What is the difference between selecting the user to run as in the securityContext.runAsUser section of my k8s deployment, vs specifying the user using USER myuser in the Dockerfile?

I'm particularly interested in whether there are security concerns associated with USER myuser that don't exist under securityContext.
Requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined (using a numeric UID) in the image. Pods which have specified neither runAsNonRoot nor runAsUser settings will be mutated to set runAsNonRoot=true, thus requiring a defined non-zero numeric USER directive in the container. No default provided. Setting allowPrivilegeEscalation=false is strongly recommended with this strategy.
So the USER directive is important when you want the container to be started as non-root.
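The following manifest is an added example, not code from the question or answer above: it shows the two places the non-root user can be set and how they interact. The image name, Deployment name and UID 10001 are assumptions; `runAsUser` in the pod spec overrides the image's `USER`, and when `runAsUser` is omitted, `runAsNonRoot: true` can only be verified by the kubelet if the image's `USER` is a numeric UID rather than a name.

```yaml
# Added example (not from the question or answer): a Deployment that satisfies
# the quoted MustRunAsNonRoot rule. Names, image tag and UID 10001 are assumed.
#
# Companion Dockerfile for registry.example/app:1.0 (assumed):
#   FROM alpine:3.19
#   RUN addgroup -g 10001 app && adduser -D -u 10001 -G app app
#   COPY --chown=10001:10001 ./server /server
#   USER 10001       # numeric UID: the kubelet can verify it is non-root
#   # USER app       # a name here cannot be verified when runAsNonRoot=true
#   ENTRYPOINT ["/server"]
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app-nonroot
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app-nonroot
  template:
    metadata:
      labels:
        app: app-nonroot
    spec:
      securityContext:
        runAsNonRoot: true   # kubelet refuses to start the container as UID 0
        runAsUser: 10001     # explicit non-zero UID; takes precedence over image USER
        runAsGroup: 10001
        fsGroup: 10001       # volumes are made group-accessible to this GID
      containers:
        - name: server
          image: registry.example/app:1.0
          securityContext:
            allowPrivilegeEscalation: false   # recommended with this strategy
            capabilities:
              drop: ["ALL"]
            readOnlyRootFilesystem: true
          ports:
            - containerPort: 8080
```

If `runAsUser` is removed from this manifest, the pod still starts because the image declares `USER 10001`; with `USER app` instead, the container fails to start with a kubelet error stating that the image has a non-numeric user and it cannot verify the user is non-root.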