Any standard guidelines for choosing the USER ID and GROUP ID for Docker images in Dockerfile?

6/7/2021

I normally used 1111 as the user ID and group ID for my containers, but when I deployed my application on the OpenShift platform, I got an error while scheduling pods.

unable to validate against any security context constraint: [fsGroup: Invalid value: []int64{1111}: 1111 is not an allowed group spec.containers[0].securityContext.securityContext.runAsUser: Invalid value: 1111: must be in the ranges: [1000750000, 1000759999]]

I know that this restriction has been imposed by some Security Context Constraint (SCC) on the cluster which is not being satisfied by my application Pods. I just wanted to understand if there are some standard rules/guidelines around choosing these user IDs and group IDs. Any help would be appreciated!

-- Nish
docker
kubernetes
kubernetes-helm
openshift
podsecuritypolicy

1 Answer

6/8/2021

As per Red Hat recommendations, your image should be built in such a way that it can run with an arbitrary user ID. So, if you follow that, then you don't need to specify a user ID in the Dockerfile or in your deployment YAML manifest. OpenShift will automatically choose an arbitrary user ID (from the range) and will run the pod with that.

Check this link for more details.

-- nitgeek
Source: StackOverflow
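
A sketch of the image-side preparation the answer refers to, added here as an example and not part of the original answer or Red Hat's own code: OpenShift starts the container with an arbitrary UID that is a member of the root group (GID 0), so writable paths are handed to group 0 with group permissions equal to the owner's, and an audit step fails the build if any path was missed. The function names, the script name and the `/app/...` paths are assumptions, and it expects a Linux `stat` that supports `-c`.

```shell
#!/bin/sh
# Added example: prepare and audit directories for an arbitrary runtime UID.
# Assumption: the runtime UID belongs to group 0, so group 0 needs the same
# access as the build-time owner. Hypothetical Dockerfile usage:
#   COPY arbitrary-uid.sh /tmp/
#   RUN sh /tmp/arbitrary-uid.sh /app/data /app/logs

# prepare_for_arbitrary_uid DIR [GID]
# Hand DIR to the group and copy the owner's permission bits to the group.
prepare_for_arbitrary_uid() {
    chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}

# audit_arbitrary_uid DIR [GID]
# Print every file or directory that the group could not use like the owner.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_arbitrary_uid() {
    find "$1" \( -type f -o -type d \) -exec stat -c '%a %g %n' {} + |
    awk -v gid="${2:-0}" '
        BEGIN { bad = 0 }
        {
            mode = sprintf("%04d", $1)        # "644" -> "0644", "2755" stays
            u = substr(mode, 2, 1)            # owner permission digit
            g = substr(mode, 3, 1)            # group permission digit
            name = $0
            sub(/^[0-9]+ [0-9]+ /, "", name)  # keep paths containing spaces
            if ($2 != gid)   { print "wrong-group " name; bad = 1 }
            else if (g != u) { print "group-perms " name; bad = 1 }
        }
        END { exit bad }'
}

# Script mode: fix, then verify, each directory given on the command line.
for d in "$@"; do
    prepare_for_arbitrary_uid "$d" && audit_arbitrary_uid "$d" || exit 1
done
```

The optional GID argument exists so the functions can be exercised outside an image build by a non-root user; in an image build the default of 0 is the value that matters.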