Enhancement request: Use deterministic UID/GID in Dockerfile #230
Labels
Comments
ghsa-retrieval
added
design needed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is your enhancement request related to a problem? Please describe.
The UID and GID in the Dockerfile can change since the user and group are only created by name. This has implications for deployments that rely on identifying the user exactly. For example: Settings for the security context in Kubernetes/Helm charts, such as
runAsUserandrunAsGroup, cannot be applied, since the UID and GID are not known ahead of time and may change between versions.What are the benefits of the requested enhancement?
The user and group are no longer assigned a non-deterministic ID. You can set up user namespaces in a predictable way.
Describe the solution you would like
Modify the
adduserandaddgroupcommands in the Dockerfile to use a numerical UID and GID instead of a name. The UID and GID should be ones that are not already occupied by the Python base image.Additional notes
Using a numerical UID and GID instead of name is also recommended according to Docker: https://docs.docker.com/build/building/best-practices/#user
The text was updated successfully, but these errors were encountered: