Set runAsNonRoot=true in gen kube

If the image being used has a user set that is a positive
integer greater than 0, then set the securityContext.runAsNonRoot
to true for the container in the generated kube yaml.

Signed-off-by: Urvashi Mohnani <umohnani@redhat.com>
Urvashi Mohnani
2023-01-25 17:14:22 +05:30
parent c35e74f4cc
commit 958c94094e
2 changed files with 42 additions and 0 deletions


@ -686,6 +686,13 @@ func containerToV1Container(ctx context.Context, c *Container) (v1.Container, []
if imgData.User == c.User() && hasSecData {
kubeSec.RunAsGroup, kubeSec.RunAsUser = nil, nil
}
// If the image has user set as a positive integer value, then set runAsNonRoot to true
// in the kube yaml
imgUserID, err := strconv.Atoi(imgData.User)
if err == nil && imgUserID > 0 {
trueBool := true
kubeSec.RunAsNonRoot = &trueBool
}
envVariables, err := libpodEnvVarsToKubeEnvVars(c.config.Spec.Process.Env, imgData.Config.Env)
if err != nil {
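Review bot: The new check derives `RunAsNonRoot` from `imgData.User` alone, while the `if` just above it shows that the container's own user (`c.User()`) can differ from the image's. If a container was created with a user override of 0, the generated YAML could carry `runAsNonRoot: true` for a workload that actually runs as root, and if `RunAsUser` is still populated at that point the kubelet will refuse to start the container. Consider gating on the effective user, e.g. `if err == nil && imgUserID > 0 && imgData.User == c.User() {`. `strconv.Atoi` also rejects the `uid:gid` form of an image user, so such images silently get no `runAsNonRoot`; a one-line comment saying whether that is intended would help. The body of `containerToV1Container` starts and ends outside this hunk, so the earlier handling of `kubeSec.RunAsUser` should be checked against this.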