k8s securityContext.runAsUser vs Dockerfile USER instruction

7/5/2019

What is the difference between selecting the user to run as in the securityContext.runAsUser section of my k8s deployment, vs specifying the user using USER myuser in the Dockerfile?

I'm particularly interested in whether there are security concerns associated with USER myuser that don't exist under securityContext.

-- Mike S
docker
kubernetes

1 Answer

7/5/2019

MustRunAsNonRoot

Users and groups

Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. Pods which have specified neither runAsNonRoot nor runAsUser settings will be mutated to set runAsNonRoot=true, thus requiring a defined non-zero numeric USER directive in the container. No default provided. Setting allowPrivilegeEscalation=false is strongly recommended with this strategy.

So the USER directive is important when you want the container to be started as non-root.

-- Prakash Krishna
Source: StackOverflow
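An added example, not part of the original question or answer and not Kubernetes code: a simplified Python model of the non-root verification quoted above, showing how runAsUser, runAsNonRoot and the image's USER value interact. All function and parameter names are hypothetical, and the securityContext dicts are constructed sample input.

```python
import re

def parse_image_user(user_directive):
    """Split a Dockerfile USER value into (uid, name); only one is set.
    An image with no USER directive runs as root, so it maps to uid 0."""
    if not user_directive:
        return 0, None
    user = user_directive.split(":", 1)[0]  # drop an optional ":group" suffix
    if re.fullmatch(r"\d+", user):
        return int(user), None
    return None, user

def effective(pod_sc, container_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    if key in container_sc:
        return container_sc[key]
    return pod_sc.get(key)

def check_non_root(pod_sc, container_sc, image_user):
    """Return (allowed, reason) for one container (simplified model)."""
    if not effective(pod_sc, container_sc, "runAsNonRoot"):
        return True, "runAsNonRoot not set, no verification performed"
    run_as_user = effective(pod_sc, container_sc, "runAsUser")
    if run_as_user is not None:
        if run_as_user == 0:
            return False, "runAsUser 0 conflicts with runAsNonRoot"
        return True, f"runAsUser {run_as_user} overrides the image USER"
    uid, name = parse_image_user(image_user)
    if uid is None:
        # A user name cannot be resolved to a UID without reading the
        # image's /etc/passwd, so non-root cannot be verified.
        return False, f"image USER '{name}' is not numeric"
    if uid == 0:
        return False, "image would run as root"
    return True, f"image USER {uid} is a non-zero numeric UID"

if __name__ == "__main__":
    non_root = {"runAsNonRoot": True}
    # Constructed cases: (pod securityContext, container securityContext, USER)
    for pod_sc, ctr_sc, user in [
        (non_root, {}, "myuser"),                   # named user from the question
        (non_root, {}, "1000"),                     # numeric USER in the image
        (non_root, {"runAsUser": 1000}, "myuser"),  # manifest sets the UID
        (non_root, {}, None),                       # image has no USER directive
    ]:
        print(user, ctr_sc, "->", check_non_root(pod_sc, ctr_sc, user))
```

In this model the `USER myuser` form from the question is rejected once runAsNonRoot applies, while a numeric USER or an explicit non-zero runAsUser passes.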