entrypoint..." 23 minutes ago Up 23 minutes 27017/tcp some-mongo
# mongod process is running under UID 999
root@docker-test:~# ps aux | grep mongo | grep -v grep
999 14035 0.6 1.7 986136 67612 ? Ssl 08:56 0:01 mongod --bind_ip_all
# there is no user with UID 999 id on the docker host machine
root@docker-test:~# cat /etc/passwd | grep 999
root@docker-test:~#
Inside the container:
# attaching to container
root@docker-test:~# docker exec -it 08495ae15f44 bash
# mongod process is running with privileges of the mongodb user
root@08495ae15f44:/# ps aux | grep mongo | grep -v grep
mongodb 1 0.4 1.8 990320 70036 ? Ssl 08:56 0:02 mongod --bind_ip_all
# user mongodb is present inside the container in /etc/passwd and has UID 999
root@08495ae15f44:/# cat /etc/passwd | grep mongodb
mongodb:x:999:999::/home/mongodb:/bin/sh
root@08495ae15f44:/#
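To standardize the UID/GID across charts regardless of what each image's Dockerfile does, the Pod (or container) securityContext can pin the numeric identity. The manifest below is an added example, not part of the answer above; the image name, UID 10001 and GID 10001 are assumed placeholder values.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: uid-pinned-example   # assumed name
spec:
  securityContext:
    # Numeric IDs are applied directly by the kernel; they do not have to exist
    # in the image's /etc/passwd nor on the node, as the answer above shows.
    runAsUser: 10001         # assumed placeholder UID
    runAsGroup: 10001        # assumed placeholder GID
    # Refuses to start the container if the effective UID would be 0.
    # With a named USER in the image, kubelet cannot verify this, so set a numeric runAsUser.
    runAsNonRoot: true
    # Volumes mounted into the pod get this group so the non-root process can write to them.
    fsGroup: 10001
  containers:
  - name: app
    image: example.org/app:1.0   # assumed placeholder image
    securityContext:
      allowPrivilegeEscalation: false
```

Setting these at the pod level overrides the image's USER directive, so charts that bake in different users (useradd in the Dockerfile, "nobody", etc.) all run under the identity you choose; fsGroup handles the common failure mode where a pinned non-root UID cannot write to a mounted volume.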